PDF download

View full screen

View transcript


Insights for governments on cybersecurity and fraud prevention in an ever-growing digital environment

Hi, everyone. Welcome, and thank you for joining us today for our webinar. My name is Jason Paulnock. I manage U.S. Bank's Government Banking Team in the central region, the central part of the country. And within U.S. Bank, our focus on government banking is really to try to help our clients understand how to be as operationally efficient as they possibly can be, and understanding how to combat fraud is certainly part of that.

A recent article on HealthNetSecurity.com noted that COVID-19 has presented a once-in-a-lifetime opportunity for the bad actors to really take advantage of the situation. And cybersecurity pros seen a 63% increase in cyber attacks.

Electronic vendor fraud has been increasing over the past few years, and has reached the point where GFOA recently published an advisory for government to put safeguards and internal controls in place to mitigate the risk. Such scams have cost organizations over $9 billion in 2016, according to the US Financial Crimes Enforcement Network.

And perhaps you've heard of the recent impact to government. One scammer defrauded a county in Washington State of $740,000 by posing as an accountant from a construction firm. A small town in Colorado paid a fraudster a million dollars after they posed as a contractor, too.

So I'm really excited to have you join today, and think you'll learn some new insight to the problem from our presenter, Jake Bernier. Jake is a member of U.S. Bank's Red Team, where he conducts offensive security testing to challenge security practices. Jake's basically a hacker employed by U.S. Bank to ethically test our system. Jake has eight years of experience in information security space. And in addition to his day job, enjoys teaching ethical hacking techniques at a local college.

I'm going to turn it over to Jake and have him walk through the presentation. And when we're done, we'll try to answer Q&As that were posed by a number of you as part of the registration process. Jake, take it away.

Thanks, Jason. I'm very excited to go through the content today. So with that, let's go ahead and get started.

So what we're going to be focusing on today is a technique called Business Email Compromise. You may or may not be familiar with it. But primarily, this is a scam, really, where fraudsters trying to hack, spoof, our masquerade a business email account in order to access the company. And ultimately, to perform fraudulent transactions. The idea here is they are financially motivated, looking to monetize these attacks.

So here's a simple-- a silly example we have here, the presentation, where they're sending an email from American Company, except they registered a domain with an "n" instead of an "m," trying to trick them to think that this is coming from a legitimate source here.

So real quick, we got some numbers here on the slide deck. I won't go through this fully, but really, just noting, kind of like Jason pointed out, that this is a problem, especially with COVID-19. We got more folks working from home. We're really relying on remote communications, whether that's webinars, more email conversations, instant messages, things like that.

Because of this, the opportunity is just spiking for the attackers. They are making a lot of money on these types of scams. So that's a little unfortunate. So today we're going to walk through what are some different flavors of business email compromise. We also have some demonstrations that we have put together to show you what it looks like when an attacker starts to prepare and conduct one of these attacks.

All right, so identifying types of Business Email Compromise. The first one here is fairly simple. I can remember quite a few years back, when I first started seeing and working on some of these, this is what we call the Executive Masquerade. So really they're what the attackers are doing here is they're just spoofing, pretending to be a high level business executive-- chief financial officer, chief technology officer, CEO, et cetera.

The account can be spoofed or hacked in most cases. But this simple form, it's spoofed. We'll talk about what that means in a little bit. And it's really quite simple. They would say, hey, I'm the CFO. Please send me a wire transfer, an ACH transfer, whatever that might be. I'm asking for x amount of money.

Believe it or not, this is fairly successful. No longer do they have to do these very large, sophisticated campaigns. They found out pretty quick, if I look up a company, figure out who that C-level executive is, we can easily set up a scenario where we're trying to be urgent. We're going to use that authority in that management chain and ask for a fund to be transferred over.

Move forward a little bit. Folks are starting to catch on to that. So what they're really relying on a lot now is what we're calling the Supplier Swindle. So it might seem a little odd now, if you were to get an email directly from a C-level executive or from a high level director. It might make a little more sense if you've got an email from somebody you do business with-- a supplier, a vendor-- and they were asking you for a wire transfer or some other way of transferring funds.

This is important. A lot of times, it's made through a fake email, but it can also be a telephone call, et cetera. So something important to note here is, well, how are attackers doing this? Why is this successful?

They're doing their research. And then, in the government space, this can sometimes be a little bit easier because you have to have certain documents and certain transparency on who you do business with and who those vendors are. The attackers are well aware of that. So they can figure out vendor A, B, or C that you're working with, pretend to be that company, and send in an email asking for funds.

And so, this brings us to my first demonstration. So what I'm going to do here is-- we have three demonstrations that we'll do throughout the presentation. I'll kind of set the stage up with this slide deck here. But then we're going to switch over to a video that I've pre-prepared for that demonstration. This is going to switch back and forth between what I'm going to call the attacker and the victim. So we're going to be able to see both sides of this attack.

And just a little bit of a disclaimer. This is all done in a lab environment with test accounts. I'm not actually hacking anybody in front of you. However, all of the techniques that I'm going to show you here are very realistic. These are things that attackers are definitely doing. So it hopefully can provide a little more insight and awareness on how these are set up, and how they're carried out.

So this first one here, we're going to go with that sort of supplier spoofing. So we're going to pretend to be from an insurance company. And we're actually going to do email spoofing. So we're not going to hack any email account. We're going to pretend to come from an insurance company. We're going to send an email, and simply ask for funds from that victim.

Let's go ahead. We're going to switch over to the demonstration.

All right. And as I go through this, I may pause or highlight things. I recommend viewing in full screen, if you can. Otherwise, bear with me as we walk through this here.

So we're sitting here on the attacker server. This is a computer that the attacker had set up, and we have some code here. We're not going to go through this line-by-line, so don't worry. But what I'm going to demonstrate here is how email spoofing works.

So we're going to pretend to send an email, in this example, from beth.vogel@TimberInsurance.com So when we send an email, just like if you're going to send an old fashioned snail mail physical letter, you can actually pretend that that email's coming from anybody you want. We're simply forging it on our end. Because we own the server that's sending the email, we can pretend to be anybody we want to.

So in this case, we're pretending to come from Timber Insurance. And we're going to be sending it to, in this example, Todd Benson. And we can also change this reply to email address. This is important. We'll show this when we switch over to the victim's side.

But if I pretend that I'm sending an email from Beth, and Todd gets that email and he replies, where's the reply going to go? Well, if we're not careful, it's going to go back to Beth. We don't want that as an attacker.

As an attacker, I want to control the communication. So I'm going to change the Reply To address. So if Todd is suspicious or wants to communicate with Beth, it's going to actually come to my Yahoo account.

So we'll kind of move along here. Kind of setting up the scenario, we have a PDF form. In this example, we're going to ask for a wire transfer. This is just an attachment with instructions we want them to follow, and where to send that money to.

But you might be asking, how do we know to be Timber Insurance? As an attacker, we can figure this out a variety of different ways. But mostly, that's looking up online job postings, LinkedIn profiles, social media, marketing pages. So we understand they're going to expect an email from Timber Insurance.

So it's important here. You can see the email that we're setting up. We want it to sound urgent. This is an important email. Send payment by the end of the work week. Prompt payment is necessary. These are key words. Fraudsters, attackers have been doing this for a very long time. They want it to sound very important.

So all we're going to do on our side, as the attacker, is we're going to run that little script that we created. That's going to send the email over.

From here, we're actually going to go ahead and switch over and view things from the victim's perspective. So here we are. We're working away. This is Todd's box. And we can see we have a new email from Beth.

In this example, we happen to be using Gmail, but this could be any type of client or email setup. You can see the subject line, and you can see that it's from Beth Vogel.

You'll notice, though, there is that little question mark at the side. So even Gmail is sort of catching on to these types of attacks. Yes, it says it's coming from Timber Insurance, but we're not able to validate that that's actually the source. So that's why you're seeing that little question mark there.

So we can see this. We tried to make this email look as realistic as possible. So we talked about making the email sound important. We have a fake signature. We even have a fake confidentiality notice at the bottom, to make this look legitimate. So the attackers are doing all they can to make these emails look real.

So here's this wire transfer form. You can say-- we can see a couple of red flags here right away. Transfer to Jim Johnson on behalf of the company. So that's going to a personal account. You also might notice a personal address in that space, et cetera.

Another thing that I want to point out here is in the signature, there's a phone number there. So what these fraudsters, what these attackers have started to figure out is a lot of times the process for a transfer of funds, is they want to put in some sort of 2-step verification. You get the email, and then you call them and validate that it's true.

Well, if you're calling the phone number that's in the fake email to begin with, you might think you're doing a step up. But that number might very well be owned by the fraudster, by the attacker. So it's very common for them to put in a phone number that actually they own, as well.

So if you call them up and try and validate-- hey, Beth, did you mean to send this over? Is this truly the new process? You might leave a message, and they'll just email you back and say, hey, I got your message. Please send that over.

So if we click Reply here-- this is where that Reply To technique comes into play. You can see it says Beth Vogel. But if we look really closely, it says JohnsonJimJ@Yahoo.com. So it's not actually going to Beth's account. So this is where we kind of bring these techniques together, of a spoofed email and a separate Reply To.

So just for demonstration purposes, we'll have our victim Todd here just say, hey, Beth, thank you for bringing this to my attention. We're going to send this payment over by the end of the day today.

And if you're-- it can be easy to fall for this and not notice that Reply To, especially with all this work from home, we're glued to our computer screens, many of us. We're trying to work through a lot of different stuff. So if you're not careful, you can easily miss that little indicator there.

So we'll flip back to the attacker side now, just to show that that email did indeed go back to the attacker, to their personal Yahoo account that they set up specifically for this type of attack.

And there we have the email in the Inbox here. So that is our first demonstration.

Now, this is probably the least sophisticated attack. Lots of indicators here. Maybe you work with somebody else, and not Beth at Timber Insurance, et cetera, et cetera.

So what the attackers have done is they started to ramp-up the sophistication. Simply spoofing an email isn't enough anymore. So they're starting to do what we called the Hack Job. So instead of spoofing an email, what they're going to do is actually try and hack into somebody's email account, and use the hacked email account to then request a transfer of funds.

This could be a personal account. This could be a business account, whatever that is. It's going to look more legitimate, if you're a victim, if it's coming from a source that you trust.

So the second demonstration we have here is Email Credential Theft. So this is a little more sophisticated. And this is going to actually have two victims, because we don't want to spoof an email anymore. We want to compromise one.

So the first thing we have here is, we're going to send what's called the phishing email-- this is a generic phishing email-- over to our first vendor victim. We're going to ask them to log in to their email account to update their email storage space. They're going to enter their user name and password. We're going to steal that username and password, take over that vendor's email account.

But that's not our end game. This is the first step. Once we have access to that vendor's email account, we're then going to use that to actually hit our second victim and say, hey, I want a wire transfer. Transfer these funds over.

So we're going to walk through this. A little more sophisticated. And we're going to see what this looks like.

All right, so the first thing here is we're going to start on the attacker side again. What I did here is we registered an email @Outlook.com that kind of fits the scenario. So in this example, Quota Limit exceeded at Outlook.com.

Now, let's say we did our research and we found a vendor that we know does business with a variety of commercial real estate properties. That's sort of the scenario we're setting up here. But we're actually going to have a generic type phishing email-- Email Storage Notice.

So anybody that uses Office 365 might be familiar with some of the technologies we're talking about here. But this is an email that you should never actually get from Office 365 or from your IT department. So hopefully, this looks a little suspicious when we go through it. However, it it's believable enough for these types of scenarios to indeed work.

So we're going to speed up so we can read this whole email here. But Office 365 has prevented the delivery of seven new emails to your inbox because the synchronization of messages failed due to the following error in the server-- email storage quota met. The account has exceeded the quota.

And then, if that was not convincing enough, we're going to say you reached your limit. Please click the link below to confirm this account is still active. So that's the action we're asking for. That's going to be a link to a server that we, the attacker, had set up.

And we're going to stay, "Until you complete this, you may experience email delivery and sending issues. This is an automated message. Please do not reply."

So if our victim buys into this, of course, they're not going to want their email to stop working, so they're going to click the link. And of course, the attackers, just like everybody else, has Spellcheck. They're going to make sure the spelling, the grammar, lines up the best they can. No longer can you just look at an email and say, hey, that looks like it's maybe broken English or it doesn't really make sense. They're doing their homework, if you will, to make sure that these look believable.

And you'll notice we added a link there. This is a Bitly link. If you're not familiar with Bitly, it's just a URL shortener. It has many legitimate purposes, but it can help an attacker masquerade or hide where that link is actually going to.

So now that we have this scenario set up, we're going to send that email over to our victim. We're going to flip over to our victim. And we see we have this new email.

So we're a little concerned. We're going to do the old check. If we hover over the link, it actually doesn't show us anything different. It shows that same Bitly link.

We're going to click that link and try and sign it. This looks very, very similar to the Office 365 logging prompt. But it, in fact, is not. This is a server set up to look like it. So if we actually zoom in on this address, this is not Microsoft's web page. This is the attacker's site. But every other detail looks very legitimate.

So we're going to enter our email address and enter our password here. And then go ahead and click Sign In. Now, you'll notice, it just reloads the Log In page. And if we look at the Log In up here, now we're at the legitimate Microsoft page. So this is a common technique that attackers will use.

If you think about it from a victim perspective, you just tried to log in. It didn't work. What do you think happened? The first thing you might think of is, oh, I accidentally typed the wrong password in. So now the second time you log in, it'll work. You might think nothing of it, and you move on with your day.

When unfortunately, in the background-- we switch back over to the attacker's server-- you just sent your email address and your password to the attacker's server. And so, this is kind of in jest-- my really strong password. But it doesn't matter how strong your password, how complex your password is, if you accidentally send it directly to an attacker.

So what we're going to do, as an attacker now, is we're going to open up Office 365. We'll log out of our account. We're going to log in to this newly compromised account.

We'll enter that email address. And go ahead and paste in that password that we stole. Fantastic. All right. So now, we have full access to Bill's email here.

So as an attacker, I'm going to start searching around. I might search, does he have any passwords that he saved in his email? Doesn't look like it.

I'm going to search for certain keywords. So when I search for wire here, I see there's a conversation, conveniently, about a wire transfer.

So if we start to pay attention, what it looks like is Bill Shorts, the person who we've compromised, actually is a treasurer for a vendor. And they do maintenance for commercial properties. One of their customers is Todd. So we can see kind of some back and forth here of Bill talking to Todd.

This is fantastic for us as an attacker. We have almost everything we need. We have access to Bill's email. We have one of his customers. We have a wire transfer form that they're used to using. It's probably branded. It has the correct information in it. And we have an already established email chain.

So what we're going to do is, we're just simply going to download this wire transfer form. Why would I make up a new one when I can use the same form that they already used? All we have to do is modify some of those variables so that the transfer is instructed to come to an account that we own, instead of this Timber HVAC vendor company.

So we'll go ahead and we'll make a new copy of this. We'll open it up. And again, we're going to change some of these key items. So that might be things like having it go to a personal account. These are some of those red flags. Personal account, a personal location instead of a business address, things of that nature.

So we'll kind of speed up. Unfortunately, it's never this obvious, right? Transfer to Jim Fraudster. But you get the idea for the demonstration here.

We'll kind of speed along, updating this document. We save that. And now we can actually use this existing chain and send this directly to Todd.

So we're just going to set this up and say, hey. We actually just updated our payment process. Please use this new transfer form in the attached document.

So you imagine, if you're Todd, you're getting an email from Bill Shorts-- somebody you've been in contact with before, a vendor you've done business with before, in an email chain that you've already had contact with him on. You're going to get instructions for a new payment process, with a document you're familiar with. The only difference is maybe the account's different.

So you might forgive Todd, actually, for falling for this. This is going to look very sophisticated for Todd, when he gets this email. So this is why these attackers are becoming more and more successful with these types of scams.

So we'll go ahead and we're going to switch back to the presentation here.

All right. So another technique, the Lawyer Up. You'll kind of notice a theme through most of these, is they're trying to have some sort of authority, or urgency, or scare tactics against you. And one of those is identifying themselves as a lawyer or a law firm. This can be a very successful scenario for an attacker.

If you come in and you say that, hey, I'm handling confidential information. This is very time sensitive. As a victim, you can really be pressured to do something quickly, right? We need to get these funds over for handling this information. We need this sensitive information sent over immediately because we have an open case, et cetera, et cetera.

Another important piece to notice-- and this happens with most attacks. This is not unique to the Lawyer Up. But the time in which they send these attacks is also thought out. So the attackers are paying very special attention to every little detail. So they're going to send these at the end of the business day or the end of the work week.

Why? Because if they catch you right before you leave, you might be in a rushed state. You might be more likely to comply with their requests. So the timing of these is really important, too. They're not sending these in the middle of the night. They're trying to line up with when you're busy, when you're rushed, et cetera. And again, of course, they're going to ask for funds or sensitive information.

Another example-- and this is important to note-- is depending on where you are in the attacker's attack chain, you might not be asked for a transfer of funds. They might simply be trying to gather or mine information out of you. So again, they might spoof or hack an account to make it look legitimate. But they might only be after W-2s, sensitive personal information, HR information. Anything that they can leverage in a future attack is going to be useful.

Another important thing to note here is I've been referring to them as the attacker, the adversary, the fraudster, et cetera. But really, it's not one individual. There is an entire network of these fraudsters, if you will, all working together.

You can think of it much like a business. They are making money. They want to be efficient. Each person has an individual role in that business, if you will, that they're going to master and get better at. So it's not just getting across and trying to trick this one person that's doing these attacks. It's an entire entity that we're trying to work against. And because of that, it can be difficult as they constantly change tactics and techniques.

But again, with this data dump, if that individual just wants that data, they might sell that to some other attacker who is then going to use it to set up and actually ask for a wire transfer, or things of that nature. So sometimes the information itself is just as important as the business email scam where they're just asking for funds.

The last demonstration I have is the most sophisticated one. So bear with me as we go through this. We're going to cover quite a bit of techniques here.

But just to kind of set the landscape, this is again going to have two separate victims. And this could happen. We're going to pick on commercial real estate. And attackers often do because they know money moves around quite a bit. But this could be a different area in government.

The business line is not really important. What's important is how they're navigating through this, what the attackers are doing, and how intimate they are in these types of communications.

So what we're going to do is we're going to target a landlord. We're going to pretend to be a tenant. What we're going to do is convince this landlord to open a Word document that contains a piece of malware. That malware is going to give us full access to that landlord's computer.

With this access, we're going to grab as much information as we can. We're going to piece all that information together. And then we're going to target the tenants of that landlord, and ask them to transfer funds over to us.

So the difference here is we're not just compromising the email. We're going to get that full computer access. Again, this is the most sophisticated one, probably the least likely that you're going to see. But it's a good one to demonstrate because this type of attack is happening. And it's important to kind of get that awareness of what it looks like.

So we'll switch over here. All right.

So here we are on the attacker side. And we're going to set up again. We're going to use a phishing email to try and get our victim to open up a Word document with a piece of malware.

So you'll notice all of these phishing emails usually have an action-- click a link, send me money, open this document, et cetera. So the scenario we're going to use here is tailor-made for this landlord. It's very, very specific.

We're going to pretend to be one of his tenants. We might have figured that out by looking online, doing our own investigative research as an attacker to figure out who this tenant does business with. The landlord, excuse me, does business with. And we're simply going to say, hey, I have some questions about this Tenant License Agreement. Can you please view it here?

And so, what we're doing is, we're sending them a link. We're not suddenly sending them the attachment directly. Now, attackers will sometimes send malicious attachments directly. However, they tend to favor sending them as a link, because if I send an attachment, you think about it, a bunch of places can scan it. Your email inbox, all these different places, antivirus might pick it up, et cetera. If I send you a link, there is no file the scan until it gets to that machine. So it's less likely that I'm going to get caught as an attacker.

So here you can see, I'm going to reuse that same technique. We have a Bitly link that's sort of masquerading what's going on behind the scenes. Attackers don't always do this. Sometimes they buy a domain that looks similar. But the idea is, they're trying to make it fit the context of the scenario here so that it's more believable.

So we'll go ahead and send this over. And then we're going to go over to the victim's side and see what things look like here.

So we got a new email. It looks like can got an email from a tenant. Well, we'd better make sure that we open this link up and make sure everything's OK.

So if we click the link, at first glance, this looks like a dropbox page with a 2019 Lease Agreement. Up at the top, again, if we look at the address bar, this is not Dropbox. There's an indicator there. And also, you'll notice it's asking me to download a file. I didn't click anything yet. It's almost forcing me to do it.

So we'll do what we shouldn't do, and download that file and open it. So this is a legitimate Word document. But here's the next phase here. So if you're familiar with macros in a Word document, all these are, are just scripts that run in the background.

What's important to know here, though, is the malware has not run yet. And it cannot run until the user clicks Enable Content in the document. So to further trick our victim to do that, we've put this fake image up.

So if we look at this Word document, it says McAfee Secure. This document has been secured by McAfee. To view, this click Enable Content. So they're actually using security against them, into believing they're doing something to help protect the document, when in fact, it's not.

If we scroll down, we can't view the document until we do that. So you'll see it's in Protected view. We click Enable Editing at the top. And then we have a big security warning that says Macros Have Been Disabled, Security Warning. So we're getting mixed signals here. Microsoft is trying to tell us, you might not want to run this. But this big McAfee Secure fake image is suggesting we should do it.

So we'll do what we shouldn't, for the sake of the demonstration, and we'll click Enable Content. What happens is, that image goes away. We see the commercial lease agreement. In the background, however, malicious software is running and establishing a remote connection between the victim and the attacker machine.

So we'll go ahead we'll close the Word document. We'll pretend we're done with it. We'll exit out of the site. And then we'll go back to work. Everything appears to be normal.

We switch back to the attacker machine, we are just getting started here. So this might not look like much, but I now have remote access to that computer. So everything that victim has access to in their computer, we also have access to. And we're going to first figure out what's going on by taking a screenshot.

So I want to take a picture of this user's desktop and figure out, what is that user seeing right now? We'll kind of speed this up a little bit, you can see that. So here's the picture. It looks like they're working on a wire transfer form. They're going through their day.

So I'm also going to say, OK, well, what's on that computer? I'm going to look in their Documents folder. Looks like they have everything neatly organized. They have a tenant spreadsheet. So let's go ahead and download that. Looks like they have folders organized by properties and tenants.

So again, anything that victim has access to on the computer, we also have access to now. So we have a wire transfer form and a tenant's sheet that we're going to download.

And just for demonstration purposes, we're downloading just these two. But realistically, we could siphon off everything that user has access to on that computer.

So we're going to open these up and see what they look like. So this is very helpful. We have that wire transfer form that we can potentially reuse, a list of tenants that this landlord manages, the amount of money they pay each month, their address, their contact information, et cetera.

So before we move on, the last thing we're going to do is we're going to install what's called a key logger. What this is going to do is, in the background, it's going to log keystrokes. So anything our victim types on their computer is going to be sent back to the attacker. We're hoping that they type in something sensitive-- personal information, a user name and password, et cetera.

So we're going to go back to the victim and expedite this. So as an attacker, we might sit on that computer for five hours, five days, five weeks. However long it takes. But for the demonstration, we're just going to log out of email and log back in.

So this is different than the previous demo. This is the legitimate Microsoft Log In page. They're not going to a malicious site anymore. But the problem is that key logger is in the background. So again, every time they are typing on their keyboard, that's being sent back to the attacker. So we're going to steal their username a password this way.

And now they signed into their Outlook here.

Perfect. All right, so if we switch back over to the attacking machine, we should now have that username and password. So we can look and we can see right here, there's the email and there's that strong password. Again, it doesn't matter how strong it is if your computer is infected.

So at this point, we can kind of pick up, much like the other demonstration. We're going to go ahead log into their email account using this stolen user name and password, just to validate that that works. And it looks like it did.

So again, from here, we can start to search around in their email, again trying to pull up as much information as possible. It looks like he's having a conversation with a tenant here. They had some issues with parking and road construction, so that's interesting.

We can then validate, is this still a tenant? Yep, William Fodder. Here they are in the email. Here they are in that tenant spreadsheet that we pulled down. We know how much they pay each month. We know where that property addresses is, et cetera. So we're able to really pull a lot of pieces of information together with this access, to really make a very believable email to our second victim, which is going to be William Fodder.

So William, again, is a tenant who is now going to get an email from his actual landlord with very accurate information and new instructions on where to send his next payment. So we'll kind of set this up. William, we have made some changes to our wire transfer process. Please review the attached PDF for the updated process and use this for your next payment.

Of course, if you remember, we already downloaded, in this example, they use wire transfers. To that PDF document that they are using, took that from our first victim. So we can open that back up and modify some of the details in that spreadsheet.

Kind of speed this along here. Again, just modifying who we're transferring it to, the account numbers, et cetera. We're also going to cross-reference this, make sure that we have the right amount happening here, that everything lines up when our victim gets this.

We'll attach that new transfer document and go ahead and send it over. So this is going to be very, very believable. If you're William, you're getting an email that's going to look very legitimate. So it's pretty likely that they're going to end up falling for that and sending that new payment over.

All right. So we'll kind of switch gears here. Hopefully that's helping increase a little bit of awareness. But I don't want to leave you with just a cloudy day, a bunch of problems and no solutions. So we're going to spend a little bit of time talking about what you can do about this. What are some prevention strategies in response? So now that I showed you how to break into the car, how do we protect it?

One very simple piece-- and this is more important now than ever, because of COVID-19, the huge increase in work from home. But your cyber security posture at home impacts your cybersecurity posture at work. It's not different. To an attacker, it's all interconnected. So everything that you're posting online-- LinkedIn, Facebook, Instagram, et cetera-- these attackers are going to use against you.

It might seem simple, like simple information. But all those details added together are going to make those emails, if they're using an email, more believable, the way down to like something simple, like your location. If they know you live in Minnesota, for example, if you get an email about something that's related to Washington, that's going to raise a red flag for you.

So they have to make sure they go through all of these details and make a very informed impact. They can also guess your email address, based on the formatting. So all the stuff that you might think is personal or internal information only, rethink that.

Especially for government, a lot of that, like I think we said earlier, is posted online. There has to be a certain level of transparency there. And unfortunately, that can sometimes be used against you. So just because an email looks believable, it doesn't mean it's real, or doesn't mean it's legitimate, rather.

So again, Preventing Risk with Enterprise Strategies. So some things that we can do. Avoid free email accounts. Register similar domains. So if you're working with domains that have maybe different names or similar letters that look the same-- I think we had it earlier where there was American Company, replacing that "M" with an "N" is a common technique.

Two-factor authentication is huge, whether it's for email or your payments. So in the demonstrations where we stole those email username and passwords, if they had two-factor authentication enabled, I wouldn't have been able to log in. I would have put my username and password in, and then it would have asked for that second piece of information. And the victim would have been texted with a second factor code, which they did not expect.

So that is not only a good indicator, if you get a code for two-factor authentication that you didn't try to log into, that's a good indicator for you that something suspicious is happening. But it also helps prevent an attacker from reusing those credentials.

And then, of course, intrusion detection systems that can help flag certain emails and certain activity that's happening on the network and on your computer.

Then, of course, moving on to some personnel policies. Again, be careful what you post online. Immediately report anything that's suspicious or that you have a weird feeling about. Scrutinize all email requests. I like to pick on-- we'll pick on car salesmen for a second here, because I think most of us can relate to that.

But if you've ever worked with a car salesman, or any salesman at all, you know that feeling, when you kind of feel like you're not in control of the conversation anymore. Something feels off. You feel like you're being pressured into doing something that you don't typically want to do.

That's a red flag. that is an opportunity for you to take a step back. Maybe talk to another co-worker. Maybe validate what's going on, if you're an outside channel. Listen to that feeling because that is the same feeling that you might feel if you're a potential victim of a fraudulent scam like this.

Understand your customer's habits. This is important. For example, if you typically do ACH transfers and they're asking for a wire transfer, that might be very suspicious. That might be a red flag.

Back to that first demonstration. Do not use the Reply in an email. This is a little strict. You can use the Reply, but just be sensitive and aware of that tactic where that Reply might change. If you click Reply, just take a second. Look whereas it actually replying to. Is it going where you intend it to go?

And then, of course, inquire about protective banking services. So wire transfer is what we used in all the demonstrations here. These attacks still apply if you're using ACH, or really any type of transfer, the attacker is just going to adjust to how you're working with those funds.

But there's things that you can you can do to make it better-- ACH filters, blocks, things like that to make sure that where you're sending money and where you're sending funds is where you expect it to go.

Now unfortunately, no matter what we do here, the attackers are going to constantly keep adapting. As long as they're making money doing this, they're going to continue to do it. So it's not out of the question that this might happen to you.

If it does, it's important to admit it and act immediately. If you've been in that situation or you find yourself there, it's OK. But the faster you're able to act, the better chance, the better odds that you're going to be able to get those funds back. So contact your customer service. Open a fraud case. Get in contact with your local FBI agents, if you can. And then, save all those messages and evidence.

So with that, I think we have some Q&A. I hope that this was helpful. And if anything, a little eye-opening in increasing awareness on what things look like from the attacker's perspective, in relation to some of these business email compromises and different fraudulent actions.

Great. Thanks, Jake. That was really, I think, pretty cool to see how fraud takes place from the perspective of the bad actors and the hackers. Interesting how easy it is to really see that.

We did have some questions asked during a registration process that we'll try to answer. And I would just ask that if there are further questions that you have, please reach out to your relationship manager or treasury management consultant with those questions, and they can help answer them.

The first question is, are there new products outside of [INAUDIBLE] Positive Pay or ACH to help combat fraud? And as Jake mentioned, there are. I would say two of the, I guess, most recent products that are out there that we see people moving to that are less risky, the first is Virtual Card.

So over the last number of years, many organizations have implemented the purchasing card. And over the past few years, the growth in moving those cards from a physical environment to a virtual environment has really started to grow. From a fraud standpoint, the benefit to using those cards is that each number is really a single use number to pay that vendor's payment. And then, therefore it's really hard for fraudsters to get a hold of. So that's one tool.

The other tool, which will be available soon at U.S. Bank, is something called account validation. That tool really allows our clients to get the status of an account, whether it's open or active, and the ownership of that account, before payments are made. So think about it as doing a pre-note, but you also get the ownership information. So you can confirm whether the ownership that you're being told matches the ownership on that account. And that product, like I said, is coming soon. It will be available and we think can reduce ACH fraud.

The next question was, what's the best way to handle ACH debits that are initiated by the customer? And really, the best way to handle those is using a debit block or a debit filter, and ACH Positive Pay. So for those vendors that you know we're going to debit your account, you can set them up with a filter so that only those vendors, only those account numbers can come in and debit your account.

Or if you want to, you can set up ACH Positive Pay, which will allow you to see that person coming into your account and approve it before the funds are sent out.

What are the best practices for managing threats from a treasury management perspective instead of an IT perspective? We have a handful of tips, let's say, for decreasing payment fraud risk. The first one is to enroll new vendors in ACH at the start of a relationship.

So as you on-board vendors, including ACH or enrollment-- or Virtual Pay, for that matter-- as part of the process helps reduce the opportunity for scammers to change that method, or to say, hey, you've been paying me by check. Now please pay me by ACH, because you're doing it at the start, where there's that interaction.

Reach out to your existing vendors and encourage them to sign up for ACH payments. Again, by you reaching out to them, you're verifying that they are who they are because you're initiating that contact. And you can then set them up in ACH, and then you're insured that you're talking to the right people.

We encourage that only offering ACH enrollment forms by phone is the best practice. As Jake said, I know that there has been a push to move people to electronic forms of payment. And I think it became commonplace to offer ACH enrollment on a website. That does create the risk that anybody can go out there and grab it. And it does happen.

We were just on a website recently, looking for some information for one of our clients, and noticed they had an ACH form on the website, and alerted them to that fact. But putting a phone number out there so people need to call you, and you can send it to an email that you know.

Also, as Jake said, always call back a known number. Don't rely on the number on a form to call people back, as a second form of verification. Have that information that was set up at the start, so you're calling people back that you know, using numbers that you previously verified.

And verifying those accounts by phone is the other tip that we have, to always double check, whether or not it's part of your process. And then using, like I said, those numbers that are known.

The last question that we had was, what are the threats to mobile devices, and how should we safeguard against them? Maybe, Jake, you can take that one.

Yeah, absolutely. So the mobile devices, that's a constantly changing space. But what I can say is, most attacks that we went over today would still apply to the mobile space. So being diligent, and looking at the emails, looking at the Reply, it all still applies. So what I mean by that is, if they're sending you an email and it's a link, just to type in and enter your username and password, it doesn't matter what device you're on.

However, people tend to have a more relaxed perspective of security when they're on their mobile device. So just remember, when you're getting communications to your mobile device, whether that's email, text message, et cetera, take these same practices and same checklists in your mind on validating who this email is coming from, where you're responding to, et cetera.

The last demonstration, when we talked about malware, that particular example would only work on a laptop. There is malware out there that you'll see on a mobile device. However, just because of the way that mobile devices are architected, it's a lot more difficult to pull off.

So typically speaking, when you're dealing with a mobile device, it's just going to be paying a lot more attention to the communications when you're moving back and forth on that device, just like you would when you're on a computer.

Great. Well, thanks, Jake. I know we're at the top of the hour. So I want to thank everybody for joining us today. Hopefully you got some new tips and tricks, and some insights on fraud that you can use to protect your organization. So thank you, and I hope everyone has a great day and a great rest of the week. 

PDF View

August, 2020

Insights for governments on cybersecurity and fraud prevention in an ever-growing digital environment

U.S. Bank leaders discuss how fraud and cybersecurity trends impact your government organization


Learn more »

Scroll to top