ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Ramiro Cid | @ramirocid
Payment Fraud
Index
1. Definitions
2. Why you should be concerned?
3. Potential Impact
4. Fraud: Basic Controls
5. Changing Payment Fraud Landscape
6. Red Flags - Managing Payments
7. Risk and Controls: Beneficiary Change Requests
8. Combat Payment Fraud: Best Practices
9. Sources used to expand knowledge
Definitions
• Fraud: An act by one party, whether successful or not, to deprive another of something (goods, services, money, etc.) by deception. Fraud also occurs when dishonest acts are committed without personal gain but are intended to create a loss or risk of loss for another person or entity. This includes the intentional misrepresentation of financial condition.
• Social engineering: In the context of information security, the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud, or system access; it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
• Cybercrime: Also known as computer crime, any crime that involves a computer and/or a network. The computer may have been used in the commission of the crime, or it may be the target. Netcrime, the criminal exploitation of the Internet, is inherently a cybercrime. It includes offences committed against individuals or groups of individuals with the criminal intent to harm the victim's reputation or to cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (chat rooms, e-mail, notice boards and groups) and mobile phones.
• Cyber security: Also known as "IT security" or "computer security", information security applied to computing devices such as servers and mobile devices (smartphones, tablets, etc.) and to computer networks, private and public, including the Internet as a whole.
Why you should be concerned?
The market currently offers a wide range of systems, products and services focused on computer security: antivirus, antispyware, firewalls, IPS, WAF, SIEM systems, etc.
All these measures are indispensable and have become a priority for any company or organization that wants to protect its assets, but social engineering has the advantage of using techniques that exploit vulnerabilities inherent in human beings, and, as is well known, there is no patch or upgrade that provides effective protection against such attacks.
People are normally "the weak link in the chain".
Potential Impact
• Financial loss
• Increased management time
• Loss of public trust & loss of corporate image
• Legal penalties and fines
• Loss of new/existing customers
• Increased external/internal audit costs
• Damage to company morale
• Etc.
Fraud: Basic Controls
• Understand the risk (internal / external)
• Trust vs. process (knowledge of people vs. formal processes in action)
• Know your customers / suppliers
• Know your employees (from recruitment to their last day in the organization)
• Training (best practices, awareness, etc.)
Changing Payment Fraud Landscape

Classic schemes (still alive):
• Faked manual payment orders
• Direct debit fraud
• Bank cheque fraud

New fraud opportunities rising:
• Organized crime
• Psychological expertise
• Corporates as targets
• Technology
• Corrupted communication
• Social networks

Local structures & processes:
• Local business knowledge
• Different ERP systems
• Established external relationships
• Diverse processes

Changing to harmonized services:
• Stricter segregation of duties
• One system
• Less local knowledge
• Distance to business

New environments bring new risks
Red Flags - Managing Payments
Have you noticed?
• Alarmist or perhaps overly complimentary language
• Abusive or aggressive requests to transact
• Changes in a customer's usual tone or demeanor
• Suggestions of losing money if you fail to act
• Senior officer name-dropping to rush transactions
• Customers/suppliers calling in before callbacks can be made
• Changes in a customer's/supplier's usual callback number
• Customers/suppliers are rarely available via official channels
• Customers/suppliers seem anxious to complete transactions
• Customers/suppliers contact details that aren't on file
• Unfamiliar suppliers or altered transaction details
• Additional system login steps or transaction pages
• System instructions that "appear" mysteriously
• Poorly written grammar, syntax or spelling
• Fake letterhead, faxed or email instructions
• Email address variations or domain name changes
Red Flags - Managing Payments
• Receive unsolicited calls from unknown contacts
• Contact alleged customers on unusual numbers
• Accept enclosed or unconfirmed contact details
• Receive or act on unsolicited instructions
• Click on unexpected, unfamiliar or fake links
• Circumvent procedures with plausible reasons
• Deal with a first-time or unknown beneficiary
• Carry out instructions after a profile change
• Make immediate or urgent payment changes
• Remove close to all or an entire account balance
• Approve an unknown or unfamiliar transaction
• Transfer funds by or before an extended holiday
• Transfer funds to a known secrecy haven
• Transfer a small followed by a large sum to a beneficiary
• Transfer funds to an alternative jurisdiction
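Several of the flags in this list are properties of the payment record itself rather than of the conversation around it (first-time beneficiary, payment shortly after a profile change, draining the balance, the day before an extended holiday, a small sum followed by a large one, a destination that differs from the account on file or sits in a high-risk jurisdiction). The following added example, not code from the deck, screens a constructed ledger for exactly those patterns so that a reviewer sees the flags beside each payment before release. Beneficiary records, the holiday calendar, the placeholder high-risk country code "ZZ", the payments and every threshold are assumptions.

```python
"""Screen outgoing payments for the transaction-pattern red flags above.

Added example, not taken from the deck. Beneficiary records, the holiday
calendar, the high-risk-jurisdiction list and the payments are constructed;
the thresholds are assumptions to tune locally.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Beneficiary:
    id: str
    country: str                    # country of the bank account on file
    details_changed: date | None    # last change to its bank details, if any


@dataclass(frozen=True)
class Payment:
    id: str
    when: date
    beneficiary: str
    country: str                    # destination country of this payment
    amount: float
    balance_before: float           # available balance before release


# Constructed master data and calendar.
BENEFICIARIES = {
    "SUPP-001": Beneficiary("SUPP-001", "DE", None),
    "SUPP-002": Beneficiary("SUPP-002", "FR", date(2024, 3, 20)),
}
HOLIDAYS = {date(2024, 3, 29), date(2024, 4, 1)}    # Good Friday, Easter Monday
HIGH_RISK_COUNTRIES = {"ZZ"}                        # placeholder; fill from policy

# Assumed thresholds.
DETAIL_CHANGE_WINDOW_DAYS = 30
DRAIN_RATIO = 0.90
TEST_PAYMENT_RATIO = 0.10
TEST_PAYMENT_WINDOW_DAYS = 14
EXTENDED_HOLIDAY_MIN_DAYS = 3


def non_business_day(d: date, holidays: set[date]) -> bool:
    return d.weekday() >= 5 or d in holidays


def before_extended_holiday(d: date, holidays: set[date]) -> bool:
    """True if d is followed by EXTENDED_HOLIDAY_MIN_DAYS or more non-business days."""
    run, nxt = 0, d + timedelta(days=1)
    while non_business_day(nxt, holidays):
        run, nxt = run + 1, nxt + timedelta(days=1)
    return run >= EXTENDED_HOLIDAY_MIN_DAYS


def screen_payment(p: Payment, history: list[Payment],
                   beneficiaries: dict[str, Beneficiary], holidays: set[date]) -> list[str]:
    """Return the red flags raised by one payment (empty list = none)."""
    flags: list[str] = []
    prior = sorted((h for h in history if h.beneficiary == p.beneficiary and h.when < p.when),
                   key=lambda h: h.when)
    ben = beneficiaries.get(p.beneficiary)
    if ben is None or not prior:
        flags.append("first-time or unknown beneficiary")
    if ben is not None:
        if ben.details_changed and 0 <= (p.when - ben.details_changed).days <= DETAIL_CHANGE_WINDOW_DAYS:
            flags.append("payment shortly after a beneficiary detail change")
        if p.country != ben.country:
            flags.append("destination country differs from the account on file")
    if p.country in HIGH_RISK_COUNTRIES:
        flags.append("destination is a high-risk jurisdiction")
    if p.balance_before > 0 and p.amount >= DRAIN_RATIO * p.balance_before:
        flags.append("removes most or all of the available balance")
    if prior:
        last = prior[-1]
        if last.amount <= TEST_PAYMENT_RATIO * p.amount and (p.when - last.when).days <= TEST_PAYMENT_WINDOW_DAYS:
            flags.append("small payment followed by a large one to the same beneficiary")
    if before_extended_holiday(p.when, holidays):
        flags.append("released on the last business day before an extended holiday")
    return flags


def screen_batch(payments: list[Payment], beneficiaries=BENEFICIARIES,
                 holidays=HOLIDAYS) -> dict[str, list[str]]:
    return {p.id: screen_payment(p, payments, beneficiaries, holidays) for p in payments}


# Constructed payment ledger.
PAYMENTS = [
    Payment("P1", date(2024, 1, 15), "SUPP-002", "FR", 5_000.0, 150_000.0),
    Payment("P2", date(2024, 2, 5),  "SUPP-001", "DE", 12_000.0, 160_000.0),
    Payment("P3", date(2024, 3, 11), "SUPP-001", "DE", 250.0, 200_000.0),
    Payment("P4", date(2024, 3, 18), "SUPP-001", "DE", 48_000.0, 200_000.0),
    Payment("P5", date(2024, 3, 28), "SUPP-002", "ZZ", 95_000.0, 100_000.0),
    Payment("P6", date(2024, 3, 28), "SUPP-999", "ES", 3_000.0, 100_000.0),
]

if __name__ == "__main__":
    for pid, flags in screen_batch(PAYMENTS).items():
        print(pid, "->", flags or "clean")
```

None of these flags is proof of fraud; a genuine supplier does move bank and sometimes country, and quarter-end payments do fall before long weekends. The value is that each flag names the callback or second approval the reviewer must obtain before release, and that a payment raising several flags at once (P5 in the constructed data) is held rather than argued about on the phone with whoever is pressing for it.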
Risk and Controls: Beneficiary Change Requests
The problem with fraudsters is that they . . .
• Make attempts to redirect payments.
• Seek to change beneficiary bank details.
• Hope you will accept forged letterheads.
• Attempt to notify you of changes to bank details.
• Pose as new account managers/bank technicians.
• Hack senior email accounts to request a payment.
• Operate across markets, sectors, geographies.
• Work in more creative, sophisticated ways.
The ways to reduce the risk of fraud are to . . .
• Independently validate all change requests that you receive.
• Confirm agreements in writing with known contacts.
• Never deal with agreements from unknown requesters.
• Validate only via approved channels and contacts.
• Ensure beneficiary payment processes are robust.
• Always be vigilant for unusual requests or requests that contain red flags.
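The controls above only work if the process refuses to let them be skipped under pressure: the callback must go to the number already on file (never to a number the request itself supplies), the person who validates must not be the person who logged the request, and a third person approves before master data changes. The following added example, not code from the deck, encodes those three rules as a small state machine over a constructed supplier record; each refused step is written to an audit trail instead of silently failing. The master data, user names, request and the set of approved validation channels are assumptions.

```python
"""Enforce the beneficiary-change controls listed above as code.

Added example, not part of the original deck. The supplier master data, the
users and the request are constructed; the rules implement the slide's
controls, and the set of approved validation channels is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed master data: what we already hold for each supplier. The callback
# number stored here is the only one a verifier may dial.
MASTER = {
    "SUPP-001": {"account": "ACCT-OLD-1", "callback": "+49 30 000001",
                 "details_changed": None},
}

# Assumed list of channels that count as independent validation. Replying to the
# e-mail that carried the request, or dialling a number it contains, is not one.
APPROVED_CHANNELS = {"callback-to-number-on-file", "in-person", "supplier-portal-mfa"}


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    requested_by: str           # our employee who logged the request
    received_via: str           # "email", "letter", "fax" ...
    contact_in_request: str     # number/address the request asks us to use
    status: str = "requested"
    verified_by: str | None = None
    approved_by: str | None = None
    audit: list[str] = field(default_factory=list)

    def refuse(self, why: str) -> str:
        self.audit.append(f"REFUSED (state={self.status}): {why}")
        return why


def verify(req: ChangeRequest, verifier: str, via: str,
           number_dialled: str | None = None) -> str:
    """Independent validation step. Returns "ok" or the reason it was refused."""
    if req.status != "requested":
        return req.refuse(f"cannot verify a request in state {req.status}")
    if via not in APPROVED_CHANNELS:
        return req.refuse(f"{via!r} is not an approved validation channel")
    if verifier == req.requested_by:
        return req.refuse("verifier must be a different person from the requester")
    if via == "callback-to-number-on-file" and number_dialled != MASTER[req.supplier]["callback"]:
        return req.refuse("callback must use the number on file, not one taken from the request")
    req.status, req.verified_by = "verified", verifier
    req.audit.append(f"verified by {verifier} via {via}")
    return "ok"


def approve(req: ChangeRequest, approver: str, today: date | None = None) -> str:
    """Four-eyes approval; only this step touches master data."""
    if req.status != "verified":
        return req.refuse(f"cannot approve a request in state {req.status}")
    if approver in (req.requested_by, req.verified_by):
        return req.refuse("approver must differ from both requester and verifier")
    rec = MASTER[req.supplier]
    req.audit.append(f"approved by {approver}: {rec['account']} -> {req.new_account}")
    rec["account"], rec["details_changed"] = req.new_account, today or date.today()
    req.status, req.approved_by = "approved", approver
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: an e-mailed change that supplies its own number.
    req = ChangeRequest("SUPP-001", "ACCT-NEW-1", "alice", "email", "+1 555 0100")
    print(verify(req, "alice", "callback-to-number-on-file", "+49 30 000001"))  # same person
    print(verify(req, "bob", "callback-to-number-on-file", "+1 555 0100"))      # number from request
    print(verify(req, "bob", "callback-to-number-on-file", "+49 30 000001"))    # ok
    print(approve(req, "bob"))      # four-eyes violation
    print(approve(req, "carol"))    # ok, master data updated
    print(*req.audit, sep="\n")
```

The `details_changed` date written on approval is what lets payment screening hold the first payment to the new account for a closer look; keeping it in master data rather than in the request means the hold survives even if the request record is later tidied away.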
Combat Payment Fraud: Best Practices
• You want to PERFORM checks to reduce payment fraud risk
» Validate payment instructions for any new counterparty; apply the same authentication to any subsequent change request received.
• You want to MANAGE high-value or high-risk transactions
» Set additional approval levels in your electronic banking system.
• You want to REDUCE business-wide transaction risk
» Segregate duties for sensitive and high-risk activities.
• You want to better UNDERSTAND social engineering
» Ask IS and/or group treasury for advice. Promote training.
• You want to know how to CHECK suspicious activity
» Review transaction reports and conduct frequent user audits.
• Follow at all times the IT security best practices for information security management.
• Make yourself familiar with policies such as the Electronic Banking Security Policy and Best Practices for Payments.
• Whenever a fraud (or attempt) happens: report immediately to your manager in order to align with FICO and Treasury and coordinate next steps!
• After the attack is resolved, it is important to do a lessons-learned exercise so that what was learned from the real attack improves the response to similar situations in the future.
Sources used to expand knowledge
"Types of Phishing Attacks" | PC World
URL: http://www.pcworld.com/article/135293/article.html
"Hacking with Social Engineering. Techniques for Hacking Humans. Hacker World" (book in Spanish)
URL: http://www.ra-ma.es/libros/HACKING-CON-INGENIERIA-SOCIAL-TECNICAS-PARA-HACKEAR-HUMANOS-MUNDO-HACKER/89345/978-84-9964-539-1
"Stop, Thief! Best Practices in Fighting Payment Fraud" | Citibank | Author: Cheryl Gurz
URL: http://www.citibank.com/transactionservices/home/about_us/articles/docs/fraud_best_practices.pdf
"Bank fraud" - Wikipedia
URL: https://en.wikipedia.org/wiki/Bank_fraud
Questions?
Many thanks!
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro
