Fraud Awareness - Central Bedfordshire Council
Slide 1: Fraud Awareness: Protecting you, your business and the public purse
10th February 2015, 11am – 12pm
Participants must register for this event via the link provided.
rbs.co.uk

Slide 2: Social Engineering
Vishing
• Contact is made by telephone
• Caller purports to be from your bank, the police or a fraud agency
• Purpose is to get you to reveal confidential information
Phishing
• Contact is made by email
• Sender impersonates well known companies such as banks
• Purpose is to get you to click on a link or attachment
Malware
• Malicious software such as Trojans or viruses
• Downloaded from phishing emails, illegal websites and ad banners
• Sits quietly in the background until you access a UK bank website

Slide 3: Vishing
• Contact is made by telephone
• Caller purports to be your bank, police or fraud agency
• Purpose is to get you to reveal confidential information

Slide 4: Case Study – A re-enactment
• Large Corporate Client
• Call received regarding incoming payment
• Some information was provided by caller
• Caller suggested all payments were frozen
• Requested information from the client to ‘unfreeze’

Slide 5: Case Study – What was happening?
• High pressure situation
• Homework done
• Used information given to her
• Reference number given
• Telephone number given
• Line held open

Slide 6: Case Study – What happened next?
• 2 x £70,000
• 1 x £7,000,000
• One beneficiary account
• 10 transfers
• Bank actions
• Contact from the fraudster
• Police involvement - OCG identified

Slide 7: Phishing
• Contact is made by email
• Sender impersonates well known companies
• Purpose is to get you to click on a link or attachment

Slide 8: Phishing – Email examples
• ‘There is a multi-media message available for you to view’
• ‘Confirmation of your recent booking is attached’
• ‘We could not deliver a parcel to you’
• ‘A complaint has been filed against you’
• ‘Receipt of online VAT submission’

Slide 9: Phishing – Email spoofing
* Direct spoofing is replicating domains that we own; for example: [email protected] or [email protected].
** Indirect email domain spoofing uses a non-affiliated email domain but often a spoofed (friendly) ‘From’ field.

Slide 10: Phishing – Case study (screenshot only)

Slide 11: Phishing – Case study (screenshot only)

Slide 12: Malware
• Malicious software such as Trojans or viruses
• Downloaded from phishing emails, illegal websites and ad banners
• Sits quietly in the background until you access a UK bank website

Slide 13: Malware in action (screenshots: Fraudster’s view / Customer’s view)

Slide 14: Malware in action (screenshots: Fraudster’s view / Customer’s view)

Slide 15: Malware in action (screenshots: Fraudster’s view / Customer’s view)
Text shown on the customer’s screen: “To complete log-in, please provide a response code from your Smartcard and reader”

Slide 16: Malware – In summary
Flow diagram; labels recovered, in the order the preceding slides describe:
• Log-on details captured
• Request intercepted
• Smartcard challenge code given
• Delay experienced (customer sees “Loading…”)
• Fraudster creates a new payment
• Money sent

Slide 17: Case Study – Malware infection?
• Strict IT security relaxed
• Employee inadvertently downloaded malware
• Payment for c£2m created
• Sent to the UAE
• Bank actions
• Company actions

Slide 18: Never, Never, Never
• We will NEVER ask for your full PIN and password to log in to online banking
• We will NEVER ask you to provide PIN and password or smartcard codes over the telephone
• We will NEVER ask for any Smartcard codes to complete log-in; these are generally only used to authorise payments
• We recommend you download Trusteer Rapport – FREE security software available from rbs.co.uk/onlinesecurity

Slide 19: Online banking – best practices
• Use $tR0ng p@zzwOrds that are changed regularly
• Restrict payments to certain countries
• Do not allow employees to share their credentials
• Limit payment values
• Regularly review user roles and profiles
• Introduce dual authorisation of payments
• Limit access to only those who really need it
• Disable access for absent staff
• Keep log-on details safe and secure

Slide 20: !SCAM! Altered cheque - Handwritten (image only)

Slide 21: !SCAM! Cheque and payable orders fraud
Good housekeeping
• Limit the number of books you hold
• Check the middle and back of book
• Store cheque books securely
When issuing cheques
• Do not leave any gaps
• Recorded and special delivery
• Where possible, include references
Reconciliation
• Reconcile frequently
• Reconciler should not be the issuer
• Verify why the cheque was issued

Slide 22: !SCAM! Mandate Fraud
How does it work?
• Change of bank details instruction is given – sometimes by phone initially
• Following the phone call, a fax or email ‘confirmation’ may be received
• It appears to be on headed paper or from a genuine email address
• It may refer to genuine people within each business
• Purpose is to get you to change the details you make payments to
• This ensures future payments are now made to the fraudster

Slide 23: !SCAM! Mandate Fraud (image only)

Slide 24: !SCAM! Mandate Fraud
Example letter shown on the slide:
Mr J Singh
ABC Limited
8th Floor
Building A
Somewhere
Somehow

Limited
Unit 1, An Industrial Estate, Somewhere, Somehow
[email protected]

Dear Mr Singh,
Further to our telephone conversation, please accept this letter as written confirmation of our change of bank details. All future setlements should be made to
Account number: 12345678
Sort code: 000000
I would be grateful if you could update your records without delay.
Please contact me directly on 07777 777777 should you have any queries.
With kind regards,
Amanda Boxy
Finance Manager, ABC Ltd

What can you do?
• Check for irregularities
• Contact the supplier using an independently sourced number
• Confirm correct details with supplier before payment is made
• Email confirmation of payments that have been made to the supplier
• Undertake a proactive review of recent and pipeline requests
• Speak with other employees responsible for this type of request

Slide 25: Reporting – Suspected, attempted and actual fraud
Report to RBS:
• 0845 300 3986*
• Account number
• Payment details
• What’s happened
• Action taken (if any)
*Monday – Friday, 8am-8pm; Saturday, 8am-6pm; Sunday, 9am-5pm

Slide 26: Reporting – Suspected, attempted and actual fraud
• Action Fraud
• UK’s national fraud and internet crime reporting centre
• Non-emergency service
• Branch of the City of London Police
• Reports are passed to the appropriate local police force

Slide 27: Action Fraud – Intelligence is essential (image only)

Slide 29: In summary and Q&A
Please let us know your feedback: [email protected]
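Slide 9 distinguishes direct spoofing (a domain the bank owns) from indirect spoofing (an unaffiliated domain behind a friendly ‘From’ name). The following added example, which is not part of the RBS deck, shows how a mail-triage check can separate the two from the From header and the receiving server’s Authentication-Results verdict; the brand table, sample headers and every domain other than rbs.co.uk are constructed.

```python
"""Triage check for the two spoofing styles on the 'Phishing - Email spoofing'
slide (added example, not from the deck):
  direct   - the sender domain is one the brand really owns, so only the
             receiving server's SPF/DKIM verdict separates forged from genuine;
  indirect - an unrelated domain with a 'friendly' display name naming the brand,
             which can pass SPF for its *own* domain and still be a phish."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed table: display-name keyword -> domains the brand genuinely sends
# from. rbs.co.uk is taken from the slides; a real deployment needs its own list.
BRAND_DOMAINS = {
    "rbs": {"rbs.co.uk"},
}

def classify_from(raw_headers: str) -> str:
    """Return 'genuine', 'direct-spoof', 'indirect-spoof' or 'no-brand'."""
    msg = message_from_string(raw_headers)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Authentication-Results is written by the receiving MTA (which should strip
    # any copy that arrived with the message), so the sender cannot just type it.
    auth = msg.get("Authentication-Results", "").lower()
    brand = next(
        (b for b in BRAND_DOMAINS
         if re.search(rf"\b{re.escape(b)}\b", display_name.lower())),
        None,
    )
    if brand is None:
        return "no-brand"            # nothing in the From name claims to be the bank
    if domain in BRAND_DOMAINS[brand]:
        # Direct spoofing: the genuine domain appears, so trust only the auth verdict.
        if "spf=pass" in auth or "dkim=pass" in auth:
            return "genuine"
        return "direct-spoof"
    return "indirect-spoof"          # friendly From name, unaffiliated domain

# Constructed sample headers, one per case
SAMPLES = {
    "genuine": "From: RBS Fraud Team <alerts@rbs.co.uk>\n"
               "Authentication-Results: mx.example; spf=pass; dkim=pass\n",
    "direct": "From: RBS Fraud Team <alerts@rbs.co.uk>\n"
              "Authentication-Results: mx.example; spf=fail; dkim=none\n",
    "indirect": "From: RBS Online Banking <secure-login@mail-notify.example>\n"
                "Authentication-Results: mx.example; spf=pass\n",
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:9s} -> {classify_from(hdrs)}")
```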