
Payment fraud


The payment fraud landscape is changing fast: from classic schemes such as bank cheque fraud and faked manual payment orders to organized crime that targets corporates.

Published in: Technology


  1. Payment Fraud
     Ramiro Cid | Twitter: @ramirocid
  2. Index
     1. Definitions (page 3)
     2. Why you should be concerned? (page 5)
     3. Potential Impact (page 6)
     4. Fraud: Basic Controls (page 7)
     5. Changing Payment Fraud Landscape (page 8)
     6. Red Flags - Managing Payments (page 9)
     7. Risk and Controls: Beneficiary Change Requests (page 11)
     8. Combat Payment Fraud: Best Practices (page 12)
     9. Sources used and to expand knowledge (page 13)
  3. Definitions
     • Fraud: an act by one party, whether successful or not, to deprive another of something (goods, services, money, etc.) by deception. Fraud also occurs when dishonest acts are committed without personal gain but are intended to create a loss, or a risk of loss, for another person or entity. This includes the intentional misrepresentation of financial condition.
     • Social engineering: in the context of information security, the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud or system access; it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
     • Cybercrime: also known as computer crime, any crime that involves a computer and/or a network. The computer may have been used in the commission of the crime, or it may be the target. Netcrime, the criminal exploitation of the Internet, is inherently a cybercrime. The term also covers offences committed against individuals or groups of individuals, with a criminal motive, to intentionally harm the victim's reputation or to cause the victim physical or mental harm or loss, directly or indirectly, using modern telecommunication networks such as the Internet (chat rooms, e-mail, notice boards and groups) and mobile phones.
  4. Definitions (continued)
     • Cyber security: also known as "IT security" or "computer security", information security applied to computing devices such as servers and mobile devices (smartphones, tablets, etc.) and to computer networks, private and public, including the whole Internet.
  5. Why you should be concerned?
     The market offers a wide range of systems, products and services focused on computer security: antivirus, antispyware, firewalls, IPS, WAF, SIEM systems, etc. All these measures are indispensable and have become a priority for any company or organization that wants to protect its assets. Social engineering, however, has the advantage of using techniques that exploit vulnerabilities inherent in human beings, and, as is well known, there is no patch or upgrade that provides effective protection against such attacks. People are normally "the weakest link in the chain".
  6. Potential Impact
     • Financial loss
     • Increased management time
     • Loss of public trust and loss of corporate image
     • Legal penalty fees
     • Loss of new/existing customers
     • Increased external/internal audit costs
     • Company morale
     • Etc.
  7. Fraud: Basic Controls
     • Understand the risk (internal / external)
     • Trust vs. process (knowledge of people vs. formal processes in action)
     • Know your customers / suppliers
     • Know your employees (from recruitment to their last day in the organization)
     • Training (best practices, awareness, etc.)
  8. Changing Payment Fraud Landscape
     Classic schemes (still alive):
     • Faked manual payment orders
     • Direct debit fraud
     • Bank cheque fraud
     New fraud opportunities rising:
     • Organized crime
     • Psychological expertise
     • Corporates as targets
     • Technology
     • Corrupted communication
     • Social networks
     Local structures and processes:
     • Local business knowledge
     • Different ERP systems
     • Established external relationships
     • Diverse processes
     Changing to harmonized services:
     • Stricter segregation of duties
     • One system
     • Less local knowledge
     • Distance to the business
     New environments bring new risks.
  9. Red Flags - Managing Payments
     Have you noticed?
     • Alarmist or perhaps overly complimentary language
     • Abusive or aggressive requests to transact
     • Changes in a customer's usual tone or demeanor
     • Suggestions of losing money if you fail to act
     • Senior officer name-dropping to rush transactions
     • Customers/suppliers calling in before callbacks can be made
     • Changes in a customer's/supplier's usual callback number
     • Customers/suppliers rarely available via official channels
     • Customers/suppliers who seem anxious to complete transactions
     • Customer/supplier contact details that aren't on file
     • Unfamiliar suppliers or altered transaction details
     • Additional system login steps or transaction pages
     • System instructions that "appear" mysteriously
     • Poorly written grammar, syntax or spelling
     • Fake letterhead, faxed or e-mailed instructions
     • E-mail address variations or domain name changes
  10. Red Flags - Managing Payments (continued)
     • Receiving unsolicited calls from unknown contacts
     • Contacting alleged customers on unusual numbers
     • Accepting enclosed or unconfirmed contact details
     • Receiving or acting on unsolicited instructions
     • Clicking on unexpected, unfamiliar or fake links
     • Circumventing procedures for plausible reasons
     • Dealing with a first-time or unknown beneficiary
     • Carrying out instructions after a profile change
     • Making immediate or urgent payment changes
     • Removing close to all, or an entire, account balance
     • Approving an unknown or unfamiliar transaction
     • Transferring funds on or before an extended holiday
     • Transferring funds to a known secrecy haven
     • Transferring a small sum followed by a large sum to a beneficiary
     • Transferring funds to an alternative jurisdiction
  11. Risk and Controls: Beneficiary Change Requests
     The problem with fraudsters is that they . . .
     • Make attempts to redirect payments.
     • Seek to change beneficiary bank details.
     • Hope you will accept forged letterheads.
     • Attempt to notify you of new bank changes.
     • Pose as new account managers or bank technicians.
     • Hack senior email accounts to request a payment.
     • Operate across markets, sectors and geographies.
     • Work in ever more creative, sophisticated ways.
     The way to reduce the risk of fraud is to . . .
     • Independently validate every change request you receive.
     • Confirm agreements in writing with known contacts.
     • Never act on agreements from unknown requesters.
     • Validate only via approved channels and contacts.
     • Ensure beneficiary payment processes are robust.
     • Always be vigilant towards unusual requests or requests that contain red flags.
  12. Combat Payment Fraud: Best Practices
     • You want to PERFORM checks to reduce payment fraud risk » Validate payment instructions for any new counterparty; the same authentication should be applied to any subsequent change request received.
     • You want to MANAGE high-value or high-risk transactions » Set additional approval levels in your electronic banking system.
     • You want to REDUCE business-wide transaction risk » Segregate duties for sensitive and high-risk activities.
     • You want to better UNDERSTAND social engineering » Ask IS and/or group treasury for advice. Promote training.
     • You want to know how to CHECK suspicious activity » Review transaction reports and conduct frequent user audits.
     • Follow at all times the best practices of Information Security management.
     • Make yourself familiar with policies such as the Electronic Banking Security Policy and Best Practices for Payments.
     • Whenever fraud (or an attempt) happens: report immediately to your manager in order to align with FICO and Treasury and coordinate the next steps!
     • After the attack is resolved, it is important to run a lessons-learned exercise so that the knowledge gained from the real attack improves the response to similar situations in the future.
  13. Sources used and to expand knowledge
     • "Types of Phishing Attacks" | PC World
     • "Hacking with Social Engineering. Techniques for Human Hack. Hacker World" (book in Spanish) | URL: HACKER/89345/978-84-9964-539-1
     • "Stop, Thief! Best Practices in Fighting Payment Fraud" | Citibank | Author: Cheryl Gurz
     • "Bank fraud" | Wikipedia
  14. Questions?
     Many thanks!
     Ramiro Cid, CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL | @ramirocid
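Two of the red flags on slide 9, "e-mail address variations or domain name changes" and "contact details that aren't on file", can be checked mechanically before an accounts-payable clerk acts on an e-mailed instruction. The following is an added example written for this page, not code from the presentation or its author. It assumes a supplier allow-list held in the vendor master record (constructed here as SUPPLIERS_ON_FILE), an assumed homoglyph table, and a deliberately simplified notion of "registrable domain" in place of the full Public Suffix List; the headers it screens are constructed.

```python
import re
import unicodedata

# Constructed allow-list: the e-mail domains held on file for each supplier.
# In practice this comes from the vendor master record, never from an e-mail.
SUPPLIERS_ON_FILE = {
    "Acme Industrial": {"acme-industrial.com"},
    "Globex": {"globex.co.uk", "globex.com"},
}

# Second-level labels under which the registrable name is three labels deep
# (globex.co.uk, not co.uk). A simplification of the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

# Substitutions fraudsters use to imitate a domain (assumed list; extend as needed).
HOMOGLYPH_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "i": "l"})
HOMOGLYPH_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def extract_address(from_header: str) -> str:
    """'AP Team <ap@x.com>' -> 'ap@x.com'; a bare address is returned as-is."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()


def registrable(domain: str) -> str:
    """Registrable part of a domain: mail.acme-industrial.com -> acme-industrial.com."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Fold accents and common homoglyphs so look-alike names compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(HOMOGLYPH_SINGLE)
    for src, dst in HOMOGLYPH_MULTI:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from a known domain is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(supplier: str, from_header: str) -> list[str]:
    """Red flags raised by a From: header for a supplier we know.
    An empty list means the sender domain is exactly one held on file."""
    address = extract_address(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    sender_domain = address.rsplit("@", 1)[1]
    on_file = SUPPLIERS_ON_FILE.get(supplier, set())
    if sender_domain in on_file:
        return []
    flags = []
    sender_reg = registrable(sender_domain)
    for known in sorted(on_file):
        known_reg = registrable(known)
        if sender_reg == known_reg:
            flags.append(f"{sender_domain} is a subdomain of {known}, not itself on file")
        elif known in sender_domain:
            flags.append(f"on-file name {known} embedded in unrelated domain {sender_reg}")
        elif sender_reg.split(".", 1)[0] == known_reg.split(".", 1)[0]:
            flags.append(f"TLD changed: {sender_reg} instead of {known_reg}")
        elif normalize(sender_reg) == normalize(known_reg):
            flags.append(f"homoglyph look-alike of {known_reg}: {sender_reg}")
        elif levenshtein(sender_reg, known_reg) <= 2:
            flags.append(f"typo look-alike of {known_reg}: {sender_reg}")
    if not flags:
        flags.append(f"sender domain {sender_domain} is not on file for {supplier}")
    return flags


if __name__ == "__main__":
    # Constructed headers: the first is legitimate, the rest are suspicious.
    for supplier, hdr in (("Acme Industrial", "AP <ap@acme-industrial.com>"),
                          ("Acme Industrial", "ap@acme-lndustrial.com"),
                          ("Acme Industrial", "ap@acrne-industrial.com"),
                          ("Acme Industrial", "ap@acme-industrial.net"),
                          ("Globex", "finance@globex.co.uk.secure-docs.net")):
        print(hdr, "->", assess_sender(supplier, hdr))
```

The check is a screen, not a verdict: a header that passes only proves the sender domain matches the record, and a passing domain can still be a compromised mailbox, which is why the callback controls on slides 11 and 12 remain necessary.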
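The controls on slides 11 and 12 (independent validation of beneficiary changes, callback to the contact on file rather than the one in the request, segregation of duties, extra approval for high-value payments) and the transaction red flags on slide 10 can be expressed as a small policy engine that a payment workflow runs before applying a change or releasing funds. This is an added example written for this page, not the author's or any organization's code. The thresholds (HIGH_VALUE, the 90% balance ratio, the 5% small-then-large ratio), the holiday calendar, the IBANs, names and phone numbers are all assumed or constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HIGH_VALUE = 50_000.0          # assumed threshold above which two approvers are required
NEAR_TOTAL_BALANCE = 0.90      # assumed: a payment taking >= 90% of the balance is a red flag
SMALL_TEST_RATIO = 0.05        # assumed: an earlier payment under 5% of this one is a "test"
EXTENDED_HOLIDAYS = {date(2024, 12, 24), date(2024, 12, 31)}   # constructed calendar


@dataclass
class Beneficiary:
    name: str
    iban: str
    callback_phone: str        # captured at onboarding, from the vendor master record
    paid_before: bool = False


@dataclass
class ChangeRequest:
    beneficiary: str
    new_iban: str
    requested_by: str                          # clerk who received and keyed the request
    phone_in_request: Optional[str] = None     # any "call us on" number in the letter or e-mail


@dataclass
class Callback:
    dialled: str
    performed_by: str
    confirmed: bool


@dataclass
class Payment:
    beneficiary: str
    amount: float
    prepared_by: str
    approvers: list[str]
    value_date: date


def validate_change_request(req: ChangeRequest, bene: Beneficiary,
                            callback: Optional[Callback]) -> list[str]:
    """Controls on a bank-detail change. Empty list: the change may be applied."""
    problems = []
    if callback is None:
        problems.append("no independent callback performed")
    else:
        if callback.dialled != bene.callback_phone:
            problems.append("callback went to a number that is not the one on file")
        if callback.performed_by == req.requested_by:
            problems.append("requester verified their own request (no segregation of duties)")
        if not callback.confirmed:
            problems.append("contact on file did not confirm the new details")
    if req.phone_in_request and req.phone_in_request != bene.callback_phone:
        problems.append("request carries its own contact number; it must not be used for validation")
    return problems


def screen_payment(pay: Payment, bene: Beneficiary, balance: float,
                   history: list[Payment]) -> list[str]:
    """Red flags on a payment release, following the list on slide 10."""
    flags = []
    if pay.prepared_by in pay.approvers:
        flags.append("preparer is also an approver")
    if pay.amount >= HIGH_VALUE and len(set(pay.approvers)) < 2:
        flags.append("high-value payment requires two distinct approvers")
    if not bene.paid_before:
        flags.append("first payment to this beneficiary")
    if pay.amount >= NEAR_TOTAL_BALANCE * balance:
        flags.append("payment removes almost the entire account balance")
    recent = [p for p in history if p.beneficiary == pay.beneficiary
              and 0 <= (pay.value_date - p.value_date).days <= 7]
    if any(p.amount <= SMALL_TEST_RATIO * pay.amount for p in recent):
        flags.append("small transfer followed by a large sum to the same beneficiary")
    if pay.value_date in EXTENDED_HOLIDAYS or pay.value_date + timedelta(days=1) in EXTENDED_HOLIDAYS:
        flags.append("funds leave on or just before an extended holiday")
    return flags


def run_demo() -> dict:
    """Constructed scenario: an e-mailed IBAN change, then a large payment the day before a holiday."""
    bene = Beneficiary("Acme Industrial", "GB29NWBK60161331926819", "+44 20 7946 0001", True)
    req = ChangeRequest("Acme Industrial", "LT121000011101001000", "alice", "+44 7700 900123")
    proper = Callback("+44 20 7946 0001", "bob", True)        # number on file, different person
    improper = Callback("+44 7700 900123", "alice", True)     # number from the request, same person
    small = Payment("Acme Industrial", 250.0, "carol", ["bob"], date(2024, 12, 20))
    big = Payment("Acme Industrial", 120_000.0, "alice", ["alice"], date(2024, 12, 23))
    ok = Payment("Acme Industrial", 8_000.0, "alice", ["bob", "carol"], date(2024, 12, 10))
    return {
        "proper_callback": validate_change_request(req, bene, proper),
        "improper_callback": validate_change_request(req, bene, improper),
        "no_callback": validate_change_request(req, bene, None),
        "big_payment": screen_payment(big, bene, 130_000.0, [small]),
        "ok_payment": screen_payment(ok, bene, 130_000.0, []),
    }


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(case, "->", findings or "clean")
```

The point of the change-request check is that the request itself is never a source of truth: the phone number it carries is flagged even when the callback was done correctly, because a clerk who dialled it would have been validating the fraudster's story with the fraudster.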