Not-For-Profit Finance Forum Westpac New Zealand Limited

Transcription

1 Not-For-Profit Finance Forum Westpac New Zealand Limited Managing Fraud insights from a consumer banking perspective Claire Smollett Investigations Manager - Financial Crime Management Hayley Muong Senior Investigator - Financial Crime Management

2 Agenda Robust Internal Controls to prevent fraud Principles of an Internal Fraud Investigation Investigating Legacy Fraud in a Cyber world The Evolution of a Scam with you as the victim

3 Robust Internal Controls to prevent fraud Principles of an Internal Fraud Investigation Investigating Legacy Fraud in a Cyber world The Evolution of a Scam with you as the victim

4 Our Control Environment WNZL believe internal fraud is Almost Certain Controls are calibrated to the Westpac Code of Conduct Backed up by SAS monitoring of behaviours most likely to flag deviance Whistleblower hotline Bank wide training modules for Red Flag identification Hindsight every staff incident

5 Your Control Environment If you are an organisation or operate a business you will maintain appropriate internal controls so as to ensure that unauthorised, forged or fraudulent instructions are not given to Westpac. Appropriate = 6 months Audited annual reports Demonstrate adequate security (Passwords etc) Defined roles and responsibilities

6 Robust Internal Controls to prevent fraud Principles of an Internal Fraud Investigation Investigating Legacy Fraud in a Cyber world The Evolution of a Scam with you as the victim

7 Internal Fraud Donald Cressey s Fraud Triangle According to Cressey, there are three factors that must be present at the same time for an ordinary person to commit fraud Rationalisation

8 Internal Fraud Investigation Find Deviant Behaviours, Find Fraud? Signs of a workplace deviant: Bullying or Intimidation Intra-Office Affairs Expense account fraud Sending or viewing inappropriate images Inability to comply with social norms Polarising personality

9 Internal Fraud Case Study A Westpac bank manager who fleeced her elderly clients out of more than $350,000

10 Robust Internal Controls to prevent fraud Principles of an Internal Fraud Investigation Investigating Legacy Fraud in a Cyber world The Evolution of a Scam with you as the victim

11 Traditional Cheque Fraud

12 Traditional Cheque Fraud

13 With ID that looks a little like this

14 Usually results in

15 Fraud at your front door Socially engineering identity facts Will often be the Bank or a service provider, but also known to be collecting for charitable organisations Will approach the most vulnerable in our society May telephone to add layers of authenticity Significant losses between October and February 2016

16 Robust Internal Controls to prevent fraud Principles of an Internal Fraud Investigation Investigating Legacy Fraud in a Cyber world The Evolution of a Scam with you as the victim

17 Traditional financial cybercrime Cybercrime is a term for any illegal activity that uses a computer as it s primary means of commission. The growing list of cybercrimes includes crimes that have been made possible by computers, such as network intrusions and the dissemination of computer viruses, as well as computer-based variations of existing crimes, such as identity theft, stalking, bullying and terrorism. Social Engineering Refers to psychologically manipulating people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access. Malware Malicious software designed to infiltrate or damage a computer system. In the context of financial cybercrime, malware is typically used to capture user credentials, steal information or attempt to perform malicious transactions. These can either take place in real-time or at a later date using harvested credentials, and are increasingly two-factor authentication aware. Phishing A social engineering attack attempting to steal sensitive information (usually access credentials, identity or credit card information) by masquerading as a trusted party in an electronic communication. Typically attempt to evoke a response by using a threatening call to action (e.g. Your account will be locked verify your information ). Man in the Middle A man-in-the-middle (MITM) attack is a form of eavesdropping or interception where communication between two users is monitored and modified by an unauthorized party.

18

19 Phishing Identifying properties of a phishing . address spelled wrong Asking user to click on the link Generic addressing Poor or awkward grammar Link seems legitimate but is it really? No disclaimer or security header

20 Phishing Critical features found on the The plain text Westpac link on the printed copy does not exist. The Westpac website link in the contains a HIDDEN and different link under the plain text. It s important to ask yourself three simple questions to help spot a scam , 1. Does it instruct you to perform a task such as click a link, open an attachment or call a number? 2. Does it ask for account information, or for you to verify your online security? 3. Does the have poor grammar, punctuation or spelling?

21

22 Spear phishing

23 Hacking I hope everything is good with you and your family. I need your help. Please let me know if you can help me. My cousin and were hospitalized at Saint Louis University, Baguio City, Philippines and am writing you from a Sick Bed. before they could carry out the operation which he told me he will be strong by Friday and hopefully by Friday15th of march it will be done I have spent all I have on me right now and the hospital/surgery team wants to carry out an operation, and have set a deadline to operate on him The cost of the operation is the sum of 101, PHP, i converter the money is about $2,500. is there anyway you can be of help to us? I promise to refund your money as soon as i return home

24

25 Whaling Also known as CEO fraud Typically involves a hacker masquerading as a senior executive asking an employee to transfer money FBI noted in April 2016 a 270% increase in identified victims since January 2015 Internationally has affected Mattel, Snapchat and Seagate Technologies Domestically has affected Te Wananga o Aotearoa and the New Zealand Fire Service. Sadly - we know of many many more that have gone unreported

26 Cybercrime as a Service Aspiring hackers can buy off the shelf exploit kits Bought and sold in Dark Web marketplaces Monthly updates 24 x 7 support Hosting services Anti Virus avoidance checks An example: Cryptolocker Ransomware

27

28

29

30 Thank you