How to stay safe from cyberfraud

MICHELLE GRAFF: Good afternoon, and welcome to today's webinar-- "How to Stay Safe from Cyberfraud." My name is Michelle Graff, and I'll be moderating today's session. Before we get started, I'll go over a few housekeeping items. All participants have been placed on listen-only mode, to prevent any background noise. We will not host a live Q&A, but we have a couple of questions that people have submitted during the registration process that we'll answer today. But if you do have additional questions, following today's session, please book an appointment with a banker at usbank.com. We'd also love to hear your feedback on this webinar, which you can provide using the postsession survey. Today we're going to talk about the latest cybercrime tactics and how you can protect yourself and your loved ones from them. We have two fantastic speakers, whom I will now pass the mic over to introduce themselves. David and Charles, will you take it away? CHARLES BANKS: Absolutely. Thank you, Michelle. Really appreciate the introduction. My name is Charles Banks, and I've been with the bank 14 years. And I am currently a member of our Information Security Services team. And I manage our security briefing center operations, where we have a heavy focus on providing both information and cybersecurity-awareness training and truly understanding the landscape and some of the things that we'll talk about today. DAVE PILOT: Thanks, Charles. Dave Pilot. I'm part of our Enterprise Fraud Strategy organization. My team is focused on fraud fusion strategy, which is really a matter of taking disciplines on the fraud side of the house, connecting them with friends like Charles on the information-security side of the house, to understand how to get to a holistic view of fraud and ways to respond. CHARLES BANKS: And Dave, I'll say that I'm really happy to be on this webinar with you. 
Not only do we share a common haircut, but we also [LAUGH] share a common focus when it comes to how we approach and respond to, and help protect our customers against, cyberfraud. And I know we had some discussions on where to start, here, in terms of sharing that information, the information that we have. We thought the best place, of course, would be to define what counts as cyberfraud. And there are a couple of definitions that we've found. One is more focused around the individual definition of what "cyberfraud" might mean for our audience, the everyday consumer, where it is any type of fraud that is essentially perpetuated online, whether it's through the traditional means of a laptop or a desktop computer or a mobile device. Any connectivity to the internet, any crime or fraud perpetuated using those digital delivery mechanisms is what we consider cyberfraud. So the most common type of fraud, and we'll talk about why it's the most common type of fraud today for everyone that's listening-- Dave and I will explain to you why it's the most common and what some of the approaches are. So we wanted to start with, of course, first, the definition. So what is cyberfraud? And now, the next slide, this gives you some idea of why cyberfraud so heavily accounts for the number of, let's call them, "breaches" that we see or crimes perpetuated against consumers. The reason why there are so many of them-- and Dave can share this with us-- is because it's highly organized organizations that are actually pushing and perpetuating these attacks. So you'll see here, by the numbers, organized crime accounts for 80% of what we consider cybersecurity breaches and cyberfraud. Dave, anything you want to share about that? I think, on our next slide, Dave's going to dive in a little bit deeper into why these groups are so highly organized and are able to drive as much compromise as they do. 
They essentially run these organizations the same way a Fortune 500 business would run their organization. So I'll pass it over to Dave, to give you an idea of how they set up their ecosystems to drive this threat. DAVE PILOT: Thanks, Charles. And that's a perfect, perfect setup. The challenge with cyberfraud or cybercrime in general is concerned at its core is cultural. In each of our respective industries, we've had a way that we thought about our bottom line-- profits, losses, et cetera-- and approaches to those. And we commonly would see threat actors, fraudsters, et cetera, come and do things, but it was typically a group doing a thing. It's no longer the world that we live in. On the banking side, from our perspective, it's crystal-clear to us that there is an entire cybercrime ecosystem. It's worldwide. Some of it is the organized-crime groups referred to on the prior slide. Sometimes it's nation-states. There are governments that are not friendly to America that have formal, funded government cyberwarfare units, and those units perpetuate cybercrime. They work with the organized-crime groups. There's a ton of interrelation between them. And so you really wind up with this honeycomb of a world. Everybody's heard of phishing, everybody's heard of account takeovers or business-email compromise, everybody knows what a money mule is, but we don't necessarily stop and think of all of those things as connected today. And, to Charles's point on the prior slide, it truly is a corporatized structure. 
So you have entire criminal industries where people come to work, every day, just like we do, sit at a desk, get paid for their work, go home-- and so you have an organization-- let's take phishing as an example-- where there will be a team of people whose job is to go figure out ways to phish people using Netflix-themed lures, Amazon-themed-- whatever it might be. There's another group working on creating synthetic identities-- fake IDs, with real elements, that are difficult to detect. And then somebody who wants to do account takeovers will simply go to those groups, who are targeting attacks, using specific themes or lures-- perhaps attacks for specific organizations. But ultimately, the person who attacks is typically not the person who orchestrated the scheme. So you go and buy a how-to tutorial on the online banking controls or whatever institution you want to target. Somebody's done the research, knows what the process is, knows what data elements you need. They've got it all packaged up. So if you want to go rob a bank, you go buy that package from that person. Then later, when you want to move the money, you go to somebody whose day job is creating money-mule networks. They're recruiting people-- maybe on college campuses, where the students think it's a legitimate job. It's all digital, and you can do it on the side. What college student doesn't want pizza money? No idea that they're part of a mule network, but it's been orchestrated in such a way that now you've done your account takeovers-- you bought that package from whoever created it-- now you've got a pile of money-- you need to move it-- you go rent a mule network-- a few hundred dollars a week. You're going to make thousands. It's a minimal investment. And the end result is, the attackers are kind of spread out. There's not a single bad guy. And that's the world we all think of, the world we grew up in, playing Cops and Robbers. Right? Well, it's not "that" bad guy. It's "these" bad guys. 
They're distributed-- some international, some domestic. They're all working together. They're all getting paid. And from a law-enforcement perspective, when you want to put a case file together and go get them, well, who and which part and who's liable? Because they have corporatized their structure, because there is a full supply chain, in the criminal world, they have federated their liability, essentially. It's less likely that you're going to go after a guy for writing a how-to tutorial to compromise online banking than you are to go after the guy who moved the money. But it's distributed. It's more difficult to identify and defend against. It's more difficult to prosecute and litigate. And it's a really challenging world. And I think we just don't often think about how drastically that landscape has changed. CHARLES BANKS: Yeah. I don't necessarily know that a lot of us are-- aside from the cybersecurity or fraud professionals that are out there, a lot of us don't have an idea of what this world looks like. And I think it's really good, Dave, that you've given this overview of this ecosystem-- talked about how well organized they are and the fact that, in a lot of cases, not only are they able to monetize this ecosystem through their direct attacks but then they're selling these attacks as a service, which then further moves law enforcement away from the attacker-- the person that might have created the exploit that they're now selling to other attackers. So that's a really good illustration. I think it really will help us illustrate the point that we're going to make throughout this presentation, that, hey, there are going to be some very different approaches to how we are trying to protect our customers from cyberfraud and what our customers can do to protect themselves from cyberfraud. Right? There's going to have to be a balance, there. 
There's what you've coined-- you coined for us, in a conversation yesterday-- there's a technical approach to this, which is what the bank is providing. Then there's also a behavioral approach to stopping this, which is what our customers have to actually help us with. So this sets us up for a really good conversation about that. Well, Dave, to the point of all of this that we've seen here, this is a highly organized ecosystem, this structure. And you've dated this. Right? This is cybercrime 2022. Based on that, on the next slide, what are some of the scams that we're currently seeing on the landscape, this year? What is this highly evolved ecosystem-- what are they perpetuating against our customers, at this point? What are we seeing? DAVE PILOT: Yeah, absolutely. And I think we have two great examples, here. I mean, payment scams-- obviously, a broad topic. Right? But think about the world we live in. How does money move? Payments is the wave of the future. Right? Every organization, every individual, is thinking about payment services. So you've got the Zelles of the world. You've got ACH transactions. You've got this broad scope of money that's moving. It's all moving in a digital channel. So if you want to go steal that money, you're just thinking through, what's the easiest way in? You think about the emergence of fintechs in the financial industry. Right? The PayPals of the world. You've got a different level of regulatory oversight than with a traditional bank. In the fintech space, they've got the venture capital. They're investing in innovation. They're coming to market with really cool, disruptive ideas, and it's all about reducing friction and getting money from A to B right now. That creates a target-rich environment for threat actors. And if we don't understand that, if we don't understand that flip side of the coin, this great, easy thing-- boom-- might be easy to compromise. Let's think about that. 
Let's think about what controls look like, and let's understand how to truly control the payments landscape. You want to protect the money, right? But we don't think about that enough against the backdrop of that crime ecosystem. So what might a payment scam look like? Well there's the business-email compromise that gets talked about, where your systems are compromised, so you send a request from what appears to be an authorized signer-- a CFO, whatever it might be-- to send out a wire transfer to a new payee. Well, if you've gotten the access and you can change that payment and redirect the funds to you instead of where they were supposed to go, for the bad guy that is a low bar, in terms of technical expertise, the social engineering, et cetera, with potentially a multimillion-dollar payoff. Of course they're going to try, all the time. So how well do you understand the processes that allow authorization of big chunks of money movement in your business? And have you thought about those from a bad-guys' perspective? We all think about it from our perspective. What works-- keeps the business going. How well can we do? Do you step back and think, if I was a bad guy, how would I break this? Against the environment we're facing, you have to. Other scams, more at the personal level, there's things like Zelle fraud. A scammer's going to contact you, maybe as a pop-up on a smart TV that says, hey, your Amazon Prime Service has been interrupted. Contact us here. Well, you're looking at your TV, you've got Prime, you think that's legit, so you call them. And the person on the other end is going to be professional. They're going to have a clear script to read off of. It's going to sound like any other call-center interaction you've ever had in your life. And you've already taken the bait. You believe you're talking to Amazon. They understand Amazon's script, policies, processes. They're presenting themselves as Amazon. Now they're going to start asking for account data. 
If you give it to them, your money is leaving before the phone call is over. So the scams come in so many different ways, and they all center on, where does money move from A to B? What can I do to put myself in the middle and change B to C? And that's it, in a nutshell. And again, you've got entire criminal organizations that are simply assessing how these payment platforms work, what a typical transaction looks like, and what would be the easiest way to make you think that you're talking to your legitimate commercial client, business partner, buddy that you owe beer money from last night. They're looking at all of those and figuring out ways to insert themselves in the middle and redirect those funds. It's a challenge. And when you look at emerging scams, the student-loan-forgiveness topic is a good one, particularly on the heels of the COVID pandemic. We've all seen the news articles about the billions of dollars that were stolen, related to COVID stimulus funds. Well, student-loan forgiveness-- this is another instance of the government providing money-- bad guys want it. It's the exact same thing. Charles, I think you've got some specifics, here. You saw something about this on your personal device, recently. CHARLES BANKS: Yeah, actually-- and you brought up some really good points, Dave, when you were talking about places where we are and where processing payments-- the bad guys-- what we've actually done, to your point, is, we've provided them a broader range of approach for us. We have so many-- I mean, you used a perfect example by saying, you may see a pop-up show up on your smart TV. Right? It's no longer, OK, maybe I got a text that I don't recognize, and they're asking me for more information about processing a payment or some of my accounts that I have online. This is showing up on your televisions-- on your connected devices. And every day, we're swimming in a broader and larger sea of this connected opportunity for these criminals. Right? 
So I think, as we've been talking, that's where understanding what your behaviors are that you would need to implement to make yourself the best digital citizen and protect yourselves, that's where it's going to be key. And you also mentioned that connection-- let's call it that "human connection"-- with your payment provider, with your process provider, with your bank. And so what is your bank doing, to help protect you or to educate you? And this is what I received as a US Bank customer via email. They sent me-- hey, based on the current landscape and some of the things that are happening within our financial structures, these scams are bubbling up. And we're seeing more of those-- whether it's a COVID scam, based on those stimulus funds being redirected, or something like this-- student-loan forgiveness-- and that process is now in place. So a bank sent me this email to say, these are the things that you should be on the lookout for. Recognize that currently there is a process for loan forgiveness and that the bad guys are targeting that particular process to funnel money away. So I think it's, again, one of those things where we have to continually educate ourselves about the landscape-- what's going on in the environment that we should be aware of-- might be a good avenue of approach for a criminal-- and then start recognizing when we see things that are unusual. So if student-loan forgiveness is something that's right now going through a process, know that you may see-- if you're a student loan holder and you're looking for having some of those loans forgiven, understand that you may be a target. You may be a target for a scam. So be on the lookout for that. Again, be a good digital citizen and educate yourself. 
So I'm glad you talked about those different avenues of approach, because one of the things I don't think we think about enough is that, as we look toward this, let's call it, "convenience"-- we're highly susceptible to anything that makes our lives simpler, easier, faster. And so we're connecting all of these devices. We're connecting these devices that allow for the speed of process. But one of the things that we're not doing, on top of that, is making sure that, hey, one, is this the right approach for me to process a payment? Should I process a wire transfer for multiple millions of dollars? And I verify my form of authentication for that wire transfer as a fax? Probably not the best way to authenticate a wire transfer. But again, are we asking ourselves these questions? As we're connecting these devices and moving these processes to all of these different avenues, are we doing so safely? And again, that's good digital citizenship. So I'm glad you sort of connected those two, Dave. DAVE PILOT: I would piggyback on that a little bit. I love what you just described. And I think what people need to understand-- back to the whole topic of convenience-- the internet of things is awesome, when it works the right way. It's also the internet of thieves. CHARLES BANKS: Yep. DAVE PILOT: How often are you thinking about that, when this smart refrigerator looks cool, or when Alexa is listening in on your conference calls at work? Internet of things; internet of thieves. If you don't stay aware and vigilant around the two, you're going to fall victim. And in the banking world, we think about Know Your Customer, the whole KYC process, the regulations and rules around that. It's critically important. And banks do it for the right reasons, but it's another corporate process, at the end of the day. Flip the switch. For the threat actors, it's Know Your Victim. Nobody's giving them a rule or a reg or a process checklist that they have to follow. 
Know Your Victim is the key to the bank vault. And so they know your business better than you, in many cases. When they show up, whether it's a cyber reel, a social-engineering reel-- and that gets into the whole technology-versus-behavior-- I think we're going to talk about that a little bit more here in a minute. But when they show up in either channel, they know you already. They know your processes better than your call-center people do, as an example. And that's not a slam on any existing corporate employees. It's just the reality we live in. And Charles, part of the reason I appreciate working with you so much-- aside from the fact, I mean, the same haircut-- you touched on that, earlier-- yeah, we're obviously awesome. But you're the kind of partner-- and this is critical for every organization to have, in this world-- who thinks in 3D. It's easy, in the corporate world, to be an all-star checker player, but the bad guys are playing chess. The best checkers player in the world is going to lose to a chess grand master, no two ways about it. And Charles, we think in 3D. And so, while you're on the security side of the house, I'm on the fraud side of the house, we're looking at our respective channels through different approaches but with common goals. And it comes down to, we have to know our environment. We have to know our processes. We have to understand where capabilities can identify creative attacks. And then, how can we come together to cover those attacks-- from a cybersecurity perspective, from a fraud perspective, from multiple others. And it really drills down to-- There is a highly technical component to the crime as a service ecosystem. Everybody's seen the headlines about ransomware and on and on. There's a highly technical component. But there is a critically important behavioral component. It is much easier for a fraudster today to contact an organization's back-office personnel. They can find them on LinkedIn. Right? 
You get the LinkedIn invite from somebody who says, hey, it was cool to meet you at the conference. You don't remember them, but you've met a bunch of people at the conference, so, sure, come on in. Now they're looking at your entire network, depending on how your LinkedIn is structured. In five minutes, they know your boss, they know your team, they know your function. Now they've got a list of other contacts to send the same invite to. By the way, they're a nation-state-sponsored cyberfraud group that does this specifically. They use LinkedIn for corporate surveillance. So again, the fraudsters know your organization. Now they've gotten close to you. You've got an implicit trust. And so, when they pick up the call or pick up the phone and call you or send the random email, you're more likely to respond. And before long, they're asking you about creating a relationship. And next thing you know, there is a payment, and-- Well, that was career-limiting. Right? It's a tough situation, and it's easy to fall for. So there's the whole technical piece of it, which is critically important. There's the whole human-behavioral piece. And this leads into this topic, here, around social engineering in general. I just gave an example, through LinkedIn, but it happens at all levels-- internet of things, internet of thieves. You wouldn't walk down a dark alley with a blindfold. The internet is a dark alley. Don't walk down it not paying attention. And Charles, I think you had some great points you wanted to call out on this. CHARLES BANKS: Yeah. And actually I'm glad you brought up LinkedIn, Dave. It's almost like you set them up; I knock them down. For everyone on the webinar, we didn't plan this, but I literally this morning received a notification from LinkedIn. It was someone accepting my LinkedIn connect request. And it was someone I had not requested a connection with. 
So now, I as a good digital citizen who's trying to protect my own personal online ecosystem, I have to go in and I have to change my profile. I probably have to eliminate my LinkedIn profile-- either change all my passwords, in the process, there-- because I received a notification to say that I had reached out to someone to make a connection, and this connection was for someone not even in my space, not even within the information, cybersecurity-fraud space. They are in the medical industry. And they're like, hey, yes, absolutely, I'll accept your connection request. And I didn't make that request. One of the things that we talk about is-- and you just talked about, Dave-- the fact that, again, this ecosystem, this criminal ecosystem-- and, in a lot of cases, is nation-state driven and supported-- is giant. Right? And there are billions of dollars at stake-- billions of dollars that they can earn, through their theft, from us. And so what we have to do is, we have to change our approach. We talked about those different approaches but common goals. It can no longer just be this technical solutioning that we drive, hey, let's buy the next, biggest, best technology, and we'll be fine. No. We have to take that other approach, where, in conjunction with the technical approach, there've got to be some behavioral changes. And so that's what we're talking about here, with the social-engineering piece of it. We have to create a community-- a community where it's not just your fraud professionals and your cyber professionals protecting you, but you have to protect yourselves. And the way that you do that is making some behavioral changes-- being on the lookout for certain things, like an unusual LinkedIn request that was accepted that you didn't accept. Being a good digital citizen means that, for me, I have alerts that tell me when those things are here. I understand all of the tools that are at my disposal. 
As a consumer of US Bank, I understand all of the tools at my disposal to help me, as a good digital citizen, manage and protect my accounts. So, understanding that you are going to, at some point in time-- and you're actively, at any point in time, being socially engineered-- right? You may see a small approach in the beginning that might be that LinkedIn request, or it might be, hey, this is a text from someone that you met at a conference. I don't know if you remember me, but you said you wanted to connect. That's the first step. So understanding how all of those small bits, how all of those small bites at you-- that's how you're being socially engineered for the big delivery. The big delivery is now, hey, we've built this trusted relationship. Can you do this for me? Can you process this wire-transfer request? All of that is a part of social engineering. But we have solutions for that. Understand how you make yourself a better digital citizen, and understand what the approach is. Once you understand what the approach is, you can educate yourself against that. And I know, on the next slide, there are certain things that you should know, and we will help you to understand, that we will not ask you for. Banks will never ask you for personally identifiable information-- PII-- or your data, certain data, that is your identity. We're not going to ask you for that via text. Right? We're not going to ask you for your PIN number via text or your Social Security number or even probably your date of birth. Because one-- and I think, Dave, you made this point, as we were pulling this all together-- we already have that information. Right? So part of being a good digital citizen and protecting yourselves and being a part of that security community that we're trying to build is understanding what your part is, understanding that you have to be diligent. 
You have to be aware of what the landscape looks like, what the attacks are going to look like, what the social engineering will look like, and understand what we will never ask you for. Use us. Use the resources that we're making available to you, whether it's alerts or whether it's your contact center or your fraud banker. If you have something come up that's unusual, call us. If we ask you for your PIN number or your Social Security number through a text, call our contact center. Call our fraud liaison center. And we'll help you to parse through what is legitimate. So yeah, understanding how to make yourself-- You mentioned walking down the alley with a blindfold on. Hey, well, we're going to be your eyes and your ears. If you decide that you want to walk down the alley with a blindfold on, we're going to be your eyes and ears-- but you have to take advantage of what we provide-- the services that we provide-- which means, you have to be aware. DAVE PILOT: That engagement, right there, is the key. Right? It has to be the two-way street. No bank can protect every customer or client relationship from fraud-- and vice versa. So we have to be synced up. We have to be thinking in a common approach. And Charles, I think you summed it up well in the previous slide. I would just piggyback and say, at the end of the day, if your Spidey-Sense is tingling, trust it and reach out. And when you want to reach out, and you're not sure if that text message is from US Bank or any other institution, don't google the number for the contact center. Don't do it. CHARLES BANKS: Yep. DAVE PILOT: Bad guys buy ads and put them at the top of the search results. That's an easy social-engineering round. Use your existing documented contact points in whatever form your relationship is. If it's a personal banking relationship, there's a phone number on the back of your debit card-- credit card. There's a phone number on your mortgage statement. Use those. 
If it's a corporate-client relationship, that's already established. Call the numbers you know. Don't google. Don't do a web search. If this looks funky, let me go to my known source of truth, contact my financial institution directly, and then get it handled. But it starts with trust in your Spidey-Sense. If you ignore the tingle in your gut, you do so at your own danger. We have to work together on this. CHARLES BANKS: Yeah. What I really appreciate is that you threw in a Spider-Man reference. DAVE PILOT: [LAUGH] CHARLES BANKS: Kudos to you, for working that in. But-- really good point, Dave. You do have to trust your gut. It's the same as if you were walking down that actual dark alley. You know, in those dark corners, that there could be the possibility of some type of danger. You're trusting your Spidey-Sense, when you're walking down the dark alley. Why not do that when you are walking down the dark alley of the internet and all of that connectedness we just talked about? Use your Spidey-Sense. Anytime you can reference Spider-Man in real life, [LAUGH] make sure you do that. Right? The other thing, too, that was important that you mentioned was the relationships-- the relationships-- the relationship manager, the contact-center banker, the fraud liaison. I think, a lot of times, we lose sight of this human connectedness that we actually have to take advantage of. We want to rely on all the technology. Well, rely on that human connectedness that you're establishing with those institutions that are actually allowing you to find an easy way through life. Don't lose sight of those. Talk to your relationship managers. Talk to your contact-center bankers. Talk to your fraud liaisons. Talk to us. Ask us questions-- which, we'll take a couple of these, here, shortly-- but stay connected with us. That piece of it, I think, sight of it gets lost. And you mentioned sort of thinking 3D. 
That's where I get the opportunity to really think in 3D and how to strengthen those human-connected relationships that will actually help us in that behavioral approach to security. You got to maintain that. So I'm glad you brought up Spider-Man [LAUGH] and people. People are so important to all of this. DAVE PILOT: That's the key, at the end of the day. There's no silver bullet. There's no one-stop shop. Technology might be able to protect 90%, 95% of your business. Well, that other 5%, 10%, whatever that delta is, in your personal relationships, your commercial relationships, et cetera, that's people. So the technology is going to do everything it can. The bad guys are funding, or are indeed, groups that are looking to outstrip the technology. They know it better than we do. Cutting-edge is not cutting-edge-- or, at best, it's a double-edged sword that cuts both ways. I don't think we think about that enough. And so, leverage the technology. Be smart. Be proactive. Layered controls. Defense in depth. But leverage the people, too. Look at the behaviors-- what comes through the technology? Do the behaviors match? Is this normal? Is it a little bit anomalous? You know, same way you would if you were at the grocery store. Right? You know what's normal; you know what's not. You're going to respond to the abnormal. Do the same thing in your financial environment. Build those relationships. Charles, to your point. You nailed it. CHARLES BANKS: Yeah, absolutely. Well, as a part of building those relationships and helping you to know where to go, what we want to do on the webinar today was actually take a few of your questions which we thought were really important and the answers to which would provide good guidance for everyone else that's out there and may have that same question but may not know where to go to get an answer to it. So our host, Michelle, do you want to-- MICHELLE GRAFF: Yeah, I can read them to you, and you guys can take them away from that point. 
So our first question is from Virginia. "How can someone find resources to report suspected fraud? What information is needed, to report fraud?" CHARLES BANKS: Dave, you want to take this one, to start? DAVE PILOT: Yeah, I can. It's a great question. I'm going to try to stay kind of high-level, in the interest of time, but let me point out that reporting fraud can take several different forms. Obviously, with your financial institution-- again, back to the trusted contacts-- reach out. What information do you need? I hate to say it, but everything that you have. What was the amount? What was the date? What was the payment mechanism? Was it a digital payment? Was it a check? What was everything? Pieces of that are useful to fraud teams. Pieces of that are useful to security teams. Pieces of it are useful to law enforcement, for case files. So there's that one avenue with your financial institution, around suspected fraud, even if it was a bad text message, the phone number that it came from and the carrier that you are on-- you wouldn't think of those, normally, as fraud data, but they are. That helps us find the bad guys. There's also law enforcement. And the FBI has an internet cybercrime-complaints function-- ic3.gov. Reporting information to them when you see cybercrime helps the FBI to create an aggregate, total view of what this cybercrime ecosystem looks like. So it's not just as simple as your banker, your relationship manager-- those are all important. Local authorities, depending on the case, reporting through ic3.gov-- and again, it's about the totality of the data. How were you contacted? Where did it come from? What was the interaction? Screenshots are awesome. But hand over everything that you have, and then let us engage. There are always options and capabilities, but it comes down to timely, comprehensive, and effective. 
CHARLES BANKS: Really, that's fantastic advice, Dave, because we did mention that, hey, typically what will lead to ultimately being that this suspected fraud are those bread crumbs or those small bites, those social-engineering bites, that started with a text, that started with a phone call, that started with an email that resulted in a business-email compromise. Collect all of that. You're going to have to essentially be detectives and backtrack and understand where was that first approach-- collect that evidence. We do forensics. We do digital forensics, to help you with the backtrack, but we can only work as successfully at that as we have information that allows us to do that. Anything-- To your point, collect all of that. Think back to the first time that you saw that first connection, share that with us, and we can help with the backtrack. Good advice, really good advice, Dave. Michelle? MICHELLE GRAFF: Thank you. Great. So our second question is from Krista. And they ask "Tips/recommendations for digital fraud? How do you distinguish whether you are speaking to a legit representative for a business?" CHARLES BANKS: That's a good question. I'll kick this off with something that Dave and I were talking about earlier in the webinars. One, did this representative call you? If they called you, that's probably going to be the first time where your Spidey-Sense should tingle to say, have I gotten a phone call from this representative before? Have I established a type of relationship that calls for that type of connection or that type of contact with me? If you haven't, after that phone call or after that connection, reach out to those legitimate channels that you know you've used in the past, or have available to you to use now, that have been identified for you. Dave mentioned the fact that, on the back of your US Bank credit card or your debit card, there's a telephone number for our contact center. 
On our web page, on US Bank's web page-- and again, don't necessarily click on the one that first comes up when you google-- the one that has "Ad" next to it-- don't click that one. Understand what our web page is. Find our website, and those resources are going to be there to include how do you get in contact with a legitimate representative. So if we come to you first, think about that a little bit. Right? DAVE PILOT: That's really the key. And I think, to just put a bow on that-- and again, staying high-level-- there was a very well-orchestrated fraud campaign-- started late in 2021, ran roughly through the first half of '22-- targeting multiple financial institutions, internationally-- so, different platforms, products, et cetera, at each institution. But what the actor was doing was stealing credentials in order to log into bank systems as an authorized user and initiate wire transfers, set up authorized signers-- whatever it might be-- a common attack type. What this actor did-- [LAUGH] the short version. It's a lot more complex. I could take an hour. The short version is, what the actor did was set up fake websites that were perfect mirror images of the platforms at the institutions they were targeting. Then, they used targeted geofenced Google ads to lure victims. So they knew the institutions they were targeting, they knew the clients of the institutions and where they were located, so that they would set up ads in a specific city for a specific period of time-- typically, a pretty short window. And the minute one of those clients clicked on that top Google ad, you got the bad guys at it. And it popped up a page that looked exactly like the page you were trying to get to. So people would enter their credentials. And the screen would blink and redirect them to the real page. Well, you just did your search, you're trying to get logged in-- page blinked. Stupid internet. You reenter your credentials. 
And now you're logging in for real, but the bad guy has your data. That was that page in the middle. They're logging in as you, later. You're never going to know. It was a really well-thought-out attack-- got a lot of law-enforcement attention. But those things are so simple, and you don't think about it. Let me google. No, no, no, no. Use real data. Go to confirmed sources. And to Charles's point, think about what was the engagement. Did you call your institution, or did they call you? Did you call Netflix, or did they call you to tell you there was a problem with your account? Think about it. Understand, how do these relationships work? Again, what are the behaviors? No technology can save you, in those instances where you don't recognize, this isn't normal. Maybe I should keep my mouth shut. CHARLES BANKS: Yep. And again, breadcrumb, there. Right? That small blink of the screen. We have to slow ourselves down, I think-- as good digital citizens, slow ourselves down. It doesn't have to be that there's a super sense of urgency and speed to react. Recognize those small context clues, like the screen blinking. There are ways to stop-- and again, we talk about the behaviors. There are ways to stop yourself from being exploited this way. And it's just a matter of slowing ourselves down, I think. DAVE PILOT: Spot on. CHARLES BANKS: Yep. MICHELLE GRAFF: Wow. Well, thank you. [LAUGH] Now that my mind has been thoroughly blown, I think. [LAUGH] I want to wrap things up a bit. I just want to say thank you to both Charles and Dave, for your wonderful information and such a relevant and important topic. I think these are all great reminders for all of us today to help protect ourselves from the fraudsters, especially given that they're always getting smarter. You know? And so, with that, I want to also thank everyone for attending our webinar and presentation. A reminder-- we will be posting the recording from today's session at usbank.com/wellnesswebinars in the next week. 
We'd also love your feedback. We really use that feedback for future topics. And you can do so in the postevent survey following this session. And this concludes our webinar. We hope you have a wonderful rest of your afternoon. Thank you! CHARLES BANKS: Thanks, everyone. Thanks, Dave. DAVE PILOT: Thank you all. Charles, appreciate you, bud.