Criminals Trick Bank to Send Customer Funds

Nicki Gillispie  0:07 

Welcome to The Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune it.

 

Jason Campbell  0:23 

There are more methods and approaches to fraud that confront companies and their baking partners. Two relatively recent examples seem to add new dimensions of how criminals are approaching fraud. If the criminal can remove layers of security, this leaves the company and perhaps the bank exposed to greater fraud. Examples of fraud can serve as a warning and be instructive in specifics and with the general security posture. The first example you wanted to cover had to do with removing bank security services, which were protecting an account. Can you go through that situation?

 

Craig Jeffery  0:57 

I’m excited about this one too, partly because these approaches are wicked, deceptive, and they’ve been very effective in some cases, and it’s good to be to be warned about them. So, this example of removing bank security services has to do with this ongoing escalation of you know, attacks and defense. You think about military activities. There’s a hardened vehicle and then there’s a tank and then you develop explosive strong enough to get to the tank. And then on the tank, they build these defensive devices where if there’s an incoming missile or mortar, it moves forward, takes the brunt of it, and so the missile doesn’t defeat the tank. They increase the missile so that the missile shoots something ahead of itself, taking out the defensive measure so that the regular missile can go and take out the tank. It’s just kind of like escalation like more defense, more offense, more defense, more offense. So, it’s constant and so that’s, that’s the war visualization. So, the situation here is some companies are leaders and they put on defensive measures that defensive measures, things like debit blocks, debit filters, ACH filters, EFT filters that make it automatically protected. You know, if anybody else tries to send in a debit to pull money out of an account, it’s blocked unless they’re on a permission list. There’s a situation where an account had been debited. And the company had looked and said, why was this debit? We have this security feature, they told the bank, this is an unauthorized debit on our account. And the bank said, well, you provided electronic prior authorization you provided a filter that allowed that to come through and they provided here’s the paperwork that shows here is here’s the authorization that lets you know that allowed for this, this debit and is this your signature? And they were like yeah, that’s our signature and that has that information, but we didn’t send it and so when they got down to the bottom of it, it was the criminals had found out that there was a block and the accounting had tried to pull some pull some money out of account that got blocked. Then they went back and communicate with the bank enough times to find out what are the forms to allow for this filtering activity to occur and allow activity to come through then they created fake documentation to allow for that sent that into the bank. The bank didn’t happen to confirm it because they received it in a way that seemed normal, seemed right, and at the time, they didn’t have this extra validation step. And so what happened is the bank realized okay, we had allowed this and should have not allowed this type of filters to be set up and therefore the bank was on the hook. But that type of situation is quite creative because it involves knowing the defensive techniques and figuring out a way around the defensive techniques to remove that particular layer.

 

Jason Campbell  3:58 

Well, you know, I’m going to be honest, I’m glad I’m not a criminal, even though, yeah, because like, that’s just way too much involved to do. That’s a lot of work there to get behind the scenes there. So, I don’t think I’d be a good criminal at all.

 

Craig Jeffery  4:08 

That’s just what a criminal would say.

 

Jason Campbell  4:13 

I would be terrible at doing those types of things, right. Oh, my goodness. But are there any summary points you want to leave with, with banks or corporations?

 

Craig Jeffery  4:22 

I think some of the ones are fairly obvious from that it’s, you know, it’s you can’t just trust what you what you have and think that why would someone sent in a pre-authorization letter or a filter to work around it? You know, like, nobody would do that. So, we don’t need to validate and it’s like, oh, yeah, you need to think about every security layer needs to have some sort of validation, just like we have multi-factor authentication to access accounts. So too we need to validate some of these other messages, just to ensure that you’re opening the door here. Who has authorization to that? So, be very careful and think like a criminal. If you’re a criminal, what do you think? How do I gain access? How do I remove defensive layers? And so, when you start talking about how would they remove defensive layers, how do we strengthen those defensive layers and prevent them from being removed?

 

Jason Campbell  5:11 

It’s almost really trying to find what that weak link is or that vulnerability within your process and continuously check it right?

 

Craig Jeffery  5:17 

Yeah, exactly. Any layer, any weakness, you know, any surface area, and particularly the weak areas.

 

Jason Campbell  5:24 

So, let’s move to the second example of fraud. So, this represented a type of account takeover that leveraged email compromise. So, what happened here?

 

Craig Jeffery  5:34 

So, I was talking to a friend, he’s at a bank, and he described this situation, and we know what business email compromises to some extent, it means that someone has either created a fictitious account, and acts like they’re from a company or they’ve gained access to the company’s email system, and sits there lurking, reading and learning. In this case, the criminals gain access to the email system, sat in there quite extensively. Were reading and monitoring emails, figuring out how communication occurred, who had the power and authorization, what were the messages like, to the banks and internally, and you know, as they had control of this activity they sent from the company’s mail system, they sent information to the bank, saying the previous CFO has left. Here’s the new CFO and had an email setup for them, a different email setup that wasn’t used by others, and the bank added them as the CFO. And so, the criminals use that and then after that had been set up for some time. They sent instructions to move money and started moving money, you know, northwards of $100,000 because it was authorized by the CFO, they knew the methods they had monitored it. So, they were able to provide specific instructions and correspondence that track then because now they were, you know, they had taken on the full persona, and in a sense had taken over the account in that they had the rights and privileges of the CFO. Now they’re able to move money out of out of those accounts. So compared to the size of the organization, it was a huge, huge, and significant loss there. So, very significant issue with being able to lurk long enough to learn how things are done and communicated, create changes. So, now it’s not monitored, and an act and move money out of the organization’s bank account.

 

Jason Campbell  7:30 

In normal life, when you see things from spam or text messages and emails, or even phone calls, robo calls and things of that nature and how, you know, we don’t want to take NSA for granted that that security is going to be so vital and crucial for us to always look at it, validate it to make sure it comes from a trusted source and you know, if it means that we got to do some additional validation, we probably need to take those steps, especially from a standpoint of, you know, banking and transmitting especially funds as well.

 

Craig Jeffery  7:57 

Yeah, you’re exactly right. You know, depending on the value of the conversation or the communication channel. The level of defense needs to match that. So that’s a really good point.

 

Jason Campbell  8:07 

So, what are some, some takeaway points here that that you have from this example that you would share with the viewers?

 

Craig Jeffery  8:13 

It’s one thing to create a spoof email. It’s another thing to gain email control and request some transcript to get someone else to do it. And it’s another level entirely where you’re sitting there learning how things work, and now you’ve created a persona, changed the rights and that you control what goes on. So, what does this mean? This means that your communication with your banks needs to be secure. They always need to be confirmed. You want to make that the standard, that it shouldn’t be…you shouldn’t be able to change whoever’s authorized by a single email. For bankers, anytime a main signer is changed, there should be a separate and secure validation process, maybe the bank relationship managers, part of that the treasurer officer is getting involved in that. So again, that’s another element of the confirmation or validation process that’s required. The other aspect of it is that if you create something from an external site, many of the email systems are smart enough to detect with the SPF settings, the underlying activity that there’s an email that originated from outside the system. And there’s usually a message printed out that you know, is in red or it says this, be careful, this email originated outside the system. But just because it doesn’t say that doesn’t mean you want to trust it automatically. Here were examples of people were reading, getting the forwarded information and tracking it. We need to be careful on that and validate every step whether we’re at the bank, or whether we’re in the company. And I think there’s a couple other lessons to be learned there when you think about who manages the email settings, access, the ability to track where people are logging into to gain access to their email, that tends to be easier if everybody’s working from the office, everyone working remotely, there’s probably some additional level of care that needs to be put in place. Not just say it’s open to every single email as long as they come in on the VPN. But validating location for where that’s happening and has that varied from the last time. Those are essential just like credit card payments, if you started traveling, what a decade ago or so, if you travel and you popped your card in for gas and your two states over and you didn’t only travel it’s like, okay, the second time it doesn’t work, and you have to call and I guess I’m driving across the country before they’ll open up the authorization. So too, location and how those have changed should create a higher level of concern and monitoring for that.

 

Jason Campbell  10:40 

So, I think from personal experiences, plenty of times where I’ve had that bank call that says validating Hey, are you in Nevada here and my guess I am you know, and there’s times where I’ve also caught it when the bank actually called me and said Hey, are you at Walmart right now? I am not and are you in Michigan I am not that many times. I’ve been thankful that the banks were able to do that verification to stop the criminals from depleting my accounts. So, I’ve been definitely very grateful for that in the past.

 

Craig Jeffery  11:08 

I thought I thought you’re gonna say you were thankful you weren’t in a Walmart, but we were just talking about a location. It’s like, I gotta go and shop again. I’d rather be home. No, that’s, that’s excellent.

 

Jason Campbell  11:19 

So, do you think that, especially as we talked about security as a whole, do you think that some most or all companies and banks may be a little too lax in this area?

 

Craig Jeffery  11:30 

I do think that people can be too lax, not necessarily that they’re not responding to the threat that existed in the recent past. I think people respond to those threats. I think the area where there’s too much laxity has to do with the increased threat levels and different attack methods. I think the idea of being ever vigilant means we need to keep learning, monitoring, seeing what’s going on. We need to think about those principles of security. You know, validation could have helped both of these both banks, as well as companies. Being a little more skeptical and thinking about how a criminal can compromise different layers, making sure that there are multiple layers and that each layer is protected. So, I think that’s where we’re failing. We’re not adapting as well to the increased threat. We continue to look backwards as opposed to forward, that’s where I think there’s a big concern the second, the second one is not necessarily just my guess or estimate. It has to do with people are overconfident. They’ve put in a number of security measures; they spend money and other like we’re in a much better position than last year. Despite the fact that a huge portion say the threat levels increased significantly. There’s a sense of overconfidence that we’re in a better position. We spent more despite the fact that the threat levels are increasing, and losses continue to pile up. You know, not everyone’s above average.

 

Jason Campbell  12:59 

But that covers today’s podcast episode. Craig, thank you so much again for your wonderful words of wisdom on this particular topic here especially as it relates to the two creative types of fraud. You can find a link to download a free eBook on payment security in the show notes. Click on it and you’ll be directed to strategictreasurer.com Thanks for listening.

 

OUTRO  13:22 

You’ve reached the end of another episode of The Treasury Update podcast. Be sure to follow Strategic Treasurer on LinkedIn, just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast, are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark strategictreasurer.com