Phishing for Fraud: Don't Let your Company Get Hooked!




Phishing for Fraud: Don't Let your Company Get Hooked!
March 2009
Approved for 1 CTP/CCM recertification credit by the Association for Financial Professionals

Today's Speakers
- Joe Potuzak is Senior Vice President and Payment Solutions Risk Manager. Joe has more than 20 years of experience in commercial lending, operations and payments risk management roles.
- Rachel M. Floars is Senior Vice President and Electronic Delivery Systems Risk Manager. Rachel has more than 25 years of experience in operations and risk management roles.

Today's Agenda
- of Fraud
- of Fraud
- Preventing Fraud

Polling Questions
1. How would your company categorize its current level of concern related to fraud?
   - Very High
   - High
   - Moderate
   - Low
   - Very Low / No Concern
2. How would your company categorize its current level of resources (people, processes, systems) allocated to fraud detection and prevention?
   - Have more than enough resources allocated
   - Have the right level of resources allocated
   - Don't have enough resources allocated
   - No resources currently allocated

Association for Financial Professionals (AFP) Payments Fraud & Control Survey, March 2008
552 corporate cash managers, analysts, directors, asst. treasurers & controllers surveyed, across fifteen industries:
- Industry: Manufacturing (21%), Retail (11%), Insurance (9%), Energy (9%)
- Revenue size: Less than $100MM (9%), $100-999.9MM (34%), $1B+ (57%)
- Ownership: Publicly owned (47%), Privately held (32%), Non-profit (11%), Government (10%)

AFP Payments Fraud & Control Survey, March 2008
71% of organizations experienced attempted or actual payments fraud in 2007:
- Type of fraud: Check fraud (94%), ACH debit (26%), Corporate cards (13%), Consumer ACH and/or card payments (10%), ACH credits (4%), Wire transfer (3%), Prepaid/gift cards (1%)
- Loss size: No loss (63%), Less than $25,000 (25%), $25,000-99,999 (7%), $100,000+ (7%)
- Median loss: $13,900

Additionally, organizations are experiencing the following impacts:
- Disabled websites, unavailable for use by their clients.
- Office computers that are shut down by viruses.
- Compromise and theft of sensitive client and/or employee information.
- Manipulation or destruction of important organizational data by a former disgruntled employee.
- Malicious use of their systems to attack another system.

Polling Question
Which is the most effective source currently used for maintaining knowledge of evolving fraud trends and schemes?
- Advisories / information from your financial institution.
- Industry associations.
- Newspapers and periodicals.
- Peer networking.
- Software / hardware / processing vendors.

Check Fraud
- Check fraud is widespread despite a significant decline in check usage.*
- Growth in check fraud is outpacing growth in electronic payments fraud.*
- Accounts payable/disbursement accounts are the most frequent target (84%).*
- Payroll accounts are the second most frequent target (34%).*
Examples:
- Counterfeit checks imprinted with the organization's MICR line but another business name.
- Altered payee names or amounts.
- Forged signatures.
- Lost, stolen or counterfeit employee paychecks.
- Fraudulent checks identified with positive pay and then re-presented as ACH debits.
*Source: AFP 2008 Payments Fraud and Control Survey

ACH & Wire Fraud
- 15% of organizations surveyed experienced financial losses from ACH fraud in 2007.*
- Failure to adopt effective internal controls and bank fraud control services was cited as the most frequent reason for ACH loss.*
Examples:
- Fraudulent ACH debits posted to a business account.
- Misdirected outgoing wire or ACH payment.
- Fictitious employee added to the ACH payroll file.
- Keying errors.
*Source: AFP 2008 Payments Fraud and Control Survey

Online Payments Fraud
Two components of online payments fraud:
- THEFT of consumer / business payment information / credentials.
- FRAUDULENT USE of consumer / business payment information / credentials for unauthorized financial activity.
Scams / schemes may have varied goals:
- Target only the theft of information / credentials. Objective is to use it fraudulently at a later time, in the same or another channel, or to sell it in the market.
- Target both the theft of information / credentials and its immediate use for unauthorized financial activity. Objective is to get in and out before the victim and/or FI becomes aware.

Online Payments Fraud
A primary theft scam / scheme is Phishing / Spamming Services, which attempt to entice an email recipient into clicking on a fraudulent link.
November 2008 online fraud data:*
- 207 global bank brands targeted in online phishing attempts (24% increase from October 2008).
- 10,626 actual phishing attacks.
- 53% of worldwide phishing attacks targeted at U.S. banks.
*Source: RSA Security, Inc., Online Fraud Report

Online Payments Fraud (Continued)
- Bogus website requesting entry of consumer / business payment information / credentials.
- Automatic download of malicious software (malware) to the victim's computer.
(Slide graphic: "You've Got Mail" ... CLICK)
Malware examples:
- Keystroke logging: captures and records user keystrokes.
- Hidden URL redirect: unknowingly redirects the user to a bogus URL.
- Trojan: looks like a desirable function, but when selected allows unauthorized access to the computer.
- Remote control: allows a fraudster to control the computer from a remote location.
- SQL injection: allows a fraudster to execute unauthorized SQL commands; used to steal information from a database.

Online Payments Fraud (Continued)
The Evolution of Phishing (slide timeline):
- Easy to spot
- Graphics
- Pop-ups used
- Victim's knowledge of scheme
- Malware
- Spear phishing: targets companies
- Hishing: embeds malware into hardware
- Wishing: targets individuals
- Sishing: entices users to click on advertising links
- ???????????? (what comes next)

B2B Card Payments Fraud*
Purchasing and Travel & Entertainment cards.
- 73% of AFP survey respondents indicate that their organization uses corporate cards.
- 13% reported attempted or actual payments fraud.
- Purchasing cards are more likely to be involved in fraud than T&E cards (75% versus 46%).
- The likely perpetrator is an unknown external party or an employee, versus a vendor.
*Source: AFP 2008 Payments Fraud and Control Survey

Consumer Electronic Payments Fraud*
- 43% of respondents accept ACH and/or card payments from consumers.
- Most fraud involves credit cards: Credit cards (89%), ACH (38%), Signature debit cards (24%), PIN debit cards (11%).
- Channels used to commit consumer ACH and/or card payments fraud resulting in financial loss: Online via the Web (71%), In person (e.g. store or branch location) (63%), Over the phone (46%).
- 1/3 of organizations reported an increase in consumer electronic payments fraud from 2006 to 2007.
*Source: AFP 2008 Payments Fraud and Control Survey

Consumer Electronic Payments Fraud (Continued)
- Failure to safeguard consumer data when accepting electronic payments can result in a data security breach.
- A data security breach can be costly in terms of investigative, legal, reputation and financial impacts.
Examples:
- The 2007 loss of data for 45 million credit card holders by TJX (parent company of TJ Maxx) resulted in $256MM in investigative, legal and enhanced security costs.
- Heartland Payment Systems' stock price fell 42% in the days following its January 20, 2009 announcement of a security breach.

Polling Question
Which type of fraud causes your company the most concern?
- Check Fraud
- ACH and Wire Transfer Fraud
- Online Payments Fraud
- B2B Payments Fraud
- Consumer Electronic Payments Fraud

Preventing Check Fraud
- Migrate to safer electronic payments services: direct deposit of pay via ACH and payroll cards; integrated payables.
- Implement positive pay, reverse positive pay and payee positive pay services.
- Reconcile accounts and review activity daily; report suspicious items promptly.
- Segregate duties (check issuance, approval).
- Limit the number of authorized signers.
- Limit posting of checks to deposit-only accounts.
- Obtain CD-ROM paid check imaging.
- Use a larger font for check printing and asterisks to prevent adding payees.
- Place outgoing mail in a safe and secure location.

Preventing Check Fraud (Continued)
- Utilize checks with security features.
- Store check stock, signature stamps and facsimile signatures in a secure environment with inventory control.
- Shred confidential documents that are no longer needed.

Preventing ACH and Wire Fraud
- Reconcile accounts daily.
- Return unauthorized ACH debits timely: no later than the opening of business on the second banking day following the Settlement Date of the original entry (ACH Rules).
- Use ACH debit blocks, filters and positive pay services.
- Provide trading partners with a Universal Payment Identification Code (UPIC) in lieu of an account number. A UPIC is a unique bank account identifier issued by financial institutions that allows organizations to receive electronic payments without divulging confidential banking information.
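To make the positive pay and ACH debit controls from the check-fraud and ACH slides concrete, here is an added example (not from the deck and not BB&T's code): it matches presented checks against an issued-check file, holds ACH debits from originators the company has not authorized (including the slide's case of a rejected check coming back as an ACH debit), and computes the second-banking-day return deadline. All serials, payees, amounts and company IDs are constructed sample data, and bank holidays are an unmodeled assumption.

```python
"""Added example (not from the BB&T deck): positive pay matching for issued
checks, an ACH debit filter, and the ACH unauthorized-debit return deadline.
All check, debit and company-ID data below is constructed sample data."""
from datetime import date, timedelta

# Constructed issued-check file: serial -> (payee, amount) as written by the company.
ISSUED = {
    "10041": ("Acme Office Supply", 1250.00),
    "10042": ("Northside Printing", 480.25),
}
# Constructed ACH debit filter: originator company IDs the company has pre-authorized.
ACH_AUTHORIZED = {"1234567890": "Metro Power & Light"}

def positive_pay(presented):
    """Match items presented against the account to the issued-check file.
    Returns (serial, reason) for every exception the bank should hold for review."""
    exceptions = []
    for item in presented:
        issued = ISSUED.get(item["serial"])
        if issued is None:
            exceptions.append((item["serial"], "no issue record: possible counterfeit"))
        elif abs(issued[1] - item["amount"]) >= 0.005:
            exceptions.append((item["serial"], "amount differs: possible alteration"))
        elif issued[0] != item["payee"]:  # payee positive pay
            exceptions.append((item["serial"], "payee differs: possible alteration"))
    return exceptions

def ach_debit_filter(debits):
    """Return ACH debits whose originator is not on the authorized list, e.g. a
    check rejected by positive pay that comes back converted to an ACH debit."""
    return [d for d in debits if d["originator_id"] not in ACH_AUTHORIZED]

def ach_return_deadline(settlement_iso):
    """ISO date of the second banking day after the settlement date (return must
    reach the bank by opening of business that day). Weekends are skipped;
    bank holidays are not modeled (assumption)."""
    day, banking_days = date.fromisoformat(settlement_iso), 0
    while banking_days < 2:
        day += timedelta(days=1)
        if day.weekday() < 5:
            banking_days += 1
    return day.isoformat()

if __name__ == "__main__":
    presented = [  # constructed items presented for payment
        {"serial": "10041", "payee": "Acme Office Supply", "amount": 1250.00},
        {"serial": "10042", "payee": "N. Printing Holdings", "amount": 480.25},
        {"serial": "10099", "payee": "Cash", "amount": 3900.00},
    ]
    debits = [  # constructed ACH debits; the second re-presents rejected check 10099
        {"originator_id": "1234567890", "amount": 2200.00, "desc": "UTILITY BILL"},
        {"originator_id": "9999999999", "amount": 3900.00, "desc": "CHECK 10099"},
    ]
    for serial, reason in positive_pay(presented):
        print(f"positive pay exception {serial}: {reason}")
    for d in ach_debit_filter(debits):
        print(f"unauthorized ACH debit {d['desc']} ${d['amount']:.2f}, "
              f"return by opening of business {ach_return_deadline('2009-03-06')}")
```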

Preventing Online Payments Fraud
- Implement policies and procedures:
  - User access and password management.
  - Acceptable use of the Internet policy.
  - Prompt updates of employee access as changes warrant (re-assignments, terminations, etc.).
  - Periodic online fraud report (a sort of "State of the Union" of online fraud in your company).
  - When and how Social Security numbers can be used / displayed / printed.
- Institute an employee education and awareness program (to include both new employees and periodic refresher training for existing employees):
  - General education on risks, social engineering scams, and controls.
  - More specific education on topics that may be directly targeting your business (spear phishing).
  - Policies and procedures.
  - Advisories.

Preventing Online Payments Fraud (Continued)
Protect essential hardware and software:
- Manage both physical and systems access. Desktops versus laptops.
- Back up files incrementally (daily) and fully (weekly / offsite). Test the restore function.
- Check browser configuration for appropriate settings.
- Consider encryption of sensitive data.
- Ensure that anti-virus updates, spyware updates, and operating system and browser patches are current.
- Implement a firewall, selected based upon your business needs, and ensure that it is enabled and configured for automatic updates (if available).
- Segregate responsibilities for payments template maintenance, entry and approval to limit internal fraud and exposure to phishing.
- Take steps to securely dispose of assets (hardware, software, records).
- As warranted, use multi-factor authentication tools (tokens, digital certificates, etc.).
- Assign dual system administrators for online cash management services.

Preventing Online Payments Fraud (Continued)
- Use bookmarks in your web browser for entities with which you regularly communicate.
- Navigate pop-ups wisely:
  - Consider using a pop-up block function in your browser.
  - Do not enter personal information. Legitimate entities don't ask for personal info via a pop-up.
  - Never click inside a pop-up window to close it. Either click the X at the top right corner or (depending on the operating system) hold down Alt and F4 to close the current window.
- Be cautious about all communications you receive:
  - Install a phishing filter on your email application.
  - Do not be intimidated by a caller or an email that has a complaint and/or suggests dire consequences if the response is not immediate.
  - Be cautious of unsolicited email. Do not feel obligated to open it. Instead, just delete it.
  - Do not open attachments or click on hyperlinks in unsolicited email.
  - If unsure of the authenticity, verify. The key is to know the origin through information you have verified yourself.
  - Never give out your password, account number, ID or credentials via email, the Web, text messages, or the telephone.

Preventing Online Payments Fraud (Continued)
Know the warning signs of when you may have a problem!
- Know your computer(s). If one is acting strangely (slow response times, excessive pop-ups, etc.), check it out!
- Know when to expect your account statements. If they are late and/or do not arrive, contact your financial institution to find out why.
- If your FI offers it, take advantage of online functionality that allows more frequent review of activity.
- Look for unauthorized charges on your statements. If identified, notify your FI immediately.
- Consider mobile / email alerts / notifications for high-risk activities.
Know how to respond in an event!
- Quarantine any computer suspected of being compromised.
- Forward suspect phishing emails to the FTC at spam@uce.gov.
- Apply additional scrutiny or controls to transactions following attacks.
- If you think you've been scammed, visit http://www.ftc.gov/idtheft.

Preventing B2B Card Payments Fraud*
- Require original receipts for purchases, or confirmations of Web purchases, from employees.
- Define spending limits by employee or level.
- Assign a permanent administrator to train cardholders and monitor usage.
- Develop a detailed cardholder agreement that both employees/cardholders and supervisors must sign.
- Conduct surprise audits of compliance with card usage policies.
*Source: 2008 Payments Fraud and Control Survey

Preventing Consumer Electronic Payments Fraud
Cards:
- Utilize Address Verification Service (AVS), Card Verification Number (CVV2, CVC2, etc.), Verified by Visa and MasterCard SecureCode to protect against card fraud.
- Ensure the card processing system and hardware are Payment Card Industry (PCI) compliant.
  - Mandatory for merchants/processors accepting Visa, MasterCard, AMEX and Discover.
  - Specific requirements for firewalls, network security, encryption and protection of cardholder data.
  - For more information visit www.bbt.com/pci

Preventing Consumer Electronic Payments Fraud (Continued)
ACH:
- Delay shipping goods until the period for ACH returns has elapsed.
- Ensure ACH Web payment capability complies with ACH Rules.
- Employ a fraudulent transaction detection system.
- Verify routing numbers.
- Secure the Internet session (minimum 128-bit SSL encryption technology).
- Conduct an annual security audit.

Other Fraud Measures
Employees:
- Conduct background checks.
- Require mandatory vacations.
- Delete online user IDs as part of the exit process.
- Monitor and respond to suspicious behavior.
- Randomly audit work activities.
- Implement dual control for sensitive treasury management transactions.
- Set and review internal controls, procedures and employee limits.
- Investigate customer claims of non-receipt of payment.
- Promptly report suspected payments fraud to law enforcement and your bank.

Concluding Thoughts
- Designate a principal individual or unit responsible for fraud.
- Approach fraud as a business function, versus a technology function.
- Ask questions to understand your risk exposure.
- Identify and inventory assets.
- Identify and stay current on the threats to your assets.
- Implement a good mix of solutions that best meets your business needs.

Thank you for participating today.
Evaluation: You will receive a short webinar evaluation request via email. Your feedback is very important to us.
Contact Information: For additional information, please call 1-800-810-5625 to reach a BB&T Payments Consultant, or visit http://www.bbt.com/bbt/business/products/paymentsolutions/default.html
Member FDIC