
Will You be the Next Headline?
Payments fraud awareness & prevention
FOCUS Spring 2017 Conference

On the agenda
- What's driving the security landscape
- Terminology to know
- Planning ahead and best practices
- Q & A

With a demographic shift towards social networking and using online channels and mobile devices for communication and transactions, fraudsters are taking advantage of the changing landscape. Areas of vulnerability are not as clear as they used to be.

3 out of 4 companies surveyed in the 2016 AFP Risk Survey were the target of a cyber attack over the past 18 months.

AFP is a registered trademark of the Association for Financial Professionals.

Payments fraud in the news
- Sony Pictures: 100 terabytes of data
- Home Depot: 56 MM customer records
- JPMorgan Chase: 76 MM account holders
- eBay: 145 MM user records
- Target: 56 MM credit card records
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

(1) Wall Street Journal: "White House Cybersecurity Event to Draw Top Tech, Wall Street Execs" (Feb. 11, 2015)
(2) The Province: "Cyber Crime: Fake email from the boss is a popular fraud" (March 30, 2015)
(3) CNN: "Insurance giant Anthem hit by massive data breach" (Feb. 6, 2015)
(4) The Washington Times: "Despite evidence, FBI insists North Korea to blame for Sony hacking" (Dec. 30, 2014)

What's driving the security landscape?

Innovation
- New entrants
- New technologies
- New business models

Government
- Security mandates
- Payment networks

Data compromises
- Concentrated in North America
- Leading to card fraud (card-not-present as well as counterfeit fraud)

Terminology to know

What it all means

DATA BREACH: An incident in which sensitive, protected or confidential data is viewed, stolen or used by an unauthorized individual.

MALWARE: Software that is intended to damage or disable computers and computer systems.

SPOOFING: Email messages with a forged sender address, used to make a fraudulent transaction request look like it comes from someone the recipient trusts.

PHISHING/SMISHING: Infected files or malicious links sent through email or SMS messages, dressed up so the recipient will open them.

MASQUERADING: An attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification.

How phishing works
- Looks like legitimate correspondence from the company
- Wording does not have the level of refinement expected from an authentic company message
- Has an attention getter: a high-dollar cell phone bill in this example
- Embedded links activate a malware download on your device
- Some individuals click on the links and may not even recognize that they don't have a relationship with the company

Headline: "Even University Fraudsters Prefer Direct Deposit of Their Pay"
Headline: "University Adds Fraudsters to its Payroll"

Headline: "Fraudsters Make Quick Work of Unsuspecting University and its Funds"

How spoofing and masquerading work

Once malware is in your system, fraudsters can:
- Access credentials
- Read emails
- Collect business contacts
- Initiate emails to accounts payable pretending to be you
- Ask the recipient to process a payment

Example thread from the slide (newest message first):

From: Treasurer@mycompany.com
Sent: Monday, February 2, 2015 11:17am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer

This is the third one. We are pulling the confirmation now and will send to you.

From: Treasurer@mycompany.com
Sent: Monday, January 12, 2015 11:30am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer

FYI, this needs to get processed today. I checked with ?? to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send an email directly to ??? or let you drive from here. Let me know.

From: Treasurer@mycompany.com
Sent: Monday, January 12, 2015 9:59am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer

Process a wire of $73,508.32 to the attached account information. Code it to admin expense. Let me know when this has been completed. Thanks.

------------------------ Forwarded message ------------------------
From: CEO@mycompany.com
Sent: Monday, January 12, 2015 6:45am
To: Treasurer@mycompany.com
Subject: Wire Transfer

Nick - Per our conversation, I have attached the wiring instructions for the wire. Let me know when done. Thanks.
Charlie
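The thread above shows only the From/Sent/To/Subject lines the recipient saw. The following is an added example, not part of the deck, of the checks a mail gateway or an analyst can run on the raw message before anyone acts on a "wire transfer" request: does the From header claim our own domain while the receiving server's Authentication-Results show SPF/DKIM/DMARC failed (a forged sender), does Reply-To point somewhere else, is the sender domain a look-alike of ours, and does the text combine a payment request with urgency wording. The three sample messages, their Authentication-Results values and the domain mycompany.com (the placeholder used on the slide) are constructed for this example.

```python
"""Flag business email compromise (BEC) indicators in a raw email.

Added example, not part of the original deck. The three sample messages and
their Authentication-Results headers are constructed; mycompany.com is the
placeholder domain used on the slide.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "mycompany.com"   # assumption: the organisation's real domain
PAYMENT_RE = re.compile(r"\b(wire|ach|transfer|payment|wiring instructions)\b")
URGENCY_RE = re.compile(r"\b(today|urgent|asap|immediately|per our conversation)\b")
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b")


def _domain(header_value):
    """Domain part of an address header such as 'Nick <nick@mycompany.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance; 1-2 between two domains usually means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _auth_failed(msg):
    """True if any Authentication-Results header reports an spf/dkim/dmarc failure."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return AUTH_FAIL_RE.search(results) is not None


def _text(msg):
    """Subject plus text/plain body, lower-cased, for keyword matching."""
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    return f"{msg.get('Subject', '')}\n{body}".lower()


def bec_indicators(raw_message):
    """Return the indicator names found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    text = _text(msg)
    found = []
    if from_domain == COMPANY_DOMAIN and _auth_failed(msg):
        found.append("auth_fail_on_own_domain")      # header says us, the mail did not come from us
    if reply_domain and reply_domain != from_domain:
        found.append("reply_to_mismatch")            # replies are diverted to the fraudster
    if from_domain != COMPANY_DOMAIN and 0 < _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        found.append("lookalike_domain")             # e.g. mycornpany.com
    if PAYMENT_RE.search(text) and URGENCY_RE.search(text):
        found.append("urgent_payment_request")
    return found


# Constructed samples. SPOOFED mirrors the slide's request; LOOKALIKE mirrors the CEO message.
SPOOFED = """\
From: Treasurer@mycompany.com
To: rebecca.dumornay@mycompany.com
Reply-To: treasurer.mycompany@gmail.com
Subject: FW: Wire Transfer
Authentication-Results: mx.mycompany.com; spf=fail smtp.mailfrom=mycompany.com; dmarc=fail header.from=mycompany.com

Process a wire of $73,508.32 to the attached account information. This needs to get processed today.
"""

LOOKALIKE = """\
From: CEO@mycornpany.com
To: Treasurer@mycompany.com
Subject: Wire Transfer
Authentication-Results: mx.mycompany.com; spf=pass smtp.mailfrom=mycornpany.com

Nick - Per our conversation, I have attached the wiring instructions for the wire. Let me know when done.
"""

LEGIT = """\
From: CEO@mycompany.com
To: Treasurer@mycompany.com
Subject: Board lunch
Authentication-Results: mx.mycompany.com; spf=pass smtp.mailfrom=mycompany.com; dkim=pass; dmarc=pass header.from=mycompany.com

Lunch is moved to 1pm.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, bec_indicators(raw))
```

None of these indicators alone proves fraud, and their absence does not prove a request is genuine (a mailbox that has already been taken over passes every header check). They are the signals that should route a payment request into the secondary-channel verification the later slides call for rather than into accounts payable.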

Headline: "University CFO Authorizes $500,000 Fraudulent Payment"
Headline: "University Grateful to Make $1 Million Fraudulent Payment"

Planning ahead & best practices

Collaboration is key

Bank side: online banking and mobile applications
- User authentication
- Device authentication
- Two-factor authentication
- Fraud detection and monitoring
- Entitlements and administrative controls
- Client education and awareness

Fraud monitoring across channels to protect our clients
- Device authentication
- Online session activity
- Detect out-of-pattern transactions

Client side: internal controls and policies
- Fraud plan
- Electronic / IT standards
- Transaction protocols
- Segregation of duties
- Fraud prevention products
- Information compromise event response
- Awareness and education

File transmission connectivity security features (CashPro Connect)
Layered features across the channel:

Transmission
- Encrypted credentials and channel (HTTPS/FTP protocols; note that plain FTP sends passwords in clear text, so use SFTP or FTPS)
- Robust transmission channel, such as SWIFT FileAct
- Restrict access by integrating files directly to a corporate server
- Monitor payment file activity and transmission status

Content
- If PGP is desired, double encryption (securing both the contents and the transmission channel) is required
- Digitally sign files with client private PGP keys or 3SKey tokens
- Separation of roles and entitlements in the ERP/TMS: vendors, banks, accounts

Self-service
- Use notifications about file receipt and processing issues
- Test files in a test environment with test data only
- Use final release of file transmission payments in the bank's online portal
- Manage 3SKey digital token assignments

Establish segregation of duties
- Require, through dual approval, that two different users initiate and approve transactions
- Require, through dual approval, that two different users initiate and approve the creation of user accounts, as well as changes to entitlements
- Provide customized authorization/entitlements to set the level of system access for each user by service, by function or by transaction amount
- Use the least-privilege model: if a user doesn't need it, don't grant it
- Review user account and administration settings regularly
- Helps deter internal and external fraud
- Adds a layer of security to help protect high-risk transactions

Protection solutions

Best practices
- Reconcile accounts on a daily basis
- Segregate duties / auditing duties for financial activities
- Migrate to electronic payment products
- Become fraud focused on inquiries from other institutions regarding the legitimacy of checks
- Escalate suspicious activities to the management team
- Safeguard check stock and use check stock security features
- Consider outsourcing check processing to a secured vendor

Positive Pay products
- Positive Pay: automate review of items before the decision to pay or return
- Teller Positive Pay: integrates the check decision at the teller in banking centers
- Payee Positive Pay: determine if payee names have been altered
- Reverse Positive Pay: notify the bank of exception items identified on the file
- Maximum Dollar Control: flag any check over a given dollar amount for decision

Check fraud reminder: fraudsters have easy access to paper, printers and scanners to create phony checks with detailed personal banking information obtained from stolen paper or electronic image items.
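To make the Positive Pay products above concrete, here is an added example (not the bank's product code) of the matching step: the client sends the bank an issue file with the serial number, amount and payee of every check it prints; each presented check is matched against that file, and anything that does not match is handed back to the client for a pay/return decision. It models Positive Pay (serial and amount), Payee Positive Pay (payee name as captured from the check image), Maximum Dollar Control (surface any item above a threshold even when it matches) and duplicate presentment. The issue file, the presented items and the MAX_DOLLAR threshold are constructed for the example.

```python
"""Positive Pay exception matching.

Added example; not the bank's product code. Issue file, presented items and
the Maximum Dollar Control threshold are constructed for this example.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

MAX_DOLLAR = Decimal("25000.00")   # assumed Maximum Dollar Control threshold


@dataclass(frozen=True)
class Issued:
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class Presented:
    serial: str
    amount: Decimal
    payee: str       # payee line as captured from the check image


def normalize_payee(name: str) -> str:
    """Case, punctuation and spacing differ between issue files and image capture."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())


def match_presented(issue_file, presented_items) -> List[Tuple[str, List[str]]]:
    """Return (serial, reasons) per presented item; an empty reasons list auto-pays."""
    issued = {i.serial: i for i in issue_file}
    seen = set()
    report = []
    for item in presented_items:
        reasons = []
        rec = issued.get(item.serial)
        if rec is None:
            reasons.append("serial_not_issued")          # counterfeit or altered serial
        else:
            if item.serial in seen:
                reasons.append("duplicate_presentment")  # same check deposited twice
            if item.amount != rec.amount:
                reasons.append(f"amount_mismatch issued={rec.amount} presented={item.amount}")
            if normalize_payee(item.payee) != normalize_payee(rec.payee):
                reasons.append("payee_mismatch")         # payee line altered
        if item.amount > MAX_DOLLAR:
            reasons.append("over_max_dollar")            # matches, but large enough to eyeball
        seen.add(item.serial)
        report.append((item.serial, reasons))
    return report


def exceptions(report):
    """Only the items the client has to decision (pay or return)."""
    return [(serial, reasons) for serial, reasons in report if reasons]


# Constructed issue file (what the client printed) and presented items (what hit the bank).
ISSUE_FILE = [
    Issued("1001", Decimal("1250.00"), "Acme Office Supply"),
    Issued("1002", Decimal("18400.50"), "Campus Catering, Inc."),
    Issued("1003", Decimal("980.00"), "J. Smith"),
    Issued("1004", Decimal("40000.00"), "State Treasurer"),
]
PRESENTED = [
    Presented("1001", Decimal("1250.00"), "ACME OFFICE SUPPLY"),    # clean match
    Presented("1002", Decimal("18400.50"), "Campus Catering Inc"),  # punctuation only
    Presented("1003", Decimal("9800.00"), "J. Smith"),              # amount altered
    Presented("1003", Decimal("980.00"), "J. Smithson"),            # copy, payee altered
    Presented("2001", Decimal("500.00"), "Cash"),                   # serial never issued
    Presented("1004", Decimal("40000.00"), "State Treasurer"),      # genuine, over threshold
]

if __name__ == "__main__":
    for serial, reasons in match_presented(ISSUE_FILE, PRESENTED):
        print(serial, "PAY" if not reasons else "DECISION: " + "; ".join(reasons))
```

Two practical points the code makes explicit: payee matching needs normalization or every punctuation difference becomes an exception the client stops reading, and the issue file must reach the bank before the checks can be presented, which is why the slide pairs Positive Pay with daily reconciliation.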

Wire and ACH fraud prevention
- Separate duties / auditing responsibilities across user credentials to provide additional security within the cash management system
- Set individual user limits appropriate for the payment / user:
  - Maximum dollar amount per transaction for initiating and/or approving wires and ACH
  - Maximum daily cumulative dollar amount for wires initiated and/or approved
- Review procedures on a regular basis; confirm user credentials are updated and maintained to represent appropriate needs
- Use repetitive wire templates to eliminate manual intervention/manipulation
- Establish a secondary channel for changes to beneficiary payment details to help address non-standard payment requests that may come from phishing scams

ACH fraud prevention solutions (U.S. domiciled accounts only)
- ACH Blocks: block incoming ACH transactions from posting to accounts
- ACH Positive Pay: monitor / control transactions before they post to the bank account; allow transaction acceptance or rejection in real time
- ACH Authorization: post only authorized incoming ACH items

"Advancement in technology and information systems has provided companies with significant opportunities for greater productivity, efficiency and profitability." (2015 AFP Risk Survey)
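The "Establish segregation of duties" and "Wire and ACH fraud prevention" slides describe one policy from two sides. The following is an added example, not code from the deck or from any bank's cash management system, that puts those controls into a single evaluation: two different users must initiate and approve (no self-approval); a user may only initiate or approve the payment types they are entitled to (least privilege); per-transaction and daily cumulative limits are enforced per user, for the approver as well as the initiator; and a payment is held unless its beneficiary is on a repetitive template whose bank details have been verified over a secondary channel. All users, templates, limits and payments are constructed, and the $73,508.32 request is the one from the slide's email thread.

```python
"""Dual approval, entitlements and limit checks for outgoing wires and ACH.

Added example; not code from the deck or from any bank's system. Users,
templates, limits and payments are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    can_initiate: FrozenSet[str]   # payment types the user may initiate, e.g. {"wire", "ach"}
    can_approve: FrozenSet[str]    # payment types the user may approve
    per_txn_limit: float
    daily_limit: float


@dataclass(frozen=True)
class Template:
    name: str
    beneficiary_account: str
    verified_out_of_band: bool     # details confirmed by callback to a number already on file


@dataclass(frozen=True)
class Payment:
    payment_type: str
    amount: float
    beneficiary_account: str
    template: Optional[str]
    initiator: str
    approver: Optional[str] = None
    day: date = date(2015, 1, 12)  # the date on the slide's email thread


class PaymentPolicy:
    def __init__(self, users, templates):
        self.users = {u.name: u for u in users}
        self.templates = {t.name: t for t in templates}
        self._initiated = defaultdict(float)   # (user, day) -> released total as initiator
        self._approved = defaultdict(float)    # (user, day) -> released total as approver

    def evaluate(self, p: Payment) -> List[str]:
        """Return the policy violations for p; an empty list means it may be released."""
        v = []
        init = self.users.get(p.initiator)
        if init is None or p.payment_type not in init.can_initiate:
            v.append("initiator_not_entitled")
        if p.approver is None:
            v.append("missing_second_approval")
        else:
            appr = self.users.get(p.approver)
            if appr is None or p.payment_type not in appr.can_approve:
                v.append("approver_not_entitled")
            if p.approver == p.initiator:
                v.append("self_approval")
        # limits bind whoever touches the payment, initiator and approver alike
        for role, name, totals in (("initiator", p.initiator, self._initiated),
                                   ("approver", p.approver, self._approved)):
            u = self.users.get(name)
            if u is None:
                continue
            if p.amount > u.per_txn_limit:
                v.append(f"{role}_over_txn_limit")
            if totals[(name, p.day)] + p.amount > u.daily_limit:
                v.append(f"{role}_over_daily_limit")
        # beneficiary must come from a repetitive template verified over a secondary channel
        t = self.templates.get(p.template) if p.template else None
        if t is None:
            v.append("no_repetitive_template")
        elif t.beneficiary_account != p.beneficiary_account:
            v.append("beneficiary_differs_from_template")
        elif not t.verified_out_of_band:
            v.append("beneficiary_not_verified_out_of_band")
        return v

    def release(self, p: Payment) -> bool:
        """Release p if clean, charging the amount against both users' daily limits."""
        if self.evaluate(p):
            return False
        self._initiated[(p.initiator, p.day)] += p.amount
        self._approved[(p.approver, p.day)] += p.amount
        return True


# Constructed entitlements: rebecca initiates, nick approves, charlie can do both for wires.
USERS = [
    User("rebecca", frozenset({"wire", "ach"}), frozenset(), 100_000, 250_000),
    User("nick", frozenset(), frozenset({"wire", "ach"}), 100_000, 250_000),
    User("charlie", frozenset({"wire"}), frozenset({"wire"}), 50_000, 100_000),
]
TEMPLATES = [
    Template("rent", "ACCT-1001", True),
    Template("new-vendor", "ACCT-9999", False),   # details arrived by email, no callback yet
]


def demo():
    policy = PaymentPolicy(USERS, TEMPLATES)
    # the slide's request: $73,508.32 to "attached account information", no template, no approver
    spoofed = Payment("wire", 73_508.32, "ACCT-4242", None, "rebecca")
    legit = Payment("wire", 12_000.00, "ACCT-1001", "rent", "rebecca", "nick")
    return policy.evaluate(spoofed), policy.release(legit)


if __name__ == "__main__":
    print(demo())
```

The point of charging the daily limit to the approver as well as the initiator is that an attacker holding one set of credentials cannot push the whole day's volume through a single compromised account; the point of the template check is that a beneficiary change requested by email is never acted on until someone has confirmed it through a channel the attacker does not control.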

Headline: "Employee Has Big Black Friday on University Dime"
Headline: "Big Limits + No Controls Equals Boon for Local Little League"

Card industry: best practices to prevent misuse
1. Internal audit processes
2. Sample metrics
3. Client controls
4. Program administrators
5. Cardholders

Card issuance and handling
- Create guidelines for card issuance and handling
- Determine who should be eligible to apply for a card
- Determine the approval levels required
- Segregate the duties of ordering and receiving cards

Internal procedures
- Requirements for obtaining a card
- Administrative / management
- Usage / purchasing
- Accounts payable / accounting
- Online cardholder reconciliation
- Audit / Intellilink

Policies or business rules
- Business versus personal use
- Cash access
- Card sharing
- Ghost cards
- Roles and responsibilities
- Training
- Audit exceptions

Make a cyber attack plan

Prevention
- ESTABLISH sound internal payment processes using best practices
- COMMUNICATE and enforce the processes across the organization
- ESCALATE any transaction that does not follow the established process

Response
- CONTACT your treasury representative and follow their instructions
- DISABLE impacted electronic equipment and user access
- YOU determine the remaining steps based on your internal controls

60% of companies surveyed in the 2015 AFP Risk Survey do not have a response plan for a cyber breach.

Other considerations to stay out of the headlines
- Do your employees have access to personal email or social media on their work computers? If yes, why?
- Do you store any payment information in your system (payroll, AP, student refunds)? Who obtains this information and how is it validated? Where is it stored and how does it get updated?
- Do you utilize any alias-based payments (Paymode-X, Digital Disbursements)?
- For your P-card program, do you utilize online reconciliation?
- How do you educate your employees about these risks? Awareness is key for some of these emerging fraud schemes. Is training mandatory?

Bank experts and industry leaders share trends, tools and tactics for all business segments through video vignettes, case studies, podcasts, and featured white papers. Learn more: managing fraud risk website.

Q & A
Kevin Larkin, SVP and Market Leader, Bank of America Merrill Lynch
757-616-2174
Kevin.larkin@baml.com

Notice to Recipient "Bank of America Merrill Lynch" is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation ("Investment Banking Affiliates"), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered as broker-dealers and members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. Investment products offered by Investment Banking Affiliates: Are Not FDIC Insured * May Lose Value * Are Not Bank Guaranteed. This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business relationship as a consequence of any information contained herein. These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials are directly addressed and delivered (the Company ) in connection with an actual or potential business relationship and may not be used or relied upon for any purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice. 
Under no circumstances may a copy of this presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. Products and services that may be referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A. We are required to obtain, verify and record certain information that identifies our clients, which information includes the name and address of the client and other information that will allow us to identify the client in accordance with the USA Patriot Act (Title III of Pub. L. 107-56, as amended (signed into law October 26, 2001)) and such other laws, rules and regulations. We do not provide legal, compliance, tax or accounting advice. Accordingly, any statements contained herein as to tax matters were neither written nor intended by us to be used and cannot be used by any taxpayer for the purpose of avoiding tax penalties that may be imposed on such taxpayer. For more information, including terms and conditions that apply to the service(s), please contact your Bank of America Merrill Lynch representative. Investment Banking Affiliates are not banks. The securities and financial instruments sold, offered or recommended by Investment Banking Affiliates, including without limitation money market mutual funds, are not bank deposits, are not guaranteed by, and are not otherwise obligations of, any bank, thrift or other subsidiary of Bank of America Corporation (unless explicitly stated otherwise), and are not insured by the Federal Deposit Insurance Corporation ( FDIC ) or any other governmental agency (unless explicitly stated otherwise). 
This document is intended for information purposes only and does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequence of any information contained herein. With respect to investments in money market mutual funds, you should carefully consider a fund's investment objectives, risks, charges, and expenses before investing. Although money market mutual funds seek to preserve the value of your investment at $1.00 per share, it is possible to lose money by investing in money market mutual funds. The value of investments and the income derived from them may go down as well as up and you may not get back your original investment. The level of yield may be subject to fluctuation and is not guaranteed. Changes in rates of exchange between currencies may cause the value of investments to decrease or increase. We have adopted policies and guidelines designed to preserve the independence of our research analysts. These policies prohibit employees from offering research coverage, a favorable research rating or a specific price target or offering to change a research rating or price target as consideration for or an inducement to obtain business or other compensation. Copyright 2015 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender.