Will You Be the Next Headline?
Payments fraud awareness & prevention
FOCUS Spring 2017 Conference
On the agenda
- What's Driving the Security Landscape
- Terminology to know
- Planning ahead and best practices
- Q & A

With a demographic shift towards social networking and using online channels and mobile devices for communication and transactions, fraudsters are taking advantage of the changing landscape. Areas of vulnerability are not as clear as they used to be.

3 out of 4 companies surveyed in the 2016 AFP Risk Survey were a target of cyber attack over the past 18 months.

AFP is a registered trademark of the Association for Financial Professionals.
Payments fraud in the news
- Sony Pictures: 100 terabytes of data
- Home Depot: 56 MM customer records
- JPMorgan Chase: 76 MM account holders
- eBay: 145 MM user records
- Target: 56 MM credit card records
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

(1) Wall Street Journal: White House Cybersecurity Event to Draw Top Tech, Wall Street Execs (Feb. 11, 2015)
(2) The Province: Cyber Crime: Fake email from the boss is a popular fraud (March 30, 2015)
(3) CNN: Insurance giant Anthem hit by massive data breach (Feb. 6, 2015)
(4) The Washington Times: Despite evidence, FBI insists North Korea to blame for Sony hacking (Dec. 30, 2014)
What's Driving the Security Landscape?
- Innovation: new entrants, new technologies, new business models
- Government: security mandates, payment networks
- Data compromises: concentrated in North America, leading to card fraud (card-not-present as well as counterfeit fraud)
Terminology to know
What it all means
- DATA BREACH: An incident in which sensitive, protected or confidential data is viewed, stolen or used by an unauthorized individual
- MALWARE: Software that is intended to damage or disable computers and computer systems
- SPOOFING: Email messages with a forged sender address, used to obtain a successful fraudulent transaction
- PHISHING/SMISHING: Infected files or malicious links sent through email or SMS message
- MASQUERADING: An attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification
How phishing works
- Looks like legitimate correspondence from the company
- Wording does not have the level of refinement expected from an authentic company message
- Has an attention getter: a high dollar amount on a cell bill in this example
- Embedded links activate a malware download on your device
- Some individuals click on the links and may not even recognize that they don't have a relationship with the company
Headline
- Even University Fraudsters Prefer Direct Deposit of Their Pay
- University Adds Fraudsters to its Payroll
Headline
- Fraudsters Make Quick Work of Unsuspecting University and its Funds
How spoofing and masquerading work
Once malware is in your system, fraudsters can:
- Access credentials
- Read emails
- Collect business contacts
- Initiate emails to accounts payable pretending to be you
- Ask the recipient to process a payment

From: Treasurer@mycompany.com
Sent: Monday, February 2, 2015 11:17am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer

This is the third one. We are pulling the confirmation now and will send to you.

From: Treasurer@mycompany.com
Sent: Monday, January 12, 2015 11:30am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer

FYI, this needs to get processed today. I checked with ?? to get your help processing it along. I will assume we take care of any vendor forms after the fact. I can send am email directly to ??? or let you drive from here. Let me know.

From: Treasurer@mycompany.com
Sent: Monday, January 12, 2015 9:59am
To: rebecca.dumornay@mycompany.com
Subject: FW: Wire Transfer

Process a wire of $73,508.32 to the attached account information. Code it to admin expense. Let me know when this has been completed. Thanks.

------------------------ Forwarded message ---------------------------------
From: CEO@mycompany.com
Sent: Monday, January 12, 2015 6:45am
To: Treasurer@mycompany.com
Subject: Wire Transfer

Nick - Per our conversation, I have attached the wiring instructions for the wire. Let me know when done. Thanks. Charlie
Headline
- University CFO Authorizes $500,000 Fraudulent Payment
- University Grateful to Make $1 Million Fraudulent Payment
Planning ahead & best practices
Collaboration is key

Online Banking and Mobile Applications
- User authentication
- Device authentication
- Two factor authentication

Client internal controls and policies
- Fraud detection and monitoring
- Entitlements and administrative controls
- Client education and awareness
- Fraud plan

Fraud monitoring across channels to protect our clients
- Device authentication
- Online session activity
- Detect out-of-pattern transactions
- Electronic / IT standards
- Transaction protocols
- Segregation of duties
- Fraud prevention products
- Information compromise event response
- Awareness and education
File transmission connectivity security features
CashPro Connect: layered features across the channel (Transmission, Content, Self-Service)
- Encrypted passwords (HTTPS/FTP protocols)
- Robust transmission channel, such as SWIFT FileAct
- Use notifications about file receipt and processing issues
- Test files in a test environment with test data only
- If PGP is desired, double encryption (securing both contents and transmission channel) is required
- Digitally sign files with client private PGP keys or 3SKey tokens
- Restrict access by integrating files directly to a corporate server
- Monitor payment file activity and transmission status
- Use final release of file transmission payments in the bank's online portal
- Separation of roles and entitlements in ERP/TMS: vendors, banks, accounts
- Manage 3SKey digital token assignments
Establish segregation of duties
- Requires (through dual approval) that two different users initiate and approve transactions
- Requires (through dual approval) that two different users initiate and approve the creation of user accounts, as well as changes to entitlements
- Provides customized authorization/entitlement to set the level of system access for each user by service, by function or by transaction amount
- Use the least privilege model: if a user doesn't need it, don't grant it
- Review user account and administration settings regularly
- Helps deter internal and external fraud
- Adds a layer of security to help protect high risk transactions
Protection solutions

Best practices (check fraud reminder)
- Reconcile accounts on a daily basis
- Segregate duties / auditing duties for financial activities
- Migrate to electronic payment products
- Become fraud focused on inquiries from other institutions regarding the legitimacy of checks
- Escalate suspicious activities to the management team
- Safeguard check stock with check stock security features
- Consider outsourcing check processing to a secured vendor

- Positive Pay: Automate review of items before the decision to Pay or Return
- Teller Positive Pay: Integrates the check decision at the teller in banking centers
- Payee Positive Pay: Determine if payee names have been altered
- Reverse Positive Pay: Notify bank of exception items identified on file
- Maximum Dollar Control: Flag any check over a given dollar amount to decision

Fraudsters have easy access to paper, printers and scanners to create phony checks with detailed personal banking information obtained from stolen paper or electronic image items.
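The Positive Pay, Payee Positive Pay and Maximum Dollar Control products above all reduce to the same check: match each presented item against the issue file and route anything that does not match to a decision. The following is an added illustration, not the bank's own matching logic; the issue file, presented items and the $10,000 threshold are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str

# Constructed sample issue file: the checks the company told the bank it wrote.
ISSUED: Dict[str, Check] = {c.number: c for c in (
    Check("1001", Decimal("1250.00"), "ACME SUPPLY CO"),
    Check("1002", Decimal("87.50"), "CITY WATER UTILITY"),
    Check("1003", Decimal("15000.00"), "REGIONAL CONSTRUCTION LLC"))}
# Constructed items presented for payment, one of each exception type.
PRESENTED: List[Check] = [
    Check("1001", Decimal("1250.00"), "ACME SUPPLY CO"),             # clean match
    Check("1002", Decimal("87.50"), "J SMITH"),                       # payee line altered
    Check("1003", Decimal("15000.00"), "REGIONAL CONSTRUCTION LLC"),  # above max-dollar control
    Check("1004", Decimal("420.00"), "UNKNOWN VENDOR"),               # never issued
    Check("1001", Decimal("1250.00"), "ACME SUPPLY CO")]              # duplicate presentment
MAX_DOLLAR = Decimal("10000.00")  # constructed maximum dollar control threshold

def normalize(name: str) -> str:
    return " ".join(name.upper().split())  # payee compare ignores case and extra spaces

def decision(issued, presented, max_dollar) -> List[Tuple[str, str, str]]:
    """Return (check number, 'PAY' or 'EXCEPTION', reason) for each presented item."""
    seen, results = set(), []
    for item in presented:
        issue = issued.get(item.number)
        if item.number in seen:
            reason = "duplicate presentment"
        elif issue is None:
            reason = "not on issue file"
        elif issue.amount != item.amount:
            reason = "amount mismatch"
        elif normalize(issue.payee) != normalize(item.payee):
            reason = "payee name altered"
        elif item.amount > max_dollar:
            reason = "exceeds maximum dollar control"
        else:
            reason = ""
        seen.add(item.number)
        results.append((item.number, "EXCEPTION" if reason else "PAY", reason or "matched issue file"))
    return results

def run_sample() -> List[Tuple[str, str, str]]:
    return decision(ISSUED, PRESENTED, MAX_DOLLAR)
```

Only items that match number, amount and payee and sit under the threshold are paid automatically; everything else lands in the exception queue for a Pay or Return decision.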
Wire and ACH fraud prevention
- Separate duties / auditing responsibilities across user credentials to provide additional security within the cash management system
- Set individual user limits appropriate for the payment / user:
  - Maximum dollar amount per transaction for initiating and/or approving wires and ACH
  - Maximum daily cumulative dollar amount for wires initiated and/or approved
- Review procedures on a regular basis; confirm user credentials are updated and maintained to represent appropriate needs
- Use Repetitive Wire Templates to eliminate manual intervention/manipulation
- Establish a secondary channel for changes to beneficiary payment details to help address non-standard payment requests that may come from potential phishing scams

"Advancement in technology and information systems has provided companies with significant opportunities for greater productivity, efficiency and profitability." (2015 AFP Risk Survey)

- ACH Blocks: Block incoming ACH transactions from posting to accounts
- ACH Positive Pay: Monitor / control transactions before they post to the bank account; allow transaction acceptance or rejection in real time
- ACH Authorization: Post only incoming authorized ACH items

ACH fraud prevention solutions for U.S. domiciled accounts only.
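The segregation-of-duties slide and the wire controls above describe one release policy: dual approval by two different users, per-transaction and daily cumulative limits per user, repetitive templates for known beneficiaries, and a secondary-channel confirmation for any beneficiary details that are new or changed. This added example (not the bank's system) encodes those rules; the users, limits, template account and the three sample wires are constructed, and the second wire reuses the $73,508.32 emailed request from the spoofing slide to show how it would be stopped.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List

@dataclass
class UserLimits:
    per_txn: Decimal      # max per wire this user may initiate or approve
    daily_total: Decimal  # max cumulative amount per day for this user

@dataclass
class Wire:
    wire_id: str
    amount: Decimal
    beneficiary_account: str
    initiator: str
    approver: str
    template_id: str = ""            # set when built from a repetitive wire template
    callback_verified: bool = False  # beneficiary details confirmed on a secondary channel

# Constructed sample entitlements: one repetitive template and two entitled users.
TEMPLATES = {"TPL-ACME": "111222333"}
LIMITS = {"alice": UserLimits(Decimal("50000"), Decimal("100000")),
          "bob":   UserLimits(Decimal("75000"), Decimal("150000"))}

def evaluate(wire: Wire, limits, templates, daily_used: Dict[str, Decimal]) -> List[str]:
    """Return control violations for a wire; an empty list means it may be released."""
    problems = []
    if wire.initiator == wire.approver:
        problems.append("dual approval: initiator and approver must differ")
    for role, user in (("initiator", wire.initiator), ("approver", wire.approver)):
        lim = limits.get(user)
        if lim is None:
            problems.append(f"{role} {user} is not entitled to wires")
            continue
        if wire.amount > lim.per_txn:
            problems.append(f"{role} {user} exceeds per-transaction limit")
        if daily_used.get(user, Decimal(0)) + wire.amount > lim.daily_total:
            problems.append(f"{role} {user} exceeds daily cumulative limit")
    if templates.get(wire.template_id) != wire.beneficiary_account and not wire.callback_verified:
        # Free-form or altered beneficiary: must be confirmed out of band before release.
        problems.append("beneficiary details not verified via secondary channel")
    if not problems:  # released: count the amount against both users' daily totals
        for user in (wire.initiator, wire.approver):
            daily_used[user] = daily_used.get(user, Decimal(0)) + wire.amount
    return problems

def run_sample() -> List[List[str]]:
    used: Dict[str, Decimal] = {}
    wires = [Wire("W1", Decimal("12000"), "111222333", "alice", "bob", template_id="TPL-ACME"),
             Wire("W2", Decimal("73508.32"), "999888777", "alice", "bob"),  # emailed request, no template
             Wire("W3", Decimal("500"), "111222333", "alice", "alice", template_id="TPL-ACME")]
    return [evaluate(w, LIMITS, TEMPLATES, used) for w in wires]
```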
Headline
- Employee Has Big Black Friday on University Dime
- Big Limits + No Controls Equals Boon for Local Little League
Card industry: Best Practices to Prevent Misuse
1. Internal audit processes
2. Sample metrics
3. Client controls
4. Program administrators
5. Cardholders

Create guidelines for card issuance and handling
- Determine who should be eligible to apply for a card
- Determine approval levels required
- Segregate duties of ordering and receiving of cards

Create internal procedures
- Requirements for obtaining a card
- Administrative / Management
- Usage / Purchasing
- Accounts Payable / Accounting
- Online Cardholder Reconciliation
- Audit / Intellilink

Create policies or business rules
- Business versus Personal Use
- Cash access
- Card sharing
- Ghost cards
- Roles and responsibilities
- Training
- Audit exceptions
Make a cyber attack plan

Prevention
- ESTABLISH sound internal payment processes using best practices
- COMMUNICATE and enforce processes across the organization
- ESCALATE any transaction that does not follow the established process

Response
- CONTACT your treasury representative and follow their instructions
- DISABLE impacted electronic equipment and user access
- YOU determine, based on your internal controls

60% of companies surveyed in the 2015 AFP Risk Survey do not have a response plan for a cyber breach.
Other Considerations to Stay out of the Headlines
- Do your employees have access to personal email or social media on their work computers? If yes, WHY???
- Do you store any payment information in your system? Payroll, AP, Student Refunds?
  - Who obtains this information and how is it validated?
  - Where is this information stored and how does it get updated?
- Do you utilize any Alias Based payments? Paymode-X, Digital Disbursements
- For your Pcard program, do you utilize online reconciliation?
- How do you educate your employees about these risks? Awareness is key for some of these emerging fraudulent schemes. Is training mandatory?

Bank experts and industry leaders share trends, tools and tactics for all business segments through video vignettes, case studies, podcasts, and featured white papers. Learn more: managing fraud risk website

ACH fraud prevention solutions for U.S. domiciled accounts only.
Q & A
Kevin Larkin
SVP and Market Leader
Bank of America Merrill Lynch
757-616-2174
Kevin.larkin@baml.com
Notice to Recipient

"Bank of America Merrill Lynch" is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation ("Investment Banking Affiliates"), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered as broker-dealers and members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. Investment products offered by Investment Banking Affiliates: Are Not FDIC Insured * May Lose Value * Are Not Bank Guaranteed. This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business relationship as a consequence of any information contained herein. These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials are directly addressed and delivered (the "Company") in connection with an actual or potential business relationship and may not be used or relied upon for any purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice.
Under no circumstances may a copy of this presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. Products and services that may be referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A. We are required to obtain, verify and record certain information that identifies our clients, which information includes the name and address of the client and other information that will allow us to identify the client in accordance with the USA Patriot Act (Title III of Pub. L. 107-56, as amended (signed into law October 26, 2001)) and such other laws, rules and regulations. We do not provide legal, compliance, tax or accounting advice. Accordingly, any statements contained herein as to tax matters were neither written nor intended by us to be used and cannot be used by any taxpayer for the purpose of avoiding tax penalties that may be imposed on such taxpayer. For more information, including terms and conditions that apply to the service(s), please contact your Bank of America Merrill Lynch representative. Investment Banking Affiliates are not banks. The securities and financial instruments sold, offered or recommended by Investment Banking Affiliates, including without limitation money market mutual funds, are not bank deposits, are not guaranteed by, and are not otherwise obligations of, any bank, thrift or other subsidiary of Bank of America Corporation (unless explicitly stated otherwise), and are not insured by the Federal Deposit Insurance Corporation ("FDIC") or any other governmental agency (unless explicitly stated otherwise).
This document is intended for information purposes only and does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequence of any information contained herein. With respect to investments in money market mutual funds, you should carefully consider a fund's investment objectives, risks, charges, and expenses before investing. Although money market mutual funds seek to preserve the value of your investment at $1.00 per share, it is possible to lose money by investing in money market mutual funds. The value of investments and the income derived from them may go down as well as up and you may not get back your original investment. The level of yield may be subject to fluctuation and is not guaranteed. Changes in rates of exchange between currencies may cause the value of investments to decrease or increase. We have adopted policies and guidelines designed to preserve the independence of our research analysts. These policies prohibit employees from offering research coverage, a favorable research rating or a specific price target or offering to change a research rating or price target as consideration for or an inducement to obtain business or other compensation. Copyright 2015 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender.