Stories from the Front - A Treasury Update Podcast Series

Episode 115

Stories from the Front:
Pandemic Impact on Payments

On this episode of the Stories from the Front series, The Treasury Update Podcast Host Craig Jeffery sits down with Doug King, Payments Risk Expert at the Federal Reserve Bank of Atlanta, to discuss the impact of COVID-19 on payments. Topics of discussion center around consumer behavior, fraud tactics and trends, and response measures to mitigate and recover data breaches. Listen in to this candid conversation to find out more.

Read the Take on Payments blog here

Host:

Craig Jeffery, Strategic Treasurer


Speaker:

Doug King, FRB of Atlanta

Episode Transcription - Episode 115: Stories From The Front Pandemic Impact on Payments

INTRO: 

On this episode of the Stories from the Front Series, host Craig Jeffrey sits down with Doug King, Payments Risk Expert at the Federal Reserve Bank of Atlanta to discuss the COVID-19 impact on payments. Topics of discussion center around consumer behavior, fraud tactics and trends, and response measures to mitigate and protect against escalating attacks. Listen in to find out more. 

Craig Jeffrey: 

Welcome to The Treasury Update Podcast. This is Craig Jeffrey, your host today for Stories from the Front Series, talking with Doug King, who’s a Payments Risk Expert at the Federal Reserve Bank of Atlanta. Welcome to the podcast. 

Doug King: 

Thanks for having me here, Craig. It’s great to be heading down to Peachtree City today. 

Craig Jeffrey: 

We are live in our boardroom, safe six feet apart. So, this is good. Thanks for doing this in person. We’ve been doing all of the podcasts remotely before. 

Doug King: 

Probably more than six feet apart. So, we are hopefully extra safe today. 

Craig Jeffrey: 

Excellent. Doug, I wanted to start off by hearing about your role at the Fed. I know you’re in the payment sector but I wanted to hear a little bit about your background and your career, what brought you to this point, what you’re doing at the Fed, and then I know you spend a lot of time in the retail payments forum. So, maybe give some background on that. 

Doug King: 

My world in the payments space began back in 2007, had finished grad school and a little side note went to grad school because I was going to be the next great general manager of an NFL team, or MLB team. And I mistakenly found out that an MBA was probably not the best route for that. So, lo and behold, I found my way into payments with a management consulting firm. And with that firm spent a whole lot of time working with several global card networks where I really learned the ins and outs of the card-based payment systems, worked on a whole host of projects with those guys. 

Doug King: 

And as I mentioned to you before we got started, Craig, was doing a whole lot of traveling and family obligations wanted me to get somewhat off the road. And I found my way over to the Federal Reserve Bank of Atlanta with a role in the payments, Retail Payments Risk Forum. So, I’ve been with the Fed now while coming up on this January will be 10 years. 

Doug King: 

Our group, the Retail Payments Risk Forum as the name forum implies, it’s really a collaborative effort of bringing parties across the payments value chain together alongside other regulatory bodies, law enforcement, corporates, merchants, really anybody who touches payments to understand what is going on in the payments ecosystem. And most importantly, what are the risks? What types of fraud are we seeing within these payments systems? And then how can we mitigate those risks? 

Doug King: 

So, it’s really a collaborative effort. We host events, we attend events, we do a weekly blog, we put out publications, but it’s really working with the industry, researching alongside folks in the industry, and then educating the industry at large around payments fraud and payments risk. 

Craig Jeffrey: 

So, just one item that you had mentioned there about the blog that comes out Monday, you said every- 

Doug King: 

It’s usually every Monday. In this COVID year of 2020, we’ve actually had a blog every single Monday. Years past, we’ve taken certain Monday holidays off. I laugh because this past Monday was Labor Day and we actually had a blog come out for the first time on Labor Day. So, as the world has changed, which we’ll talk a little about in the payment space, we know it’s changed other parts of our lives as well. 

Craig Jeffrey: 

We’ll make sure that there’s a footnote in the podcast section that links to the blog, just to give everybody an opportunity to look at that. 

Doug King: 

Sure. And I should add as we talk payments, a lot of people know the Federal Reserve from a monetary policy standpoint, perhaps, or from a supervision and regulation of financial institutions. But payments is a very big piece of what the Federal Reserve does, whether that’s ACH payments, processing checks in the wire space, and all of that payments work, all of the retail payments work is done through the Federal Reserve Bank of Atlanta. So, the payments office for the Federal Reserve is housed here at the Federal Reserve Bank of Atlanta. 

Craig Jeffrey: 

Yeah. So, as we continue this theme in the series of Stories from the Front, COVID has had an impact on many individual organizations, companies. It’s certainly had an impact on payments. And I wanted to spend a little bit of time on there. So, one of the things that you had shared as we were talking had to do with the consumer shopping and payment behaviors, I guess. How has COVID-19 impacted this space? 

Doug King: 

Sure. And there’s two key things I would say and then an offshoot. And these probably won’t come as a huge surprise to the listeners of this podcast. But for one has been the shift from in-person shopping to online shopping or in the payment space as we like to call a shift from card payment or in-person card present transactions to card not present or you might hear me use the acronym CNP as we go through this podcast. 

Doug King: 

And that shift has been occurring for numerous years. I mean, we all know that Amazon’s growth in the retail space has been phenomenal over the last 10, 15 years. So, people have been shifting to that card not present environment, but when this happened, when COVID-19 hit in March, I mean, this really put the pedal to the metal, so to speak, the accelerator on that shift. 

Doug King: 

The other shift that we’ve seen is for those folks who are still doing in-person shopping is a shift from contact transactions where you’re dipping your card into a reader and perhaps entering a pin to contactless transactions, either tapping your card or tapping a phone that’s got a mobile wallet, or maybe even using a retailer’s own app that could have a barcode, the Starbucks model, so to speak, in making that payment. And we can dive in to both of those. 

Doug King: 

But then the other third interesting thing is as we talk card not present more online shopping and we talk contactless, interestingly, what about cash? And early on in COVID-19, there was a lot of banter about cash could be dangerous, cash could carry the virus. And that’s kind of been disputed as a myth at this point, but no doubt that created fear in people. 

Doug King: 

And so, you’ve seen more and more retailers who’ve said, “Hey, we’re not going to accept cash now.” I’m a big NASCAR fan and of all the places at Talladega in June, they did not accept cash at their vending sites. The world has definitely changed over these past six months. Again, I’ve got some statistics we can jump into. And then the interesting thing to watch is, are these becoming habits? Is this going to be temporary when the world returns to normal? 

Craig Jeffrey: 

I have two things that we didn’t talk about, but this conversation made me think of it is when you talked about the cash, no cash. I mean, I think we’ve seen that. I don’t really use too much cash other than in a couple of situations, but some of the retailers have the signs of about the national coin shortage. And if nobody’s using cash, how come there’s such a coin shortage? I don’t know if there’s an easy answer for that, but just seems odd. 

Doug King: 

So, there’s been a lot of pieces, documents, put out about the cash shortage or the coin shortage. And I won’t go into too much detail. But when you think about the fewer cash transactions, there are still people transacting in cash. When you transact in cash, Craig, and you get coins, what do you generally do with those coins? 

Craig Jeffrey: 

I stick them in a sorter that eventually gets wrapped and brought to a bank. 

Doug King: 

Eventually is the key word. So, I think what you had when you had fewer transactions occurring, by nature, people stick the change that they receive in their pocket, throw it in the cup holder of their car, put it in a piggy bank, whatever. And so, as those cash transactions are fewer, but still happening and coins are paid out, no coins were actually coming back into the system by those people. So, that’s how we ended up with that shortage. 

Craig Jeffrey: 

I look forward to an update when we have this coin overload when everybody brings this back. The other item that was interesting that you said is, did COVID create new habits, or is it a one-time event? We’re just adapting to something. But I wonder if you could comment on your thoughts on that, if you’re able to take projections on that. But I think back to 2001, 9/11, where planes stopped moving and Check 21 came in and there was a pretty significant shift of moving paper around to settle. 

Craig Jeffrey: 

And so, for those of you who are from Europe and other parts of the world were like, “What are checks?” We had a lot of checks and moved and we stopped it because everything’s imaged and sent around. And it really made pretty significant changes at that point. I mean, do you think COVID is comparison to what 9/11 was to checks? COVID will be to coin in some other behaviors with card et cetera. 

Doug King: 

So, first looking at the card not present perspective, I think there’s been some interesting verticals, so to speak, where I think we could see changes and take, for instance, grocery. Grocery, online ordering, and either having it delivered to your house or picking up has been around for several years. Some surveys that were out there and some studies found that in early March, about 4% of consumers were doing online grocery shopping. 

Doug King: 

Updating that survey in the post COVID world, that number had increased from 4% to 18%. That is a massive jump. And I think what from March- 

Craig Jeffrey: 

March to- 

Doug King: 

… to June is when the survey was read on. 

Craig Jeffrey: 

So, one quarter. 

Doug King: 

Right, one quarter, and this was a survey, it was 2000 consumers, but sponsored by PayPal and payments.com. But that is a massive shift. And I think some of that will stick. And fortunately, we got some research, because that was obviously a followup question that was done. And 13% of those people said that they plan to maintain that shift as it relates to grocery. So, that is a massive change there, but brick and mortar is not going away and it’s going to be around. I think it’s about 90 to 92% pre COVID. All commerce was brick and mortar. And whether changes is left to be seen and by changed, I mean maybe more showrooming where you’re not necessarily going to a brick and mortar store to purchase something. You’re going to look at the couch or look at the television and then you’re going back home to purchase it, or you’re purchasing it from the mobile app there and it’s being delivered or picked up. 

Doug King: 

I think the more dramatic shift is going to be in the stickier shift is going to be on this whole contactless. Here in the US, we’ve been trying, or contactless has been… If you go back to the early 2000s, contactless cards came about, and it was a, I hate to use the word massive failure, but it didn’t catch. We’ll say that it didn’t catch on. 

Craig Jeffrey: 

I mean, that’s to say the least. I remember going into a very famous fast food restaurant that had this. And they would say it’s $4 for whatever I had and I would swipe it, just tap the thing and I would make the payment and they go, “No, you have to swipe it in the reader,” like I didn’t understand how to swipe a card. And I was like, “No, it took the payment.” And they would want to argue with me. And I was like, “Look, see, it’s taken it.” And they’re like, “I’ve never seen anybody do that.” And I never saw anybody use those back then. 

Doug King: 

I mean, contactless cards again or… So with EMV, when we migrated to EMV, some issuers went to EMV contact plus contactless cards, dual interface cards that could be used for either. And had you gone to a retailer that accepted them say, 2017, I’m just throwing out a year, you probably would have had the same experience as you had with that fast food retailer in the early 2000s. And everybody had said that the catalyst here in the US and this was kind of what it played out in other markets was going to be transit, mass transit. Contactless and mass transit is your bang up use case for it. 

Doug King: 

And interestingly, the MTA, the New York Transit Authority had launched a contactless pilot, and it had been extremely successful and they intended to continue rolling out that pilot. And then here we came in March and COVID happened and we’ve seen what’s happened in New York City, but then for contactless, COVID also is that boon. So, I hate to go back to a horrible moment in our history, but you talk about an inflection point for contactless. 

Doug King: 

I really view this as COVID will be contactless’ inflection point. And it’s interesting, The National Retail Federation has recently done a study and they’re moving away from the contactless name, believe it or not and calling it no touch payments. And we can use contactless, no touch today, interchangeably. But I mean, in effect, I could still make a contactless payment that would require a touch because there are certain instances where I make a contactless payment and I still might have to put in a pin. 

Doug King: 

So truly that could be contactless but touch. I mean, I’ve used contactless more over these last three months. What has your experience been with contactless? 

Craig Jeffrey: 

A couple places it said, “You can touch.” I went to one of those large big box, you only buy all your food at once. And it actually didn’t allow you to touch it. It had a sign saying it, but it wasn’t registering on my card, but I would use it all the time because why swipe it or insert it if you can just tap the screen? So, I don’t know if that’s typical. 

Doug King: 

I mean, I’ve found myself using it more. Today, about two thirds of retailers take contactless or as NRF now calls no touch payments. 94% of retailers expect contactless payments to increase over the next 18 months. Since January, the NRF has found there’s been a 70% increase in contactless payments. From a consumer perspective, during the pandemic, 19% of consumers have said they’ve made a contactless payment for the first time. That’s a pretty large number there. And then 57% of that 19% said they would likely continue once the pandemic has subsided. 

Doug King: 

So, I think that’s where I’m seeing the future and the change and that stickiness and change in consumer behaviors. I think this was for those people who wanted contactless in the US and struggled to get it there. I hate to say like, unfortunately I believe it took perhaps a pandemic to do that. 

Craig Jeffrey: 

The big accelerator, for sure. 

Doug King: 

Absolutely. 

Craig Jeffrey: 

Yeah. That’s interesting. When you said the 94% of retailers expect it to increase, I’m like, “I would think it would be almost 100% increased by how much?” Certainly by these 19%, I would think, what’s the trade off. I mean, I’ve got to stick it in or swipe it versus contactless. 

Doug King: 

And with contactless, you can use a mobile phone or the card. From a fraud perspective, might be jumping ahead a little here. But- 

Craig Jeffrey: 

That’s just good timing. This is a good time because I wanted to shift to some of the fraud examples, but go ahead. 

Doug King: 

That mobile contactless transaction is about as safe of a transaction as you can get at a card reader, given the fact that… And I don’t want to dig too deep into the weeds, but that transaction is using tokenization. And so, what that means is for that retailer who accepts that mobile wallet, and when we talk mobile wallets, Apple Pay, Google Pay, where you can load a credit card or debit card into your phone to be used at a retailer. So, when you tap that Apple Pay or Google Pay transaction, that merchant, that retailer never actually sees or touches the credit card or debit card PAN, the account number. They’re getting a tokenized number. 

Doug King: 

So, when you talk about data protection, securing data, hearing about data breaches, that retailer is no longer touching those PANs. So, when you think of a big mass merchant who had a data breach five years ago when all these card numbers were exposed, if all transactions were done through these mobile wallets, then that would not be a concern like it is when they accept regular traditional cards. 

Craig Jeffrey: 

Yeah. You can’t steal the card number if you just have a token, which you can’t do anything with or not effectively. Yeah. And so, thanks for explaining the tokenization aspect. And you had mentioned EMV, Europay MasterCard Visa Network as well. So, I don’t know if you wanted to give an explanation for that or? 

Doug King: 

The contactless payments or using an EMV, thank you for spelling it out or calling out. We love acronyms and perhaps some people might not recognize that acronym. It’s a chip-based transaction. It’s truly a computer chip and when it interacts with the POS system there, it turns on that computer chip basically, and a dynamic cryptogram is created in that transaction, which makes it very hard to replicate or to use a counterfeit card based on that dynamic cryptogram. 

Doug King: 

And the good news is that in the contactless card transaction, it is also using that dynamic cryptogram. So, whether you’re dipping your EMV card or tapping it, you’re getting that same type of security with that transaction. And then when that mobile wallet, as we touched on, you’re getting even an additional layer with a tokenization. 

Craig Jeffrey: 

Yeah. Excellent. Thanks for diving into that. There’s a lot of people who love card payments and payments experts that listen to the podcast, but some are not. And so, that’s some good details. But let’s shift over. You talked about fraud, some of the things that… There’s a number of things going on, we saw from the Treasury Coalition, we did surveying, we saw that 36% of organizations said they had experienced increased levels of fraud attempts or different attack types. 0% said it had decreased and this was once everybody moved to the work from home environment. I know we’re talking more broadly about card and other things. 

Craig Jeffrey: 

What’s the COVID impact on fraud or what’s going on with fraud lately? I’m sure you have some stories that will be humorous and stories that may scare us. So, what do you have on that front? 

Doug King: 

I hate to throw humor and fraud together, but it’s more scary. First looking at cards, the Federal Reserve does a triennial payment study and over the last two studies have collected fraud data and done follow-up fraud surveys with some of our participants. And card not present transactions, the fraud rate for those transactions are about double the fraud rate for card present transactions. So, just inherent by their nature card not present transactions are more risky. 

Doug King: 

So, as we go to a more card not present environment, we’ve touched on or during this COVID time, we’re dealing with more risky transactions. The good news is a whole lot of work is being done in the industry to mitigate those risks, whether it’s using technology, using artificial intelligence, big data, to understand how you and I and other consumers operate. So, I look for that fraud rate to come down, but it’ll still no doubt be higher than that card present rate. 

Doug King: 

But interestingly, as I talked about using big data and trying to understand our habits as issuers and merchants look at accepting these transactions, all of our habits were turned upside down on our head come mid-March. So, how I shopped online in April was very different than I was shopping online a year ago, April. So, all these risk scoring models, how effective were they? Were we able to determine, is this a good transaction or is this a bad transaction, a fraudulent transaction? 

Doug King: 

And I think there were some challenges there. So, I think that’s it. When we look back, we’re going to find that there were definitely challenges. I also wonder as we talked about shopping more at home and that grocery shopping example, a whole lot of people were ordering takeout from restaurants that perhaps might not have had a huge takeout business. 

Doug King: 

So now you’re giving your local restaurant down the street from you, a card number over the phone. How are they protecting that card number? So, you perhaps have introduced new vulnerabilities into that card space. But again, I want to reiterate that while card not present transactions have been substantially higher than card present transactions, the fraud rates a whole lot is being done to mitigate that so that there is some positive news there. 

Doug King: 

I touched on the contactless piece where I actually think that’s a positive as we talk card transactions, but the real dollars lost is probably not on somebody getting a hold of my credit card or your credit card. I know you’ve got enormous credit limit though. So, perhaps you more than me would be the target for the fraudsters. 

Craig Jeffrey: 

But yeah. Certainly, when those things come, you get these little warning signs is like someone charged, whatever it’s like, “No, that wasn’t me.” 

Doug King: 

Yeah. So, I mean, it’s a problem, but what most of your treasury listeners listening to the podcast today, they’re probably more concerned with much bigger dollar losses, and clearly COVID has opened the door for bigger dollar losses for corporates from a really two primary means that the fraudsters are doing, and that would be in ransomware and business email compromise. 

Craig Jeffrey: 

Let’s start with ransomware. I know we’re in Atlanta, the city of Atlanta had been hit with ransomware where, I’ll just say, stuff was encrypted. They didn’t pay the ransom. And they spent north of a hundred thousand dollars, well, north of a million dollars- 

Doug King: 

Several million, I think. 

Craig Jeffrey: 

… to recover from that. So, what’s going on with ransomware? 

Doug King: 

This COVID environment as we’ve gone more virtual in school and in work is a huge open door for the fraudsters. They see this environment as, “This is wonderful.” While we might all be yearning to get back to the office, the fraudsters are thinking, “Wow, can we keep this virtual world going?” And why is that? Just because perhaps the security is a little more lax in the virtual world than when we’re all working from an office. 

Doug King: 

CyberArk software, a report that they recently put out found that nearly 30% of remote workers let their kids and other family members use their laptops for online shopping and gaming. Or if that laptop’s in the office, kids or your spouse aren’t logging in. And again, all that does is open the door, you’re visiting sites that could have vulnerabilities. 

Doug King: 

According to research from IBM, Craig, 53% of remote workers have used a personal device to perform work functions. This whole work environment, virtual work environment, is opening the door for fraudsters. And we’re seeing that. The FBI, as of May 28th, this year had received about 320,000 internet crime complaints, which was nearly the double rate from 2019. 

Craig Jeffrey: 

Oh, I didn’t realize it shot up that much. And then your stats on people letting kids on their work computers that seems like a pretty significant violation, but I think we know everyone moved home and a lot of people didn’t have laptops from work, so they’re forced to do that. And that’s another vulnerability. The environment creates this vulnerability. 

Doug King: 

And then they’re using a home network or Wi-Fi router whose password’s the family dog’s name. Perhaps they’re not using a VPN. Don’t want to get overly technical, but it’s just created vulnerabilities. And ransomware coming into this environment was a huge challenge for corporates and treasuries. 

Doug King: 

One firm, Emsisoft, estimated that the global cost of ransomware demands paid in 2019 were over $6.3 billion. Today, a ransomware attack is occurring every 11 seconds. That doesn’t mean they’re successful, but just the ransomware attack is occurring every 11 seconds. And then here’s a huge piece. We always talk about these ransoms. You mentioned the city of Atlanta and what they’ve cost. 

Doug King: 

So, going back to the first quarter of 2019, the average ransom payment was around $10,000. By the first quarter of this year, it was over $100,000. Manufacturing, government entities, and education entities have been the hardest hit recently. You’ll love this. Healthcare was a huge target prior to 2020, but apparently the fraudsters have somewhat of a heart. They have actually taken it easier on healthcare organizations over these last three months. 

Craig Jeffrey: 

That’s really interesting. I don’t know about the having a heart, I think they would take advantage of anything, but you’re right. Maybe they have a relative and they’re like, “Well, okay, we’re going to go easy for a month or two,” because they were hammering them. 

Doug King: 

They were hammering them. I know we jumped into ransomware and stats, but I imagine most people on the podcast know, but what we’re talking about with ransomware is the fraudsters will come in and either lock down files with encryption, so you can no longer access those files. They’ll completely lock out the system. So, not only can you not access your files, you can’t even operate your, turn on your computers. And recently, what we’ve seen over the last six months they started doing in 2020 is not only locking down files or locking down your computer. Before they do that, they’re also exfiltrating the data. So, you have a data breach on top of not being able to access. 

Doug King: 

And so, they’re using all this to their advantage to say, “Hey, if you want access to your files back, if you don’t want us to dump this data out onto the open market, then we expect you to make a payment.” 

Craig Jeffrey: 

Accelerating that sense of urgency for pay. 

Doug King: 

That’s right. And so, the healthcare was a huge target because if you’re shutting down healthcare systems, not only are you impacting their billing, but perhaps what does that do to patient care? And so, the fraudsters like to hit where it hurts. And you mentioned the city of Atlanta. So, government has been a huge target for them. 

Doug King: 

Education has been a huge target. Got a couple of recent stories. If- 

Craig Jeffrey: 

Yeah. Let’s hear them. 

Doug King: 

So, do you like to hear some stories? 

Craig Jeffrey: 

Yeah. 

Doug King: 

So, we can start in the education space. We’ll leave the names out, but people can definitely Google them after the podcast and find out who they are if they’re interested. But West Coast State University was struck on June 1st and they actually did hit the school of medicine’s IT system. So, the medical school’s IT system. Couple of ways you can get into a system or get ransomware into a system. 

Doug King: 

One would be by emailing a malicious file. Someone within that organization opens that PDF document, or perhaps a Word document and boom, it executes the ransomware. You’re actually seeing the attackers, could use the word weasel since they are fraudsters, but weave their way into a system by actually gaining access to a system. Now, VIP coming in remotely, finding a hole where perhaps the organization hasn’t done a proper security patch or an upgrade and getting into the system. And once they’re into the system, they’re able to deploy the ransomware. So, that’s what happened for this West Coast State University. 

Doug King: 

Fortunately, though, it was the medical school. It did not impact any patient care delivery operations or the overall network. But these fraudsters were able to exfiltrate data, then encrypt the data. So, here they were dangling this carrot, “Hey, we have all this data, plus you can’t access any of it.” And they initially made a $3 million demand to not share the data and to send them the decryption keys. So, this is what’s great. 

Doug King: 

Now, ransomwares, the fraudsters are willing to negotiate. So, the administrators negotiated with the fraudsters and they eventually paid a little over a million dollars to receive the decryption keys. And the fraudsters also agreed to delete the files that they had exfiltrated. Now, the problem with paying ransoms is that all that does is proliferate the crime. If people are going to pay, then the fraudsters behind the ransomware are going to say, “Wow, this is a great business. Let’s keep doing it.” 

Doug King: 

So, law enforcement recommends not making payment and that’s easy for you and I sitting here seven and a half feet apart to say, “Yeah, people shouldn’t make the payments.” But when it’s your data and it’s your business, and it’s your operations, and your clients, your customers, your patients, you got to do what’s best for you, maybe not, it’s what’s best for the fraudsters. So while I am fully on board with law enforcement’s recommendation not to make payments, I totally am sympathetic with the entities that do decide to make these payments. 

Craig Jeffrey: 

Yeah. It’s very disruptive. You mentioned business email compromise, where there’s a spoofing going on, or there’s either a compromising email itself or spoofing that you’re a finance head or a CEO asking to do activities. What do you have for us there? 

Doug King: 

So, business email compromise, it is interesting because it’s become more morphed into this spoofing methodology. Then in prior years, they were actually getting access to, say, a CEO’s email, and they’re still doing that. But primarily what we’re seeing are these examples of where they’re spoofing a CEO’s email and there are several ways they can do that. They are either using a domain name that’s very close to the company’s domain. 

Doug King: 

So, if you just quickly look at that email address, you’re going to say, “Oh yeah, that’s the right email address,” though the domain could be a letter or two off. Or, they’re using a legitimate email, but the sender and the receiver name attached to that email is the actual executive that they’re posing as or as the actual vendor that they’re posing as. So, for instance, somebody could send an email with, from Doug King, but if you actually looked at the address, it could be a totally different email address, but you just see that name, Doug King. And they’re targeting CFOs, the finance organization, the finance function of organizations, as well as human resources. 

Doug King: 

So, those are the three big targets. And what these fraudsters are doing is they’re trying to convince the person on the receiving end of that email to move money. If they’re hitting HR, they might be trying to access files or data of an employee, but these fraudsters are extremely sharp and smooth at doing this. For example, I’ll give you two examples here, not funny, but you want to see how the depths that these folks will go. So, a Texas energy company several years ago was hit for a little over $3 million, a business email compromise scheme. And the fraudster pulled it off by just going online and finding an employee list. Once he found that employee list, he created a deceptive email address under the company CEO name, used that address to email the CEO’s assistant, which he also pulled straight from the website and had an invoice attached with wiring instructions of where funds should be sent to fulfill this invoice, sent to the assistant three o’clock on a Friday. 

Doug King: 

So, time was of the essence. “We got to do this before the weekend.” This fraudster had also done their research and knew that the CEO coached his daughter’s soccer team and that they had a soccer tournament over the weekend. So, included in this email to the assistant was, “Hey, I’m going to be out of touch this weekend because I’m at my daughter’s soccer tournament,” which the assistant was probably very aware of, “Yes, he’s got a soccer tournament.” 

Doug King: 

So again, even more believable. So, unfortunately what happened, she sent the wire out per her instructions from who she thought was the CEO, someone posing, and that money was out the door on a Friday afternoon. Monday you come into the office and say, “Hey, I fulfilled that wire for you, boss.” And guess what, “What wire are you talking about?” 

Craig Jeffrey: 

And by then there was enough time to move that money out of the banking system and it’s gone. 

Doug King: 

So, one other crazy story, and this is outside of the US but there was an Italian company whose Indian subsidiary got hit for over $18.5 million through a business email compromise scheme. And what happened here was that the CEO of this Italian company emailed the head of the subsidiary from an account or emailed the head of the subsidiary based in India. Again, though, it wasn’t actually the company CEO, it was a deceptive account. The subject of the email was about a secretive and highly confidential acquisition in China. 

Doug King: 

So, again, in the previous example, we had time is of an essence to almost the weekend. “I’m not going to be available.” This was, “Hey, this is highly secretive, confidential. Let’s keep this under wraps.” So, they even set up conference calls, Craig, with the would-be acquisition company and this subsidiary of the Italian company in India, and they’re hashing out the deals of this, but there was a kink. The Italian company, according to the CEO, this deceptive CEO, was not allowed per regulations to send the wire for the acquisition. So, it had to come from India. So, that Indian subsidiary over the course of a week sent out three separate wire transactions to close the deal for $18.5 million. 

Doug King: 

But you and I both know, we’re talking with business email compromise, there was no deal. And the money was out the door. They were wired to accounts that were opened with fake identification documents. And as soon as they figured this out, the accounts were closed and the money was gone. 

Craig Jeffrey: 

Yeah. Nice, scary stories there. But yeah, it is amazing the amount of effort and intelligence to deceive people. Open this email, respond to this with a sense of urgency, whether it’s a business email compromise, including other personal information or the example of ransomware, some different stories there. So, definitely an environment of accelerating fraud attacks. And have you seen this increase consistently? 

Doug King: 

Absolutely. As we’ve said, the ransoms are rising, people are paying them. Ransomware has become a software as a service platform. So, you have bad guys who are designing the software or going into the dark web and selling it where you and I could go purchase it and then execute the attack. I mean, it’s a multifaceted, multilayer crime fraud situation. And then when the business email compromise and even ransomware, if you’re opening a file that’s executing ransomware. We are our own worst enemies. We can have and we can talk technology. 

Doug King: 

Actually, I want to say we can’t talk technology because I’m not your guy to talk to you on this podcast for technology, but we can employ firewalls and have the latest and greatest gadgets. But at the end of the day, the biggest firewalls are human beings and we’re susceptible to being duped and looking at, for instance, that one business email compromise story, where the bad guys knew the CEO coached his daughter’s soccer team and they have a tournament. We love to share things. 

Doug King: 

So, what these bad guys can find out about these individuals that they prey on to attack. A lot of times, we’re just putting it out there for them to get. It’s not even that challenging for them to find it. And that’s scary. I mean, there’s been examples of job postings on LinkedIn that have led to attacks or the fraudsters that said, “Oh, they’re looking for somebody who’s experienced in this software.” So, we know that this company is using that software and we know the vulnerabilities of that software. And if they’re looking for somebody on the security side, perhaps they’re not up to speed or they’re not where they need to be and they want to build up to it. The fraudsters are good. 

Craig Jeffrey: 

Yeah. Good in a bad way. Yeah. The criminal behavior is amazing. It’s more sophisticated, greater payoffs. We can’t overlook them anymore. But, Doug, as we’ve talked through the change in COVID, we’ve looked at some of the trends in fraud, both due to COVID, but also just in this regular environment, I’d love to hear some of your final thoughts maybe around recovering from having some type of breach to moving to protection. What are some of those measures to mitigate or prevent this type of fraud? I know you talked about some things that the card industry is doing for the CNP type of situations, but what else should people be doing to help with prevention and mitigation? And I know you talked about systems and people, but maybe you could just highlight a few things as a takeaway for the audience. 

Doug King: 

Sure. So, I think making sure your software is updated, all patches are being installed. Krebs on Security is a big website, call it a website blog, who talks about security or in payments and then online. I guess it was two days ago just was discussing the Microsoft patches that they had just put out. And there was something like 20 or 25 patches that were all related to security. So, making sure you’re updating your operating system software, firmware on all devices. 

Doug King: 

User permissions is another great way to somewhat mitigate these risks. So, restrict user permissions. Not everybody in your office needs access to everything that you have. So, in the instance that perhaps say, “I fall victim to this type of attack.” Well, guess what? I don’t have access to that sensitive information. You can’t get that if you gain access to my computer. So, knowing where your data is and who has access to it. Cold storage backup of your data because that’s huge. I mean, people are paying ransoms because they need that data back. So, if you have a recent backup in cold storage, then maybe you can say, “I don’t have to pay that ransom because I have it backed up from two days ago or a week ago. And we still have access to that and you don’t.” 

Doug King: 

From an email perspective, I think one of the great things you can do is mark if the email is from an external account, somebody outside of your organization. I know many companies are doing that now. So, if I send you a message, up at the top of the email, it’ll be in bold or in a different color, say, from outside the organization, not from your company, whatever it may be, but tip off that, “Hey, this is from an outsider.” And then also from an email, there’s some new, we know we’re not going to dive deep into technology, but a new authentication tool that’s being used, Domain-based Message Authentication, Reporting and Conformance, called the DMARC. And that is I think going to become more and more of an industry standard, perhaps. 

Doug King: 

So, for the folks listening on the podcast, I would definitely look into a solution or a DMARC type of policy and what it can do for your organization. 

Craig Jeffrey: 

Yeah. That’s some good stuff. On the email side, some of the system providers, they add things like exfiltration checks if it’s sensitive information. It either creates an alert or it even blocks the email until you approve that, “Oh, this looks like a Spanish telephone number or a Spanish tax ID.” Sometimes we’re sending stuff around. I was like, “Why are we getting this blocked?” And it’s like, “Okay, there’s a number in something that looks like it’s a telephone number to someone.” But the way we formatted it made it look like a… the telephone number and the system blocked it from sending out. It wasn’t just an alert that had happened. It stopped. And so, I think that’s probably some elements there too. 

Craig Jeffrey: 

And I really liked your point about the user permissioning, that principle of least privilege. Why have promiscuous access to every system? Like, “Well, I’m honest, I’m trustworthy, whatever,” whether you’re in finance or you’re on IT. If someone gets your credentials and you have free rein across the system, across all these credentials, you’ve given up a lot of it. So, those are some really good points, Doug. 

Doug King: 

And I would like to add the one thing. So, using wires, wires, the primary technique to move this money and a lot of people aren’t familiar with this. The FBI has a financial fraud kill chain to try to stop these wires. We usually think of once the wire is gone, it’s gone. And while it is hard to get those funds, the FBI in conjunction with FinCEN has created this financial fraud kill chain. Not going to go into full detail, but the one key aspect is it has got to be initiated within 72 hours of the wire being sent. There’s a whole host. 

Doug King: 

You can go to FinCEN, look up financial fraud kill chain and see everything that’s required. But there are ways to actually get some of the money back if a wire goes out to fraudsters. It’s not guaranteed, but you have law enforcement, financial institutions on both the sending, the originating, and the receiving end who are willing to work to make that corporate whole. 

Craig Jeffrey: 

That’s great. I think we’re going to need to do another podcast on that because this idea of time is of the essence is important. Instead of sitting there, I’m embarrassed because we got fooled out of sending $7 million, $2 million, $500,000, and we can’t get that back. Time is of the essence, report it. You have a chance to perhaps stop it while it’s still in the banking system because once it’s out, there’s no chance. 

Doug King: 

Like I said, there are definitely avenues. And as you’ve talked, the banking system, we know international wires aren’t necessarily the swiftest financial transaction. So, again, that is why time is of the essence and that financial fraud kill chain is for international wires, but the FBI has also created what’s called a RAT, the Recovery Asset Team, and that is for use in domestic wires. 

Craig Jeffrey: 

There’s a RAT. Awesome. This is some really good information. I hope everybody enjoys listening to this. Doug, thank you so much for sharing some of your stories from the front. 

 
