2. The Business of Cybercrime
By 2019, the annual global cost of cybercrime is estimated to equal $2.1 Trillion.
Source: Juniper Research
3. Cybercrime Financial Loss is Correlated With:
• Direct theft of funds through fraud/scams/extortion.
• Loss of critical/sensitive/confidential data.
• Business disruption or downtime.
• System clean-up, data/program recovery.
• Post-breach IT & business consultation fees.
• Reputational damage to business.
4. It’s Not Just Big Businesses Affected
• 43% of all cyberattacks in 2015 were aimed at small to midsized businesses (250 or fewer employees).*
• Dangerous misconception: “I’m too small to bother with” or “It won’t happen here.”
• Cybercriminals know that the small guys are less protected.
* Source: Symantec 2016 Cybersecurity Report
5. Cybercriminals Love Real Estate
• Smaller to mid-sized companies.
• Busy professionals focused on clients making deals.
• Multiple separate players during transactions: buyer, seller, buyer’s agent, seller’s agent, escrow agent, lawyer, mortgage broker, banks.
• Real estate purchase = large sums of money.
11. Business Email Compromise
Background
◦ Methods: Spoof Domain, Spoof Username, Reply To, Compromised Account
◦ Victims: Businesses, Governments and Individuals
◦ Targets: Money and PII/W2 Information
Scope (10/2013-4/2016)
◦ 50 States / 95 Countries
◦ 80 Countries
◦ 23,800+ victims
◦ $3,300,000,000+ lost
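The four BEC methods listed above can be illustrated with a header check. This is an added example, not material from the presentation or the FBI: it flags three of the methods (Spoof Domain, Spoof Username, Reply To) from a message's headers, plus the payment-change wording that appears in the later invoice and condo-closing cases. A Compromised Account sends from the genuine mailbox, so no header check catches it; for that case the page's own remedy is out-of-band confirmation with the counterparty. The contact list, domains and sample message are constructed.

```python
# Added example (not from the presentation): simple BEC indicator checks.
from email import message_from_string
from email.utils import parseaddr

# Constructed list of trusted counterparties (assumption: the firm keeps one).
KNOWN_CONTACTS = {
    "jane.doe@disposal-co.example": "Jane Doe",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS}

# Character substitutions commonly seen in lookalike domains.
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def _normalise(domain):
    return domain.lower().translate(_SUBS).replace("-", "")

def lookalike(domain):
    """True if domain is not trusted but normalises to a trusted one
    (e.g. disposal-c0.example vs disposal-co.example)."""
    d = domain.lower()
    if d in KNOWN_DOMAINS:
        return False
    return any(_normalise(d) == _normalise(k) for k in KNOWN_DOMAINS)

def bec_indicators(raw_message):
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.split("@", 1)[1].lower() if "@" in addr else ""
    findings = []
    # Spoof Domain: sender domain looks like a trusted domain but is not.
    if lookalike(from_domain):
        findings.append("spoof-domain")
    # Spoof Username: display name of a known contact on an unknown address.
    if name in KNOWN_CONTACTS.values() and addr.lower() not in KNOWN_CONTACTS:
        findings.append("spoof-username")
    # Reply To: replies would go to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and reply.split("@", 1)[1].lower() != from_domain:
        findings.append("reply-to-mismatch")
    # Payment-change wording is the lure in the invoice and condo cases.
    text = str(msg.get_payload()).lower()
    if any(k in text for k in ("new bank account", "new account details",
                               "updated wiring instructions")):
        findings.append("payment-change-request")
    return findings

# Constructed sample modelled on the "new account details" invoice e-mail.
SAMPLE = (
    "From: Jane Doe <jane.doe@disposal-c0.example>\r\n"
    "Reply-To: billing@mail-relay.example\r\n"
    "Subject: Invoice - new account details\r\n"
    "\r\n"
    "Please send this period's payment to our new bank account.\r\n"
)

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```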
12. BEC - Continued
The FBI’s Approach
◦ Awareness
◦ Recovery
◦ Data Collection/Analysis
◦ Pursuit of Individuals/Crime Groups
Recent examples
How you can help
Example 1
• Day 1: Victim wired $98K to HK
• Day 2 @ 9:15AM: Victim contacted FBI
• Day 2 @ 9:30AM: Complaint desk notified C-5
• Day 2 @ 10:30AM: FBI emailed FINCEN Rapid Response Team
• Day 2 @ 3:30PM: HK account frozen
• Day 7: Funds returned to victim in full
Example
• Victim identified compromised account (E-mail Spoofing)
• Contacted banks where wires were sent
• Hold Harmless Letter
• Identify Account Holders
13. Wire Fraud Scheme – Condo Closing
Focus on Facilitation
Money Mules
◦ Structuring Transactions
◦ Quick Wire Transfers
AML Policies
◦ Proactive vs Reactive
How you can help
Individual received victim’s funds via wire. Within 24 hours:
◦ Individual conducted structured withdrawals
◦ Individual sent multiple international wires.
◦ No funds remained in account
Buyer contacted a few days before closing with wire transfer instructions.
Account was recently opened. Two cashier’s checks were issued. Checks cashed at local check cashing facility.
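The mule pattern on this slide (inbound wire, then within 24 hours structured withdrawals, international wires and an emptied, recently opened account) is what a bank's proactive monitoring would look for. The following is an added example, not the presenter's or any bank's code: it scores a constructed transaction list against those indicators and recommends a hold when several coincide. The $10,000 figure is the Bank Secrecy Act currency transaction report level; the 95% drain ratio, the 30-day account age and the sample data are assumptions.

```python
# Added example (not from the presentation): money-mule pattern detection.
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000          # cash at/above this triggers a CTR
WINDOW = timedelta(hours=24)    # the slide's "within 24 hours"
DRAIN_RATIO = 0.95              # assumption: this share out = "no funds remained"
NEW_ACCOUNT_DAYS = 30           # assumption: what counts as "recently opened"

def mule_indicators(txns, account_age_days):
    """txns: list of dicts {ts, kind, amount, country}; kind is one of
    'wire_in', 'cash_out', 'wire_out'. Returns the indicators found."""
    txns = sorted(txns, key=lambda t: t["ts"])
    findings = []
    for i, t in enumerate(txns):
        if t["kind"] != "wire_in":
            continue
        window = [u for u in txns[i + 1:] if u["ts"] - t["ts"] <= WINDOW]
        # Structuring: several cash withdrawals each under the CTR
        # threshold that together exceed it.
        cash = [u for u in window if u["kind"] == "cash_out" and u["amount"] < CTR_THRESHOLD]
        if len(cash) >= 2 and sum(u["amount"] for u in cash) >= CTR_THRESHOLD:
            findings.append("structured-withdrawals")
        # Quick international wires out of the account.
        if any(u["kind"] == "wire_out" and u["country"] != "US" for u in window):
            findings.append("international-wires-within-24h")
        # Account drained relative to the inbound wire.
        out_total = sum(u["amount"] for u in window if u["kind"] != "wire_in")
        if out_total >= DRAIN_RATIO * t["amount"]:
            findings.append("account-drained")
    if findings and account_age_days <= NEW_ACCOUNT_DAYS:
        findings.append("recently-opened-account")
    return findings

def recommend_hold(findings):
    """Active hold on a suspected mule account when indicators coincide."""
    return len(findings) >= 2

# Constructed sample modelled on the $100K BEC case in the speaker notes:
# $20K in three cash withdrawals, $40K to Hong Kong, $40K to Nigeria.
T0 = datetime(2016, 3, 1, 9, 0)
SAMPLE_TXNS = [
    {"ts": T0, "kind": "wire_in", "amount": 100_000, "country": "US"},
    {"ts": T0 + timedelta(hours=2), "kind": "cash_out", "amount": 7_000, "country": "US"},
    {"ts": T0 + timedelta(hours=5), "kind": "cash_out", "amount": 6_500, "country": "US"},
    {"ts": T0 + timedelta(hours=8), "kind": "cash_out", "amount": 6_500, "country": "US"},
    {"ts": T0 + timedelta(hours=20), "kind": "wire_out", "amount": 40_000, "country": "HK"},
    {"ts": T0 + timedelta(hours=22), "kind": "wire_out", "amount": 40_000, "country": "NG"},
]

if __name__ == "__main__":
    found = mule_indicators(SAMPLE_TXNS, account_age_days=10)
    print(found, "hold:", recommend_hold(found))
```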
14. Building Effective Relationships
Why is it good for the FBI?
◦ Helps us develop a more accurate Intel picture
◦ Encourages timely reporting
◦ Creates additional investigative options
Why is it good for you?
◦ Be part of the Intel cycle
◦ To build trust
◦ Know how/where to report frauds
◦ The FBI can be a source of information for you
16. Domestic Wires
Victim Contact Bank – Request Recall of Wire
File Police Report
Contact Local FBI Office
Internet Crime – File Report with ic3.gov
17. FBI Points of Contact
Lakeville RA
◦ Main Number - 508-947-0625
Supervisory Senior Resident Agent Kevin R. White
◦ Email – Kevin.White@ic.fbi.gov
Special Agent Sarah De Lair
◦ Email – Sarah.DeLair@ic.fbi.gov
Internet Crime Complaint Center
◦ Website – www.ic3.gov
20. Who Is John Garner?
• Established iMedia in 1998 to help business use technology
profitably.
• We ensure your technology keeps you productive, secure and
current.
• We manage the technology for over 70 businesses in southeastern Mass.
• Over 50 terabytes of data is protected for our clients.
• Ransomware attacks cost victims more than $1 Billion in 2016.
iMediaTechnology clients didn’t pay a penny.
34. Internet Use and Password Policy for Work
• An internet usage policy provides employees with rules and guidelines about the appropriate use of company equipment, network and Internet access.
• A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
35. Clean up your browser
• Remove Java and Flash
• Uninstall unused web browser plugins.
36. Security Awareness Training
• Think Before You Click!
• Be suspicious of unexpected emails from your spouse, children, and colleagues
• KnowBe4 web based training with phishing email tests
37. Bottom Line: Let's Get Serious About Protecting Yourself and Your Company Against Cybercrime!
40. Legal Disclaimer
This presentation is advisory in nature and necessarily general in content. No liability is assumed by reason of the information provided. Whether or not or to what extent a particular loss is covered depends on the facts and circumstances of the loss and the terms and conditions of the policy as issued.
The precise coverage afforded is subject to the terms and conditions of the policies as issued.
41. MA Data Breach Law
Title XV, Chapter 93H, § 3:
“A person or agency that maintains or stores…data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose…”
42. What is the most common data breach?
Source: Ponemon Institute and IBM. 2016 Cost of Data Breach Study: U.S., June 2016
43. Cost of a Data Breach
Cost per Record $221 (2016): Direct Costs $76, Indirect Costs $145
Cost components:
• Discovery
• Data Forensics
• Audit/Consulting
• Notification
• Call Center
• Identity Monitoring
• Identity Remediation
• Lawsuits
• Regulatory Fines
• Reputational Damage/Lost Business
• Customer Acquisition
• Time/Effort spent
• Loss of goodwill
Source: Ponemon Institute and IBM. 2016 Cost of Data Breach Study: U.S., June 2016
44. Where can you get coverage?
• Commercial Property?
• General Commercial Liability?
• Commercial Crime?
• Computer Crime?
• Professional Liability?
45. Where can you get coverage?
Loss types:
• Unauthorized Record Access
• Cyber Fraud
• Denial of Service
• Cyber Extortion
• Cyber Vandalism
Policies:
• ISO Property Policy
• Surety Assoc. Computer Crime
• Surety Assoc. Crime Policy
• Extortion & Kidnap Ransom Policy
46. Cyber Insurance
First Party Losses
◦ Loss of Private Data – Notification costs, publicity costs, crisis management expenses
◦ Business Continuity Expense – Extra expenses to continue operations, business income loss
◦ Cyber Extortion – Ransom payment, other expenses
Third Party Losses
◦ Customer Suits – Privacy: Suits from customers alleging negligence in protecting information and other causes of action
◦ Customer Suits – Denial of Service: Suits from customers alleging negligence in protecting the network against denial of service
◦ Regulation – State law compliance, federal fines & penalties, PCI Assessments
47. Best Practices
• Information Security Policy
• Incident Response Plan
• Business Continuity Plan
• Web Server Security
• Mobile Device Security
• Third Party Vendors
◦ Written contracts with indemnification clause
◦ Make sure to audit and check their security rating
Introduction as to who I am, my job and how this relates to the group I am talking about and what I am going to talk about.
How the FBI prioritizes its threats
- Impact - # victims, $ of loss, egregiousness (sympathetic victims, abuse of trust), scope of scheme (local, national, international), sophistication (organized crime group vs lone wolf)
- Assessment of impact, driven based on our intelligence at the time.
- FBI Intel function is dynamic – we can change priorities, resource allocation, level of focus based on Intel.
Other areas of focus within economic crimes include:
- Credit Card Frauds
- ATM Skimming
- Intellectual Property Rights
- Insurance Fraud
- Mortgage Fraud
- Foreign lottery Schemes
- Law Enforcement Impersonation
At this point, they don’t rise to our “primary areas of focus”. But that is part of the reason we are here. And that is why Building Effective Relationships is so important. Because you can impact our intel picture.
Company had a garbage collection contract with a City. Company collects the garbage and hauls it to a disposal facility. The company receives a spreadsheet from the disposal facility every 2 weeks detailing the tonnage deposited at the disposal facility.
After a four year relationship, the company receives an e-mail from the disposal company with new account details. The e-mail had an accurate invoice spreadsheet attached and requested the payment be sent to a new bank account and routing number. The company sent the wire. The company received a confirmation number and e-mailed to head of accounting at the disposal company and received a thank you e-mail. After two weeks passed, the company received another invoice and was asked to send the payment to another account at a different bank. The company received an e-mail from what appeared to be the POC from the disposal company stating that the money from the previous transfer was refunded and they needed to wire the money to another bank account. The company checked and didn’t see a refund and sent a text message to the POC at the disposal company. The POC stated that he didn’t send any e-mails and was not aware of a refund.
We have recovered over 3.5 million in funds for victims.
We have been successful in pulling back funds multiple links down the chain.
We have been successful in identifying additional victims from money mule account, then contacted those victims to make them aware of the fraud and prevent additional loss.
Give example of recent complaint :
- E-mail from real estate manager’s account stated that they always request funds two days before closing so we have enough time to confirm the availability of the funds in our account. Provided the name of the account to transfer funds, “MROD General Contracting LLC”, which is a wing of their firm with the sole aim of closing transactions. Funds were subsequently wired into account.
-IP addresses for e-mails came back to Nigeria
Real estate Manager – believed that her e-mail was hacked and her email account had been acting “funny” for a few days (Account Takeover)
Money Mules – talk about BEC
- In this example, this was a BEC victim. $100K
- 20K was taken out in three different withdrawals
- One $40K wire was sent to Hong Kong
- One $40K wire was sent to Nigeria
- We got the funds from the 2 wires back
SARs - but also call
Active monitoring
Active holds on suspected money mule accounts
If you suspect your customers are the victims of online romance schemes, work from home schemes or other financial schemes, confront them. Contact local law enforcement to do a wellness check.
What are you doing to ensure money mules or those laundering funds aren’t just opening accounts across the street when you close them down? ChexSystems?
Tell us what you are seeing. Intel on ML schemes.
I listed this first, because this is the biggest and most important focus we have at the moment. That is because it has a broad impact into everything we do. It impacts how we prioritize our threats, how we dedicate our resources, how we go about investigating our cases.
It all starts with Intelligence. The FBI is an Intelligence based law enforcement organization. That means that intelligence drives our investigative process. Now, I am a criminal agent. I have been an agent for 11 years and I think it took 10 years for me to accept this fact. And it really was a simple comment from our Director that helped it click. He said that “Intelligence is simply information that helps us do our job.” Dir. Comey has a gift for making things sound simple. So as the program coordinator for Financial Institution Fraud, I need Intel. I need information about the threat. Where do you think a good source of information might be? Ongoing cases, victim complaints… yes…. But also Industry. That is where you come in. Without Industry, we can’t get an accurate sight picture of our threat. If we can’t see clearly, we can’t possibly hope to address it adequately.
This is something, I will admit, that the FBI has not done well enough. We have not shared information the way we could or should; we have been too guarded with our information and too reliant on the willingness of organizations to accept a one-sided relationship where we simply take and don’t give anything back in return. Is it the case that we can tell you everything? No. But you can’t either. You have BSA restrictions; we have Grand Jury, victim rights, operational security concerns. But if we can trust each other, really believe we are working on the same side to help victims and catch the bad guys, we will find (as I have done already) that we can share a lot more than we have. Example: everything I am going to talk about today is about active investigations. But it will be sanitized.
This trust thing is pretty important. You need to trust that when you tell us things, we are going to act on it appropriately. That certain things will happen on the phone for lead value and certain things will go in formal records. You need to trust that you won’t lose control the second you call us and that we will work with you. But that trust is built over time. That trust will help us and you, as it will encourage early reporting of crimes. There are a few banks where I think I have the perfect relationship. I think of the bank as the place that he works. And he thinks of the FBI as the place that I work. Not these two massive bureaucracies. We also talk informally just to flesh things out. Not just to report crimes.
I feel confident that, should something occur at his bank, he will call me. I am sure he is confident that if he calls me, I will answer the call…. And I will help. Receiving the call early is important. As investigators, a proactive investigation is preferred to a historical one. It allows us to use sources, use undercovers, catch people in the act. A historical one is interviews, document reviews, involves represented parties. They take longer and are less successful. We can work with you on a proactive case. I will touch on an example of this when I talk about account takeovers.
One of the biggest complaints we hear from industry is “who do I call?” There are a lot of LEAs out there. It can be confusing. But that is where a relationship can help as well. Call me up and ask. The FBI also disseminates information. We do this through formal and informal channels. We do PSAs through our websites (like IC3), we do intel products that can be distributed to various groups (like banks), and we can have conversations.
I have come to the conclusion that to have a healthy, successful Financial Institution Fraud Program, effective relationships with industry are a NEED, not a want. The threats I cover today and the cases I will be talking about would not be possible without an effective relationship with industry.
Welcome! Thank you for being with us today.
I’m John Garner from iMedia Technology, and you’re joining our webinar “7 Critical security protections every business must have to avoid a cyber attack”
Today’s webinar will take about 20-30 minutes. At the end we’ll do a few Q&As.
If you have a question, please enter it into the GoToWebinar Chat box.
The past two years we’ve seen a huge shift in cyber crime activity, more than I’ve seen in my entire IT career.
Day to day we manage the technology of 70 businesses.
We’re focusing more and more of our efforts on security, along with keeping our clients business technology current and productive.
We’re managing 50 terabytes of data, and as of yet I’m happy to report none of our clients have had to pay a single penny towards ransomware.
And that’s not by accident.
I’m nervous. I’m not comfortable with public speaking.
If you’ve ever done this, you know the feeling…
what if I forget to smile,
do I sound like I’m reading,
am I interesting,
will they like me? Of course I’m nervous.
Here’s why I do it. To help my clients and to help you.
If you’re good at what you do, it’s because you care, and your customers value you. So I tolerate being nervous.
You know what makes me more than nervous? Even scared? Cyber crime.
We just heard about how serious cyber crime is. And I want to help you avoid becoming a victim. If you’re a business owner, a broker, an independent agent and you or your firm become a cyber victim, you have an obligation to inform and protect your clients.
And as I prepared for this webinar, I realized that we see headlines about cyber security breaches every day.
The thing is, those headlines are for large companies with recognizable brand names. Only the big breaches make the headlines.
The breaches that happen to small businesses by and large go unreported, and are a bit less news worthy.
I want you to understand, that the same tactics used to breach large corporations,
including the Democratic National Committee, are what I’m going to present to you today.
It’s unfair, isn’t it?
If it were a burglary, hit and run, or mugging you’re a victim and people are sympathetic.
If it’s cyber crime there will be no sympathy.
Think of your emotions when you heard Target was hacked.
Stupid, right?
You will be investigated and questioned about what you did to prevent this from happening.
You may be found liable, facing fines and lawsuits. And ignorance won’t be a defense.
And like any business, you might start off as a small business owner, with goals of growth.
Here’s how you make that transition.
Think of spam as casting a broad net. You hope by covering a wide area you’ll get a few bites.
Phishing is more targeted. An example might be targeting people with a Netflix account. Your goal is to trick them into providing their account credentials, credit card information, perhaps even their SSN.
Spear Phishing is a very targeted attack. There are specific people that I want to attack, and I’ll use information very familiar to the target to engage with them. I’ll pose as a Facebook friend. I’ll send emails posing as their banker, accountant, or attorney. My email attacks will be very specific and very convincing.
This is the technique reported to have been used by the Russian hackers on the DNC.
77% of attacks are targeted towards small and medium enterprises.
Criminals know the vast majority have not taken steps to protect their business.
The next few slides we will take some time to address these 5 common attack points
These are paid for advertisements tainted with infection code, or malware.
A third party legitimate ad service is hired to place ads across the internet.
The ads look very legitimate.
However the pages the ads link to are a malicious site.
Cyber criminals need an army of computers to help them with their business.
The dropper is the way they go about building their army.
Last fall there was a large internet outage and many companies had their websites go off line.
It turned out an attack on the internet was performed by common security cameras and the like – the IoT
Ransomware is when your data becomes encrypted and is held for a ransom payment.
Encryption is the act of scrambling your data and making it unreadable. Encryption can only be reversed with a secret key.
Once your data is encrypted, there is no way to decrypt the data without the key.
When we have come across encrypted data, the only way we can help is to restore the data from a prior backup.