Nowadays the payment fraud landscape is changing quite fast, moving from classic schemes such as bank cheque fraud and faked manual payment orders to organized crime with corporates as targets.
2. ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Index
1. Definitions
2. Why you should be concerned?
3. Potential Impact
4. Fraud: Basic Controls
5. Changing Payment Fraud Landscape
6. Red Flags - Managing Payments
7. Risk and Controls: Beneficiary Change Requests
8. Combat Payment Fraud: Best Practices
9. Sources used and to expand knowledge
Definitions
Fraud: An act by one party, whether successful or not, to deprive another of something (goods, services, money,
etc.) by deception. Fraud also occurs when dishonest acts are committed without personal gain but are intended
to create a loss or risk of loss for another person or entity. This includes the intentional misrepresentation of
financial condition.
Social engineering: In the context of information security, social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access; it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
Cybercrime: Also known as computer crime, cybercrime is any crime that involves a computer and/or a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime is criminal exploitation of the Internet and is inherently a cybercrime. Cybercrime includes offences committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (chat rooms, emails, notice boards and groups) and mobile phones.
Cyber Security: Also known as “IT security” or “computer security”, cyber security is information security applied to computing devices such as servers and mobile devices (smartphones, tablets, etc.), as well as to computer networks, both private and public, including the whole Internet.
Why you should be concerned?
Currently the market offers a wide range of systems, products and services focused on computer security: antivirus, antispyware, firewalls, IPS, WAF, SIEM systems, etc.
All these measures are indispensable and have become a priority for any company or organization seeking to protect its assets, but social engineering has the advantage of using techniques that exploit vulnerabilities inherent in human beings and, as is well known, there is no patch or upgrade that provides effective protection against such attacks.
People are normally “the weak link in the chain”.
Potential Impact
• Financial loss
• Increased management time
• Loss of public trust & loss of corporate image
• Legal penalty fee
• Loss of new/existing customers
• Increased external/internal audit costs
• Company Morale
• Etc.
Fraud: Basic Controls
Understand the risk (internal / external)
Trust vs. Process (knowledge of people vs. formal processes in action)
Know your customers / suppliers
Know your employees (from recruitment to last day on the organization)
Training (best practices, awareness, etc.)
Changing Payment Fraud Landscape
Classic schemes (still alive):
• Faked manual payment orders
• Direct debit fraud
• Bank cheque fraud
New fraud opportunities rising:
• Organized crime
• Psychological expertise
• Corporates as targets
• Technology
• Corrupted communication
• Social networks
Local structures & processes:
• Local business knowledge
• Different ERP systems
• Established external relationships
• Diverse processes
Changing to harmonized services:
• Stricter segregation of duties
• One system
• Less local knowledge
• Distance to business
New environments bring new risks
Red Flags - Managing Payments
Alarmist or perhaps overly complimentary language
Abusive or aggressive requests to transact
Changes in a customer’s usual tone or demeanor
Suggestions of losing money if you fail to act
Senior officer name-dropping to rush transactions
Customers/suppliers calling in before callbacks can be made
Changes in a customer’s/supplier’s usual callback number
Customers/suppliers are rarely available via official channels
Customers/suppliers seem anxious to complete transactions
Customers/suppliers contact details that aren’t on file
Unfamiliar suppliers or altered transaction details
Additional system login steps or transaction pages
System instructions that “appear” mysteriously
Poorly written grammar, syntax or spelling
Fake letterhead, faxed or email instructions
Email address variations or domain name changes
Have you noticed?
Receive unsolicited calls from unknown contacts
Contact alleged customers on unusual numbers
Accept enclosed or unconfirmed contact details
Receive or act on unsolicited instructions
Click on unexpected, unfamiliar or fake links
Circumvent procedures with plausible reasons
Deal with a first-time or unknown beneficiary
Carry out instructions after a profile change
Make immediate or urgent payment changes
Remove close to all or an entire account balance
Approve an unknown or unfamiliar transaction
Transfer funds by or before an extended holiday
Transfer funds to a known secrecy haven
Transfer a small followed by a large sum to a beneficiary
Transfer funds to an alternative jurisdiction
Risk and Controls: Beneficiary Change Requests
The problems with fraudsters are that they . . .
• Make attempts to redirect payments.
• Seek to change beneficiary bank details.
• Hope you will accept forged letterheads.
• Attempt to notify you of new bank changes.
• Pose as new account managers/bank technicians.
• Hack senior email accounts to request a payment.
• Operate across markets, sectors, geographies.
• Work in more creative, sophisticated ways.
The ways to reduce the risk of fraud are to . . .
• Independently validate all change requests that you receive.
• Confirm agreements in writing with known contacts.
• Never deal with agreements from unknown requesters.
• Validate only via approved channels and contacts.
• Ensure beneficiary payment processes are robust.
• Always be vigilant to unusual requests or requests that contain red flags.
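To show how the red flags from the two "Red Flags - Managing Payments" slides and the controls above can be applied mechanically before a payment or beneficiary change is released, here is an added example (not part of the original slides). It scores a request against supplier master data on file; the field names, the sample supplier record, the placeholder IBAN values and the "five times the largest previous payment" threshold are all assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Supplier:
    """Supplier master data held on file (constructed sample, not real data)."""
    name: str
    email_domain: str                   # domain the supplier normally writes from
    callback_phone: str                 # number on file, used for independent callback
    iban: str                           # placeholder value, not a real account
    past_payments: list = field(default_factory=list)

SUPPLIERS = {
    "ACME Parts": Supplier("ACME Parts", "acme-parts.example", "+1-555-0100",
                           "XX00 PLACEHOLDER 0001", [1200.0, 1150.0]),
}

def red_flags(request: dict) -> list:
    """Return the red flags raised by a payment / beneficiary change request."""
    flags = []
    s = SUPPLIERS.get(request["supplier"])
    if s is None:
        return ["unknown beneficiary"]              # first-time / unknown counterparty
    sender_domain = request["sender_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != s.email_domain:             # email address / domain variation
        flags.append("sender domain differs from domain on file")
    if request.get("callback_phone") and request["callback_phone"] != s.callback_phone:
        flags.append("callback number differs from number on file")
    if request.get("new_iban") and request["new_iban"] != s.iban:
        flags.append("beneficiary bank details change")
    if request.get("urgent"):                       # immediate / urgent payment change
        flags.append("urgent payment change")
    amount = request.get("amount")
    if amount is not None and s.past_payments and amount > 5 * max(s.past_payments):
        flags.append("large sum after small payments to this beneficiary")
    return flags

def decision(request: dict) -> str:
    """Any bank-detail change, unknown beneficiary or two or more flags => hold and
    validate independently via the callback number on file, never via the request."""
    flags = red_flags(request)
    hold = ("unknown beneficiary" in flags or "beneficiary bank details change" in flags
            or len(flags) >= 2)
    return "HOLD: validate via callback to number on file" if hold else "OK"
```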
Combat Payment Fraud: Best Practices
• You want to PERFORM checks to reduce payment fraud risk
» Validate payment instructions for any new counterparty; the same authentication should be applied to any subsequent change requests received.
• You want to MANAGE high-value or high-risk transactions
» Set additional approval levels in your electronic banking system.
• You want to REDUCE business-wide transaction risk
» Segregate duties for sensitive and high-risk activities.
• You want to better UNDERSTAND social engineering
» Ask IS and/or group treasury for advice. Promote training.
• You want to know how to CHECK suspicious activity
» Review transaction reports and conduct frequent user audits.
• At all times follow IT security best practices regarding information security management.
• Make yourself familiar with policies like the Electronic Banking Security Policy and Best Practices for Payments.
• Whenever fraud (or an attempt) happens: report immediately to your manager in order to align with FICO and Treasury and coordinate next steps!
• After the attack is resolved, it is important to do a lessons-learned exercise to improve the knowledge gained from the real attack for future similar situations.
Sources used to expand knowledge
“Types of Phishing Attacks” | PC World
URL: http://www.pcworld.com/article/135293/article.html
“Hacking with Social Engineering. Techniques for Human Hack. Hacker World” (book in Spanish)
URL: http://www.ra-ma.es/libros/HACKING-CON-INGENIERIA-SOCIAL-TECNICAS-PARA-HACKEAR-HUMANOS-MUNDO-HACKER/89345/978-84-9964-539-1
“Stop, Thief! Best Practices in Fighting Payment Fraud” | Citibank | Author: Cheryl Gurz
URL: http://www.citibank.com/transactionservices/home/about_us/articles/docs/fraud_best_practices.pdf
“Bank fraud” | Wikipedia
URL: https://en.wikipedia.org/wiki/Bank_fraud
Questions?
Many thanks!
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro