Business Email Compromise Scam
©2016 Guardian Analytics , Inc. Confidential & Proprietary
Business Email Compromise – Why it’s So Effective, and How to Prevent It
Guardian Analytics BEC Education Campaign
• Best Practices Kit
• Unbranded materials you can use to educate your clients
• Materials for you and your teams
• Detection
• Conversations with clients
• Example of scams
• Fraud Update on BEC
Guardian Analytics Best Practices Kit: www.GuardianAnalytics.com/BEC-FI
We’re providing materials for FIs to use internally and for them to use to educate business clients.
FBI Warning: Business Email Compromise
• Over 12,000 businesses victimized
• $1.2B in losses
• 270% increase from January 2015 to August 2015
• Institutions experiencing their clients victimized with increasing frequency – many seeing clients hit daily!
Latest BEC impact
Different Forms of BEC
1. Business Email Spoof (lookalike domain @Redllaw impersonating @Redlaw)
2. Business Email Hack (compromised @Redlaw account)
3. Business Email Hack / Vendor Email, Invoice Spoof (compromised @Redlaw account plus vendor lookalike @vendorr)
Criminal determines attack pattern based on whose email they have (CxO vs. Controller/Procurement); the focus is on the CxO.
Fraudsters’ preferred attack scheme depends on which email account they are able to compromise.
1. CxO Masquerading – Domain Spoofing
Diagram: spoofed email from the lookalike domain @Redllaw to Finance Staff.
• Create new lookalike domain (Redllaw vs. Redlaw)
• Research target business and person(s): who to target and impersonate, and the best message
• Sources: general information, personal information, customers/partners, company news, funding, products/patents, travel plans
Fraudsters use publicly available information to learn about the company and who they will impersonate to make the emails very believable.
2. Business Email Hack – CEO Masquerading
Diagram: the fraudster takes over the CEO’s @Redlaw account and emails Finance Staff from it.
• Email takeover via phishing, social engineering, breaches or malware
• Monitor CEO email to learn: relationships, common phrases, business activities, typical transactions, calendar/travel
• Hide email traffic using rules: move, delete, auto-forward
Fraudster studies CEO’s prior emails to make the fake email consistent with style, tone, and wording.
Criminal “Payload” is Changing
• Wire payment request to Finance Staff: wire fraud
• Request for employee/W2 info to Finance/HR Staff: identity theft, tax fraud, new account fraud
Criminals are expanding on the success of BEC to date, now asking for complete W2 files.
3. Supplier Masquerading – Hacked Internal Email
Diagram: the fraudster takes over an internal @Redlaw account, then sends a spoofed invoice from a vendor lookalike domain (@vendorr).
• Email takeover via phishing, social engineering, breaches or malware
• Monitor victim email to learn: vendors, vendor email traffic, relevant “jump in” point, invoices
• Hide email traffic using rules: move, delete, auto-forward
• New supplier lookalike domain
• Spoofed invoice; use CC to fake conversations about the invoice
Fraudsters study vendor emails & invoices to make attack as consistent as possible with prior invoices.
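The move/delete/auto-forward rules described on this slide and the previous one are something a defender can audit for. The Python script below is an added example, not part of the Guardian Analytics deck: it scans a constructed export of mailbox rules (the field names such as forward_to, move_to and delete are an assumed export format, not any mail platform’s real schema) and flags rules that forward to an external domain, delete matching mail, or file finance-related mail away.

```python
"""Audit exported mailbox rules for the traffic-hiding patterns described in the
BEC deck (auto-forward, delete, move). Added example; the rule records are
constructed and their field names are an assumed format, not a vendor schema."""
from typing import Dict, List

INTERNAL_DOMAIN = "redlaw.example"  # assumed domain of the organisation
FINANCE_TERMS = ("invoice", "wire", "payment", "remittance", "w-2", "w2")

# Constructed rule export: one rule that siphons and deletes finance mail, one
# harmless newsletter rule, and one that quietly files vendor invoices away.
SAMPLE_RULES: List[Dict] = [
    {"mailbox": "ceo@redlaw.example", "name": "Vendor",
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"forward_to": ["collector@mail-drop.example"], "delete": True}},
    {"mailbox": "ceo@redlaw.example", "name": "Newsletter cleanup",
     "conditions": {"from_contains": ["newsletter"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "ap@redlaw.example", "name": ".",
     "conditions": {"from_contains": ["vendor.example"], "subject_contains": ["invoice"]},
     "actions": {"move_to": "Archive", "mark_read": True}},
]


def _finance_related(conditions: Dict) -> bool:
    """True if the rule's match terms refer to invoices, wires or payroll data."""
    terms = []
    for key in ("subject_contains", "from_contains", "body_contains"):
        terms.extend(conditions.get(key, []))
    return any(f in t.lower() for t in terms for f in FINANCE_TERMS)


def audit_rule(rule: Dict) -> Dict:
    """Return the rule's findings and a severity derived from them."""
    actions = rule.get("actions", {})
    findings, score = [], 0
    for addr in actions.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
            findings.append(f"auto-forwards to external address {addr}")
            score += 3
    if actions.get("delete"):
        findings.append("deletes matching messages")
        score += 2
    if "move_to" in actions and _finance_related(rule.get("conditions", {})):
        findings.append(f"moves finance-related mail to folder '{actions['move_to']}'")
        score += 2
    severity = "high" if score >= 3 else "medium" if score >= 2 else "none"
    return {"mailbox": rule["mailbox"], "rule": rule["name"],
            "severity": severity, "findings": findings}


def audit_rules(rules: List[Dict]) -> List[Dict]:
    """Return only the rules with findings, most severe first."""
    order = {"high": 0, "medium": 1, "none": 2}
    flagged = [r for r in (audit_rule(x) for x in rules) if r["findings"]]
    return sorted(flagged, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for hit in audit_rules(SAMPLE_RULES):
        print(f"[{hit['severity']}] {hit['mailbox']} rule '{hit['rule']}': "
              + "; ".join(hit["findings"]))
```

External forwarding combined with deletion is the strongest signal because it is exactly the pattern that lets the intruder read the reply traffic while the real mailbox owner never sees it; a move rule on its own is only worth a look when its match terms are about invoices or payments.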
Criminals Use Simple and Complex Schemes
Email 1
From: CEO
To: Dave, Controller
Subject: Need your help – pls keep it quiet
Message: Dave, Can you please wire $56,000 to this company. I’m in a meeting right now, but you don’t need any further approvals. If you have questions, please reply to this email. Your prompt attention to this is critical. Thanks, CEO

Email 2
From: Vendor
To: Finance, Accounts Payable
Subject: Invoice – New Process
Message: Please find attached our latest invoice for the past billing period. Also note that we are implementing a new payment process. Instead of how you have previously made payments, please wire the funds directly to our account. Here are the wire instructions: Routing number: xxxxxxxxxx; Account number: xxxxxxxxxx

Email 3
From: CEO
To: Dave, Controller
Subject: Confidential – Attorney will call
Message: Dear Dave, I would like to bring you in on something very important, but highly confidential. I would appreciate your timely support as well as your discretion, as we are not ready to tell the whole company about this – we are in the process of acquiring a company overseas. This is very strategic to our business. I’ll be connecting you with a lawyer in London who is brokering this transaction for us. He will provide payment instructions for you. I’m handing this project to you because I know I can trust you. I’ll check in with you periodically. Thanks, CEO

Simple Request: relies on urgency and unavailability
Complex Story: relies on secrecy, sense of importance; can result in multiple payments
Schemes are tuned to increase credibility and decrease the likelihood of the victim catching on.
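Two indicators run through slides 5 to 9: the lookalike sender domain (Redllaw vs. Redlaw, vendorr vs. vendor) and the urgency, secrecy, approval-bypass and payment-redirection language of the sample messages. The Python screener below is an added example, not the deck’s or Guardian Analytics’ code: the KNOWN_DOMAINS allowlist, the .example domains and the three sample messages (two modelled on the emails above, one ordinary) are constructed, and the phrase lists and the edit-distance cut-off of 2 are illustrative assumptions.

```python
"""Screen an inbound payment-related email for the BEC cues described in the
deck: a lookalike sender domain and urgency / secrecy / approval-bypass /
payment-redirection language. Added example; domains and messages are constructed."""
from typing import Dict, List, Optional

# Assumed allowlist of domains the finance team legitimately hears from
KNOWN_DOMAINS = {"redlaw.example", "vendor.example"}

# Phrases taken from the scheme examples in the deck, grouped by the lever they pull
CUES = {
    "urgency": ("right now", "prompt attention", "urgent", "immediately"),
    "secrecy": ("keep it quiet", "confidential", "discretion", "not ready to tell"),
    "approval bypass": ("don't need any further approvals", "no further approval"),
    "payment redirection": ("new payment process", "wire the funds", "wire instructions",
                            "routing number", "account number"),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain this sender domain imitates, or None if it is
    a known domain itself or not close to any of them."""
    domain = domain.lower()
    if domain in known:
        return None
    closest = min(known, key=lambda k: levenshtein(domain, k))
    return closest if levenshtein(domain, closest) <= 2 else None


def screen(sender: str, subject: str, body: str) -> Dict:
    """Count independent indicators and map the count to a handling verdict."""
    indicators: List[str] = []
    domain = sender.rsplit("@", 1)[-1]
    target = lookalike_of(domain)
    if target:
        indicators.append(f"sender domain {domain} is a lookalike of {target}")
    text = f"{subject}\n{body}".lower().replace("’", "'")
    for lever, phrases in CUES.items():
        hits = [p for p in phrases if p in text]
        if hits:
            indicators.append(f"{lever}: {', '.join(hits)}")
    score = len(indicators)
    verdict = ("hold for out-of-band verification" if score >= 2
               else "review" if score == 1 else "ok")
    return {"score": score, "verdict": verdict, "indicators": indicators}


# Constructed messages modelled on the deck's examples, plus one ordinary message
SAMPLES = [
    ("ceo@redllaw.example", "Need your help - pls keep it quiet",
     "Dave, can you please wire $56,000 to this company. I'm in a meeting right now, "
     "but you don't need any further approvals. Your prompt attention to this is critical."),
    ("billing@vendorr.example", "Invoice - New Process",
     "Please find attached our latest invoice. We are implementing a new payment process: "
     "please wire the funds directly to our account. Routing number: xxxxxxxxxx"),
    ("cfo@redlaw.example", "Q3 board deck",
     "Attached are the slides for Thursday's board meeting."),
]


def screen_all() -> List[Dict]:
    return [screen(*s) for s in SAMPLES]


if __name__ == "__main__":
    for (sender, subject, _), result in zip(SAMPLES, screen_all()):
        print(f"{sender:<26} {subject:<36} -> {result['verdict']}")
        for indicator in result["indicators"]:
            print("    -", indicator)
```

An edit-distance cut-off this loose will also pair unrelated short domains, so in practice the check is run only against the organisation’s own and its known vendors’ domains. A score of zero does not clear a message: a request sent from a genuinely compromised account (forms 2 and 3 in the deck) carries no domain indicator at all, which is why the deck pushes for non-email confirmation of any payment change.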
Spoofed Vendor Payments Seen in ACH
(Same spoofed vendor invoice email as on the previous slide.)
Traditional: Wire
New: ACH
We’re seeing further adaptation of the scheme to be consistent with prior vendor invoices.
Same Day ACH – Good Target For Criminals
• Prey on urgency/immediacy
• Hard to detect amidst larger ACH volumes
• Same Day ACH likely to replace some wire volume
Diagram: ACH files reach the ODFI via morning Same Day submission, afternoon Same Day submission, or standard submission; Same Day submissions receive Same Day settlement.
Fraudsters will likely increase the use of ACH to take advantage of the speed of Same Day settlement.
BEC Victim Trends
• Variety of business types under attack: title companies, consulting firms, IT providers, legal services, transportation, food service, banks!
• Tend to have higher transactional volumes
• Businesses victimized multiple times: multiple payments as part of one scheme; “vendor” asking for multiple invoices; multiple “vendors” (one business hit 7 times)
We’ve seen a broad range of businesses being victimized, and repeat attacks when they’re successful.
BEC Transaction Trends
• Amounts: consistent with normal company amounts; largest $5MM; average $250K; escalating amounts (Case 1: $3K, $19K, $30K, $50K; Case 2: $8K to $80K)
• Beneficiary FI and location: mix of international and domestic; US – small CUs to largest banks; international – mostly Asia or Eastern Europe
• Beneficiary: individuals 1/3, businesses 2/3 (trading and export, products, logistics, services, catering)
Criminals do their homework and keep amounts consistent with prior payments.
Global Distribution of Wire Destinations
Country          % of incidents
US               51.72%
China            12.64%
Hungary           8.05%
Malaysia          5.75%
Thailand          4.60%
Hong Kong         3.45%
Nigeria           3.45%
Bulgaria          1.15%
UK                1.15%
UAE               1.15%
Seychelles        1.15%
Ukraine           1.15%
Taiwan            1.15%
United Kingdom    1.15%
AU                1.15%
Poland            1.15%
Attempted wires – volume of tx
The wide distribution of beneficiaries makes it difficult to detect fraudulent wires by monitoring for payments to specific destinations.
Domestic Distribution of Wire Destinations
State   % of incidents
FL      18.75%
NY       9.38%
IN       9.38%
CA       9.38%
TX       9.38%
NC       6.25%
AZ       6.25%
GA       6.25%
MI       6.25%
SC       3.13%
WI       3.13%
MS       3.13%
ID       3.13%
CT       3.13%
OH       3.13%
Attempted wires – volume of tx
Similarly for domestic wires, they’re widespread, risking high false positives for rules-based systems.
Impact of BEC Fraud On Financial Institutions
Increase in bank cost:
• Increased alerts to try to detect
• Increased callbacks
• Increased volume & cost of recovery
• Cost of education
Poor customer experience:
• Degradation in trust/experience
• Reputation risk
Better fraud prevention can reduce the negative impact.
Even though FIs are not liable for losses, they are hit with increased costs and damaged reputation.
Why Detecting BEC is Hard
Diagram: a spoofed CEO email or spoofed supplier email reaches a legitimate user (CFO or controller), who requests the wire online, by fax or at the branch; the funds go to a criminal beneficiary or mule.
• Criminals do their homework on their targets and prey on urgency, sense of duty and importance
• Legitimate user logs into online banking or requests the wire (legacy ATO detection methods don’t work)
• New beneficiaries common (40% of wires to new beneficiaries)
• BEC beneficiary FIs vary (domestic, international, banks, credit unions)
• BEC amounts within typical range of client wires
Fraudulent wires from BEC are hard to detect because requestors, process and amounts are consistent with prior wires.
Typical Fraud Detection Not Working
Diagram: detection rate plotted against alert volume.
• Trust too much: a rule such as “over $100K AND international AND new recipient” gives low alert volume but a low detection rate
• Trust too little: a rule such as “over $100K OR international OR new recipient” gives a high detection rate but high alert volume
• Know when to trust, know when NOT to trust
FIs are having to trade off volume of false positives with friction and success rates at detecting fraudulent payments. Guardian Analytics delivers high detection with low false positives.
Knowing When To Trust, When to Raise Risk
• Learn each individual originator’s behavior over time to determine risk
• Learn new recipient ratio and typical beneficiary patterns (e.g. keeps false positives for title companies down)
• Look to see if we can raise or lower trust of a beneficiary: multiple wires to the same “bene” spread out over time can raise trust; many in rapid succession are less trustworthy
• Use what we’ve learned from other fraud: match in mule database?
100+ Wire Attributes Analyzed
Wire attributes listed on the slide:
• Addenda, AddendaInformation, AddendaLength, Amount, AmountCurrencyCode, BBI
• BeneAddress1, BeneAddress2, BeneAddress3, BeneCountryCode, BeneFIAddress1, BeneFIAddress2, BeneFIAddress3, BeneFICountryCode, BeneFIID, BeneFIIDCode, BeneFIName, BeneFIStateProvince, BeneficiaryAdviceInfoAdditionalInfo, BeneficiaryAdviceInfoAdviceCode, BeneficiaryFIAdviceInfoAdditionalInfo, BeneficiaryFIAdviceInfoAdviceCode, BeneIDCode, BeneIdentifier, BeneName, BeneReference, BeneStateProvince
• BusinessFunctionCode, DestinationType, Direction, DisplayFields, DrawdownCreditAccount, DrawdownDebitAccount, DrawdownDebitAccountAdviceInfoAdditionalInfo, DrawdownDebitAccountAdviceInfoAdviceCode, ExchangeRate
• IMADInputCycleDate, IMADInputSequenceNumber, IMADInputSource, ImmutableCompanyID, ImmutableUserID, InstructedAmount, InstructedCurrencyCode, InstructingFIAddress1, InstructingFIAddress2, InstructingFIAddress3, InstructingFICountryCode, InstructingFIID, InstructingFIIDCode, InstructingFIName, InstructingFIStateProvince
• IntermediateFIAddress1, IntermediateFIAddress2, IntermediateFIAddress3, IntermediateFIAdviceInfoAdditionalInfo, IntermediateFIAdviceInfoAdviceCode, IntermediateFICountryCode, IntermediateFIID, IntermediateFIIDCode, IntermediateFIName, IntermediateFIStateProvince
• OBI, OMADOutputCycleDate, OMADOutputDate, OMADOutputDestinationID, OMADOutputSequenceNumber, OMADOutputTime
• OrigAddress1, OrigAddress2, OrigAddress3, OrigCountryCode, OrigFIAddress1, OrigFIAddress2, OrigFIAddress3, OrigFICountryCode, OrigFIID, OrigFIIDCode, OrigFIName, OrigFIStateProvince, OrigIDCode, OrigName, OrigStateProvince
• PaymentNotificationContactFaxNumber, PaymentNotificationContactMobileNumber, PaymentNotificationContactName, PaymentNotificationContactNotificationElectronicAddress, PaymentNotificationContactPhoneNumber, PaymentNotificationEndToEndIdentification, PaymentNotificationIndicator
• ReceiverFIAddress1, ReceiverFIAddress2, ReceiverFIAddress3, ReceiverFICountryCode, ReceiverFIID, ReceiverFIIDCode, ReceiverFIName, ReceiverFIStateProvince, Recurrence, RepeatRequest, RequestID
• SenderFI, SenderFIAddress1, SenderFIAddress2, SenderFIAddress3, SenderFICountryCode, SenderFIID, SenderFIIDCode, SenderFIName, SenderFIStateProvince, SenderReference, SettlementMethod, Source, Status, SubType, TemplateName, TransferDate, Type, Type_Subtype, WireID
We analyze 100+ aspects of client behavior. Risk is scored based on combinations of activities.
Guardian Analytics Wire Finds Unusual Wires
Originator Model (wire behavioral analytics, 100+ attributes from wire system):
• Would beneficiary be expected? (new beneficiary ratio, beneficiary and FI location/region)
• Are the originator’s wire actions normal? (timing, velocity, type, accounts, direction, use of instructions, content of instructions)
• Are the wires typical? (type, amount)
Cross-institution risk data (network effect)
Beneficiary Model:
• Is this a high or low risk beneficiary? (beneficiary history with other originators, name/account number match, suspected mule)
Self learning: no rules to write, not threat specific, adapts to new threats, automatic updates to analytics.
Our solution answers behavioral questions that indicate what is normal vs. suspicious behavior.
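Slides 19 and 21 describe the behavioral questions the scoring asks: is the beneficiary new for this originator, weighted by the originator’s own new-recipient ratio; is the beneficiary trusted across other originators, with spread-out repeat wires raising trust and rapid bursts lowering it; are the amount, country and velocity in line with the originator’s history; does the beneficiary match a mule list. The Python scorer below is an added example that implements those questions as a simple additive score; it is not Guardian Analytics’ model, whose weighting and attributes are not published here. The wire history, the three candidate wires, the MULE_ACCOUNTS set, the weights and the hold threshold of 7 on a 0-10 scale are all constructed for illustration.

```python
"""Behavioral wire risk scoring in the spirit of the deck's slides 19 and 21.
Added example with constructed history and weights; not the vendor's model."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Wire:
    originator: str    # client sending the wire
    beneficiary: str   # beneficiary account identifier
    amount: float
    country: str       # beneficiary FI country
    sent: date


HOLD_THRESHOLD = 7.0            # assumed cut-off on a 0-10 scale
MULE_ACCOUNTS = {"MULE-001"}    # constructed stand-in for a shared mule database
TODAY = date(2016, 4, 1)

# Constructed history: a title company paying someone new every month, an IT
# services firm paying two vendors small amounts weekly, and a third originator
# that also pays VENDOR-A (cross-originator beneficiary history).
HISTORY: List[Wire] = (
    [Wire("titleco", f"TITLE-BENE-{m}", 150_000 + 20_000 * m, "US",
          date(2015 + (3 + m) // 12, (3 + m) % 12 + 1, 15)) for m in range(12)]
    + [Wire("itsvc", "VENDOR-A" if k % 2 == 0 else "VENDOR-B", 600 + 40 * k, "US",
            date(2016, 1, 7) + timedelta(days=7 * k)) for k in range(10)]
    + [Wire("otherco", "VENDOR-A", 5_000, "US", d)
       for d in (date(2015, 9, 1), date(2015, 12, 1), date(2016, 3, 1))]
)


def beneficiary_trust(history: List[Wire], bene: str) -> float:
    """Trust (0..1) in a beneficiary from every originator's history: repeated
    wires spread over months raise trust, a burst in rapid succession lowers it."""
    wires = sorted((w for w in history if w.beneficiary == bene), key=lambda w: w.sent)
    if not wires:
        return 0.0
    span_days = (wires[-1].sent - wires[0].sent).days
    originators = {w.originator for w in wires}
    if len(wires) >= 3 and span_days < 7:
        return 0.1
    if len(wires) >= 3 and span_days >= 90:
        return 0.9 if len(originators) >= 2 else 0.7
    return 0.5


def score_wire(w: Wire, history: List[Wire], today: date = TODAY) -> Dict:
    """Additive 0-10 risk score plus the reasons that contributed to it."""
    own = sorted((h for h in history if h.originator == w.originator), key=lambda h: h.sent)
    score, reasons = 0.0, []
    if w.beneficiary in MULE_ACCOUNTS:
        score += 6.0
        reasons.append("beneficiary matches mule database")
    seen = {h.beneficiary for h in own}
    # Share of this originator's wires that went to a not-yet-seen beneficiary:
    # near 1.0 for a title company, low for a firm that pays the same two vendors.
    new_ratio = len(seen) / len(own) if own else 1.0
    if w.beneficiary not in seen:
        trust = beneficiary_trust(history, w.beneficiary)
        score += 3.0 * (1 - new_ratio) + 2.0 * (1 - trust)
        reasons.append(f"new beneficiary (new-recipient ratio {new_ratio:.2f}, "
                       f"beneficiary trust {trust:.1f})")
    amounts = [h.amount for h in own]
    if amounts and w.amount > 3 * max(amounts):
        score += 2.0
        reasons.append("amount far above originator's largest prior wire")
    elif amounts and w.amount > 1.5 * median(amounts):
        score += 1.0
        reasons.append("amount above originator's typical range")
    if own and w.country not in {h.country for h in own}:
        score += 1.5
        reasons.append(f"first wire to {w.country}")
    if own and (today - own[-1].sent).days > 120:
        score += 1.0
        reasons.append("first wire in over four months")
    if sum(1 for h in own if (today - h.sent).days <= 1) >= 3:
        score += 1.5
        reasons.append("several wires in rapid succession")
    score = round(min(score, 10.0), 1)
    return {"score": score,
            "decision": "HOLD" if score >= HOLD_THRESHOLD else "RELEASE",
            "reasons": reasons}


# Constructed candidates: a routine new-party payment by the title company, a
# BEC-style wire from the IT firm to a mule abroad, and a routine vendor payment.
CANDIDATES = [
    Wire("titleco", "TITLE-BENE-NEW", 250_000, "US", TODAY),
    Wire("itsvc", "MULE-001", 20_000, "CN", TODAY),
    Wire("itsvc", "VENDOR-A", 800, "US", TODAY),
]


def score_all() -> List[Dict]:
    return [score_wire(c, HISTORY) for c in CANDIDATES]


if __name__ == "__main__":
    for c, r in zip(CANDIDATES, score_all()):
        print(f"{c.originator:<8} -> {c.beneficiary:<15} ${c.amount:>12,.0f} "
              f"score {r['score']:>4} {r['decision']}")
        for reason in r["reasons"]:
            print("    -", reason)
```

The title company’s wire to a brand-new party scores low because its own history is almost entirely new beneficiaries, which is the false-positive case the deck calls out; the IT firm’s $20K wire to an unknown account in a new country is far outside its pattern of sub-$1,000 vendor payments and is held even before the mule-list match is counted.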
Real-time Risk Scoring and Intervention
Diagram: a wire is initiated through any channel (mobile, branch, contact center, online, file upload) and enters the wire system.
• Wire comes in; payment fields immediately sent to Guardian Analytics for analysis
• Guardian Analytics Wire analyzes 30+ fields and nearly 75 attributes from PAYPlus
• Risk score and hold/release instructions returned immediately to wire system (e.g. 9.2: Hold; 2.2: Release)
• Held wires go to Review Alerts for a release/cancel decision; released wires are sent to the Fed
Every wire is risk scored. Automatic release of low-risk wires allows analysts to focus their time on investigating the small number of high-risk payments.
Guardian Analytics Wire Successfully Detects BEC
Five detected attacks (Attack 1 | Attack 2 | Attack 3 | Attack 4 | Attack 5):
• Beneficiary FI: AZ-based CU | large national bank | large national bank | large international bank | Chinese bank
• Beneficiary location: AZ (previously sent wires to many states, and other countries) | NY (previously sent wires to TX, WI) | Hong Kong (had done US and UK wires in the past) | China (history of US wires only)
• Beneficiary: individual | individual | individual | business | business
• Originator velocity: first wire in four months
• OBI frequency: infrequent or new use of OBI
• Originator amount: $39K | $20K (most wires $0-$1,000) | $73K | $125K | $2,871,000, $4,950,000, $4,850,000, $4,969,000
• Originator description: frequent wire sender – IT services company | frequent wire sender – title company | sporadic wire sender – legal services | frequent wire sender – transportation services | frequent wire sender – title company
What the attacks have in common:
• No one bank pattern – US/international, large/small, bank/CU
• No one location pattern
• Combination of business and individual
• Mixed use of instructions
• Amount often within range of typical behavior
• Could be single or multiple hits
Attacks have a wide range of variation, making BEC attacks difficult to detect with rules.
Accurate Detection, Low Alert Volume
The combination of specific attributes of this wire was unusual and untrusted, and yielded a red alert.
Guardian Analytics provides a complete and consolidated view of account history.
Note that behavioral deviations are expected and do not yield red alerts (top row).
Note the variation in wire amount did not trigger a false positive, as FraudMAP recognized combined behavior as normal.
You’ve Detected It – Now On To the Client…
• Be prepared with details, be prepared to spend time with the business
• Start like a normal verification call; get the customer talking
• Help them to see why you’re suspicious
• Explain the scams
• Probe into the situation – ask if they received the request via email, ask for key words
• Push for non-email based confirmation
• Remind them you’re there to help
• Redirect the emotion – focus on the pain of the business losing money
Be prepared for what can be a difficult call with a victimized client.
Impact of BEC Fraud On Financial Institutions
Decrease in costs:
• Reduced alerts
• Reduced callbacks
• Increased detection, less recovery
• Cost of education
Increase in trust:
• Increase in trust, enhanced experience
By improving their ability to detect BEC attacks, FIs will reduce costs and increase trust.
Guardian Analytics Successes with BEC
Bank with ~4,000 wires per day
• Fraud prevented: $19M in two months
• Efficiency gains: reduced reviews to only wires flagged by Guardian Analytics, all else automatically processed (50-100 wires/day)
• Client experience: reduced callbacks; reduction in alerts freed time for deeper client discussion of likely BEC attacks
Bank with ~1,500 wires per day
• Fraud prevented: $500K in six months
• Efficiency gains: previously held all online wires (250/day); Guardian Analytics scores all 1,500 wires/day, but holds only 75 from any channel, reducing bank effort by 70%
• Client experience: faster processing, fewer callbacks (1-5/day)
Guardian Analytics Wire Benefits
• Accurate detection with low alert rates
• Reduction in false positives reduces overall workload and creates time for banks to spend with customers
• Better client experience
• Reduction of time spent on paperwork and funds retrieval
• Reduced risk of lawsuits, reputation issues
• Build deep client satisfaction and loyalty
Guardian Risk Engine
Solutions to Detect Fraud Across Channels and Transactions
Guardian Solutions
Guardian Enterprise API
Guardian Visual Analytics
We offer behavior-based solutions across channels and payment types, plus an API to incorporate proprietary data. The Risk Engine calculates risk scores that are presented through our visual analytics.
For More Information
• Email [email protected]
• Request a one-on-one briefing
• Visit www.GuardianAnalytics.com
• Sign up for a demo
• Sign up for our monthly Fraud Updates
• Download BEC Best Practices: www.GuardianAnalytics.com/BEC-FI
• Watch the recording of this webinar: http://info.guardiananalytics.com/BECWebinar-Mar2016-reg.html
Business Email Compromise – Why it’s So Effective, and How to Prevent It
Thank You!