Fraud Alert: Current Trends & Prevention Techniques

The latest technological innovations are bringing enhanced customer experiences to financial organizations, but with those milestones come new cybersecurity threats. As protecting firms and clients becomes a growing and evolving concern, it’s more important than ever to stay one step ahead of cyber criminals.

NICSA members tackled this topic during a breakout session on best practices aimed at protecting investors during the 2018 GMM.

Scott Nussbum, Director of Global Investigations and Compliance, Navigant, moderated the panel, which featured experts from Dechert, M3Sixty, and PwC.

Joe Divito, Principal of Cybersecurity & Privacy Services, PwC, began with a high-level overview of current fraud concerns.

“If you look at the history of data breaches, the good news is that we’ve yet to have a loss of life or any major destruction as a result of a breach,” Divito said. “But the increasing frequency and disruption to global businesses continues to challenge the infrastructure and the processes that many organizations have in place.”

PwC is advising clients on how to become more cyber-resilient. To that end, Divito grouped “threat actors” into several primary categories, ranging from least to most sophisticated:

  1. Hacktivists: “They are interested mostly in disrupting your business or your reputation in some respect,” Divito said.
  2. Insiders: “These remain the number one risk that most organizations face,” he said. “You are more likely to suffer a data breach as the result of one of your employees than you are from an external hack.”
  3. State-sponsored organizations: “North Korea, China, Russia, and Iran tend to lead the pack,” Divito said. “Espionage and sabotage are their principal objectives.”

Hilary Bonaccorsi, Associate, Dechert, LLP, brought the group up to speed on the latest phishing schemes. “We’re most familiar with them impacting our personal email — maybe someone sends us an email that says, ‘Click on this link and you’ll win these sweepstakes,’ or you get a business email from someone posing as your ‘CEO’ asking to wire money immediately,” she said.

Bonaccorsi said most people have their guard up for these types of fraud. Unfortunately, phishing schemes now are transitioning into sophisticated social engineering processes that pose additional risks to companies over time. In these scenarios, hackers psychologically manipulate potential victims to gain access to information that is then used for malicious purposes.

“Traditional phishing emails are turning into something that poses more risks to the organization and can expose flaws in incident reporting and inter-company dynamics around security,” Bonaccorsi said.
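The “CEO asking to wire money” scenario above is the pattern mail teams call business email compromise. As an added example that is not part of the NICSA write-up or any panelist’s material, the Python routine below scores an inbound message on the header and content signals that separate executive impersonation from ordinary mail: a display name that matches an executive while the address does not, a sender domain one or two characters away from the corporate domain, a Reply-To that diverts responses elsewhere, and payment language paired with urgency. The corporate domain, executive roster and both sample messages are constructed for illustration.

```python
"""Heuristic indicators of executive-impersonation (CEO fraud) e-mail.

Added example, not from the NICSA panel or any firm named in the article.
The domain, roster and sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-fund.com"                    # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-fund.com"}   # assumed executive roster

PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice")
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; used to catch typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    findings = []

    # 1. Display name is an executive's, but the address is not the one on file.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("display name matches an executive but address does not")

    # 2. Sender domain is a near-miss of the corporate domain (e.g. .co vs .com).
    if from_dom and from_dom != CORPORATE_DOMAIN and _edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        findings.append("sender domain is a lookalike of the corporate domain")

    # 3. Replies are diverted to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    # 4. Payment request combined with urgency in subject or body.
    payload = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + payload).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("payment request paired with urgency language")

    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: Jane Doe <jane.doe@example-fund.co>\n"
    "Reply-To: jane.doe.ceo@mail-relay.example\n"
    "Subject: Urgent wire needed today\n"
    "\n"
    "I'm in a meeting. Please wire $48,000 to the attached account immediately.\n"
)

LEGITIMATE = (
    "From: Jane Doe <jane.doe@example-fund.com>\n"
    "Subject: Q3 board minutes\n"
    "\n"
    "Attached are the Q3 minutes for your review.\n"
)

if __name__ == "__main__":
    for label, message in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(message) or ["no indicators"])
```

Each indicator alone is weak (executives do travel and do send short notes), which is why the routine returns all of them rather than a single verdict; a mail gateway or SOC rule would typically quarantine on two or more, and route single hits to a human reviewer.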

Andras Teleki, Chief Legal Officer, M3Sixty, said malware is “any type of executable software designed to harm the computer user or the system that it’s on.”

“Malware typically is manufactured for nefarious purposes, but it’s also any software that basically has undisclosed, behind-the-scenes purposes,” he said, pointing to three common types of malware:

  1. Worms. This earlier form of malware will self-replicate and seek out its own target. “Probably the most famous example of this was Stuxnet, which was used to attack the Iranian centrifuges,” Teleki said.
  2. Viruses. “Usually the user has to do something to introduce them into the system,” Teleki said. “This used to be extremely common with people engaged in file sharing.”
  3. Trojan horses. “Trojan horses are most commonly used to install backdoors to the system, and this is what system administrators are terrified of,” he said. “A backdoor allows the user to get into the system, through the firewall, without knowing any passwords or normal protocol.”

Trojan horses are also used to install ransomware, which encrypts data on individual computers and, once it spreads, across entire networks. The encryption is strong enough that recovering the data without the attacker’s key is not practical, so a target without clean, offline backups often ends up paying to unlock its systems.

Bonaccorsi said from a legal perspective, it’s important to conduct due diligence on website providers by requesting security documents. “Really understand the procedures they have in place and what their risk profile is,” she said.

Divito agreed, adding that risks associated with various third parties can be evaluated through on-site assessments. “We definitely see increased interest in third-party risk from regulators,” he said. “If you look at the GDPR in Europe, for example, there is clearly an expectation that you understand what data you’re sharing and what controls third-party vendors have in place to protect individuals’ information.”

Teleki said it’s also important to have an incident response plan in place. “In the ideal world, this plan lays out all the various steps, who the stakeholders are, and what they have to do,” he said. “Stakeholders typically include people from IT, compliance, management, and legal.”

Bonaccorsi added that documenting the incident is an important follow-up to these plans. “Even with smaller incidents, you still want to document the incident in a one- to two-page report, explaining what information was at issue, what happened, when it happened, how it was resolved, and any remedial actions that were taken,” she said.


NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560