CYBER FRAUD: AN INCREASING RANGE OF THREATS


April 28, 2016, 2 p.m. ET

Unidentified Participant: With that, let's go ahead and begin today. This is today's PNC Advisory Series event, and it is my pleasure to turn today's call over to our moderator for today, and that is Daniel Larkin, Senior Manager for Cyber Fraud, Enterprise Fraud Group, for PNC. Dan, with that, I'll turn the floor over to you.

Okay, thank you. Good afternoon, everyone, and welcome to our PNC Advisory Series webinar, Cyber Fraud: An Increasing Range of Threats. Thank you for joining us today. As he mentioned, I'm Dan Larkin. I'm the Senior Manager for Cyber Fraud Investigations and Intelligence within PNC's Enterprise Fraud Group, and I will be your moderator today. Before we get started with our presentation, I wanted to highlight PNC's ongoing commitment to providing market insights, new ideas and best practices like you'll hear about here. Our commitment is reflected in the types of conversations our bankers are having with companies like yours every day. It also is reflected in our PNC Ideas Thought Leadership series, which features a monthly e-newsletter, live webinars, and a dedicated website, PNC.com/ideas, as illustrated on the slide you're seeing now. There are certain resources that are previous webinars, there are forecasts for upcoming education and webinar series that you can leverage through these resources.

PNC is pleased to offer CPE credits for this web session. It's imperative that you hear the following instructions to obtain CPE credit. To receive credit, you must be in attendance for a minimum of 50 minutes. PNC is not responsible for late arrivals or connection issues. There will be required polling questions, as mentioned, throughout the session, all of which you must answer. Please remember to click on the Submit button after choosing your answer. If you complete all the above, please allow up to five business days from the date of today's session to receive an email regarding your certification. This will contain instructions for how to download and print your CPE certification.

Okay, so let's get started with today's event. We're excited to have Howard Forman and Ann Mele with us today to present, and you can see their bios there on the screen. They will discuss how anyone with access to funds movement services needs to be aware of the latest fraud schemes and how to recognize potentially fraudulent or malicious activity. We will facilitate a Q&A session at the end, as mentioned. You can submit questions any time throughout the presentation using the Questions widget found on the lower portion of your screen. Also, for some guidance on Q&A questions, we'd ask you to try to keep your questions to some of the higher-level issues that will be relevant to the larger audience. If you have specific incident issues that you want to submit, you can add those in the survey that you'll be offered to take at the end of the presentation. And if you need some follow-up from additional PNC resources, we can possibly reach back out to you through that means.

Okay, so before we get started, let's go to our first polling question. You can see it on your screen. "Has your organization experienced any attempted or actual cyber-related fraud incidents in the last year?" Now, again, this question is worded pretty broadly because cyber fraud is a broad topic. It's continually changing. I can tell you one thing, or a couple of things about the nature of the threat out there. It's often international, it's changing all the time, the criminal elements that are behind this are extremely creative and resilient.

We're committed to learning more from folks like you and from other subject matter experts in the industry regarding what that changing nature of the landscape is. I'll give you a couple more seconds here and move on to see what the results are. Okay, so as you can see on the screen, we have about 65% of people who say yes, about 20% say no, and about 15% not sure. That's actually, I think, a fairly predictable percentage, and I think you're going to find today's presentation offering you some very good specific content about the nature of the threat out there today and some best practices you might consider and some other resources you might consider employing against that threat. That said, I'm going to turn it over now to Howard Forman, who's going to pick up on his portion of the presentation. Howard?

Thank you, Dan. Welcome, everyone, and thank you for joining us to discuss this very important topic. On this slide, we just have the topics we'll be covering in our session today. One of our goals for the session is to give you the information you need to create awareness within your organization of a few of the major types of cyber threats that can have a direct financial impact on your business. We're going to spend a fair amount of our time on compromises, where we have seen dramatic increases in attempted and successful incidents across the financial services industry. We'll go through a detailed analysis of these schemes and how you can recognize when they're occurring. And then we'll walk through some real case studies so you can see how some organizations were conned into making fraudulent payments. Another goal we have for today is to give you some very actionable fraud prevention ideas, techniques and tools that will help you protect your business from these threats. So we'll spend a good bit of time there as well. We do want to leave plenty of time for your questions, so we'll cover financial malware and ransomware if time permits. However, if we do run short on time, there is some really good information about those topics in the presentation materials you'll receive at the conclusion of the event that you'll be able to share and put to use. So if we don't get to cover those topics, you'll absolutely still get the information.

So we'll begin our discussion of compromises, which can go by a variety of names. You might hear them referred to as CEO impersonation, vendor compromise, impostor fraud. But let's look at some headlines and statistics first, and then we'll talk about the details. So one of the reasons why these compromises are proliferating with criminals is because they are, quite frankly, so effective. Just look here at the top of the screen and this news story, which I would encourage you to Google this information that was recently released by the FBI so you can really read the whole release. But just from this headline, you could see the magnitude of the problem. The $2.3 billion amount referenced is within the last two years or so, so that's really a shocking number for that period of time, to be sure. And another sobering statistic that is not on the screen here, but since January of 2015, the last 16 months or so, there's been a 270% increase in these reported incidents. Some of the individual losses throughout the industry involve eye-popping sums of money, I can tell you in the tens of millions of dollars. But for many businesses, even a loss in the tens of thousands or hundreds of thousands of dollars can be devastating. So you don't need to lose millions to really have a significant negative impact on your business. And that's really why we're here today.

So looking at our next slide here, this is some statistical information from the Association for Financial Professionals' most recent payments fraud survey, which was just released a few weeks ago. And while that first data point encompasses all types of payments fraud, not just those of cyber origin, but you could see how closely this compares to what we just saw with our own poll among our audience participants here, where well over 60, I think it was 65%, of you responded that your organization has experienced actual or attempted cyber fraud. So when we expand that to beyond just cyber fraud, it's not surprising we're getting a little bit higher percentage here in this study. We know from some of the other statistics on the screen that the sharp increase in payments fraud, to 73% in 2015, is largely due to compromises and, to a lesser extent, financial malware, both of which typically use wire transfers to carry out their heists. And you can see the quite dramatic increase in wire transfer fraud in that third statistic on the screen, the incidence more than tripling over the last two years.

So we'll move on and start talking about the specifics of compromises so we can start giving you the information you need to help create awareness in your organization. These attacks are not really very technically sophisticated, but they do rely on a good bit of social engineering and deception to carry out their crime. The basic scheme is a fictitious account, or in some cases, a compromised or hacked account which is used to communicate a request to initiate a payment or a request to change payment instructions for a common recurring payment, such as a supplier or a vendor payment. The emails are very effective because, to the recipient, they appear to be coming from someone that the recipient knows and trusts, for example, an executive at the company where they work or a known supplier. And the emails can be quite authentic-sounding because the criminals know how to gather the facts necessary to tell a compelling story, and they use social engineering to do that. And we'll talk more about those and share some examples with you in a moment.

So I want to break down the fraud scheme into its components. They are fairly unsophisticated methods that criminals are employing. For example, they can create a public account in an executive's name, or they will create an email domain that can appear to be the legitimate domain for the sender. Or in our third example, they create domains that are visually very close to the domain, with letter combinations that create a visual trick. So you can see these examples here: pnc.co, so the m is missing; lowes.com, where the w is replaced by two v's; homedepot.com, the m is replaced by the r and the n. With all of these examples, the alias, which is, that's the name that appears in your mailbox as the sender, that can be whatever the criminal specifies on the bogus account. For example, it could be the name of your CEO. Only upon close inspection and looking at the headers, which you may not even be able to see in your system unless you try to reply or forward the email, can you see the domain name. And even then, only upon really careful review might you notice the visual tricks or the variation in the domain name. Now, I'll mention here as a best practice, many companies are registering these variations of their company names to help cut down on the incidence of these types of fraud. So if you own the domain names that are close variations of your company's name, that can really be a best practice to help you reduce the likelihood of a fraudster or criminal creating a fake domain name.

In this fictitious example, we've highlighted how the fake domain was crafted with a visual trick, replacing a w in the company name ABC Steelworks with two v's. When you're reading the email, as I said before, you may not even see the domain name. And if you do, you're expecting to see it correctly, so the visual trick may not even be noticed unless you are really doing a very careful inspection. Some other common variations of how the domain name can be altered are shown in the larger blue box on the right side of the screen. And as you look at this example, there are other warning signs to be aware of. For example, here we have the salutation from John, the CEO, to Sue, the CFO. Maybe John doesn't refer to Sue as Susan when he communicates with her. And there are some other telltale signs, like warning of negative consequences if the payment isn't executed. And we'll be talking about those in a bit more detail on subsequent slides. I'm not going to get into them here, but I just wanted you to have this visual example to see what we were talking about with the domain name spoof and how some of these emails play out.

Let's take a couple of minutes to further step through another component of these effective fraud schemes, and that is the way the criminals construct the requests that compel the recipient to take action. Again, some of these methods are really not very sophisticated, but they are clever and they are effective. You might ask what's available on the Internet aside from a listing of your executive team. You might have public documents, like your SEC filings that list key financial employees. You might have dates and times of executive presentations at conferences or to industry analysts which, to a criminal, is a good indication that the executive is out of the office. Criminals scan social networking sites to learn about an organizational financial management hierarchy or to determine if somebody in that hierarchy is on vacation. Related to that, sending spam emails, looking for out-of-office replies from an executive. Again, any time you can determine if somebody's out of the office, that's a great time to try to pull off an impersonation of that individual.

There are more sophisticated attacks that involve actually compromising legitimate addresses, which usually occurs from a virus or some other type of software vulnerability exploits. Those fraud attempts using a compromised email box are especially dangerous. The domain names are correct and even the content of the email can be very, very legitimate-sounding because the criminals can use the knowledge obtained from the compromised mailbox when crafting their fraudulent request. You know, I recognize some of the information sources are just part of doing business. It's unavoidable to have some information on the Internet, like posting your SEC filings or other investor relations type of information. And we also recognize that if a supplier's email is compromised, it is really very difficult for you to know you're receiving emails from a criminal actor and not your trusted supplier content. So what we want to make sure you understand, it's your reaction, your employees' reaction to these requests, and the processes you follow when you receive one, that can really mean the difference between discovering the bogus request or sending potentially tens or hundreds of thousands of dollars to a criminal. And we'll keep touching on that theme and giving you some ideas on how you can improve your reaction, if you will, to these events as we go through the presentation.

On this next slide, we have the most common fraud scenarios we are seeing. I'm not going to go through all of these. My co-presenter, Ann, will be reviewing a number of case studies that give examples of these. But I do want to call out the last scenario on the slide, which is a relatively new variant of the scheme that we're seeing. There's not really a direct payment impact with this one, but this variation, posing as an executive that's requesting or needing employee W-2 information, which is pretty common around tax time, can result in a significant exposure of PII, or personally identifiable information, for your company. And when that happens, there are a number of cascading impacts I'm sure many of you are aware of, such as reputational damage, the need to provide identity theft monitoring and protection services to impacted employees, possible compensation for monetary losses. So while not a direct sending of money to a criminal, once they get that PII, there still can be some meaningful monetary damage that comes out of it.

Moving along here and looking at some characteristics of these emails in terms of what the requester is saying, you know, when we looked at that fictitious example we saw a few slides ago, we noted the visual trickery in the domain name, which was, again, replacing that w with two v's and noted that there were other warning signs in that example. And on this slide and our next slide, what we're seeing is the most common traits contained in these bogus requests. Typically, the request insists that the recipient not discuss it with anyone because it pertains to a very confidential transaction, an acquisition or an investment of some sort. And usually, the email implies there is some sort of negative consequence, like a fine, a late fee or a horribly negative business outcome if the payment is not executed. So the fraudsters are looking to create a heightened emotional response with the recipient.

We also typically see the requester asking for immediate confirmation when the payment is executed, which allows them to begin the process of quickly moving the funds throughout the financial system to impede any recovery efforts. And finally, the requester will often insist on email communication to avoid the recipient trying to contact the legitimate sender via telephone to confirm the payment, which would, of course, reveal the fraud if you did that. Some other characteristics can include poor grammar and punctuation, which I'm sure we've seen a lot of that if you've received some of these types of emails. Or the emails will have vague information on how to account for the transaction on your company's books. That's also a very common characteristic that we're seeing.

The examples on this page are not really about the common narrative and tactics the criminals use, but really more about the nature of the request itself and what's typical for your business and the sender being impersonated. So really need to think through this. This is where awareness and diligence is invaluable in helping your company avoid falling victim to one of these schemes. You know, you have to look at, is receiving an email from the executive requesting that a wire be sent a typical way of processing payments for your company? How is the email addressed to you or the recipient? Would the sender typically use that salutation, or would they typically sign their emails with a formal closing, for example, signing the email as Robert instead of Bob? We've had victims that really caught these crimes just through some small clue like that. The CEO never signed their email formally as Robert. He always signed his emails as Bob. An email came in signed by Robert. It created an alarm for the recipient, who then questioned the CEO directly, and that's when the fraud was discovered. These are really valuable clues to the recipient that something may not be right about the request.

One point this slide illustrates is the importance of having a well-defined process for your payment-related activities. And we're going to talk about this again in just a few slides. But relying on an email for moving large sums of money would not really be considered a best practice for such an important function. And while some senior executives may want to have the flexibility to request payments on demand as needed, stepping them through the mechanics of these compromise schemes can help them understand the risk of relying on informal mechanisms for payment initiation and really underscore the need for a well-thought-out process and procedure. But nonetheless, if using email is what your business prefers or needs, creating awareness of the typical patterns will certainly help the recipient more easily recognize those potentially fraudulent requests when they do occur. So with that, I think we should move to our next participant poll, and I'll ask Dan to take that over for us.

Howard, I got it. So you heard a lot of good examples from Howard on how cyber criminals exploit breakdowns in processes or procedures or the fact that certain processes or procedures don't exist. As he mentioned, the bad guys often try to make the situation very urgent and emotional. So we're asking now, "Does your company have documented policies and procedures in place for initiating and approving payments?" Let's take a couple of seconds to consider that question and answer the polling question. As an example, as we've walked through some of these BEC scenarios that we've encountered over the past year or so, we've suggested to certain clients that they have the CEO put out a communication to the entire staff saying, "You will never receive an email communication from me as the only means of authorizing a money movement request. There will always be another means to authenticate that." And that's been helpful, to take that at least option out of the bad guys' consideration. So that said, let's move on to the answers. Okay, great. Almost 83% do have documented policies and procedures in place. A pretty low number don't.

So now you're going to hear from Ann Mele, who's going to get into some specific case examples that we've experienced and show you some additional examples of how the bad guys have exploited these breakdowns. Ann?

Thanks, Dan. What I've prepared today for the audience are a few case samples which really demonstrate some attributes and techniques that are used for these types of frauds. And you will see on the slide there, we've also indicated a few flags, or a flag noted on this first case study, which relate back to the red flags that Howard covered a few minutes ago.

So let's take a look at our first case study, and it's titled, "The CEO's $80,000 Vendor Payment Request." The CSO from an online wholesaler received an email purporting to be from his CEO asking for a payment to be sent via wire transfer to a new vendor. So in examination of the email, it looked similar to many requests that they had received from the CEO over the years. It included new payment instructions, and then it insisted that all communications be sent via email. So that is a red flag. From an email communications standpoint, that would be a red flag to the recipient to say, "Hey, well, am I not permitted to call this CEO?" It does look familiar, but maybe there's a desire to reach out to validate. But also, an emotional response to say, "Hey, I'm being instructed to communicate via email." So there's hesitation there. The CFO had no reason during this event to suspect fraud and subsequently sent the payment to the requested account. And after hours, when they were meeting for lunch, actually, the CFO and CEO were having a conversation and the CFO confirmed that he sent the wire, and it was at that time that the CEO was puzzled and questioned, "What wire?" So again, it happened since they're at lunch that day, they're having a conversation, and the CEO is puzzled over that a wire transfer was sent without his authority. So the CFO, of course, left lunch, went back to the office and called the bank so immediate action could take place. But this really demonstrates, from a scenario perspective, that the dollar amount may not appear significant to many businesses. But again, mentioning earlier by Howard, it could be very devastating to smaller businesses or corporations when an $80,000 fraudulent activity takes place. So all the scams that we're talking about today, and in the case studies as well, they do affect businesses and corporations of any size, any type. So let's move on to the next case study, which you will recognize is much larger.

Our second case study, "Attorney in the Middle Gets $6 Million." The treasury manager for a large international corporation received an email purporting to be from her CEO indicating that the company was making a major acquisition in the next several days. And in the message, they demanded confidentiality and urgency. They warned if the word got out, the company could be fined by the SEC, which of course elevated the importance and the criticality to the reader. They named a law firm that was assisting with the purchase, and they said that the attorney would be authorized for the payments. So basically, it was the actual email indicating it was okay to a treasury manager for dealing with the attorney versus the CEO. So within an hour, the attorney called the treasury manager to request the first of two payments. So that was very persistent. It was more of an urgent situation within the hour, again tricking the treasury manager to feel that this is a trustworthy transaction. The treasury manager sent two wires over a six-day period to a foreign bank, and it totaled over $6 million. And then once that transaction and the second transaction was completed, she did call her CEO to indicate that the acquisition funding was complete. So that took place after six days. And at that point, that was when the CEO asked the question, who was making an acquisition? So again, it took a long period of time to conduct those two transactions, and towards the end of it, or within the six days after completed, is when the CEO got involved and indicated that it was not a legitimate transaction. So again, another example of the scam in a much larger size.

So moving on to our final case study titled, "Supplier Doesn't Really Have a New Bank Account or Their $200,000 Either." So this really points to something that was mentioned earlier by Howard, that the scam could also impact companies who are frequently making payments to a vendor or a supplier, so there's an expectation that a payment will be made on a recurring basis. In this scenario, an accounts payable manager for a small manufacturer received an email from a large supplier communicating a need to use a different bank account for an upcoming payment due to a bank account audit. The AP manager verified the address and sender as a recognized supplier, so at that point it did look legitimate. The email contained new bank account details for a legitimate payment that was coming due. So again, the AP manager updated the payment instructions on the bank's online system. There was no independent verification of the new account or any call back to the supplier at that point. And several days after the $200,000 payment was sent, the legitimate supplier contacted the AP manager inquiring about the payment status. And it was at that time that the supplier replied that they did not change their account number. So it was a clear indication that this was a scam. It was realized as fraud, and actions were taken.

So you may ask, "Well, what happens next in these types of scenarios? What's kind of the protocols?" And in all three of these cases, the victim companies did contact PNC as soon as the fraud was identified. And on behalf of the company victims, PNC does attempt to recover the fraudulently obtained funds. And we leverage certain protocols: wire recall opportunities, beneficiary bank indemnifications and, of course, the law enforcement assistance. And in these three case studies, PNC was able to successfully recover full or partial reimbursement for our customers. But I do want to point out that even in these three cases, and many others where recovery efforts are successful, the process is laborious and can extend over a period of time, so it can impact the business for a period of time until an investigation is complete and until we're able to receive recovery from funds from beneficiary banks.

So on to the next slide. I wanted to call out also for the audience that we do rely, as a financial institution, on support from federal and local law enforcement entities. And I pointed out here a few things that we rely upon in our partnership with law enforcement. We do rely on their assistance to lead a multi-agency international task force to help identify significant criminal groups impacting the financial industry. They implement proactive efforts to take control of the threat actor's network, so they're able to hone in on them and take the appropriate action to cease the activity. They lead proactive threat intelligence development and information-sharing protocols with PNC and other financial institutions, so we have intelligence and information that we can prepare as best as possible and help to respond. They develop and deliver PSAs, or public service advisories, on a consistent basis to better educate consumers and businesses regarding the changing cyber threat landscape. They also help to coordinate what they call an international kill chain. And this is really the effort that they leverage to enhance freezing and recovering monies that are fraudulently transferred on behalf of banks and clients. And they also lead proactive operations to aggressively target international subjects, which does result in positive arrests and prosecutions, domestic and internationally. So with that said, I will go ahead and turn it back over to Dan Larkin, and we would like to step the audience through fraud prevention.

Okay, thank you, Ann. Okay, so we're up to our next polling question. And as illustrated in this webinar today, I think you can take away the fact that we think that training is absolutely vital, and it's an ongoing effort that we're committed to stay part of with this ever-changing threat.

8 That said, our next polling question is, Does your company provide cyber awareness training to employees to help them recognize phishing s, ensure that they know not to open attachments from unknown senders, and know not to share company or personal information on social media sites? Again, as I said, we believe that training is going to be an ongoing component that we re going to continue to stay involved with. And hopefully, with your input throughout today s session, we ll have more meaningful sessions in the near future. So let s move on to the answers. Okay, so we ve got about 65% that say they do; that s great. 30%, no, and a smaller percentage don t know. So we re going to get into some fraud prevention specifics that we take part in here at PNC, and I m going to turn it back over to Howard to continue from here. Great, thanks, Ann and Dan. So I think the information we re sharing with you on this slide and the next slide is actually some of the most important information in the presentation, as it can really help you implement changes in your organization that you might need to help prevent falling victim to fraud. And, although we have not yet discussed financial malware and ransomware, some of these actions can help protect you against those threats as well. So these are pretty much some good practices all around. So, wonderful that 83% of you I think our poll said 83% of you had documented policies and procedures around payment initiations. That s fantastic. Hopefully, you can pick up, still, some good information here and tighten up those policies and procedures. And for those of you that don t have them, we really hope this encourages you to get something in place. But really, having those documented policies and procedures around payment initiation and managing updates to your supplier information, for example, in your accounts payable system is really one of the best ways to protect against these rogue payment requests. 
You could see on the screen some examples of components that should be part of your policies and procedures. For example, ensuring that requests are reviewed and approved by at least two individuals at your company, both changes and requests that touch your internal systems, like your accounts payable system or your vendor management master file, and in the bank system, the online portals that you re using to initiate payments. Requiring out-of-band verification really important. Calling your known contact at a known telephone number can protect you if your supplier s is truly compromised. With some of the scenarios we discussed today, like a supplier changing their bank account, that s a legitimate business need. Companies change bank accounts from time to time, and they need to communicate that to you. So it s how you respond to the request that can mean the difference between making a legitimate change and making a change that s going to send a payment to a criminal. So really important, that if you get something from the vendor saying change the payment instructions, you pick up the phone and call them at a phone number you know, not a phone number that s in the . You don t respond to the . Get a phone number that you know you ve spoken to this contact before, and use that to make the verification. So just to kind of close out this thought, if all the payment requests follow specific processes or workflows in your organization, it becomes really much easier for employees to identify requests that fall outside the normal pattern. Whether you require a physical piece of paper or you have a completely digital process, whatever works for your business, what s important is that the process is repeatable and it s enforced consistently. And I talked about this a little earlier, and again, I m going to repeat myself because it s important. Senior executives have to support and follow the process, because it does two things. 
First, it helps employees more easily identify requests that fall outside of the agreed-upon procedures. And second, it empowers employees that question the legitimacy of a request that originates outside of the agreed-upon procedure. Those employees need to feel that their actions, which are really intended to protect the company's assets, are not going to be met with negative consequences from an executive that doesn't adhere to the standard payment initiation process. So that's a really important point. Dan touched on it; I touched on it. And ensuring that the executives are buying in and supporting and agreeing to follow the process is really quite critical. So also critical is having ongoing employee education about current fraud threats. So it's great that 65% of our audience here does some form of training. But there's definitely some room for improvement there among the folks joining us today. The education has to be continuous, and that's because the threat landscape changes as the criminals refine their schemes, and what was previously an effective defensive technique can become less effective. General cyber security education and training needs to be a part of your employees' typical or formal learning curriculum. Just as you educate them on other important policies and procedures and industry developments or facets of your business, you need to educate them on cyber best practices. Employees that don't have direct payments responsibility can open the door to criminals if they open an infected attachment or visit an infected website and your virus defenses aren't able to stop the infections that they're getting. Likewise, if employees share information about your company on social media sites, or even something innocuous on a personal social media site about something related to work, it can be just enough information that gives criminals what they need to help stitch together these very effective and compelling emails. With the training, the regular, formal assessment of the employee's awareness level, what you could do in-house or you could use an outside party to do that, can really help you identify some knowledge gaps and target future training and education efforts. So it's important to see how that training is playing out in your company and if folks are really learning from it and are being good stewards of your cyber defenses.
The ideas on the next couple of slides are just some additional things your organization may want to do or some services you may want to use as part of your general payments practices and fraud prevention strategy. I won't review these in detail, but I would highlight a couple of these and definitely encourage you to review them when you receive the presentation materials. And treat them as a checklist of sorts that you can use as you're creating or reviewing your payments procedures. Some of these are best practices, but implementing an executive approval for certain high-dollar payments, that's something you may want to look at with your financial institution, where payments over a certain dollar threshold require one additional approval in the system before they're sent out. That might just give yet another independent review of the transaction and somebody might question why the payment is being made. And some financial institutions offer malware detection software, which is different than antivirus software. Malware detection software can detect things that antivirus software cannot, and that's really important for protecting you against malware that can harvest your online banking credentials. Again, we have some information on there, and I think we might get to that, or certainly you'll have it in the presentation materials. Other banking services worth noting that you may want to look at are text or email notifications for certain types of account activity. For example, if you have wires pending approval, if there are entitlement changes being made to your users' online privileges, if there are certain types of transactions posting against your account, getting a current-day view of information, not just a previous-day view. Those types of things can be very important and give you a clue when certain activity is occurring, so even if fraud does occur, the sooner you are notified of the fraud, the better your chances of recovery in that situation.
So these are really good services to think about as augmenting your toolkit. And lastly, I'll point out another best practice is having your system identify to the recipients when an email is received from an external source. It may be to just trigger that, you know, they should be extra cautious about opening an attachment or clicking on a link, as the example shows here. Or it could just be to create an awareness of, hey, this is coming externally from the CEO or the CFO. That doesn't make a lot of sense. Why would I receive an external email from the CFO to initiate a payment? So it could just be another trigger to help get somebody thinking about what have they received, who is it from, and what steps should I take now that I've received this external email asking me to do something like open an attachment because it's offering me free tickets to the football game this weekend. So with that, Dan, I think we should probably take a few of our participants' questions before we get into malware. And if time permits, we'll get into the malware discussion, but I want to make sure we get time to answer some questions.

Okay, thanks, Howard. Again, we'd like to open up the session for Q&A. And as a reminder, you can ask questions using the Q&A window located on your screen, if you haven't already. Click on the Q&A widget in the lower left-hand corner. Let's take a look at our first question here. Okay. Okay, a question from one of our participants. "Where do I find additional information and keep up to date on new types of threats that are out there?" Howard, I think that would probably be something that you would want to take.

Yes, I'll answer that, and of course, Ann can add anything as well. So there's a number of information sources. So for thinking just about PNC for a moment, for our clients, especially clients that use PINACLE, which is our corporate online and mobile banking portal, we will often post alert messages advising customers of the latest fraud schemes as we're made aware of them. Or if there's something particularly dangerous that we need to make our customers aware of, we will use our alerting capabilities. And there's also a security center in PINACLE, which is reachable from any page inside the portal. There's a blue shield icon that a user can click on. And in our security center is a lot of documentation. It contains links to replays of webinars like this. We have a number of white papers out there.
We have information on all of our security controls that are offered in PINACLE so your company can evaluate what additional tools and settings you want to take advantage of. We also provide some links to other information sources outside of PNC and outside of PINACLE, like the Internet Crime Complaint Center, I think, is there. We provide links, I think, to the FBI site. So there's really a number of external sources in addition to what the bank is providing. But we do provide an awful lot of information through PINACLE, through these PNC ideas, webinars and white papers. Ann, would there be any other external sources we should identify that I didn't name?

I think you covered everything.

Great. Thank you.

Okay, next question, and there's been a couple of variations of this question, but we'll try to make it a little more comprehensive. "Is there cyber insurance available for recovery of funds lost due to online criminal events?" Ann, I think you've had some experience in that arena.

Yes, I do know that it exists, even though I couldn't really say what companies are better than others. But there is cyber insurance that is available. From a [inaudible] perspective, it is worthwhile taking a look into it. Again, it's typically assisting the business to recover funds, but that insurance does assist when needed. And I think it is something that is worthwhile looking into.

I think you have to look at the specific policies that are available. Some forms of cyber insurance are protecting against data breaches. So if your organization is compromised and your data is stolen and there's PII or PHI in the data or trade secrets are stolen, they might insure that. You have to really make sure that the policy is covering something like we've talked about today, which is more of a theft issue. The money's been stolen from you.

There's some interesting information on the web about how these policies are constructed and the things that they do cover and don't cover. They can be pretty specific about what constitutes a theft versus somebody that is tricked into sending money to a fraudster may not be characterized as a theft. So like with anything like this, you have to do your homework and make sure you know what the policy's covering. And that's why I think these types of webinars, where you can articulate the specific cases that you're trying to protect against and get your insurance company to enumerate whether a particular case is covered or not.

Great. Again, this next question came in, in a couple of different ways, so I'll try to package it a little more comprehensively. The question was, "Are there available documented best practices for policies and procedures that companies could implement?" Ann, I think maybe you, but I think you both can touch on this one, actually. So you first.

I'm sorry. I had [inaudible]. So yes, from the sampling of documented policies and procedures, I would say more of a best practice approach. And some of the sites that Howard did relay earlier, there are best practices or tips or guidance that are available. And Howard, I know you've pointed to some policies and procedures quickly in this document as well that are best practices known in the industry from a protection perspective.

Yes, I think a lot of the information we provided is really a good foundation for building those policies and procedures. We will be posting some additional documentation throughout the course of the year to the PINACLE Security Center, and your relationship contacts will have access to it as well. It has a little bit more of a packaged approach to some resources, whether it's links to external sites to get additional sources of information or some of these best practices and checklist kinds of items that you can go through literally and check off: Do we do this?
Do we have this in place? So we have some of that, actually, on its way to being delivered out to our customers very shortly here.

Okay, there's a couple of questions again and we're trying to merge them together. One of the questions said, "How do I, or should I, involve law enforcement?" And a separate, more specific question said, "I've received several CEO-crafted emails in the recent past. Should we report this to a law enforcement agency?" Ann, I'll tee that up to you first.

So absolutely, we do recommend reporting to a law enforcement agency whenever you are victimized. So not only is it important to notify your financial institution, but absolutely any suspicion of such event should be reported to a local, state, federal law enforcement agency as well. And I believe, Howard, within the documentation we mailed to have guidance, and if not, we'll be sure to get that out to the audience as well. Anything you want to add there, Howard?

No. Ann covered it really well.

Okay. One more question here. "What type of activity should not be posted on social media sites? Can you give us some examples, like LinkedIn?"

Oh, gosh. So I think some aspects of social media are important. They're an important part of doing business, and some connections, it's difficult to avoid making the connections you want to make. I think whatever privacy settings you can set that allows only people in your network to see who you're connected with, that's probably an important setting to have. And that follows on that you only let people into your network that you know personally so that only people you know and trust are really able to see who you're connected with.

As far as posting personal details, again, things like if you're going to be on vacation, or if you are on vacation and a criminal knows that your role in the organization is the CFO, posting vacation pictures is something that a criminal might see and assume that you're on vacation. And that's a good time to craft an email, telling the treasurer, "While I'm out on vacation" (you know, right away it sounds authentic, because he knows you're out on vacation) "carry out the following payment request for me," and so on and so forth. So it just gives criminals bits and pieces of information they need to stitch together their stories. So even on your personal social media sites like Facebook, again, look at your privacy settings. See who's allowed to look at things that you post, and you may want to tighten that up and just, really, only the people that are personally connected to you can look at the pictures that you're posting or the things that you're saying on social media. You just never know what you say, how that can be carried down the line and turned into something that becomes a data point in an email.

Okay, thank you. Okay, so we've got a question here. "Are there any patterns detected on who these cyber criminals are: backgrounds, geographies, anything else that you can share?" Ann, do you want to take that one?

Well, I'll do my best there. So there are patterns that are recognized by the banks and law enforcement, domestic and international patterns that we see based on the criminal organizations that are generating these types of scams. So we do pick up on that. It could also pertain to patterns of beneficiaries, foreign institutions or domestic institutions, so we're able to pick up on that as well. So when we talk about patterns and trends, it could relate to location of the bank, the beneficiary bank. It could be the dollar amount of the transaction. I mean, you can notice patterns that certain criminal groups leverage.
Maybe they stay within the $80,000 to $100,000 range or multimillion-dollar range. So there's absolute patterns that we pick up on, and that also is a source of great intelligence for law enforcement agencies, is they're also working with multiple banks to aggregate information and be able to identify the criminal actors.

Okay, good. A couple of variations of this question, too, but the question was posed about how often training should be scheduled or refreshed. Howard, why don't you take a stab at that?

Yes, gosh, I don't think I have a standard answer to that. I would say annually at a minimum. I think that's typically what we see, is that the training itself is done annually at a minimum. But if you're testing employees for their awareness, in other words, you kind of see if they are clicking on links or opening attachments in intentionally designed phishing emails, that could indicate whether you need to do more frequent training or even more targeted training on specific fraud schemes, where you may want to try it quarterly. And if you're seeing improvements, then you could start stretching out the training. So I'm not a training expert, but I don't think there's any prescribed period. It seems like annual would be the minimum, but it could be more frequent, based on just the cyber awareness maturity level, if you will, of the folks in your organization. Once companies really start to push the education and even just make it a part of routine communications on your company's intranet site, where you might post an article here and there about cyber fraud issues, we see awareness going way up inside organizations, and the need for that sort of really formal training, where you're walking people through slides and having them take assessments afterwards, probably diminishes a little bit.

Okay, thanks.
I think we're running tight on time here, so I'm going to go with one last question here and combined from a couple of folks, asking, "Do these criminals ever get caught and prosecuted, and how helpful is law enforcement chasing down cyber criminals domestically and overseas? And does the banking industry actually find them helpful?" So I think, Ann, you have some good details there.

Of course. Sure, I could answer that. Well, I'll answer the last one first, with the banking industry finding it helpful. I mean, it's extremely helpful. I mean, it's a partnership when you're dealing with organized crime that you cannot live without. I mean, you need the law enforcement liaison, whether it's domestic or international. And they do, you know, quickly respond. They understand how large and how widespread and the magnitude of the issues that we spoke about earlier. They have, like I mentioned earlier, also a task force approach to it. So you're not stifled by just dealing with the United States law enforcement, but they have connections overseas as well. So it's a whole network of law enforcement that really rally around this threat to the financial industry, with the intent to identify the actors, bring down the criminal organizations. So it is definitely a relationship and a power, a strength that we have as financial organizations to leverage and work with our law enforcement partners. So I can't recall, Dan, the first part of your question, or did I answer it?

It was pretty much a blended question about does anybody ever get caught, and does the financial industry find law enforcement useful in tracking down and catching them?

And I will say there have been many successful arrests and prosecutions, domestic and internationally. Even though we did not go into the malware topic, I would speak to that same comment for malware as well. So not just only from a business compromise perspective, but also malware. So law enforcement also has many successful arrests and prosecutions in that space as well.

Okay, thanks a lot. In answer to a question that was asked repeatedly, yes, there will be a copy of this PDF available. And we're just about out of time. But I'd like to thank, again, Howard and Ann for a great presentation today. You both provided really great insight and perspective. I'd especially like to thank all of you for attending, though.
And again, a PDF of today's presentation, as well as a CTP certification credit and Trending Topics article called, "Internal Threats to Your Company's Cyber Security," is now available for you to download from the green resource list file folder widget in the lower center portion of your screen. You also see a link to a short survey on the screen. Again, your feedback is important to us, and we greatly appreciate your thoughts on today's session and the presenters and any other topics or enhancements to this presentation that we might consider going forward. This concludes our presentation for today, and thank you all again for attending.

The materials that you are viewing were prepared for general information purposes only and are not intended as legal, tax or accounting advice or as recommendations to engage in any specific transaction, including with respect to any securities of PNC, and do not purport to be comprehensive. Under no circumstances should any information contained in those materials or video be used or considered as an offer or a solicitation of an offer to participate in any particular transaction or strategy. Any reliance upon any such information is solely and exclusively at your own risk. Please consult your own counsel, accountant or other advisor regarding your specific situation. Any opinions expressed in those materials or videos are subject to change without notice. Investment banking and capital markets activities are conducted by PNC through its subsidiaries PNC Bank, National Association, PNC Capital Markets LLC, Red Capital Markets, Inc., and Harris Williams LLC. Services such as public finance advisory services, securities underwriting, and securities sales and trading are provided by PNC Capital Markets LLC and Red Capital Markets, Inc. Merger and acquisition advisory and related services are provided by Harris Williams LLC. PNC Capital Markets LLC, Red Capital Markets, Inc., and Harris Williams LLC are registered broker-dealers and members of FINRA and SIPC. Harris Williams & Co. is the trade name under which Harris Williams LLC conducts its business. The PNC Financial Services Group, Inc. All rights reserved.


More information

South Central Power Stop Scams

South Central Power Stop Scams Don t get tricked. People around the country have been receiving emails and phone calls from scammers. South Central Power wants to help you keep your money and prevent scams. Review the helpful tips below.

More information

Security & Phishing

Security & Phishing Email Security & Phishing Best Practices In Cybersecurity Presenters Bill Shieh Guest Speaker Staff Engineer Information Security Ellie Mae Supervisory Special Agent Cyber Crime FBI 2 What Is Phishing?

More information

Legal Aspects of Cybersecurity

Legal Aspects of Cybersecurity Legal Aspects of Cybersecurity John W. Mashni Taylor A. Gast (517) 371-8257 (517) 371-8238 jmashni@fosterswift.com tgast@fosterswift.com Alexander A. Ayar (248) 538-6326 AAyar@FosterSwift.com Risks Data

More information

Identity Theft, Fraud & You. PrePare. Protect. Prevent.

Identity Theft, Fraud & You. PrePare. Protect. Prevent. PrePare. Protect. Prevent. Identity Theft, Fraud & You Fraud and identity theft incidents claimed fewer victims in 2010 than in previous years. But don t get too comfortable. Average out-of-pocket consumer

More information

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?

WHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN? WHAT IS CORPORATE ACCOUNT TAKEOVER? Corporate Account Takeover (also referred to as CATO) is a type of fraud where criminals gain access to a business financial accounts to make unauthorized transactions.

More information

Incident Response Services

Incident Response Services Services Enhanced with Supervised Machine Learning and Human Intelligence Empowering clients to stay one step ahead of the adversary. Secureworks helps clients enable intelligent actions to outsmart and

More information

Best Practices Guide to Electronic Banking

Best Practices Guide to Electronic Banking Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have

More information

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad

More information

Data Protection and Information Security. Presented by Emma Hawksworth Slater and Gordon

Data Protection and Information Security. Presented by Emma Hawksworth Slater and Gordon Data Protection and Information Security Webinar Presented by Emma Hawksworth Slater and Gordon 1 3 ways to participate Ask questions link below this presentation Answer the polls link below this presentation

More information

Train employees to avoid inadvertent cyber security breaches

Train employees to avoid inadvertent cyber security breaches Train employees to avoid inadvertent cyber security breaches TRAIN EMPLOYEES TO AVOID INADVERTENT CYBER SECURITY BREACHES PAGE 2 How much do you know about cyber security? Small business owners often lack

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

Yammer Product Manager Homework: LinkedІn Endorsements

Yammer Product Manager Homework: LinkedІn Endorsements BACKGROUND: Location: Mountain View, CA Industry: Social Networking Users: 300 Million PART 1 In September 2012, LinkedIn introduced the endorsements feature, which gives its users the ability to give

More information

Keep the Door Open for Users and Closed to Hackers

Keep the Door Open for Users and Closed to Hackers Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed

More information

PBX Fraud Information

PBX Fraud Information PBX Fraud Information Increasingly, hackers are gaining access to corporate phone and/or voice mail systems. These individuals place long distance and international calls through major telecom networks

More information

DeMystifying Data Breaches and Information Security Compliance

DeMystifying Data Breaches and Information Security Compliance May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts

More information

Cybersecurity and the Board of Directors

Cybersecurity and the Board of Directors Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education

More information

New Zealand National Cyber Security Centre Incident Summary

New Zealand National Cyber Security Centre Incident Summary New Zealand National Cyber Security Centre 2013 Incident Summary National Cyber Security Centre 2013 Incident Summary Foreword The incidents summarised in this report reinforce that cyber security is truly

More information

Term Definition Introduced in: This option, located within the View tab, provides a variety of options to choose when sorting and grouping Arrangement

Term Definition Introduced in: This option, located within the View tab, provides a variety of options to choose when sorting and grouping Arrangement 60 Minutes of Outlook Secrets Term Definition Introduced in: This option, located within the View tab, provides a variety of options to choose when sorting and grouping Arrangement messages. Module 2 Assign

More information

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services Managing IT Risk: What Now and What to Look For Presented By Tina Bode IT Assurance Services Agenda 1 2 WHAT TOP TEN IT SECURITY RISKS YOU CAN DO 3 QUESTIONS 2 IT S ALL CONNECTED Introduction All of our

More information

Would you fall for the latest ingenious bank scam?

Would you fall for the latest ingenious bank scam? Would you fall for the latest ingenious bank scam? Mark Winterton and Jana Parkin suspected the Lloyds letter was fake when it arrived at their office but said they were 'very impressed' with the quality

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity and Hospitals: A Board Perspective Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,

More information

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION PROFILE The Fiduciary and Investment Risk Management Association, Inc. (FIRMA ) is the leading provider of fiduciary and investment risk management education and networking to the fiduciary and investment

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

Fighting Fraud with Behavioral Biometrics and Cognitive Fraud Detection. IBM Security s Brooke Satti Charles on the Power of These New Capabilities

Fighting Fraud with Behavioral Biometrics and Cognitive Fraud Detection. IBM Security s Brooke Satti Charles on the Power of These New Capabilities Fighting Fraud with Behavioral Biometrics and Cognitive Fraud Detection IBM Security s Brooke Satti Charles on the Power of These New Capabilities SPONSORED BY As fraudsters continually refine their techniques

More information

2017 Annual Meeting of Members and Board of Directors Meeting

2017 Annual Meeting of Members and Board of Directors Meeting 2017 Annual Meeting of Members and Board of Directors Meeting Dan Domagala; "Cybersecurity: An 8-Point Checklist for Protecting Your Assets" Join this interactive discussion about cybersecurity trends,

More information

Entertaining & Effective Security Awareness Training

Entertaining & Effective Security Awareness Training Entertaining & Effective Security Awareness Training www.digitaldefense.com Technology Isn t Enough Improve Security with a Fun Training Program that Works! Social engineering, system issues and employee

More information

The Problem with Privileged Users

The Problem with Privileged Users Flash Point Paper Enforce Access Control The Problem with Privileged Users Four Steps to Reducing Breach Risk: What You Don t Know CAN Hurt You Today s users need easy anytime, anywhere access to information

More information

Target Breach Overview

Target Breach Overview Target Breach Overview Q: Media reports are stating that Target experienced a data breach. Can you provide more specifics? A: Yes, Target has confirmed that it experienced unauthorized access to its systems

More information

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014 Fraud Update: Why Fraudsters Love Wires and How to Stop Them Luis Rojas, Director, Product Management WesPay 2014 Competitive Pressures Drive Fraud and Operational Risk Availability Of Information Creates

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Newcomer Finances Toolkit. Fraud. Worksheets

Newcomer Finances Toolkit. Fraud. Worksheets Newcomer Finances Toolkit Fraud Worksheets Ottawa Community Loan Fund Fonds d emprunt Communautaire d Ottawa 22 O Meara St., Causeway Work Centre, Ottawa, ON K1Y 4N6 Tel: 613-594-3535 Fax: 613-594-8118

More information

Trustwave SEG Cloud BEC Fraud Detection Basics

Trustwave SEG Cloud BEC Fraud Detection Basics .trust Trustwave SEG Cloud BEC Fraud Detection Basics Table of Contents About This Document 1 1 Background 2 2 Configuring Trustwave SEG Cloud for BEC Fraud Detection 5 2.1 Enable the Block Business Email

More information

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity How NSFOCUS Protected the G20 Summit Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity SPONSORED BY Rosefelt is responsible for developing NSFOCUS threat intelligence and web

More information

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Today s cyber threat landscape is evolving at a rate that is extremely aggressive, Preparing for a Bad Day The importance of public-private partnerships in keeping our institutions safe and secure Thomas J. Harrington Today s cyber threat landscape is evolving at a rate that is extremely

More information

Online Scams. Ready to get started? Click on the green button to continue.

Online Scams. Ready to get started? Click on the green button to continue. Online Scams Hi, I m Kate. We re here to learn how to protect ourselves from online scams. We ll follow along with Kevin to learn what types of scams are out there, how to recognize the warning signs,

More information

CYBER RESILIENCE & INCIDENT RESPONSE

CYBER RESILIENCE & INCIDENT RESPONSE CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable

More information

Cybersecurity: Incident Response Short

Cybersecurity: Incident Response Short Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability

More information

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles Incident Response Lessons From the Front Lines Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles 1 Conflict of Interest Nolan Garrett Has no real or apparent conflicts of

More information

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions: Recorded in October, 2009 [Music Intro] ICANN Start, Episode 1: Redirection and Wildcarding Welcome to ICANN Start. This is the show about one issue, five questions: What is it? Why does it matter? Who

More information

Module 6. Campaign Layering

Module 6.  Campaign Layering Module 6 Email Campaign Layering Slide 1 Hello everyone, it is Andy Mackow and in today s training, I am going to teach you a deeper level of writing your email campaign. I and I am calling this Email

More information

News English.com Ready-to-use ESL / EFL Lessons

News English.com Ready-to-use ESL / EFL Lessons www.breaking News English.com Ready-to-use ESL / EFL Lessons 1,000 IDEAS & ACTIVITIES FOR LANGUAGE TEACHERS The Breaking News English.com Resource Book http://www.breakingnewsenglish.com/book.html Top

More information

Using Security to Lock in Commercial Banking Customers

Using Security to Lock in Commercial Banking Customers EXECUTIVE SUMMARY Webinar Using Security to Lock in Commercial Banking Customers Commercial banking is a market opportunity that financial institutions (FIs) should not ignore. Tens of billions of dollars

More information

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

EBOOK. Stopping  Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats. EBOOK Stopping Email Fraud How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats www.proofpoint.com EBOOK Stopping Email Fraud 2 Today s email attacks have

More information

IT Security Protecting Ourselves From Phishing Attempts. Ray Copeland Chief Information Officer (CIO)

IT Security Protecting Ourselves From Phishing Attempts. Ray Copeland Chief Information Officer (CIO) IT Security Protecting Ourselves From Phishing Attempts Ray Copeland Chief Information Officer (CIO) Phishing Defined The fraudulent practice of sending emails claiming to be from reputable people or companies

More information

9 Steps to Protect Against Ransomware

9 Steps to Protect Against Ransomware 9 Steps to Protect Against Ransomware IT Support Analyst Task Overview Security Manager Security Dashboard Self Service log Secur Devices With Vulnerabilities Critical Important/High Moderate/Medium 40

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

What is ISO ISMS? Business Beam

What is ISO ISMS? Business Beam 1 Business Beam Contents 2 Your Information is your Asset! The need for Information Security? About ISO 27001 ISMS Benefits of ISO 27001 ISMS 3 Your information is your asset! Information is an Asset 4

More information

Client Resources. participant guide

Client Resources. participant guide Guidebook Client Resources Client resources participant guide Welcome The TD Ameritrade Institutional client resources participant guide can help you: Establish an account with an advisor Gain online access

More information

The Data Breach: How to Stay Defensible Before, During & After the Incident

The Data Breach: How to Stay Defensible Before, During & After the Incident The Data Breach: How to Stay Defensible Before, During & After the Incident Alex Ricardo Beazley Insurance Breach Response Services Lynn Sessions Baker Hostetler Partner Michael Bazzell Computer Security

More information

WITH INTEGRITY

WITH INTEGRITY EMAIL WITH INTEGRITY Reaching for inboxes in a world of spam a white paper by: www.oprius.com Table of Contents... Introduction 1 Defining Spam 2 How Spam Affects Your Earnings 3 Double Opt-In Versus Single

More information

STAUNING Credit Application Internet Sales Process with /Voic Templates to Non-Responsive Prospects 2018 Edition

STAUNING Credit Application Internet Sales Process with  /Voic Templates to Non-Responsive Prospects 2018 Edition STAUNING Credit Application Internet Sales Process with Email/Voicemail Templates to Non-Responsive Prospects 2018 Edition Contents 30-DAY CREDIT APPLICATION INTERNET SALES PROCESS... 2 DAY 1 AUTO-RESPONSE

More information

Webomania Solutions Pvt. Ltd. 2017

Webomania Solutions Pvt. Ltd. 2017 The other name for link manipulation is Phishing or you can say link manipulation is type of phishing attack done generally to mislead the user to a replica website or a looka-like of some well-known site.

More information

BUILDING AN EFFECTIVE PROGRAM TO PROTECT AGAINST FRAUD

BUILDING AN EFFECTIVE PROGRAM TO PROTECT AGAINST  FRAUD BUILDING AN EFFECTIVE PROGRAM TO PROTECT AGAINST EMAIL FRAUD Navindra Ramnauth CISSP Principal Sales Engineer 1 2017 Proofpoint, Inc. Proofpoint at a Glance LEADING CUSTOMERS DEEP SECURITY DNA UNIQUE VISIBILITY

More information

Demonstrating Compliance in the Financial Services Industry with Veriato

Demonstrating Compliance in the Financial Services Industry with Veriato Demonstrating Compliance in the Financial Services Industry with Veriato Demonstrating Compliance in the Financial Services Industry With Veriato The biggest challenge in ensuring data security is people.

More information

Common Scams and Fraud. Charlottesville/Albemarle County TRIAD Group

Common Scams and Fraud. Charlottesville/Albemarle County TRIAD Group Common Scams and Fraud Charlottesville/Albemarle County TRIAD Group What We ll Cover 3 parts of a scam or fraud Common scams What can you do? Common Scams Three Parts of Any Scam or Fraud 1. Victim has

More information

Cyber security tips and self-assessment for business

Cyber security tips and self-assessment for business Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this

More information

Taking control of your finances... 5 Use these tips to manage your finances

Taking control of your finances... 5 Use these tips to manage your finances In focus Index In focus... 2 Safeguard your NRI account Taking control of your finances... 5 Use these tips to manage your finances NRI Expert speak... 6 Mr. S. Shanbhag - Financial Expert, answers queries

More information

Cyber Security Guide for NHSmail

Cyber Security Guide for NHSmail Cyber Security Guide for NHSmail Version 3.0 February 2017 Copyright 2017Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute,

More information

Cyber Security Guide. For Politicians and Political Parties

Cyber Security Guide. For Politicians and Political Parties Cyber Security Guide For Politicians and Political Parties Indian Election Integrity Initiative Design by ccm.design Cover Image by Paul Dufour Helping to Safeguard the Integrity of the Electoral Process

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information