Fraud Awareness - Central Bedfordshire Council

Fraud Awareness:
Protecting you, your business and the public purse
10th February 2015, 11am – 12pm
Participants must register for this event via the link provided.
rbs.co.uk
Social Engineering
Vishing
• Contact is made by telephone
• Caller purports to be from your bank, the police or a fraud agency
• Purpose is to get you to reveal confidential information
Phishing
• Contact is made by email
• Sender impersonates well known companies such as banks
• Purpose is to get you to click on a link or attachment
Malware
• Malicious software such as Trojans or viruses
• Downloaded from phishing emails, illegal websites and ad banners
• Sits quietly in the background until you access a UK bank website
rbs.co.uk
2
Vishing
•Contact is made by telephone
•Caller purports to be your bank, police or fraud agency
•Purpose is to get you to reveal confidential information
rbs.co.uk
3
Case Study – A re-enactment
• Large Corporate Client
• Call received regarding
incoming payment
• Some information was
provided by caller
• Caller suggested all payments
were frozen
• Requested information from
the client to ‘unfreeze’
rbs.co.uk
4
Case Study – What was happening?
• High pressure situation
• Homework done
• Used information given to her
• Reference number given
• Telephone number given
• Line held open
rbs.co.uk
5
Case Study – What happened next?
• 2 x £70,000
• 1 x £7,000,000
• One beneficiary account
• 10 transfers
• Bank actions
• Contact from the fraudster
• Police involvement - OCG identified
rbs.co.uk
6
Phishing
• Contact is made by email
• Sender impersonates well known companies
• Purpose is to get you to click on a link or attachment
rbs.co.uk
7
Phishing – Email examples
‘There is a multi-media message available for you to view’
‘Confirmation of your recent booking is attached’
‘We could not deliver a parcel to you’
‘A complaint has been filed against you’
‘Receipt of online VAT submission’
rbs.co.uk
8
Phishing – Email spoofing
*Direct spoofing is replicating domains that we own; for example: [email protected] or [email protected].
** Indirect email domain spoofing uses a non-affiliated email domain but often a spoofed (friendly) ‘From’ field.
rbs.co.uk
9
Phishing – Case study
rbs.co.uk
10
Phishing – Case study
rbs.co.uk
11
Malware
• Malicious software such as Trojans or viruses
• Downloaded from phishing emails, illegal websites and
ad banners
• Sits quietly in the background until you access a UK
bank website
rbs.co.uk
12
Malware in action
Fraudster’s view
rbs.co.uk
Customer’s view
13
Malware in action
Fraudster’s view
rbs.co.uk
Customer’s view
14
Malware in action
Fraudster’s view
Customer’s view
To complete log-in, please provide a response code from your Smartcard and reader
rbs.co.uk
15
Malware – In summary
Money
sent
Fraudster creates a
new payment
Log-on details
captured
A
A
Loading…
A
A
Request
intercepted
rbs.co.uk
A
Smartcard
challenge code
given
Delay
experienced
16
Case Study – Malware infection?
• Strict IT security relaxed
• Employee inadvertently downloaded
malware
• Payment for c£2m created
• Sent to UAE country
• Bank actions
• Company actions
rbs.co.uk
17
Never, Never, Never
We will NEVER ask for your full pin and password to log in
to online banking
We will NEVER ask you to provide PIN and password or
smartcard codes over the telephone
We will NEVER ask for any Smartcard codes to complete
log-in; these are generally only used to authorise payments
We recommend you download Trusteer Rapport – FREE
security software available from rbs.co.uk/onlinesecurity
rbs.co.uk
18
Online banking – best practices
Use $tR0ng p@zzwOrds that
are changed regularly
Restrict payments to certain
countries
Do not allow employees to
share their credentials
Limit payment values
Regularly review user roles
and profiles
Introduce dual authorisation
of payments
Limit access to only those
who really need it
Disable access for absent
staff
Keep log-on details safe and
secure
rbs.co.uk
19
!SCAM! Altered cheque - Handwritten
rbs.co.uk
20
!SCAM! Cheque and payable orders fraud
Good housekeeping
When issuing cheques
Limit the number of books you hold
Do not leave any gaps
Check the middle and back of book
Recorded and special delivery
Store cheque books securely
Where possible, include references
Reconciliation
Reconcile frequently
Reconciler should not be the issuer
Verify why the cheque was issued
rbs.co.uk
21
!SCAM! Mandate Fraud
How does it work?
Change of bank details instruction is
given – sometimes by phone initially
Following the phone call, a fax or email
‘confirmation’ may be received
It appears to be on headed paper or
from a genuine email address
It may refer to genuine people within
each business
Purpose is to get you to change the
details you make payments to
This ensures future payments are now
made to the fraudster
rbs.co.uk
22
!SCAM! Mandate Fraud
rbs.co.uk
23
!SCAM! Mandate Fraud
Mr J Singh
ABC Limited
8th Floor
Building A
Somewhere
Somehow
What can you do?
Limited
Check for irregularities
Unit 1,
An Industrial Estate,
Somewhere,
Somehow
[email protected]
Contact the supplier using an
independently sourced number
×
Dear Mr Singh,
Confirm correct details with supplier
before payment is made
Further to our telephone conversation, please accept this letter
as written confirmation of our change of bank details.
All future setlements should be made to Account number:
Sort code:
Email confirmation of payments that
have been made to the supplier
12345678
000000
Undertake a proactive review of recent
and pipeline requests
I would be grateful if you could update your records without
delay.
×
Please contact me directly on 07777 777777 should you have
any queries.
With kind regards,
Speak with other employees
responsible for this type of request
Amanda Boxy
Finance Manager, ABC Ltd
rbs.co.uk
24
Reporting – Suspected, attempted and actual fraud
Report to RBS:
• 0845 300 3986*
• Account number
• Payment details
• What’s happened
• Action taken (if any)
*Monday – Friday, 8am-8pm, Saturday, 8am-6pm, Sunday, 9am-5pm
rbs.co.uk
25
Reporting – Suspected, attempted and actual fraud
• Action Fraud
• UK’s national fraud and
internet crime reporting centre
• Non-emergency service
• Branch of the City of London
Police
• Reports are passed to the
appropriate local police force
rbs.co.uk
26
Action Fraud – Intelligence is essential
rbs.co.uk
27
rbs.co.uk
In summary and Q&A
Please let us know your feedback: [email protected]
rbs.co.uk
29