Learn about the latest trends in cybercrime, their impacts, and how to safeguard yourself and your business. Discover the motivations behind cybercrimes and the risks associated. Stay informed to protect against identity theft, data breaches, and email compromises.
Cybercrime: How it Really Happens, New Trends, & How to Protect You & Your Company
September 11, 2019
Southwest Ohio Association for Financial Professionals (SWOAFP)

Darrin Steinmann, Director & Vice President, Fifth Third Bank Corporate Investigations, darrin.steinmann@53.com
Kevin Carpenter, Director, Risk Consulting Services, RSM US LLP, kevin.carpenter@rsmus.com
What is Cybercrime?
In the broadest sense, cybercrime, or computer-related crime, is crime that involves the internet, a computer system or computer technology. The computer may have been used in the commission of a crime, or it may be the target.
Source: https://en.wikipedia.org/wiki/Cybercrime
The Cost of Cybercrime
Cybercrime costs are unprecedented @ $22 Million per Year
• Organized criminals are exceptionally well-funded; the cost of cybercrime is expected to reach $2 trillion this year
• 90,909 NFL Quarterbacks
• 48,000 miles cost $499B in 2016 dollars; could replicate 4x over with cyber losses
Source: http://www.gartner.com/newsroom/id/2828722; https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#47a242633a91
Photo: sportingnews.com; By SPUI - National Atlas, Public Domain, https://commons.wikimedia.org/w/index.php?curid=945257
Who is Behind Cybercrime? What are Their Motivations?
• Hacktivists
• Org Crime/Fraudsters
• Nation-States
Motivations: Destruction, Theft, Disruption
Social Media: A Fraudster’s Dream
• 33% of Web users are attacked by cyber criminals through social networks
• You have a 69% chance of falling victim to cyber crime in your lifetime
• 3.5 new threats pop up every second (that’s 12,600 per hour)
Source: Fraudwatch International

Threats on Social Media
• Criminals LOVE social media
• They share information and sell services to one another
• Facebook offers the ability to see friends (and friends of friends) depending on privacy settings
• Very easy to create fake accounts
Source: Barracuda Labs Social Networking Analysis
The Stakes Have Never Been Higher
Anatomy of an Attack

Identity Fraud Reached an All-time High in 2017... and Continued in 2018
• 16.7 MILLION (up 8%): number of identity fraud victims in the U.S.
• 35%: For the first time ever, SSNs (35%) were compromised more than credit card numbers (30%) in breaches
• $16.8 BILLION: Amount stolen from U.S. consumers due to identity fraud
Image: https://commons.wikimedia.org/wiki/File:Fingerprint_picture.svg
Source: Business Wire - Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, According to New Javelin Strategy & Research Study: https://www.businesswire.com/news/home/20180206005363/en/Identity-Fraud-Hits-Time-High-16.7-Million
2017 Cybersecurity Timeline
• Apache Struts remote code execution vulnerability reported
• WannaCry ransomware worm first struck; most notably forcing some UK hospitals to shut down
• Honda motor plant shutdown due to WannaCry
• NotPetya ransomware attack emerges globally; total losses could exceed $1B
• Blueborne Bluetooth vulnerabilities first disclosed; exposed nearly all operating systems to risk
• Equifax credit bureau announces data breach impacting 143 million consumers; Apache Struts is cause
• Yahoo! reveals breach impacted all 3 billion of its users
• KRACK WiFi vulnerabilities disclosed; enables attackers to bypass WPA2 WiFi security
• Uber disclosed 2016 breach and payment to hackers to delete stolen data
• $600 billion lost to cybercrime globally in 2017
Lesson learned: The importance of timely patching
Sources: 2017 Year in Review: Cyber-Security Faces Challenges Old and New: http://www.eweek.com/security/2017-year-in-review-cyber-security-faces-challenges-old-and-new; Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data: https://www.nytimes.com/2017/11/21/technology/uber-hack.html; Have I Been Pwned?: https://haveibeenpwned.com/
Business Email Compromise (BEC): The Art of Deception
Compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
• A business is asked to wire funds for invoice payment to an alternate, fraudulent account
• Email accounts of high-level business executives are compromised
• An employee of a business has their email hacked

Business Email Compromise (BEC): The Art of Deception
• 17%: increase in BEC attacks last year
• 13: Average number of people targeted in an organization (attacks are typically low in volume, but more people are being targeted across more units and more identities are being spoofed)
• 1/3rd of BEC messages contain the word “payment” in the subject line (most attacks are designed with wire transfer fraud in mind)
• 11% of all email fraud attacks use ‘fake email chain’ messages, to give a realistic experience and appear more credible
Recent Headline
Insider at Heart of $1.8 Billion Fraudulent Transfer

Internal Fraud
• Typical organizations lose 5% of revenues each year to internal fraud
• The higher the perpetrator’s level of authority, the greater fraud losses tend to be
• Most fraud attempts go undetected for an average of 18 months
• 87% of occupational fraudsters have never been charged or convicted of a fraud-related offense
• Organizations with hotlines are much more likely to catch fraud by a tip
Controls:
• Separation of Duties
• Reconciliation Functions
• Analyze Resumes
• Establish referral process

Internal On-Line Banking Scam, November 2018
• Finance Director
• 16 Month Embezzlement
• 20 Yr. Employee
• No Prior Issues
• Detected by Bank
5 Security Things You Must Do
1. Know what’s on your network
2. Configure what’s on your network
3. Patch what’s on your network
4. Protect your administrative accounts
5. Train your employees

1. Know what’s on your network
If you don’t know what you have, how do you know if you need to patch it? Did you know it was here?

2. Configure what’s on your network
Apply consistent security settings across your network

3. Patch what’s on your network
• Apply patches consistently
• It’s not just Microsoft!
• 6 out of the top 10 vulnerabilities used in breaches and ransomware this year were not Microsoft patches

4. Protect your administrative accounts
• IT People: Do not use an administrative account for everyday activities
• Consider implementing two-factor authentication

4. Protect your administrative accounts, ctd.
Removing administrative rights from employee desktops will have a significant impact in reducing security issues

5. Train your employees
Of security breaches caused by an employee, 77% were unintentional

Sample phishing email:
Subject: Microsoft Outlook Upgrade Completed
We have successfully completed an important upgrade of Microsoft Outlook. The upgrade will provide unprecedented security and greater flexibility. As part of this upgrade your collaboration is required to avoid any disruption in email service. Please click the link below to login and confirm access to the upgraded service. Click here to login. Your prompt attention is appreciated. Failure to validate your information by November 18th, 2016 may cause disruption in your email service.
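The BEC slides and the sample phishing email above name concrete red flags: “payment” in the subject line, a request to redirect a wire to a different account, a “click here to login” lure with a deadline, a spoofed executive or IT identity, and a fake email chain. The screening script below is an added example, not code from the presentation or from the presenters’ firms; it turns those red flags into weighted indicators run over constructed sample messages (the Outlook text is the slide’s own sample; the BEC and benign messages, sender addresses, the internal domain example-corp.test, the weights and the hold threshold are all assumptions).

```python
"""Heuristic screening of inbound mail for BEC / credential-phishing red flags.

Added example, not from the presentation. Rules encode the indicators the
slides call out; weights and threshold are assumed values for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"   # assumed domain of the protected organization
HOLD_THRESHOLD = 5                      # assumed score at which mail is held for review

# (indicator name, weight, regex for the Subject, regex for the body) - one regex per rule
RULES = [
    # 1/3 of BEC messages carry "payment" in the subject (slide statistic)
    ("payment_subject", 2, re.compile(r"\bpayment\b", re.I), None),
    # "wire funds for invoice payment to an alternate account" pattern
    ("redirect_funds", 4, None,
     re.compile(r"(new|alternate|updated|changed)\s+(bank\s+)?(account|wire|routing)", re.I)),
    ("wire_request", 2, None, re.compile(r"\bwire\b", re.I)),
    # credential-harvest lure seen in the Outlook "upgrade" sample
    ("credential_lure", 4, None,
     re.compile(r"click\s+(the\s+link\s+below|here)\s+to\s+log\s*in", re.I)),
    # deadline / urgency pressure ("Failure to validate ... by November 18th")
    ("deadline_pressure", 2, None,
     re.compile(r"(failure\s+to|by\s+\w+\s+\d{1,2}|within\s+\d+\s+hours?|urgent|immediately|today)", re.I)),
]

# Display-name claims that are suspicious when the address is external (assumed list)
ROLE_CLAIM = re.compile(r"\b(ceo|cfo|controller|finance|accounts\s+payable|it\s+support|help\s*desk)\b", re.I)


def spoofed_internal_identity(msg):
    """Display name asserts an internal person/role while the address is external."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == INTERNAL_DOMAIN:
        return False
    return INTERNAL_DOMAIN in name.lower() or bool(ROLE_CLAIM.search(name))


def fake_reply_chain(msg):
    """'RE:'/'FW:' subject with no threading headers: a fabricated email chain."""
    looks_like_reply = re.match(r"\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I)
    return bool(looks_like_reply) and not (msg.get("In-Reply-To") or msg.get("References"))


def score_message(raw_message):
    """Return the indicators hit, a total score and a deliver/hold verdict."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    for name, weight, subject_re, body_re in RULES:
        if subject_re is not None and subject_re.search(subject):
            hits.append((name, weight))
        elif body_re is not None and body_re.search(body):
            hits.append((name, weight))
    if spoofed_internal_identity(msg):
        hits.append(("spoofed_internal_sender", 4))
    if fake_reply_chain(msg):
        hits.append(("fake_email_chain", 2))
    score = sum(w for _, w in hits)
    return {
        "score": score,
        "indicators": [n for n, _ in hits],
        "verdict": "hold_for_review" if score >= HOLD_THRESHOLD else "deliver",
    }


# Constructed samples. The first body is the slide's own phishing text; sender is assumed.
PHISH_SAMPLE = """From: Microsoft Outlook Support <alerts@outlook-upgrade.example>
To: staff@example-corp.test
Subject: Microsoft Outlook Upgrade Completed

We have successfully completed an important upgrade of Microsoft Outlook. The upgrade
will provide unprecedented security and greater flexibility. As part of this upgrade your
collaboration is required to avoid any disruption in email service. Please click the link
below to login and confirm access to the upgraded service. Click here to login. Your prompt
attention is appreciated. Failure to validate your information by November 18th, 2016 may
cause disruption in your email service.
"""

BEC_SAMPLE = """From: CFO Pat Morgan <pat.morgan.exec@webmail.example>
To: ap@example-corp.test
Subject: RE: Invoice payment

Following up on the thread below. Our bank details have changed; please wire
the invoice payment to the new account in the attached letter today. Handle this
from your side and confirm once sent.
"""

BENIGN_SAMPLE = """From: Alex Rivera <alex.rivera@example-corp.test>
To: ap@example-corp.test
Subject: Team lunch on Thursday

Are we still on for lunch Thursday? Let me know by noon.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The slide’s Outlook sample is held on the lure and deadline indicators alone; the constructed BEC message trips every rule, including the spoofed-executive and fake-chain checks that do not depend on any keyword; the benign message scores zero. In practice the hold action should route to a reviewer and the beneficiary-change request should be confirmed out of band, which is the control the BEC slide implies.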
Best Practices Summary
• Dual control
• Up to date patches / anti-virus software
• Strong authentication practices, dual factor
• Unique passwords for each site / system
• Do not click on links / attachments from unknown senders
• Red flags training and overall employee education
• Secure websites
• Set privacy controls on social media sites
• Consider cyber insurance
• Do not access confidential sites via public networks
• Limit access authority, delete former employees, limit the ability to move money
• Utilize tools (people and tech) to monitor for suspect transactions
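“Dual control” in this summary and “Separation of Duties” on the Internal Fraud slide are the same control applied to money movement: the person who initiates a payment cannot also approve it, larger amounts need more approvers, and a payment to an account that has not been verified out of band (the alternate-account BEC scenario) does not release at all. The code below is an added example, not from the presentation or the presenters’ firms; the threshold amount, the verification-by-callback register, the account identifiers and the user names are assumptions.

```python
"""Dual control / separation of duties for outbound payments (added example).

Assumed policy: every release needs at least one approver other than the
initiator; amounts at or above SECOND_APPROVER_THRESHOLD need two approvers;
the beneficiary account must already be in the out-of-band verified register.
"""
from dataclasses import dataclass, field

SECOND_APPROVER_THRESHOLD = 10_000.00  # assumed cut-off for a second approver


class ControlViolation(Exception):
    """Raised when a payment would bypass a required control."""


@dataclass
class PaymentRequest:
    request_id: str
    amount: float
    beneficiary_account: str
    initiated_by: str
    approvals: list = field(default_factory=list)
    released: bool = False


class PaymentDesk:
    def __init__(self, verified_beneficiaries):
        # Accounts confirmed by callback to a known phone number, never from the e-mail
        self.verified_beneficiaries = set(verified_beneficiaries)

    def required_approvals(self, req):
        return 2 if req.amount >= SECOND_APPROVER_THRESHOLD else 1

    def approve(self, req, approver):
        """Record an approval, enforcing separation of duties."""
        if approver == req.initiated_by:
            raise ControlViolation(f"{approver} initiated {req.request_id} and cannot approve it")
        if approver in req.approvals:
            raise ControlViolation(f"{approver} already approved {req.request_id}")
        req.approvals.append(approver)
        return len(req.approvals)

    def release(self, req):
        """Release funds only when every control is satisfied; returns the request."""
        if req.released:
            raise ControlViolation(f"{req.request_id} already released")
        if req.beneficiary_account not in self.verified_beneficiaries:
            raise ControlViolation(
                f"beneficiary {req.beneficiary_account} not verified out of band")
        needed = self.required_approvals(req)
        if len(req.approvals) < needed:
            raise ControlViolation(
                f"{req.request_id} needs {needed} approver(s), has {len(req.approvals)}")
        req.released = True
        return req


def can_release(desk, req):
    """Non-raising check used for reporting: True if release() would succeed."""
    try:
        probe = PaymentRequest(req.request_id, req.amount, req.beneficiary_account,
                               req.initiated_by, list(req.approvals), req.released)
        desk.release(probe)
        return True
    except ControlViolation:
        return False


if __name__ == "__main__":
    desk = PaymentDesk(verified_beneficiaries={"ACCT-VENDOR-001"})  # constructed register
    req = PaymentRequest("R-1", 25_000.00, "ACCT-VENDOR-001", initiated_by="alice")
    desk.approve(req, "bob")
    print("after one approval:", can_release(desk, req))   # second approver still needed
    desk.approve(req, "carol")
    print("after two approvals:", can_release(desk, req))
    changed = PaymentRequest("R-2", 4_000.00, "ACCT-NEW-999", initiated_by="alice")
    desk.approve(changed, "bob")
    print("changed beneficiary:", can_release(desk, changed))  # blocked until verified
```

The “changed beneficiary” case is the one to keep in mind: an e-mail asking to pay an invoice to a new account never updates the verified register by itself; that only happens after a callback to a number already on file, which is what limits the BEC scenario described earlier in the deck.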
Cyber Security is a Shared Responsibility We’re all in this together!
So….will you tell me your password? Jimmy Kimmel Cybersecurity
Questions? Thank you.