How to Safeguard Your Organization From Payments Fraud

Based on the latest findings, learn what's required to understand the fraud vectors, identify common themes, and consider mitigating solutions that are effective in combatting these fraud events. This presentation covers each of those areas and provides participants with actionable solutions to consider.

 

Among the things you'll learn: 

  • The variety of technical and non-technical approaches available to financial institutions for identifying, monitoring, and preventing check fraud events.
  • Specific "knowledge nuggets," based on real-life discussions with bankers, trade associations, law enforcement partners and other key stakeholders, that provide real-time insight into the check fraud environment.
  • Three industry-suggested practices, easily implemented by organizations large and small, that serve as the foundation for protecting organizations from fraud.


Transcription:

Rusty Pickering (00:09):

All right, it's nine o'clock. We're going to get started. Your nine o'clock panel is how to safeguard your organization from fraud, and hopefully we're going to have a robust discussion about check fraud and other kinds of fraud in the financial institution industry. My name is Rusty Pickering. I'm the President, Chief Operating Officer of Ingo Money. We're an embedded banking finance company with a full money mobility payment stack. But before we did that, we have been a check risk management company for 20 years. We do check risk management for the alternative financial services industry. We're the instant check funding solution for PayPal and Venmo and Green Dot and Netspend and income, and also for the last 10 years have been doing that with our good partners at Regions Bank. So with that, I'll introduce my co-panelists for today, Jeff Taylor. Jeff Taylor is a 27-year banking veteran.

(01:11):

He's held positions in treasury management with other financial institutions as well as experience in sales and management and industry segments. He joined Regions in 2014. He leads the bank's efforts to evaluate, mitigate, and educate commercial and corporate clients regarding payments fraud. Jeff has also led the treasury management products and services team responsible for payables, receivables, and fraud solutions. Would like to also mention that we were supposed to have a third panelist today, Lloyd McIntyre from the FDIC. Unfortunately, Lloyd got dozed and I'm sure I didn't just coin that verb. I'm sure somebody's using it out there, but all non-enforcement travel for the FDIC was suspended and so unfortunately Lloyd could not be here with us today. But you've got me and Jeff and I think we're going to hold down the fort. So Jeff's got a presentation for us. And Jeff, I'm going to turn it over to you.

Jeff Taylor (02:09):

Alright, thanks Rusty and thank you all for being here and joining us today. I am blessed to have the opportunity to travel across our 15 state footprint and talk with our clients about fraud and fraud education, helping them become more aware of the fraud attack vectors that they face, and hopefully providing them with some remediation techniques and some industry suggested practices that we will talk a little bit about today. Fraud's a hot topic. We all know that it's not going away anytime soon. We actually even heard that said on the stage in the B room yesterday, and I suspect that each one of you either has a story or knows someone who's been impacted by fraud. A recent bank rate survey that I saw this morning indicated 34% of the individuals were respondents to that survey indicated that they themselves had been victims of fraud and 37% of those that responded indicated that they lost the money as a result of that fraud. So it's a very impactful issue. It's a very impactful topic and hopefully we'll be able to help provide some today. So today I want to make sure to satisfy my compliance partners. So I will read this disclaimer. The opinions expressed in the presentation are statements of the speaker's opinion of my opinion, and Rusty's I'll cover him too.

(03:33):

Are intended only for informational purposes and are not formal opinions of nor binding on Regions Bank, its parent company, Regions Financial Corporation, and their subsidiaries. And any representation of the contrary is expressly disclaimed. I always try to do that like the Federal Express commercial guy, if you remember that Federal Express commercial can't quite speak as quickly as he does.

Rusty Pickering (03:54):

I'm a recovering lawyer, Jeff, so I appreciate that somebody wrote that for you.

Jeff Taylor (04:00):

So we're going to talk a little bit about the payment fraud control survey that's administered by the Association for Financial Professionals. We'll talk about three of the most impactful and most recent commercial fraud schemes that we're seeing, some industry suggested practices and then resources. And we'll take some time for questions at the end if you don't mind holding those to the end. I'd appreciate that so that we make sure that we get through all of the material. So the Association for Financial Professionals is a worldwide organization. This is the 20th year that AFP has published this survey. Unfortunately, this data is from 2023. You'll see where we go from 2019 to 2023. This is the 20th year for their survey, but the data actually updates around middle of April or so of the year.

(04:56):

So I don't have the 2024 data as of yet, but we will certainly have that soon. And given the latest intel that I'm seeing, I expect these numbers to be at least equal to if not greater than what we see here. So you can see from 2019, there was a fairly steady decline in the number of companies who responded being victims of fraud over those four years. And we all know what happened in 2020. The fraudsters turned their attention more to PPP loans and government assistance programs. So there were fewer attacks on the actual companies and more on those types of efforts where they felt like the fraudsters could attack those individuals and those platforms instead. So when all of that went away and we began to see the closures of the government assistance programs, we see this 15% increase in jumping in 2023. So these are 80% of the companies responding to their survey indicated that their company had been a victim of some sort of payment fraud.

(06:09):

If you look at the graph on the right, checks were the number one, that's the tallest one. 65% of the companies responding to that survey indicated that their company had been a victim of check fraud. And you can see the other payment modalities there, wire, card, ACH debits and credits. One of the interesting things, the IC3 is the Internet Crime and Complaint Center. It's the central reporting agency for internet crime. It's managed by the FBI. It at one time was a joint venture between Homeland Security, the FBI and the Secret Service, but now it's primarily the FBI. But if you'll look at the difference between 2022 and 2023, we saw a 10% increase in the number of claims filed with ic3.gov, the number of complaints that they filed. But look at the difference in the dollars, a 22% increase in the dollars, and you see the rapid increase when you go back even to 2021.

(07:12):

Between 21 and 23, the numbers doubled. So we're talking about 12.5 billion in complaints reported in losses. Complaints reported to ic3.gov. The FBI readily, I do these presentations a great deal with some partners with the FBI that I partner with across the country, and they readily admit that these numbers could be two or three times less than what the actual numbers are for two reasons. One, people are reluctant to report, they're embarrassed. They don't report to ic3.gov. The second one is they don't know to report. So we are constantly trying to make sure that our clients understand that this is one of the first things that you need to do. You need to contact your bank when you become a victim. You need to contact federal law enforcement and you need to file a complaint with ic3.gov. So the first thing we're going to cover, the first fraud attack vector that we're going to cover is that one that 65% of the companies responded that they were victims of.

(08:21):

We've seen a dramatic increase in check fraud across the industry, and I don't believe it's going away anytime soon. I think what we have seen is certainly a decline in consumer payments, but because of the use of bill payment software, the use of other ways to generate a payment by a consumer. But what's driving the volume in check fraud are business to business payments. So companies are still writing checks, especially in the small to medium business space. They're still writing checks. They're still paying their vendors and suppliers through a paper check. As a matter of fact, in that AFP survey, 30% of the companies that responded to that survey indicated they didn't see any possible way that they would ever eliminate checks completely from their payment process. So I can remember back in the day when we thought, oh, by 2025 we won't see any checks anymore. We'll see all that check volume will have declined. Well, obviously that's not the case, and we're going to continue to see that B2B processes and payments through check.

Rusty Pickering (09:30):

I think if you ask anybody out here in Silicon Valley, Jeff, they think that checks have already gone away.

Jeff Taylor (09:34):

Yeah,

Rusty Pickering (09:36):

That's right. And interestingly, consumer written checks are dropping dramatically. But to your point, business to consumer checks have not dropped significantly. In fact, they were increasing until just about three years ago and they've sort of leveled off. But as we really get into more digital payment modalities, the check volume will eventually go down. But there is a massive amount of check volume. And then the biggest victim of check fraud are still the financial institutions. And so if you look at the Fed surveys on financial institution, fraud and losses checks remain the single largest bucket of fraud and losses that financial institutions face. And it's been going up something like 30 or 40% annually. And I think that part of that is that people are still writing checks. And other part is I think as the payment card payment systems have become more secure, the fraudsters are being pushed over to checks because check fraud is relatively easy. You don't have to be a genius to do check fraud.

Jeff Taylor (10:40):

That's right. Well, and the largest, largest writer of checks in the United States is the US Treasury. So if we could ever convince them, speaking of being dozed, if we could ever convince them to stop writing checks and use an electronic modality, I think we would be able to see a number of those situations decline. So you think about, well, how does this happen? And I know we've all seen the stories in the news regarding the assaults on the US Postal Service workers stolen checks out of the mail, the fraudsters who are acquiring the universal keys, the arrow keys to be able to unlock those blue mailboxes or the series of mailboxes that are maybe in condominium complexes, apartment complexes where the fraudsters are then able to open those boxes and steal that mail out of that. And typically what happens is they will take that mail that they have acquired and they'll go back to a central location.

(11:37):

They've got folks in a hotel room or an apartment, and they'll go through all of that mail and they're looking for credit card mailers, bank statements, obviously checks that they can pull out of that mail. And then they will wash those checks or cook those checks to be able to have a blank document, or they'll wash the payee name off of that check and to be able to then alter the payee name and deposit it into an account that they have control of. So you see the alteration changes to the front of the check creating those nonconforming checks that they're able to negotiate. The second one is creating the counterfeit check. So once they cook that check and they make it completely blank, they've still got that routing and transit and account number. It's easy for them to go. Rusty and I were talking about this yesterday, it's so easy for them to go to an office supply store and buy a blank check stock. And with really inexpensive software, they can apply the routing and transit and account number off of that stolen check and that cooked check onto this counterfeit check and then try to negotiate those items too.

Rusty Pickering (12:46):

And I would say, as we look at literally billions of dollars of checks a year, the counterfeit checks, the counterfeits used to be pretty lazy. It was pretty easy to identify a counterfeit check because they would steal the account routing number off of Joe's Hardware store and then print a check on Sally's Flower Shop. Well, if you pull up the last good check that you saw from that account routing number, it's pretty clear that those two companies shouldn't have the same account routing number, but they always had the fonts wrong. They always had the check numbers wrong. They always had, there were a lot of mistakes and errors, and it used to be really easy to see counterfeit checks. I'll tell you that they're getting very sophisticated now and the counterfeits are better and better and harder to distinguish from the original. And if you go out on the dark web, and I'm sure you all are there on a regular basis, there is an entire ecosystem for counterfeit checks.

(13:45):

So the images of good checks are their instructions on how to counterfeit the checks on how to make a check that looks like those checks, how to get the check number in the right range. So that's one way that you catch counterfeits. It has become harder and harder and harder to identify counterfeits as they come through because the fraudsters are getting more sophisticated. And as we catch them, they figure out why and how we caught them, and then they get better. They adjust, and it's a cat and mouse game, right? We adjust our risk management systems, they get better at what they do. We adjust our risk management systems again, and they change a little bit. And it's a daily battle to identify new fraud vectors and new methods of how they're doing the fraud that they do. And if you're not on it day to day to day, you can lose a lot of money in a very short period of time.

Jeff Taylor (14:36):

Yeah, you're right. And they're so sophisticated in the way that they communicate. So they're selling these checks on Telegram platforms like Telegram.

Rusty Pickering (14:44):

Telegram is exactly where it is.

Jeff Taylor (14:45):

They're even using YouTube. So you can go on YouTube today and you can find video evidence and videos posted on YouTube that tell you how to do what Rusty's talking about. And so it's really a fraud and an organized crime ecosystem that they've created within those social media platforms.

Rusty Pickering (15:06):

Checks are just an inherently insecure payment method.

Jeff Taylor (15:11):

So we also, the other is forgeries. We see so many of those items that are created and the use of synthetic identification and creating a synthetic ID makes it so much easier for the fraudster to open those mule accounts and be able to leverage those accounts to negotiate these items.

Rusty Pickering (15:33):

That's also a dark web

(15:36):

Effort is that they will come in and offer citizens to, if you'll go in and open an account at Regions Bank, not at Regions. Well, not at Regions Bank. No, it would never happen at Regions Bank if you open an account at some bank other than Regions Bank, and then they'll pay you and then you transfer your credentials to these guys wherever they happen to be, Eastern Europe or Nigeria or wherever. So when you do your KYC and you do the geolocations, everything's good because it actually is somebody in the United States, but then they transfer all their credentials over to Nigeria. And that's why you have to be incredibly diligent about not only when you open the account, but on every transaction, making sure that you're still dealing with who you think you're dealing with.

Jeff Taylor (16:23):

And they do that through work from home schemes, all kinds of different ways that the fraudsters will convince a legitimate client to participate unwittingly in the movement of this money. So these are some industry suggested practices that's a little harder to read than I was hoping that it would be, but the first one,

Rusty Pickering (16:42):

The colors are fantastic.

Jeff Taylor (16:44):

Yeah, yeah. Thank you. Regions green. So the first is that we always suggest that clients regularly reconcile their accounts. If you can reconcile daily, if you are typically in your commercial online banking platform, you're able to look at your previous day and even your current day activity to be able to see what items are going to post to your account. Because the speed of reporting is really important in the commercial space. So it's not like in consumer where you may have 30 days or more to be able to report a fraudulent check. In the business world, you've got 24 hours, and so you've got to be able to recognize that that item is fraudulent and report it back to your financial institution so that they can return it to the bank of first deposit. The second one is converting, obviously converting as much as you can to a digital payment channel.

(17:37):

There are so many options using ACH real-time payment, even wire to convert those vendor payments to a digital modality as opposed to leveraging checks. And from a consumer standpoint, being able to use your bill payment software and there are great options that you allow the bill payment company to then determine how is this going to be processed? Is it going to go through ACH real-time payment or card or wire? The third one is to make sure that you are securely storing your check stock so that you don't have the option to have those checks assigned checks floating around. You'd be amazed at the number of cases I investigate where the principal check signer of the business was going on vacation in Europe for a couple of weeks and he signs 10 or 15 blank checks and leaves them with somebody in the office just in case they need to make a payment.

(18:36):

Please don't do that. You're really creating some vulnerability that you don't have to create. And then lastly is the use of positive pay with payee name verification. I will tell you this, and I'm financial institution agnostic with this. Rusty, if your company is still writing checks and you do not have positive pay with payee name verification on that account, I encourage you to contact your financial institution this afternoon and add it. Please do that because that is going to be the number one way that you're going to be able to recognize these fraudulent items as they are attempting to post to your account and you can get 'em returned.

(19:24):

Excuse me. A couple other suggestions is avoiding the use of window envelopes. There have been cases where it has been proven that the fraudster was able to squeeze that window envelope and be able to see what the dollar amount of that item was, and then they will actually sell those checks to another fraudster on Telegram or even in the parking lot of the postal service office to be able to make money. They're conspiring with that fraudster to negotiate those checks and steal those checks. And from a consumer standpoint, it's a little easier to do this if you're a consumer, not necessarily for a business, but if you'll use a gel-based ink and Rusty, you may be able to collaborate this, but if you use a gel-based ink, the gel ink sinks into the fabric of the check and makes it a little more difficult to wash. So while it's still possible and it's not quite as easy and it makes it a little easier for it to be recognized

Rusty Pickering (20:28):

In our check risk management system, we come at it sort of from the other direction, not how do companies prevent fraud against their accounts, but how do financial institutions prevent fraud? I mean, those are mostly other than the financial institution victimless because the financial institution is the one who's getting attacked directly and losing money. And so we've got a whole slew of risk management things that we would recommend to financial institutions, and it's sort of a three or four pronged approach. You've got to risk manage the person who gave you the check. You need to know your customer, you need to know their patterns of behavior, you need to know how long they've had their account, and you need to adjust their access to things like remote deposit capture based on the parameters of their relationship with you. You need to risk manage the check that you've received.

(21:22):

You need to use third party data, like early warning systems to verify that the account is real, that the account is open. You need to compare that check to maybe a prior check from the same account routing number, make sure it's from the right person. It looks the same font, same format. You need to use third party data. So there are, Ingo has a proprietary database of check fraudsters. I know that Socure is putting together a first party fraud consortium that you can use to identify people who've committed check fraud in the past. And most importantly, for remote deposit capture, you need to manage the device. The device is the key to catching fraud. In a lot of instances. I know most people are using some SDK like from Iovation or ThreatMetrix or somewhere to do device identification. You need to do that not only at account opening, but every single transaction.

(22:16):

You have to look at where the device was manufactured, what data services it's using, what's the currency, what's the language, what's the time zone? Look at the geolocation. Interestingly, if a geolocation is being spoofed, the geolocation will be identical from moment to moment to moment out to six or seven digits. Well, that's not how geolocation works, even though my phone is sitting here on the table and it's not moving, satellites are only accurate within three or four feet. So if you look at the geolocation of my phone over time, it's actually going to move around a little bit so that sixth and seventh digit are going to change. So you not only have to look at the geolocation and statically and make sure that the person is where they're supposed to be or close to where they're supposed to be. If somebody is supposed to be has an account with Regions in Birmingham, they probably shouldn't be in the middle of a field in northern California.

(23:11):

But also if you look at that geolocation over a short period of time, if it's not moving, it's not real. And so you've been spoofed and that account has been taken over and you've got to shut down the check. And then I think most importantly what financial institutions need to do is look at the returns as they come in in real time or near real time because that's how you identify new fraud vectors, bad actors and systematic fraud. And you've got to be able to identify that in minutes or hours and then feed that information back into your system to shut down those vectors. Because if you're not doing it in real time, near real time in minutes or hours, if you're taking days or weeks, you're going to lose a lot of money from a new fraud vector before you figure it out and you shut it down.

Jeff Taylor (23:58):

Yep, that's exactly right. So the next attack vector that we wanted to talk about is ransomware. I think we've all probably seen the headlines of companies that have reported data breaches reported being victims of ransomware. It's typically a cycle that begins with phishing and social engineering. So the fraudster will build a dossier on the company and individuals within the company and begin to look for people that they believe that they might be able to phish or that they might be able to send one of these phishing emails to. When the individual, the victim or targeted victim either clicks on a link in that email or they download an attachment to that email, they're also downloading a malware or malicious software that will then impact the network and allow the fraudster a back door past their firewalls into the network. And so then becomes the demand for ransom.

(25:01):

So the company's contacted, they've seen the skull and crossbones on there. It's not like the movies where you see that actual skull and crossbones on your screen, but you may get a message that says your system is no longer available. And so the fraudster then will contact the company and demand a ransom. Now, federal law enforcement does not encourage the payment of ransom. I always try to make sure to say that because it's important that you know that because you don't know where that money is going and what might be funded as a result of the ransom payment, and you could actually be prosecuted for some ancillary violations when you are paying that ransom. So you've got to make sure that you deal with your attorneys and make sure that you have gone to the right sources before you make that payment.

Rusty Pickering (25:58):

Are you saying that the people who do ransomware might be on the sanctions list?

Jeff Taylor (26:02):

I do.

Rusty Pickering (26:02):

Okay.

Jeff Taylor (26:03):

I do. I am saying that without saying it. And so you may pay for the encryption key required to unlock your system from that malware, but don't be fooled into thinking that you're going to get your data back because your data is gone. They are going to retain your data and then likely sell that data on the dark web. And then believe it or not, they may come back to you and demand an additional ransom payment because they've got other data that they didn't tell you about to begin with, and they are now going to hold you and extort you for that data also. So this vicious cycle of extortion is basically what it is. And the ransom itself, the payment of ransom may actually be secondary to the sale of the data on the dark web. They may make more money on the dark web sale of your data than they're making in the actual ransom.

(27:05):

So it's really important that you create secure backups that you are backing up on a regular basis, on a real-time basis if you possibly can, so that then you know that you are not going to lose any of your information when you deny the fraudster that payment of the ransom because you can recover your systems fairly easily without any losses. Then also, it's really important that you partition your most sensitive data into areas of your network that and require additional authentication and additional controls in order to access that information. So you make it more difficult for the fraudster to navigate through your network to get to that most sensitive data. And obviously you see the reports to ic3.gov, 2,800 of those reports, those complaints in 2023 and 59.6 million, almost $60 million in losses that were reported. And I always try to say, many of the companies that I work with and talk with will say, oh, my business is too small.

(28:14):

I'm too insignificant. They'll never get to me. These frauds are completely indiscriminate. They don't care who it is that they're targeting. There used to be this thought that critical infrastructure, nonprofits, those hospitals, those kinds of businesses, that the frauds at least had some morals and wouldn't attack those. It's just not true, not true. The hospital, you think about the amount of patient data that a hospital has in their database and the controls that they are lacking around their firewalls and that information, the fraudsters get their hands on that information. There's so many illegal things that they can do with that, creating synthetic IDs and using that information for the illicit purposes.

Rusty Pickering (29:06):

What's interesting is that because everyone has been, so many people have been breached, all of our information has been breached multiple times on the dark free market. The value of a social security number has plummeted. Almost nobody will pay for a social security number on the dark web anymore because they've all been exposed. So the fact that we're all still using secret numbers to verify people's identities that are no longer secret, the secret numbers are not secret. An email address is actually much more valuable today than a social security number because, and when people ask me, I need you to give me your social security number, I'm like, well just go look. Look it up.

(29:47):

I mean, you could find it as easily as I can.

Jeff Taylor (29:51):

As is our cell phone numbers. I mean, you can be assured that your cell phone number is out on the dark web, and that's the reason why you're receiving some of these spoof text messages and smishing messages. They have acquired those numbers fairly easily.

Rusty Pickering (30:07):

And then so that's why they were willing to pay for good email addresses and good phone numbers because then they can use those as the attack vectors for phishing exercises. And now we all get a ton of those daily. I mean, I do,

Jeff Taylor (30:21):

So ransomware gets a lot of headlines, but business email compromise is still the number one fraud attack vector that we see across the industry. Business email compromise typically occurs in these three different ways. You can see over 21,000 reports and complaints filed with ic3.gov and look at the numbers here, $2.9 billion in losses reported as the result of business email compromise. They typically target accounts payable, payroll vendor management, those individuals that work in those companies. And again, all industries are at risk in this. It's not the fraudsters, as I said before, completely indiscriminate. And so one of the important things that we always try to communicate is that we spend a lot of time talking with the CFOs and the C-suite executives of companies about these attack vectors. We always want to encourage them to filter this information down into their organization, to these departments that are the most likely going to be victimized.

(31:25):

So you can be assured that the fraudsters are trolling social media and things like LinkedIn, Instagram, Facebook, and they're looking at the individual profiles. Once they identify these folks and find a person who works in accounts payable as an example, and they find that on LinkedIn, then they'll go to the other platforms and build information to build this dossier on those individuals. They'll find out their dog's name, their children's name, where do they live, all those different things because guess what? Some of that information may be used for their password. And so once they find that information out and they know that about that individual, it makes it so much easier for them to phish that individual and seem to be creating a legitimate request. So these three ways, typically the first one is executive impersonation. It's normally a CFO, CEO of the company requesting that a payment be made or a change in an existing payment be made.

(32:28):

So typical scenario, and these are real life scenarios that I'll give you. The CEO is working remotely today and he is unable to, he's having trouble with his internet, he's unable to connect to the company network. So he's using his personal email address in order to send this request. The ease at which a fraudster can create a Gmail or one of the free email services, an email address on one of those platforms where he may transpose a letter in the executive's name, add a one. It is a plausible circumstance, right? So the individual in accounts payable doesn't know what my personal email address is. And so they take for granted that whatever that email address looks like, that's personal. If it has my name in it or it has some connection to me, then they're going to think that that's a legitimate request coming from my personal email address.

(33:29):

The second one is vendor impersonation. We'll probably see this more across the industry than we see anything else, and it's where the fraudster is impersonating a legitimate vendor, and they may transpose a letter in that vendor name, and they're requesting either a change in an existing payment or the request for a new payment and even a change in payment modality. So they may say something like, we're no longer accepting checks. Now we want you to pay us through ACH or real-time payments, and here's the routing and transit and account number that you need to use when you send us your next ACH payment. And then thirdly is employee impersonation. And this one hits pretty hard because it has to do with direct deposit of payroll. So again, the fraudster spoofing an email address using one of those free email services, sends an email to the payroll department indicating that I've changed my banking relationship, which happens all the time.

(34:27):

So they are changing the banking relationship. Please send my next paycheck to this routing and transit and account number at my new bank. And so Friday rolls around, the payroll department has done what you requested. This individual, the true employee, legitimate employee, doesn't get paid. So he's calling payroll and asking, Hey, why did I get paid today? What happened? Did I get reduced in force and didn't realize it? Do I need to get my resume together? What is it that happened here? And they say, well, we acted on the request that you sent to us. And of course the employee says, that wasn't me. And you go back and look and realize that the email address was spoofed or changed in some way, and the folks acted on that.

Rusty Pickering (35:14):

My HR department actually redirected the payroll of my CEO one time. One time. Yeah,

Jeff Taylor (35:21):

One time.

Rusty Pickering (35:22):

That won't happen again.

Jeff Taylor (35:26):

In the bottom right hand corner, that red star indicated there. I always want to say this and make sure that clients understand this because your financial institution is going to do everything in their power to help your company recover the funds that are at risk in these transactions. The unfortunate thing is, is that we're not always successful. And so in the AFP survey, 51% of the companies responded in that survey that they were able to recover less than half of the dollars at risk. And so the chances of recovery are getting less and less the fraud. I'm surprised,

Rusty Pickering (36:06):

So because they recovered half.

Jeff Taylor (36:07):

Yeah, that's remarkable, right? The fraudsters are getting better and better at moving the funds faster than ever before. They will typically move those funds into a crypto wallet that makes it even virtually impossible to be able to recover that money once it goes into that platform.

(36:27):

So the important thing here is the speed at which you report these cases to your financial institution. It's extremely important. The faster you let us know, the greater the likelihood that we're going to be able to recover because we will reach out to within the network of financial institutions, we'll reach out, we'll attempt to freeze the funds that are available. And I tell our clients often, we're not recovering your money, we're recovering somebody else's money because the fraudster is reusing that mule account over the course of time. So our client's money may have already been transferred out, but somebody else's money's coming into there. So it becomes this first come, first serve type process through the recoveries. So we need to make sure that the faster you let us know, the better we are. And if you think about the typical business to business collection cycle, it may be 30 or 60 days before your vendor tells you that they didn't get paid.

(37:29):

So you've got to stay on top of those situations, and it's obviously better to try to manage those situations upfront before they ever occur. So these are some of the ways that these deceptions occur. When you think about how does this happen, obviously we mentioned phishing, the email spoofing, the slight variations in email addresses, the creation of lookalike domains where the fraudster has created domain, a payment platform within a domain. So you think you're going to the legitimate payment platform to make your payment online when in fact you are making a payment to a domain controlled by the fraudster. And then there's this thing called nesting, and it typically occurs in the vendor. And this is where the fraudster has compromised the vendor platform in order to their vendor's email platform, and they nest themselves into this platform. So what they're doing is they're watching communication back and forth between the vendor and the payor and payee, and when they realize that a payment is going to be made, the fraudster will insert themselves into the conversation and then request that change in payment terms be made.

(38:47):

So it's the takeover of that legitimate, the legitimate vendor's email. And then of course, most of these always begin, as I said, with social engineering. So public service announcement, be really careful about what you're posting on social media and share this with your family members, your 2020s and 30 something family members, your older family members, because they are the ones that are most likely going to be targeted in terms of these kinds of events. The younger ones, because they live on their devices and the older ones because we're more trusting and we're more likely to fall for these kinds of things. So I'm always asked, Rusty, what keeps you up at night? A lot of things, but I do sleep fairly well, but these things are concerning. The introduction of artificial intelligence to create deepfake audio and video just scares me to death because there are so many things that can be done here, and I'm sure you've probably heard the stories of the deepfake video conferences where there was a UK company who the individual was convinced to create a $25 million payment and that the entire conversation on their video platform, the entire conversation was fake.

(40:20):

Fraudster was able to deepfake video the boss who encouraged and approved the transaction be made, and even able to spoof three or four of the individual's coworkers within this deepfake audio and deepfake video. So leveraging artificial intelligence, as artificial intelligence continues to grow in adoption, the fraudsters are continuing to grow in their use of it. Also, the use of ChatGPT to create legitimate looking email communications. So at one time, if you think about the old Nigerian prince scam, it was pretty easy to recognize that those emails were fictitious, the grammar was poor, the sentence structure was poor, spelling was poor. I mean, all those different things that were red flags to be able to help you recognize that this communication was fraudulent. Well, because the frauds today are using ChatGPT and even a platform because it's open source code using creating a platform called FraudGPT, that's available on the dark web, they're able to create this messaging that looks like it is absolutely English speaking, is clear and concise, and so it's really scary to think about how they're able to use those platforms that were intended for good and they're using for illicit purposes.

(41:53):

The other thing that I worry most about is the trusted partner and imposter scam. It's where the fraudsters are using spoofed phone numbers and text messages to look like these messages are coming from your trusted partner, when in fact it's the fraudster behind that. A lot of work is being done with telecom companies to try to help keep this from happening. They are engaged across the industry to help to stop some of this, but it's still occurring and it's becoming more difficult for us to recognize that that phone number that you think is your trusted partner calling when it's really not your trusted partner. Also, the use of spoofed websites, as I mentioned that earlier. Oftentimes what the frauds will do is they will go for relatively no money, they will establish a fraudulent URL and they will redirect a user to that fraudulent URL by paying for search engine optimization.

(43:00):

So their fraudulent URL is at the top of the search engine. So you use your search engine, you go in and you enter what you think is the correct name of your banking software. You enter that into that search engine, and at the top of the sponsored ads, there is one that you look looks like it's it. You click on it, it takes you to maybe a Google Doc or even to a login page that looks very similar to your banking software. You enter your user ID and password, and in fact, what you have done is you've given that information to the fraudster. And so one thing I always want to make sure to communicate is that your bank will never ask you for your user ID and password. We don't need that information. We don't want that information. It's private to you. You need to hang on to that. If someone calls you or you and you are asked for your user ID and password, I can pretty much assure you it is not your bank calling.

Rusty Pickering (44:08):

It's remarkable that these things still work. I mean, we're all getting so many phishing emails every day. I'm sure most of you who are in the financial services industry, financial institutions, you educate your employees. We go through severe education on a probably monthly basis. I'm sure you're all using spoofing, phishing emails so that you can identify your employees who are vulnerable to those sorts of things and bring their educational levels up. And with all of these efforts, people are still getting tricked. You can't trust anything from anybody ever.

Jeff Taylor (44:46):

That's right,

Rusty Pickering (44:47):

Pick up the phone and call.

Jeff Taylor (44:50):

We always encourage clients to create a bookmark for their legitimate URL or to even create a desktop icon, a desktop link to go to that legitimate URL and not use your search engine when you are attempting to do that. So we believe that education and awareness are the keys to prevention. A lot of the work that I do as I mentioned, is meeting with our clients and talking with them about education and helping them become more aware of these type of attack vectors. These are some questions that you can ask yourself when you start reviewing your different processes within your company. And these are three industry suggested practices that we always try to communicate with clients. The first one is guard your house, work with your IT department or IT provider to make sure that you are updating your firewall software and your protection software on a regular basis.

(45:46):

If there is a patch out there for your firewall software, make sure that it's being applied quickly as soon as it's available. You want to make sure that you're using multifactor authentication and secure passwords that you're requiring that, and even passphrases as opposed to a password. And then leveraging the fraud prevention tools that your financial institution provides you. Secondly is to create an associate training program. As I mentioned before, make sure that this information is disseminated down into your organization so that the individuals who are most likely going to be targeted by these phishing and fishing campaigns are aware of what's going on in these different red flags and attack vectors. At Regions, we provide, these are three publicly available websites, and I'll provide you at the end, there's a slide of resources, but you're welcome to go to these websites, look at this information.

(46:41):

If there's things there that you would like to be able to use, that's data. I'm perfectly fine with you rebranding this information and using it to communicate with your clients. It's all about spreading the message. I always say the frauds are communicating, Rusty, and if we are not communicating together and trying to solve this as financial institutions, we're never going to catch up because they are going to always be ahead of us. So again, please feel free to use any of this information that you'd like to use. I also encourage that you perform regular and repeated training for employees because the fraudsters change their technique, and we need to make sure that we're still able to recognize those red flags. It's about creating, as Rusty said, it's being a little cynical, but it's also about creating this fraud awareness mindset. You've got to start thinking through these situations to make sure that what you're being requested to do is legitimate.

(47:40):

And then thirdly is to develop your fraud risk and governance plan. You got to understand what your risk tolerance is going to be. You're probably not going to chase every thousand dollars item that might be victimized, but you've got to realize and think about what is that threshold? Where is it that I want to really get involved in these situations to try to recover and try to help prevent? You want to make sure that you've got a strong vendor management program. I always suggest, and it's interesting when you get this kind of response, companies may or may not have the kind of communication with their vendor that they need to have. So you want to make sure what is your vendors doing with your data? So the information that you're providing to them, are they protecting their firewall in a way that's going to help protect that information so that a fraudster who may penetrate your vendor's network won't be able to get your information that you have been providing to them?

(48:41):

And you really want to make sure that you've got a really strong response plan when you become a victim. Not if, but when. It's just like your business continuity plan. You're going to have a plan to recover your business in the event of a natural disaster. When you become a victim of fraud, you need to make sure that you know, who am I going to call? What are they going to do to help me recover, and how are we going to recover quickly? If you think about in a ransomware environment, you may actually not have access to your network at all. So you've got to have all of that contact information in a place where you can get to it easily outside of your network. So having that document on your phone or on your tablet to be able to access that information and be able to act when you become a victim,

Rusty Pickering (49:27):

You not only have to have a plan, but you have to test your plan. Exactly. You've got to do tabletop exercises on a regular basis if your plan is not good until it's been put to the test.

Jeff Taylor (49:36):

That's right

Rusty Pickering (49:37):

And tested regularly.

Jeff Taylor (49:38):

And I always suggest to review your cybersecurity insurance coverage. Oftentimes in cases that I investigate, the client believed that they were covered when in fact, the fine print in their plan, they weren't covered. They may cover you for a data breach, but they may or may not cover you in the event of human involvement. So like business email compromise, if I act on that email and make that change in payment, that may not be covered. So you want to make sure that you have read through your cybersecurity insurance coverage and that you are being covered for the events that you think that you're covered,

Rusty Pickering (50:13):

And that may actually be under crime coverage. So you've got to look at comprehensively at all your policies. You said that it's maybe not if, but when. Interestingly, just this week, I got an email from Kroll. Kroll is one of the largest, most sophisticated cybersecurity forensic investigators and cybersecurity companies in the world. We actually use Kroll Cybersecurity systems in our system, and I know a lot of financial institutions do too. I got an email from Kroll just this week. They had been hit with a social engineering attack. They got all their client information and their clients were receiving fake invoices from Kroll, and they said, don't pay any invoices you get from us. If Kroll can be compromised, everyone can be compromised.

Jeff Taylor (50:54):

That's right. And so you also want to make sure that you are reviewing your controls and establishing things like least privilege access, only giving employees access to the information they need to be able to perform their job. And then validation procedures for changes in payments and utilization of dual control. So I saw a lot of you taking pictures of slides. Please take a picture of this one. This is the most important thing that I'm going to tell you about today and share with you today. We encourage clients as a result of business email compromise to put in a control that we call, it's a callback control. We call ours Stop, Call and Confirm. The FBI, federal law enforcement, other agencies have similar requests or similar options that they communicate. We call ours Stop, Call and Confirm. And it's basically a very simple old school process that Rusty mentioned just a minute ago.

(51:51):

If you get a request for a payment to be made or a change to an existing payment, stop your process. Pick up the phone and call the requester at a number that don't call the number in the email or text message. Don't respond to the email or text message, but call them at a number that you know and confirm that that request is legitimate. I always say this, y'all have heard me say this before that have heard me speak before that it is a five minute phone call, and I promise you it is a whole lot easier to explain why I'm calling to verify this transaction than it is to explain a half a million dollar loss. So it is something that you need to put in place and make sure that you are communicating when these kind of situations arise. So as I said, these are the websites and resources that we always try to communicate.

(52:48):

These are mostly government websites that have different ways and different suggestions on how to create your response plan, how to, obviously the ic3.gov site for reporting, and then the three Regions websites that are publicly available also for you to use. Most of these have social media channels, also social media platforms. So if you follow like fbi.gov, you follow their Instagram and LinkedIn platform, you get more up to date information on what things that they're seeing on a regular basis. I try to follow all those platforms and then communicate out to our clients the things that we're reading and the things that we're seeing about seeing there. So as we said, fraud's not going away. We certainly know how impactful it is for our families, for us as individuals, our businesses, we're seeing more and more victims than ever before. More sophisticated attacks, more information that's out as a result of data breaches.

(53:55):

So it requires more and more vigilance. It's about, again, about creating this fraud awareness mindset. We call our hashtag is Be Fraud aware. And so you'll see that if you follow us on social media, you'll see a lot of that information that we use that hashtag. So again, I want to personally thank American Banker for giving me the opportunity to be here today. I'm passionate about education and awareness. I spend so much of my time doing this. I get a lot of these kind of head nods when we talk through these kinds of situations. And so it's really, really important that we are able to spread this message. So I want to, again, thank you for your attention and your interest, and I think we've got a few minutes, maybe Rusty, if we have any questions. I'm glad to,

Rusty Pickering (54:49):

We have one minute.

Jeff Taylor (54:51):

One minute. I'm sorry.

Rusty Pickering (54:54):

If anybody has a question. We have a few minutes. Holly's in charge, not us. That's right. She says we have a few minutes.

Jeff Taylor (55:01):

Yes, sir.

Audience Member 1 (55:03):

What are you guys seeing in the realm of organized crime environments?

Jeff Taylor (55:10):

Yep. Just what we talked about. This is organized crime, right?

(55:14):

The ransomware and situations, it's literally extortion. I mean, it's the old organized crime extortion. And many of these organized crime syndicates are, we think they're in foreign countries, and some of them are. Some of these situations, they're nation state actors that are literally supported by that nation because they're taking a percentage of the money that the fraudsters are using. This is what I said earlier about you don't know where that money's going, and as Rusty said, they're on the SDN list and the possibility of an OFAC violation just because you paid that ransom or even paid the in business email compromise. When you have allowed that, are you able to see the linkages between the local resources back through the filters? I'm hearing that from federal law enforcement that they're able to trace a lot of that back. But you're exactly right. A lot of those cases, the foreign entity has recruited a domestic crime ring, especially in check fraud.

Rusty Pickering (56:28):

In check fraud or just a consumer.

(56:31):

They'll recruit a consumer and pay them to participate in the fraud. And it's organized in the sense that, especially in check fraud, a lot of it is organized attacks on financial institutions. But it's organized now more loosely in that there are chat rooms on the dark web who are sharing information with each other. And that's the way that they get organized today, is that they're all talking to each other on the dark web. They're sharing information, they're sharing techniques. They're sharing new fraud vectors. And so once a new fraud vector comes up, it becomes prevalent very quickly because they're all sharing this information with each other. And that's why you've got to be vigilant about identifying and detecting that systematic fraud quickly and shutting it down. Because you won't get hit just from one group. They may share a bunch of information. You may get hit with 10 groups at the same time, and if you don't shut it down very quickly, you can lose a lot of money in a short period of time before you realize even what's happening.

Jeff Taylor (57:30):

And we see these rings migrate geographically, so you'll see they're hitting one geographic area really hard. And then they may migrate over to a different geographic area.

Rusty Pickering (57:42):

And they're not all foreign actors. I mean, we have pet names for some of our organized groups, like there's one in Memphis, we call 'em the Memphis Blues. They're really good at check counterfeiting. There is some hotbeds of check fraud. Memphis is one, South Florida, Compton in California. I mean, you see sort of places and we identify where they're coming from, and we do work with law enforcement to try to identify these people, but they're hard to pin down. Okay. And Holly says, we're done.

Jeff Taylor (58:13):

Yep. Holly says, we're done.

Rusty Pickering (58:15):

That means we're done. Yeah. Thank you. Thank you all very much.