Cyber and Fraud Prevention is better than cure Kent County Council - - PowerPoint PPT Presentation



SLIDE 1

Cyber and Fraud Prevention is better than cure

Kent County Council Schools Finance Information Group
Gill Pegrum
October 2018

The content of this document is classified as PUBLIC

This presentation aims to help you minimise the impact of fraud on your business. However, relying on the information in this presentation, although it may help to reduce the risk of fraud, will not eliminate it, nor does it guarantee that fraud will not occur.

SLIDE 2

Welcome – today we will discuss the following topics

  • Threat Landscape
  • Social Engineering
  • Online Banking Security
  • Bogus Boss Fraud
  • Invoice re-direct fraud
  • Help & Support
  • Questions

SLIDE 3

Prevention is better than cure

“Fraud undermines the credibility of the economy, ruins businesses and causes untold distress to people of all walks of life. For too long, there has been too little understanding of the problem and too great a reluctance to take steps to tackle it.”

Theresa May, 2016

SLIDE 4

Threat Landscape

SLIDE 5

Government View

‘…the scale of the threat is significant: one in three small firms, and 65% of large businesses are known to have experienced a cyber breach or attack in the past year. Of those large firms breached, a quarter were known to have been attacked at least once per month.’

‘My message today is clear: if you’re not concentrating on cyber, you are courting chaos and catering to criminals.’

Matt Hancock, former Minister for Digital and Culture, March 2017

SLIDE 6

Social Engineering

Noun (in the context of information security): ‘the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.’

Oxford Living Dictionaries, 2016

SLIDE 7

Social engineering

Vishing – contact is made by telephone. The caller will purport to be from your bank, the police, a fraud agency or any other trusted organisation. The purpose is to get you to reveal information they need.

  • Never give your full online banking details or card reader codes over the telephone, even if the caller claims to be from the bank or police
  • The caller ID displayed on your phone can be easily spoofed; don’t rely on it to verify the caller
  • Unexpected or suspicious call? Always verify the caller using an independently verified number

SLIDE 8

Social Engineering

Smishing – contact is made by text message. The sender impersonates well known companies, often banks, and may refer to suspicious activity on an account. The purpose is to get you to click on a link or phone a telephone number.

! No UK bank will send an email or text message containing a link to their online banking service !

Suspicious text message? Please forward it to us at: 88355

SLIDE 9

Social Engineering

Malware – malicious software such as Trojans or viruses, downloaded from phishing emails, illegal websites or ad banners. Financial malware sits quietly in the background until you access a UK online banking service.

  • Update software and your browser – these updates fix security bugs and loopholes
  • Only connect devices you trust to your computer
  • Anti-virus and firewall software alone is not enough
  • Trusteer Rapport – provided by IBM

SLIDE 10

Social Engineering

Phishing – contact is made by email. The sender impersonates well known companies or a colleague / friend. The purpose is to get you to click on a link or open an attachment.

Please forward suspicious emails to us:

  • phishing@natwest.com
  • phishing@rbs.co.uk
  • phishing@ulsterbank.com

! No UK bank will send an email or text message containing a link to their online banking service !

SLIDE 11

Data breaches

  • 6.5m accounts in 2012
  • 167m accounts in 2016
  • LinkedIn only aware when hacker tried to sell the stolen credentials
  • Data included un-encrypted security questions and answers (mother’s maiden name, first school etc.)
  • Five bitcoins - $2,300USD

SLIDE 12

haveibeenpwned.com

SLIDE 13

haveibeenpwned.com

SLIDE 14

Bogus boss fraud

Malware

SLIDE 15

Malware in action

[Figure: Fraudster’s view | Customer’s view]

SLIDE 16

Malware in action

[Figure: Fraudster’s view | Customer’s view]

SLIDE 17

Malware in action

[Figure: Fraudster’s view | Customer’s view]

SLIDE 18

Malware – In summary

  • Request intercepted
  • Log-on details captured
  • Delay experienced
  • Fraudster creates a new payment
  • Smartcard challenge code given
  • Money sent

SLIDE 19

Online banking – best practices

  • Use $tR0ng p@zzwOrds that are changed regularly
  • Do not allow employees to share their credentials
  • Regularly review user roles and profiles
  • Restrict payments to certain countries
  • Limit payment values
  • Introduce dual authorisation of payments
  • Limit access to only those who really need it
  • Disable access for absent staff
  • Keep log-on details safe and secure

SLIDE 20

Social engineering – What can you do?

  • Your bank will never ask you to transfer funds to protect you from fraud
  • Understand your bank’s process – when will they not ask for PIN and password details?
  • Be cautious of requests to download screen-sharing or remote control software
  • Don’t trust caller ID, and if you receive a suspicious call, use an independent number to call your bank back
  • Do not reply to unsolicited text messages
  • Do not log on to your bank’s online service via a link in a text message
  • Verify any phone numbers you have been prompted to call
  • Report any suspicious contact
  • Ensure websites are secure – look for the ‘https’ and a locked padlock or unbroken key symbol
  • Install a firewall and up-to-date anti-virus software
  • Keep your browser and other software up to date. Suppliers regularly release updates to fix security bugs
  • Be aware of what you connect to your computer
  • Be suspicious of unsolicited or unexpected emails, even if they appear to originate from a trusted source
  • Be alert to emails sent from an internet account such as Yahoo!, Hotmail or Gmail
  • Don’t click on a link unless you’re sure it is genuine, and never enter sensitive information into a link from an email
  • Be aware of attachments in emails – they could contain malware

SLIDE 21

Bogus boss fraud

SLIDE 22

Bogus Boss fraud

  • Criminal spoofs or hacks a senior executive’s email address
  • Urgent payment request is made
  • Urgent language may create pressure
  • Purpose is to get you to make the payment without question

SLIDE 23

Bogus Boss fraud – What can you do?

  • Check for irregularities
  • Consider the language used
  • Always contact the sender
  • Use independently sourced contact details
  • Follow laid down procedures

FROM: sajid.singh@yourcompany..com
TO: hazel.murphy@yourcompany.com
SENT: 28 September 2016 16:48
SUBJECT: Urgent payment

Hazel, I’m stuck in a meeting and need you to make an urgent payment. Pay new supplier £35,000, quoting reference ‘New Contract’. Sort code: 111111, Account number: 22222222. Let me know when the payment has been processed. Sajid.
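As an added illustration of the ‘check for irregularities’ and ‘consider the language used’ advice (this is example code, not part of the presentation or any RBS tooling): a small Python triage check run over a constructed copy of the email above, flagging the doubled-dot sender domain, the urgency wording and the payment instruction. The organisation domain `yourcompany.com`, the keyword lists and the call-back policy are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the slide's example (org domain is assumed).
SAMPLE_EMAIL = """\
From: sajid.singh@yourcompany..com
To: hazel.murphy@yourcompany.com
Subject: Urgent payment

Hazel, I'm stuck in a meeting and need you to make an urgent payment.
Pay new supplier £35,000, quoting reference 'New Contract'.
Sort code: 111111, Account number: 22222222
Let me know when the payment has been processed. Sajid.
"""

ORG_DOMAIN = "yourcompany.com"  # assumption: the organisation's genuine domain
URGENCY = ("urgent", "immediately", "asap", "right away", "stuck in a meeting")
PAYMENT = ("sort code", "account number", "iban", "new supplier", "transfer")

def domain_of(header_value):
    """Pull the domain out of a From/Reply-To header, or '' if none."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def check_bogus_boss(raw, org_domain=ORG_DOMAIN):
    """Return the irregularity labels found in one email (empty list = clean)."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg.get("From"))
    if sender != org_domain:
        # Lookalikes: doubled dots, or the org name embedded in a foreign domain
        if ".." in sender or org_domain.split(".")[0] in sender:
            findings.append("sender-domain-lookalike")
        else:
            findings.append("sender-domain-external")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(w in text for w in URGENCY):
        findings.append("urgency-language")
    if any(w in text for w in PAYMENT):
        findings.append("payment-instruction")
    return findings

def needs_callback(findings):
    """Policy: a payment request carrying any other irregularity must be
    confirmed with the sender on an independently sourced phone number."""
    return "payment-instruction" in findings and len(findings) > 1
```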

SLIDE 24

Invoice re-direct fraud

SLIDE 25

Invoice re-direct fraud

  • Change of bank details instruction is given – sometimes by phone
  • This could be followed by a fax or e-mail ‘confirmation’
  • Headed paper and genuine details within the instruction
  • Purpose is to get you to change the details payments are made to

SLIDE 26

Invoice re-direct fraud – What can you do?

  • Contact the supplier using an independently sourced number
  • Confirm the correct details before a payment is made
  • Undertake a review of recent and pipeline requests
  • Speak with other employees responsible for this type of request

SLIDE 27

Customer take aways

  • Protect online privacy – personal information is used by criminals
  • Use strong passwords – use phrases that include numbers and characters
  • Mobile devices are also a target – verify the authenticity of text messages
  • Email security – don’t react to unsolicited emails, be sure they’re genuine
  • Who’s calling? – criminals will impersonate the bank, police and fraud agencies
  • Shop, pay and bank safely online – be scam aware and use trusted websites
  • Trusteer Rapport – free software offering protection from financial malware
  • Updates – software, browser and operating system updates are essential

SLIDE 28

Take Five to stop fraud

SLIDE 29

Help and support

  • Take Five: takefive-stopfraud.org.uk
  • Get Safe Online: getsafeonline.org.uk
  • Cyber Aware: cyberaware.gov.uk
  • Bank Safe Online: banksafeonline.org.uk
  • Action Fraud: actionfraud.police.uk
  • Financial Fraud Action UK: financialfraudaction.org.uk

SLIDE 30

Questions

SLIDE 31

Disclaimers

This document has been prepared by The Royal Bank of Scotland plc, National Westminster Bank Plc, Ulster Bank Limited (together being “RBS”) and/or Metropolitan Police, as applicable, exclusively for the benefit and internal use of the RBS customer to whom it is directly delivered (“Customer”). It has been prepared for training, discussion and information purposes only. The information contained in this document is confidential and proprietary to RBS and/or Metropolitan Police, as applicable, and should not be distributed, directly or indirectly, to any other party without the written consent of RBS. None of RBS or Metropolitan Police make any representation or warranty (express or implied) of any nature, nor do we accept any responsibility or liability of any kind, with respect to the accuracy or completeness of the information in this presentation. None of RBS or Metropolitan Police undertake a duty or responsibility to update these materials or to notify you when or whether the analysis has changed. This shall not, however, restrict or exclude or limit any duty or liability to a person under any applicable laws or regulations of any jurisdiction which may not lawfully be disclaimed.

While the information contained in these materials is believed to be reliable, no representation or warranty, whether express or implied, is made and no liability or responsibility is accepted by RBS or Metropolitan Police or any of their affiliates as to the accuracy or completeness thereof. None of RBS or Metropolitan Police are, by making this presentation available, providing investment, legal, insurance, tax, financial, accounting or other advice to the Customer or any other party or recommending the services of any party. None of RBS or Metropolitan Police are acting as an advisor or fiduciary in any respect in connection with providing this information, and no information or material contained herein is to be relied upon for the purpose of making or communicating investment or other decisions nor construed as either projections or predictions. Specific legal, tax, financial and/or accounting advice should be taken before acting on any of the topics covered. By submitting a question during or following this presentation, you consent to the disclosure of personal and/or company details to the presenters and their organisations for the purposes of responding to such question.

The Royal Bank of Scotland plc. Registered in Scotland No. 90312. Registered office: 36 St. Andrews Square, Edinburgh EH2 2YB. National Westminster Bank Plc. Registered in England and Wales No. 929027. Registered office: 135 Bishopsgate, London EC2M 3UR. Ulster Bank Limited, Registered in Northern Ireland No. R733. Registered Office: 11-16 Donegall Square East, Belfast, BT1 5UB.