Cyber Security and Fraud Prevention – Detective Constable Sam Kinkaid, PSNI; Maggie Hunter, RBS – PowerPoint PPT Presentation



SLIDE 1

March 2018

Cyber Security and Fraud Prevention

Detective Constable Sam Kinkaid, PSNI Maggie Hunter, RBS

SLIDE 2

Welcome

  • Risks – Cyber Security / Fraud
  • Common threats
  • Case Studies – what we are seeing in Northern Ireland
  • Social media risks
  • Help and Support
  • Questions
  • Takeaways

SLIDE 3

Key Message

The majority of cybercrime is preventable by taking simple steps to improve your cyber security.

SLIDE 4

Data Security

  • WHAT do you have that is worth protecting?
  • WHERE is your information held?
  • WHO do you want to protect it from?
  • HOW is your information protected?
  • WHO has access to your information?
  • WHAT are the risks and consequences of a data breach?

SLIDE 5

2017 Cyber Security Breaches Survey

Just under half (46%) of businesses surveyed identified at least one breach or attack in the last year. Of those:

  • 72% reported staff receiving fraudulent emails
  • 33% reported viruses / malware
  • 27% reported people impersonating the company
  • 17% reported ransomware

This is reflective of the cyber incidents experienced by NI businesses.

SLIDE 6

Criminal Office

SLIDE 7

Email attacks

  • Identifying the most effective phishing ‘hooks’ to get the highest click-through rate – run as a business
  • Enclosing genuine logos and other identifying information of legitimate organisations in the message
  • Providing a mixture of legitimate and malicious hyperlinks to websites in the message – e.g. including authentic links to the privacy policy and TOS of a genuine organisation
  • An increasing use of compromised ‘genuine’ accounts as the source of phishing emails, as a means of bypassing mail filters and previous guidance
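The third point above (a mix of genuine and malicious links) is the hook that most often survives a quick visual check. As an added example, not part of the original presentation, the Python script below takes a constructed sample message, extracts every hyperlink from its HTML body, compares the visible link text with the real destination, and separates the genuine on-domain links (privacy policy, terms) from the one that leads elsewhere. The bank name, domains and message text are invented for illustration; the domain-matching helper is deliberately crude and is noted as such.

```python
"""Pick out the phishing 'hooks' described above: links whose visible text
shows one site while the href leads to another, mixed in with genuine links.
Added example; the message below is constructed, not a real phishing email."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "bank" notice that mixes authentic-looking policy links
# with a credential-harvesting link dressed up as the real login page.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: accounts@victim.example
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please visit
<a href="http://examplebank-secure.co/login">https://www.examplebank.com/login</a>
to confirm your identity.</p>
<p><a href="https://www.examplebank.com/privacy">Privacy policy</a> |
<a href="https://www.examplebank.com/terms">Terms of service</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Good enough for .com/.co here; a real
    tool would consult the public suffix list so that e.g. bank.co.uk works."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyse(raw_message):
    """Classify each link as genuine (same domain as the sender) or suspicious
    (off-domain, or visible text naming a different site than the href)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registered_domain(msg["From"].addresses[0].domain)
    html_part = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(html_part.get_content())

    report = {"sender_domain": sender_domain, "genuine": [], "suspicious": []}
    for href, text in extractor.links:
        href_domain = registered_domain(urlparse(href).hostname)
        reasons = []
        if href_domain != sender_domain:
            reasons.append("link leaves the sender's domain")
        # The classic hook: text that looks like a URL for site A, href to site B.
        if text.startswith(("http://", "https://")):
            text_domain = registered_domain(urlparse(text).hostname)
            if text_domain != href_domain:
                reasons.append(f"text shows {text_domain} but href goes to {href_domain}")
        entry = {"href": href, "text": text, "reasons": reasons}
        report["suspicious" if reasons else "genuine"].append(entry)
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    for link in result["suspicious"]:
        print("SUSPICIOUS", link["href"], "->", "; ".join(link["reasons"]))
    for link in result["genuine"]:
        print("genuine   ", link["href"])
```

Note that the genuine privacy and terms links pass every check here, which is exactly why attackers include them: a reader who hovers over one of them sees the real bank and stops looking. The script flags the login link on two counts, so a mail gateway rule built on the same logic would not be fooled by the padding.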

SLIDE 8

Case Study – Account Compromise

SLIDE 9

Case Study – Account Compromise

SLIDE 10

Emails

  • Search your personal / work email addresses at www.haveibeenpwned.com
  • It will reveal any known data breach involving your email address and what other data may have been compromised.

SLIDE 11

Email Passwords

  • If I can compromise your email account I have the means to attack or reset any account you have linked to it.
  • The advice you probably use was created in 2003 by Bill Burr of the US National Institute of Standards and Technology (NIST) – he apologised for it in 2017
  • Current advice is to use three random words, together with any other requirement (i.e. a number or special character), to create a strong, separate password for your email.
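Two things from the last two slides are worth seeing in code: how much a three-random-words password is worth, and how haveibeenpwned.com lets you check a password without sending it anywhere. The following Python is an added example, not material from the presentation or from Have I Been Pwned. The Pwned Passwords range API works by k-anonymity: only the first five hex characters of the SHA-1 hash are sent, the service returns every matching hash suffix with its breach count, and the match is made locally. The script runs offline against a constructed copy of such a response (the one real entry is the well-known SHA-1 of "password"); in real use `fake_fetch` would be an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`. The 32-entry word list is a constructed stand-in for a real list such as EFF's 7776-word list.

```python
"""Three random words, with an entropy estimate, plus the k-anonymity check
that Have I Been Pwned's Pwned Passwords range API uses. Added example; the
word list and the API response below are constructed stand-ins."""
import hashlib
import math
import secrets

# Constructed stand-in word list. Real lists (e.g. EFF's 7776-word list) are
# far larger; entropy scales with list size, not with word length.
WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbour",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchard", "pebble",
    "quarry", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zephyr", "bridge", "copper", "desert", "engine", "forest", "glacier", "hammer",
]


def three_random_words(words=WORDS, separator="-"):
    """NCSC-style passphrase: three words chosen with a CSPRNG, not random()."""
    return separator.join(secrets.choice(words) for _ in range(3))


def entropy_bits(list_size, n_words=3):
    """Bits of entropy for n_words drawn uniformly (with replacement)."""
    return n_words * math.log2(list_size)


def range_query(password):
    """Split SHA-1(password) into the 5-char prefix sent to the API and the
    35-char suffix kept locally (the k-anonymity scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed response for prefix 5BAA6, in the API's line format. The last
# suffix completes the well-known SHA-1 of "password"; the others are made up.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2B1B7E5C7B3F2E6A1C9D8B4A3F2E1D0C9:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def fake_fetch(prefix):
    """Stand-in for an HTTPS GET of api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password, fetch=fake_fetch):
    """How many times the password has appeared in known breaches (0 = none)."""
    prefix, suffix = range_query(password)
    return count_in_response(suffix, fetch(prefix))


if __name__ == "__main__":
    candidate = three_random_words()
    print(f"{candidate}: ~{entropy_bits(len(WORDS)):.1f} bits from a {len(WORDS)}-word list "
          f"(~{entropy_bits(7776):.1f} bits from a 7776-word list)")
    for pw in ("password", candidate):
        print(f"{pw!r}: seen {breach_count(pw)} times in breaches")
```

The point of the range check is that a breached-password lookup can be built into a sign-up or password-change form without the form ever handling the clear-text password server-side; the suffix comparison stays on the client. The entropy figure is a ceiling: it only holds if the words are genuinely random, which is why the script uses `secrets` rather than picking words yourself.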

SLIDE 12

Case Study – Malware

SLIDE 13

Case Study – Ransomware

  • Infects the system as a malicious email attachment or through a remote desktop vulnerability
  • Runs quietly in the background encrypting files with common extensions, e.g. .jpg, .xls, .docx
  • New variants will spread from the infected machine throughout the network
  • Will encrypt any backup found accessible from the network

SLIDE 14

Protect against Ransomware

SLIDE 15

Remote Desktop

  • Remote Desktop is an application available through the Windows Operating System.
  • A useful system if the correct security settings are in place
  • Recent ransomware attacks have involved the use of remote desktop access and not email attachments – maybe a reaction to a rise in awareness
  • If compromised, malware including ransomware, keyloggers and remote access tools can be uploaded.

SLIDE 16

Remote Desktop

Ask the right questions:

  • Is RDP on?
  • Who set the password and how secure is it?
  • Is the system protected from a brute force attack?

Passwords seen by PSNI include: Password123, Passw0rd, guest, Administrat0r, querty123
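The third question, whether the system is protected from a brute force attack, has a concrete answer in the Windows Security log: every failed logon is event 4625, every success is 4624, and logon type 10 (RemoteInteractive) marks the ones that came in over RDP. The script below is an added example, not part of the presentation, that runs that detection over a constructed, simplified export (one line per event: time, event ID, logon type, target user, source IP; a real export from `Get-WinEvent` carries more fields). It alerts when one source IP clocks up more than a threshold of RDP failures inside a sliding window, lists the usernames tried, and notes whether a successful RDP logon from the same address followed the guessing, which is the point at which the slide's "if compromised" scenario starts.

```python
"""Detect RDP password guessing in Windows Security log exports: many 4625
(failed logon) events with logon type 10 (RemoteInteractive) from one source,
optionally followed by a 4624 success. Added example; the log below is a
constructed, simplified CSV export (time,event_id,logon_type,user,source_ip),
not real PSNI or customer data."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2018-03-12T09:00:01,4625,10,administrator,203.0.113.7
2018-03-12T09:00:03,4625,10,admin,203.0.113.7
2018-03-12T09:00:06,4625,10,guest,203.0.113.7
2018-03-12T09:00:09,4625,10,administrator,203.0.113.7
2018-03-12T09:00:12,4625,10,sam,203.0.113.7
2018-03-12T09:00:15,4625,10,admin,203.0.113.7
2018-03-12T09:01:30,4625,10,administrator,203.0.113.7
2018-03-12T09:02:00,4624,10,administrator,203.0.113.7
2018-03-12T09:10:00,4625,10,maggie,192.0.2.5
2018-03-12T09:11:00,4625,2,maggie,-
2018-03-12T09:40:00,4625,10,maggie,192.0.2.5
"""


def parse_events(text):
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(time),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),
            "ip": ip,
        })
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of RDP failures per source IP. Returns one alert
    per offending IP with the total failures, the usernames tried and whether
    a successful RDP logon from the same IP followed the guessing."""
    recent = defaultdict(deque)
    failures = Counter()
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:        # only RemoteInteractive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            failures[ip] += 1
            q = recent[ip]
            q.append(ev)
            while q and ev["time"] - q[0]["time"] > window:
                q.popleft()               # drop failures outside the window
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"users": set(), "success_after": False, "success_user": None})
                alert["users"].update(e["user"] for e in q)
        elif ev["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["success_user"] = ev["user"]
    for ip, alert in alerts.items():
        alert["failures"] = failures[ip]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)).items():
        status = "SUCCESS AFTER GUESSING - investigate" if a["success_after"] else "blocked / ongoing"
        print(f"{ip}: {a['failures']} RDP failures, users tried {sorted(a['users'])}, {status}")
```

In the constructed log the two failures from 192.0.2.5 half an hour apart are the kind of mistyped password the threshold is meant to ignore, while 203.0.113.7 cycles through `administrator`, `admin`, `guest` and `sam` and then gets in. The same logic is what an account lockout policy or a tool such as a fail2ban-style blocker enforces at the source; the detection is the check that the policy is actually in place.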

SLIDE 17

Case Study – Network intrusion

  • System compromised and usernames / passwords obtained
  • Suspect gains remote access to the network
  • Corporate information or access to financial transactions obtained
  • Internal and external risks

SLIDE 18

Fraud Risk - Social Engineering

Noun (in the context of information security): ‘the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.’

Oxford Living Dictionaries, 2016

SLIDE 19

Social Engineering

Phishing – Contact is made by email. The sender impersonates well-known companies or a colleague / friend. The purpose is to get you to click on a link or open an attachment.

Smishing – Contact is made by text message. The sender impersonates well-known companies – often banks – and may refer to suspicious activity on an account. The purpose is to get you to click on a link or phone a telephone number.

Vishing – Contact is made by telephone. The caller will purport to be from your bank, the police or a fraud agency (amongst others). The purpose is to get you to reveal information they need.

Malware – Malicious software such as Trojans or viruses, downloaded from phishing emails, illegal websites or ad banners. Financial malware sits quietly in the background until you access a UK online banking service.

SLIDE 20

Case Study - Vishing

  • Call received into the accounts team
  • Caller claimed she was from the bank’s Money Laundering Team and was investigating an incoming payment
  • Some information was provided by the caller
  • Caller said all payments were frozen
  • Requested information from the client to ‘unfreeze’ the account

SLIDE 21

Preventing Vishing

We will NEVER ask a customer to:

  • disclose their online banking log-on details, including Smartcard codes
  • transfer money to another bank account to protect them from fraud
  • enter a card PIN into their telephone keypad
  • hand over plastic cards or cash to protect them from fraud

If you receive such a call:

  • Immediately terminate a call where you have been asked to provide online banking credentials or other personal information
  • Do not feel pressurised
  • Verify who the caller is and why they are calling
  • If unsure, do not reveal any information
  • Call the bank as soon as possible
  • Independently find a number to use
  • Where possible, use a different phone line

SLIDE 22

Case Studies - Call Spoofing and Remote Control

! Please note – these are genuine products that are being abused by criminals !

SLIDE 23

Case Study – Remote Access

The victim received a phone call from a person claiming to represent their broadband service provider. During a 2 ½ hour phone call, the victim provided details to the caller and gave access to her computer via a remote access tool. The victim made one online banking transaction to the suspect; however, a further three transfers were made without her knowledge during the call. Loss: £19,000.

Also seen: over-payment / reimbursement. Note: Internet providers will not cold call customers.

SLIDE 24

Case Study - Phishing (Email Spoofing – Bogus Boss)

  1. Criminals spoofed an email address so that the message looked as if it had come from an executive within the company
  2. An urgent request was made to an employee to make a payment
  3. The request was timed to make it difficult to verify the instruction – Out of Office?

SLIDE 25

Case Study - Invoice Redirection

  • Beware of fraudsters posing as a supplier or creditor who tell you that the company’s bank details have changed
  • If you receive a request to make a new payment or to change bank details:
    – contact the supplier or creditor independently to validate it
    – avoid using the contact details contained within the request
    – confirm with your supplier or creditor that the payment has been received
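The bogus boss and invoice redirection cases on the last two slides both turn on a small number of header tricks that a mail gateway or a payments team can check mechanically: a known executive's name sitting on an outside address, a Reply-To that sends the conversation somewhere other than the From address, and a domain that is one or two characters away from the company's own. The Python below is an added example, not from the presentation or from any bank's product; the company domain, the executive directory, the messages and the distance threshold of 2 are all constructed or chosen for illustration, and that threshold will over-match on very short domains, so treat it as a starting point.

```python
"""Header checks for 'bogus boss' and invoice-redirection emails: a known
executive's name on an outside address, a Reply-To that differs from From,
and a lookalike of the company's own domain. Added example; the company,
people and messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "acme.example"          # constructed
# Constructed directory of people whose name a fraudster would borrow.
EXECUTIVES = {"jane ceo": "jane.ceo@acme.example", "tom cfo": "tom.cfo@acme.example"}


def edit_distance(a, b):
    """Levenshtein distance; small values flag typo-squatted domains such as
    'acrne' for 'acme'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message, company_domain=COMPANY_DOMAIN, executives=EXECUTIVES):
    """Return the list of red flags found in the message headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    flags = []

    # 1. Display name of a real executive, but not their real address.
    expected = executives.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display_name_impersonation")

    # 2. Replies quietly routed to a different domain than the sender shows.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply_to_mismatch")

    # 3. A domain a character or two away from our own (heuristic threshold).
    for addr in (from_addr, reply_addr):
        d = domain_of(addr)
        if d and d != company_domain and edit_distance(d, company_domain) <= 2:
            flags.append("lookalike_domain")
            break
    return flags


# Constructed samples (headers only; bodies are irrelevant to these checks).
BOGUS_BOSS = """\
From: "Jane Ceo" <jane.ceo@webmail.example>
To: payments@acme.example
Subject: Urgent payment needed today

"""
INVOICE_REDIRECT = """\
From: "Jane Ceo" <jane.ceo@acme.example>
Reply-To: accounts@acrne.example
To: payments@acme.example
Subject: New bank details for supplier

"""
LEGITIMATE = """\
From: "Jane Ceo" <jane.ceo@acme.example>
To: payments@acme.example
Subject: Q2 figures

"""

if __name__ == "__main__":
    for label, raw in (("bogus boss", BOGUS_BOSS), ("invoice redirect", INVOICE_REDIRECT),
                       ("legitimate", LEGITIMATE)):
        print(f"{label}: {assess(raw) or 'no flags'}")
```

None of these checks replaces the slide's advice to validate a change of bank details by an independent channel; a genuinely compromised executive mailbox (slide 7) passes all three. They do catch the cheap versions of the attack before a person has to make the call.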

SLIDE 26

Case Study - Smishing

  • The SMS sender ID is manipulated so that messages appear to come genuinely from your bank
  • A sense of urgency…‘Fraud on account’
  • Contain an embedded link or a telephone number to call
SLIDE 27

Social Media Risk

SLIDE 28

Bespoke Solutions

SLIDE 29

Secure your device

It takes just 2 minutes to protect yourself online
SLIDE 30

Help and Support

  • Ulster Bank: Security Centre
  • Take Five: takefive-stopfraud.org.uk
  • Get Safe online: getsafeonline.org.uk
  • Cyber Aware: cyberaware.gov.uk
  • Bank Safe Online: banksafeonline.org.uk
  • PSNI: Portal
  • Action Fraud: actionfraud.police.uk
  • Financial Fraud Action UK:

financialfraudaction.org.uk

  • @CyberProtectUK
  • #PSNICyberProtect
SLIDE 31

Advice

www.ncsc.gov.uk/smallbusiness

SLIDE 32

Bankline’s Golden Security Rules

We will never ask for your full PIN & password online: only 3 random digits from each are needed to log in

We will never ask for your PIN & password or any smartcard codes over the telephone: beware of imposters

We will never ask for smartcard codes to log in: these codes are used to authorise payments

We recommend you download Trusteer Rapport - free security software from ulsterbank.ie/rapport

SLIDE 33

SLIDE 34

Takeaways

  • Discuss threats and advice with five others
  • Think about the Case Studies – would you or your staff know how to respond safely?
  • Don’t wait for the call, e-mail, text or malware to arrive – plan now
  • Print off the Business advice and place it within your Business or Office

SLIDE 35

Disclaimer

This presentation was prepared by Ulster Bank and PSNI for information purposes and is for the sole use of the attendees at the presentation. Please do not reproduce the content in part or full without the prior permission of Ulster Bank and PSNI. The views expressed are not intended to be and should not be viewed as individual advice or as a recommendation. The presentation and any supporting documents should not be seen as advice or an invitation to offer any product or enter into any transaction in relation to the subject matter. Prior to entering into any transaction, you should consider the relevance of the information contained herein given your own objectives, experience, financial and operational resources and any other relevant circumstances. The presentation should also not be construed as investment, legal, credit, accounting or tax advice or that any investment or strategy is suitable for your individual circumstance. You should seek independent advice in respect of issues that are of concern to you.
