Innovating Payments Community


Fraud in the Age of COVID-19 - Includes Q&A with Steven Silberstein, CEO, FS-ISAC

By Mark Dixon, AAP, APRP, NCP posted 11-12-2020 13:09


Financial institutions have weathered the COVID-19 crisis well, with many of them further digitalizing their products and services in record time and processing more than 81 million Economic Impact Payments (EIPs) and more than 4 million Paycheck Protection Program (PPP) loans. An area of continued concern, however, is the rise in overall fraud that appears to stem from the conditions the pandemic created.


With that in mind, I attended a recent FS-ISAC training exercise with a focus on Business Email Compromise (BEC). This exercise was a great experience, providing me insight into the inner workings of a BEC attack. The nuts and bolts of a BEC include the following steps:

  • Making contact – someone reaches out (usually by email) claiming to be the CEO, an IT person, a VP, etc. and needing something from you. The email address may be slightly off (a lookalike domain or a one-character typo of the real one), or something about the message in general just does not seem right.
  • What they ask for – the request comes with a high sense of urgency and a justification for what is being asked (an immediate vendor disbursement, bonuses for employees, etc.), and it makes you feel that you are needed to make this happen. Requests may be reinforced by follow-up phone calls that spoof an internal extension to seem even more authentic.
  • These are planned attacks, usually preceded by reconnaissance: gathering the names, extensions, email addresses, department structure and other details needed to make the request believable.
  • Once convinced, victims may execute wire transfers, submit ACH payroll files, or even purchase prepaid gift cards and send the card details to the fraudsters. Once gone, these funds are typically not recoverable.
  • In the future, BEC may be backed by artificial intelligence (AI), automating these attacks and using machine learning to execute even more sophisticated ones.
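The "slightly off" address and the urgency cues in the steps above can be screened mechanically before a human ever reads the message. The following Python is an added example, not code from the original post or from FS-ISAC: it parses constructed sample headers, normalizes the sender domain for common lookalike substitutions, compares it against an assumed list of trusted domains, checks whether Reply-To routes the conversation elsewhere, looks for an executive's name on an outside address, and counts urgency and payment language. The trusted domains, executive names and sample messages are all made up for illustration.

```python
"""Heuristic screening of inbound mail for BEC indicators (added example).

Trusted domains, executive names and the sample messages below are assumed
for illustration; they are not from the original post.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains of the institution and its known vendors.
TRUSTED_DOMAINS = {"examplebank.com", "vendor-supplies.com"}
# Assumed: names a fraudster would impersonate (compared lower-cased).
KNOWN_EXECUTIVES = {"jane smith"}
# Language typical of the "what they ask for" step; two or more hits is a signal.
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|confidential|wire|gift cards?)\b",
    re.IGNORECASE,
)


def normalize_domain(domain: str) -> str:
    """Undo common lookalike tricks: rn->m, vv->w, digits standing in for letters."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01357", "olest"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def screen_message(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message (plain text body)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. Sender domain that is not ours but looks like ours.
    if from_domain not in TRUSTED_DOMAINS:
        norm = normalize_domain(from_domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            if norm == trusted or edit_distance(norm, trusted) <= 2:
                findings.append(f"lookalike sender domain {from_domain!r} resembles {trusted!r}")
                break

    # 2. Replies silently routed to a different mailbox than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr!r} routes replies away from {from_domain!r}")

    # 3. An executive's name on an address outside the institution.
    if from_domain not in TRUSTED_DOMAINS and any(n in from_name.lower() for n in KNOWN_EXECUTIVES):
        findings.append(f"display name {from_name!r} impersonates an executive from {from_domain!r}")

    # 4. Urgency and payment language across subject and body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + "\n" + body)})
    if len(hits) >= 2:
        findings.append(f"urgency/payment language: {', '.join(hits)}")
    return findings


# Constructed sample: the fraudulent request described in the post ("1" for "l").
SAMPLE_BEC = """\
From: "Jane Smith, CEO" <jane.smith@examp1ebank.com>
Reply-To: jane.smith.ceo@webmail.example
To: ap@examplebank.com
Subject: Urgent vendor payment

I am in a meeting and cannot talk. Please process this wire immediately
and keep it confidential until I return.
"""

# Constructed sample: routine mail from a known vendor.
SAMPLE_OK = """\
From: Bob Jones <bob.jones@vendor-supplies.com>
To: ap@examplebank.com
Subject: October invoice

Hi, invoice 1042 is attached as usual. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, screen_message(sample) or ["no findings"])
```

Heuristics like these produce false positives (a vendor that changes its domain, an executive who genuinely is in a hurry), so the findings belong in a review queue that triggers out-of-band verification by a known phone number, not an automatic block; the human firewall the post describes still makes the final call.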

According to the FBI, BEC scams accounted for half of the cyber-crime losses reported in 2019, and that figure has continued to surge since the onset of COVID-19. HelpNetSecurity reports a 67% increase in the number of email attacks during the pandemic.


By type, BEC scams break down into gift cards (62%), direct transfers (22%), and payroll diversion (16%). What makes BEC challenging is that it is a social engineering threat rather than a technical exploit, which makes it easier to carry out than other forms of cybercrime and harder to stop with technical controls alone. Because combatting BEC fraud involves building a human firewall, education plays a pivotal role in mitigating it.


But financial institutions have much more than BEC fraud to consider. Although the FS-ISAC exercise focused on BEC, other types of fraud are also on the rise because of COVID-19, including ransomware. The FBI explains it this way:

Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return…You can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that's embedded with malware.

Once the code is loaded on a computer, it will lock access to the computer itself or data and files stored there.

Financial institutions should convey to their customers that neither they nor the FBI support paying a ransom in response to a ransomware threat. The FBI advises avoiding exposure to ransomware, or any type of malware, by practicing online security best practices. See this month's Cyber Watch post for more information about current ransomware trends and ways to combat them.


With education playing such a pivotal role in mitigating fraud due to COVID-19, I reached out to Steven Silberstein, FS-ISAC CEO, to learn more about the recent rise in fraud and how financial institutions can help prevent it.


Q&A with Steven Silberstein, CEO, FS-ISAC


Mark: Since the onset of COVID-19, we’ve seen a significant increase in fraud. What changes should financial institutions make to their fraud prevention strategies to both stay on top of cyber threats and mitigate fraud?


Steven: Reports of fraud related to government stimulus and/or other governmental support, such as unemployment benefits, have been on the rise and are thus an area of concern. The financial sector has weathered COVID well, but this is because it is a highly regulated industry and it is always improving security.


The pandemic triggered two dramatic changes to the financial sector:


1) an abrupt, wholesale move to remote working, and

2) an accelerated deployment of digital banking services. 


These two dramatically expanded the industry’s attack surface. Increasingly, cybersecurity is a shared responsibility of firms, employees, and customers. Therefore, ongoing education is important to make both customers and employees aware of best practices in cyber hygiene as well as how to recognize phishing, smishing, and other social engineering attacks.


Mark: Do you have a few tips for mitigating fraud you could share?


Steven: Managing access and authentication processes is increasingly critical as fraud attempts multiply. Both financial institutions and their customers should be considering how remote working impacts their infrastructure. A few tips:

  • Regularly assess the configuration of your network and software, and where your data is securely stored.
  • Configure access controls such as file, directory, and network share permissions with the least privilege in mind.
  • Use firewalls to block access from known malicious IP addresses.
  • Enable strong spam filters to prevent phishing emails from reaching end users.

Mark: While the overall level of fraud has increased in the wake of COVID-19, certain types of fraud, such as email compromise and ransomware, are presenting more pervasive risks than others. What do financial institutions need to know and do to combat these threats?


Steven: Customers of financial institutions have been targeted with email compromise and credential theft exploits at an increased level during COVID-19. Using the urgency of COVID with themes such as PPE purchasing or medication, too many of the public have clicked a link they shouldn’t have clicked. We are seeing institutions ramp up education of customers to help protect them.


Ransomware attacks are also on the rise. Threat actors have differing motivations and attack patterns, so financial institutions must know their enemies and understand who they are dealing with. The best way to know is through global cyber intelligence sharing focused on the financial sector, as threat actors know no borders and tend to attempt the same strategy on multiple targets.


Mark: Would you talk a little about the 2020 virtual CAPS (Cyber-attacks against payments systems) exercises and how exercises like this help to improve financial institutions’ defense and response skills to a cyber-attack?


Steven: CAPS exercises use real-world scenarios to challenge incident response teams to overcome a simulated attack against systems and processes. Participants practice mobilizing quickly, working under pressure, and recognizing critical intelligence to defend against an attack.


The goal is to build a clearer understanding of vulnerabilities and improve response plans and capabilities. The training advances both the understanding of possible real-life cyber incidents, as well as exercises the overall response plan of an institution.


You can learn more about the FS-ISAC and their events, including the CAPS exercises, here.




Clearly, mitigating fraud remains a high priority for financial institutions, and NEACH is committed to providing our members with ongoing education and sharing industry best practices for mitigating fraud in several ways, such as NEACH events and conferences, blog posts and articles, and Q&As with industry thought leaders and experts.


For example, NEACH’s upcoming virtual Payments Management Conference, November 16-17, also features several sessions on fraud, including “The FBI Says BEC is #1,” “Fraud 2020 and Beyond,” and a session by the Federal Reserve, “Fighting Fraud: What’s Ahead from the Federal Reserve in Payments Security.”


I hope you will join us. To learn more about the conference and to register, visit the NEACH website.