Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Fraud and Cyber Insurance

Cyberwarfare, Payments Fraud
and Email Compromise
Webinar

Housekeeping
• 1 CPE credit in Information Technology - be sure to
participate in the polls to be eligible
• Webinar is being recorded - Slides and recording will
be emailed after the webinar
• 50 minute session
• 10 minute Q&A
• Send in your questions!

The contents contained within this slide deck may contain
basic and preliminary observations. We also refer to some
generally accepted principles for forensic investigations.
All observations are subject to further investigation and
explanation of facts and are therefore subject to change.
Additional evidence and forensic analysis may be required to
support any findings or observations.
Disclaimer

Objectives
 Introductions
 Understanding the Threats
 Cyber Criminals Monetizing Your Data; Fraud and Phishing and so much more
 B2B Fraud Statistics
 How a Cyber-threat actor(s) can destroy your business and why you are a target…
 Cyber Threat Intelligence: Know your enemy & vulnerabilities…
 How to Protect your business…
 Final Thoughts
 Ask an Expert…

Matthew Ferrante, Partner at Withum
Summary Accolades
• Sony Network Intrusions, Target Data Breach, Neiman Marcus, Banner Health Networks, etc..
• Cyber Services to SMEs, Global Enterprises, Businesses, Energy, Technology, Crypto, Manufacturing, Medical, etc..
• Criminal, Civil, Regulatory Actions, Class Action Lawsuits Technical Experts
• Barclays Global Security Transformation
• US Secret Service Top Electronic Crimes Expert
• Awarded by Debit & Credit Card Industry
• US Secret Service’s Director’s Citation
• US Department of Justice Awards for Invaluable Expertise
• Designed the First Title III Computer Network Wiretap in United States
• 65+ hackers apprehended Globally…
Summary Special Operations
> Disaster Recovery | Business Continuity Rebuild of NYFO after 09/11 Attacks
> Operation Firewall / Operation ‘Get Rich or Die Tryin’
> Joint Terrorism Task Force (USSS E-Crimes Support)
> 50th & Broadway: PBX Hacking, Access Device Fraud & Shoulder Surfing
> Al-Qaeda Network Takedowns: Netherlands, Middle East, etc..
This presentation is protected by U.S. copyright laws. Reproduction and/or distribution of the presentation without written permission of Withum is prohibited.
©2020 WithumSmith+Brown, PC All rights reserved.

Eric Jackson
vCISO for Withum Cyber Team
Background
• Developed Endpoint Security Programs for a Fortune 500 financial
• Director of security program for life and safety organizations, to include 911 services
• Incident Management Lead – multiple DOD organizations
• Trained offensive and defensive security teams for DOD and civilian orgs
• Developed “Internet range” for training offensive and defensive security teams
• Developed multiple custom offensive and defensive security tools
Technical Background
• Worked hundreds of incident cases for the military
• Experienced penetration tester
• Emulated hackers for DOD exercises
• Years of experience running security operations centers, thousands of incidents from cradle-to-grave
• Expert Lockpicker

Meet the Withum Cyber Team
US Secret
Service
US Central
Command US Air Force US NAVY

What We Do….

Steve Susnak
SVP Capital One Commercial Banking
• Steve joined Capital One in 2019 and is currently the Northern Region
Director for Treasury Management(TM) with responsibilities for both the
core middle market and multiple specialty segments.
• Prior to joining Capital One, Steve spent 15 years at PNC Financial leading
a nationally based TM sales segment covering both general diversified
industries and financial institutions.
• His professional affiliations include membership with the National
Association for Financial Professionals (AFP), as well as multiple regional
associations. He has been a featured speaker on a variety of industry
topics at the regional and national levels.
• Steve received his B.S. in Economics from Allegheny College. He currently
serves on the board of the not-for-profit Laurie Ann West Community
Resource, where he resides in Pittsburgh, PA with his wife and two sons.

Understanding the Threat Landscape

Breakdown Cybercrime Economy in Profits
• Illicit Online Markets: $860 Billion
• Theft of Intellectual Property or Trade Secrets: $500 Billion
• Data Trading: $160 Billion
• Cybercrime-As-A-Service: ~$1.6 billion
• Ransomware: $1 Billion

Cyber Security Stats and Facts
Source: IBM/Ponemon
$1.5 Trillion
$6 Trillion by 2021
14 Sec. | 11 Sec. 2021
USA
146 Billion
$242 per record
$8 Million
• Cybercrime economy in profits:
• Cybercrime Damages:
• Ransomware Attacks:
• Top Country Targeted:
• Est. Records Exposed 2018 - 2023:
• Est. Cost Per Record Exposed:
• Average Cost of Data Breach:
• Dark Web Cybercrime Toolkit Cost:

COVID-19 Related Cyber Attack Statistics
Since COVID-19 pandemic began:
• Cyber attacks up 500%
• Google has been blocking 18 million COVID-19 related phishing emails and
malware daily
• Spear-phishing attacks increased 667%
• FBI complaint center for internet crime has received over 3,600 COVID-19 related
scam complaints
• COVID-19 related phone scams are on the rise
• Ransomware attacks increased 148%
• Average amount demanded for ransomware attacks increased 33%
Source: techjury

COVID-19 Related Cyber Attack Statistics (Cont.)
• 46% of businesses that started working remotely have experienced at
least one form of a cybersecurity attack
• Phishing websites have increased by 350%
• Between March 9th and March 23rd, over 300,000 coronavirus
keyword-related websites were created.
• Banks have experienced a 238% increase in cyberattacks
Source: techjury

Cyber Insurance

Accountability for Executives,
Board Members and Positions of Trust
Corporate Executive Accountability Act, which would impose jail time
on corporate executives who "negligently permit or fail to prevent" a
"violation of the law" that "affects the health, safety, finances or
personal data"

Motivation of Threat Actors
Impacts by Cyber Security Incidents

What Makes an Easy Target
• Complacency & Groupthink: Not us; besides it’s a quiet place!
• No Security Strategy: Lack of Chief Information Security Officer (“CISO”) CISO or vCISO
• Security as an Afterthought and/or Expensive
• Limited IT and IT Security Expertise
• Misconfigurations, Misconceptions, Miscalculations (“3M”)
• We’re in the Cloud!

2019 Reported Cyber Crime by Victim Loss
Source: FBI

Confidential
22
Confidential
22
The Scope of the Threat
66%
of respondents report
experiencing some form
of B2B payment fraud
attack within the past 2
years
Source: Capital One B2B Payment Security Research

Confidential
23
Confidential
23
Informational Purposes Only
Not a
priority for
leadership
Minimal
value add
Disruptive to
operations
Too
expensive
Difficult to
implement
In the
process of
updating
Need to
retrain
employees
User
friction
33%
29%
24%
20%
17%
15%
31%
11%
Businesses Report their Top Barriers to Updating Fraud Security
Neglecting the Significant Impact of Fraud

Confidential
24
Confidential
24
https://www.capitalone.com/learn-grow/business-resources/avoiding-business-fraud/
Source: 2020 AFP Payments Fraud and Control Report | www.AFPonline.org . The information contained herein is shared for educational purposes only to help clients protect themselves from fraud. It does not provide a comprehensive list of all types of
fraud, all departments that are vulnerable to fraud, or all best practices to tackle fraud. Nothing contained herein shall give rise to, or be construed to give rise to, any obligations or liability whatsoever on the part of Capital One.
Percentage Distribution of Organizations
Popular Targets of Fraud Within an Organization
Departments Most Vulnerable to Being Targeted by Business Email Compromise Fraud

Confidential
25
Confidential
25
B2B Payment Fraud by Attack Method
Within the past two years, has your organization experienced any of the below fraud attacks in regard to B2B payments?
Phishing/
Business Email
Compromise
Data
Breach
Note: N=225
Malware/
Ransomware
28% 27%
Account
Takeover
15%
Cashflow
scams
14%
Internal fraud /
Employee theft
13%
Other
1%
36%
The Most Common Methods of Fraud

Confidential
26
● A spoofed sender
domain
CEO fraudsters usually register a domain
similar to its target. Examples
About Business Email Compromise
From:
Sent: Wednesday, April 18, 2018 2:11 PM
To:
Subject: Re: INVOICE NO 17150 CIS# 105013
Were you able to initiate wire to ???
From:
Sent: Wednesday, April 18, 2018 3:48 PM
To:
Subject: Re: INVOICE NO 17150 CIS# 105013
Kindly, advise when wire is released.
● An urgent email
subject requesting
immediate
fund transfers
BEC scams typically use subject lines
that imply urgency regarding payment
inquiries or fund transfers.
● Position of the email sender
Cybercriminals employing CEO fraud typically pose as
someone influential in an organization.
● Body of the email
Scammers make it appear as if the fund
transfer is urgently needed and should be
executed as soon as possible.
From:
Sent: Friday April 6, 2018 3:07 PM
To:
Subject: Invoice No 17150 LLC
Could you please process this invoice from LLC. Kindly,
send me Wire Slip.
Thanks!!

How to protect a Business from Cyber Attacks
“Know your enemy and know yourself - Sun Tzu”

Business Destruction via Cyber
• Complacency
• False Sense of Security | Rubber Stamping Environment
• Check the Box Security | No Validation of Controls
• Not us…yes you!
• No Strategy / Plan
• Lack of Independent Security Audits
• Lack of Accountability
• Fix-on-Failure

Protect Your Business (Assessments)
• Threat Emulation Security Assessment
• vCISO / vCCO Analysis of Sec. Control Framework
• Business Continuity & Backup Assurance
• Incident Response Exercises
• ‘Trust; but Verify’
• OSINT (Open Source Intel Report)

Security Measures for Businesses
Secure workstations
• Lock our systems (Ctrl-Alt-Delete)
• Shut down systems not in use
• Run up-to-date virus scanning software
• Password protect files
• Apply software patches
• Run a desktop firewall
Backup Data
• Test backups
• Securely store backup media (offsite)
• Restrict access to who can perform restoration
Control Access to Data
• Only allow access that is absolutely required
• Don’t grant accounts because access “may” be
required
• Use least privilege access policies that state access
will only be granted if required, not by default
• Are accounts removed and passwords changed
when someone changes jobs or is terminated?
Physical Security
• Control access to sensitive areas
• Install cable locks
• Limited the amount of people who has access?
• Are sensitive documents secured?
Incident Response
• Do you Have a plan?
• When was it last reviewed and updated?
• Who gets alerts when something is wrong?
• Who contains/remediates it?
Perform Audits
• Evaluate internal/external controls
• Use third party for non-bias reporting
• Conduct regular penetration testing/scanning

Security Measures for Businesses (Cont’d)
Teleconferencing
• Create Virtual Waiting Rooms
• Use unique meeting ID’s and Passwords
• Lock down your meeting (If Applicable)
Remote Work
• Use VPN (Virtual Private Networks)
• Use 2FA / MFA
Others
• In-House CFI / Security
• Understand your Cyber Security Policy, e.g. what is REALLY covering
and under what terms and conditions
• Cloud: Use the right licensing to protect your staff and your
customers data, e.g. M5 vs O5 (Microsoft Example)
• Data Loss Prevention
• FIM Solution
• Threat & Intel

How to Protect your Businesses
Assess the Risks and Formulate a Plan
• Perform an objective analysis of your information, systems and processes. Your IT team is probably qualified, but a third
party with experience in cybersecurity is recommended to avoid any bias.
• Look for weak spots in your network and data security. Make evaluations and scans a regular part of your internal audit
processes. Conduct regular external assessments and scans to identify vulnerabilities.
Avoid Human Error
• Cyber risks are not just a problem with technology. It all comes down to protecting information, and anyone with access to
that information (staff, contractors, vendors, and even customers) must be responsible and accountable.
• Establish a culture of cybersecurity awareness. All staff should regularly be made aware of the most current threats and
attacks being used by criminals.
• Provide mechanisms to enable remote workforces to perform their functions securely, while limiting the organization’s
risk exposure due to human error.

How to Protect the Businesses (Cont.)
Be Prepared for the Worst
• It is important to plan your response in the event you are hit with an attack. A comprehensive and documented Incident Management
Plan is designed to guide the organization through a suspected security incident.
• Roles and responsibilities should be defined, such as who will carry out key tasks like forensic investigation and legal response. Most states
have requirements for reporting data security breaches. It is important that your team know who is responsible for understanding the
breach reporting requirements and reporting to the applicable state(s) in a timely basis to avoid potential fines and penalties.
Commonly Overlooked Risks
• Even with the best of planning, there are still risks that are often overlooked. Problems can arise from disparate IT systems, poorly
configured personal devices used on the corporate network, and when services are integrated with third party vendors.
• Hackers will find and exploit your systems weakest link, whatever it may be. It is important to know where all of these weak links are and
work toward securing them.

Confidential
36
Tech Tips
Make It Hard
for Them
Don’t Know….
…..Don’t Click
Process Tips
Please note the information and tips contained herein are shared for educational purposes only to assist our clients in the joint fight against fraud and should not be construed to
create obligations on the part of Capital One
Tips to Help Tackle B2B Fraud

Confidential
37
● Use strong and different passwords.
● Never put sensitive data
on unsecured computers.
● Consider adopting multi-factor
authentication.
● Use controls available to you.
● Never respond to suspicious emails,
open attachments or click hyperlinks.
● Use known phone numbers
to verify changes.
● Check sender’s email addresses.
Make It Hard
for Them
Don’t Know…
...Don’t Click

Confidential
38
● Carefully monitor account activity and
review all transactions on a daily basis.
● Leverage reporting and alerting tools
that your FIs provide.
● Evaluate your internal controls and
conduct an annual risk assessment.
● Maintain a high level of awareness
across your staff.
● Insist that your suppliers use the same
methods of identity authentication as you.
● Always update software and systems.
● Use anti-virus and anti-malware
software that updates automatically.
● Dedicate a computer exclusively for online
banking transactions, nothing else.
● Restrict administrative rights to install
software to IT staff.
Tech Tips Process Tips

For More Information, Please Contact
Withum Cyber
WCyber.info@withum.com
Eric Jackson
+1 (402) 867-7432
ejackson@withum.com
Stephen Susnak
+1 (646) 988-6035
stephen.susnak@capitalone.com

Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Fraud and Cyber Insurance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Fraud and Cyber Insurance

Similar to Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Fraud and Cyber Insurance (20)

More from Withum

More from Withum (20)

Recently uploaded

Recently uploaded (20)

Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Fraud and Cyber Insurance