A practical guide for minimising cyber threats
ISACA
24 October 2018
Nicholas Kavadias @nkav
•Information Security Expert at Iron Bastion
•15+ years of experience in IT
•Practising solicitor (Disclaimer: this presentation does not constitute legal
advice!)
Who am I?
1. What is BEC fraud?
2. How does it affect my business?
3. How do I know if I am a victim of BEC fraud?
4. How can I protect my organisation from BEC
fraud?
5. Where to go next?
What we are covering today …
Let’s go!
What is BEC fraud?
Social Engineering / Spear Phishing:
“I am the CFO, pay this invoice urgently”
• Display name spoofing – real name, but not email
• Email address spoofing – real name, email. Different Reply-To address
• Email account compromise – real email account is broken into (data breach
credentials or spear phishing)
Impersonation:
“Our payment details have changed, use this bank account instead”
• A staff member’s mailbox is compromised
• A vendor’s mailbox is compromised
Display name
Email address
Example 1
• Authority
• Sense of urgency
• Personal greeting
• Sent from a phone to
excuse lack of email
signature
Andy Penn <apen555@gmail.com>
Real name gleaned from public source
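The two sender tricks above (a real name on an outside address, or a Reply-To that differs from the From) can be checked mechanically on inbound mail. This is an added example, not the deck's or Iron Bastion's tooling; the executive roster, the firm's domain and the three sample messages are constructed, with the first sample mirroring Example 1:

```python
"""Flag the sender tricks from the slides on an inbound message: display-name
spoofing (a known executive's name on an outside address) and a Reply-To that
steers replies away from the From address, plus the urgency and "sent from my
phone" tells of Example 1. Added example; roster and domain are constructed."""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com.au"               # constructed assumption
EXECUTIVES = {"andy penn", "jane citizen"}  # constructed: names worth impersonating


def _norm_name(display_name: str) -> str:
    return " ".join(display_name.lower().split())


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(raw_message: str) -> list:
    """Return indicator tags for one RFC 822 message; an empty list means clean."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    tags = []

    # Display-name spoofing: the real name of one of our executives, but the
    # address is not on our domain (the "Andy Penn <apen555@gmail.com>" case).
    if _norm_name(from_name) in EXECUTIVES and _domain(from_addr) != OUR_DOMAIN:
        tags.append("display-name-spoof")

    # Address spoofing: From looks like us, but replies go somewhere else.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        tags.append("reply-to-mismatch")

    # Social-engineering tells; weak on their own, so they are reported
    # separately rather than treated as proof of fraud.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if "urgent" in body or "today" in body:
        tags.append("urgency-language")
    if "sent from my" in body:
        tags.append("no-signature-excuse")
    return tags


# Constructed samples. The first mirrors Example 1 from the slides.
SPOOFED_CEO = """\
From: Andy Penn <apen555@gmail.com>
To: accounts@example.com.au
Subject: Invoice

Please pay the attached invoice today, it is urgent.
Sent from my iPhone
"""

REPLY_TO_SWAP = """\
From: Andy Penn <andy.penn@example.com.au>
Reply-To: Andy Penn <andy.penn@example-mail.com>
To: accounts@example.com.au
Subject: Payment details

Our payment details have changed, use this bank account instead.
"""

LEGITIMATE = """\
From: Andy Penn <andy.penn@example.com.au>
To: accounts@example.com.au
Subject: Lunch

See you at 12.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed CEO", SPOOFED_CEO),
                          ("reply-to swap", REPLY_TO_SWAP),
                          ("legitimate", LEGITIMATE)):
        print(f"{label}: {classify_sender(sample) or 'clean'}")
```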
Example 2
• Pixel perfect copy, cloned from a
legitimate email
• Urgency: Due today!
• All the links go to actual AGL site
except the “Download bill” and
“Make a payment”
•Global Problem
•At risk industries
•Not “kids in basements”
•A criminal’s cost-benefit
analysis
What is BEC fraud (cont’d)
BEC Fraud is a Global Problem
https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718
How does BEC affect Australia?
* https://exchange.telstra.com.au/business-email-compromise-scams/
** https://www.mailguard.com.au/blog/ceo-fraud-up-2370pc
•The Australian Federal Government says
businesses here have lost more than $20
million in 2017*
•Damages are often more than $100,000 per
incident
•Increase of 2,370% since 2015**
At risk industries
According to OAIC Report Apr-Jun 2018:
1.Health Service Providers
2.Finance
3.Legal, Accounting & Management services
4.Education
5.Business and Professional Associations
* https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018
Preconceptions about BEC Fraud
and cybercrime…
Cost-Benefit Analysis: Classic Crime v Cyber Crime
Armed Robbery
• Aggravating circumstances (i.e. weapon,
assault) mean more gaol time
• Profit: $10,000-$50,000?
• Max 20 years in prison – s95 Crimes Act
1900 (NSW)
• Security cameras everywhere, and
everyone has a camera phone
• Hard to make a fast getaway in Sydney
traffic!
Cyber Crime
• Fraud – White collar crime
• Profit: $100,000+
• Max 10 years in prison – s192E Crimes
Act 1900 (NSW)
• Minimum security prison?
• Cross-jurisdictional law enforcement
issue
• Small fraud ($1-10k) so common, not
investigated!
BEC is a Lucrative
Business
Global Cybercrime:
•$1.5 trillion in 2017
•Annual GDP equivalent
to Russia
https://www.information-age.com/global-cybercrime-economy-generates-over-1-5tn-according-to-new-study-123471631
This is a serious business…
* 100,000 euro hackers: https://www.youtube.com/watch?v=4JqfChAKSfE
…and the sad reality is: organised crime
•Large financial motivation
•Play the long game
•Multi-actors with specialised
skills
…and the sad reality is: organised crime
How are email accounts compromised?
•Lousy passwords
(Letmein1)
•Stolen passwords
(phishing)
•Leaked passwords &
password reuse
Password Leaks Everywhere!
• Websites get hacked
• People reuse the
same email and
password across
multiple online
accounts. D’oh!
Secret: “hackers” log into your webmail
The BEC
lifecycle
How does it
affect my
business?
How does BEC affect my business?
•Financial loss – direct & indirect loss. Could be
enough to put you out of business? Litigation,
insurance premiums, system remediation,
investigation
•Notifiable Data Breach – if email account
compromise - incident reportable to OAIC, fines?
•Reputational damage – Negative media
coverage & Twitter rage
A little
Reputation
damage
• You won’t know until it’s too late:
supplier: “Why haven’t you paid my bill?”
you: “But I have paid it, haven’t I?...”
• Email forwarding rules you have never set: O365 has 5
different locations to set rules
• Colleagues receive emails/documents you never sent
• You talk to your customer/supplier and you have no idea
what he/she is talking about
How do I know if I am a victim of BEC fraud?
Hacked email account signs:
• Password reset emails for accounts where you have not
requested a reset
• 2FA SMS codes when you have not tried to log in
• A password you use no longer works, and you know you
didn’t change it
• Strange emails/phone calls from clients asking you about a
request you never made
• Unknown logged-in devices
How do I know if I am a victim of BEC Fraud?
How can I protect my
organisation from BEC
fraud?
“You don't have to run faster than the bear to
get away. You just have to run faster than the guy
next to you.”
How can I protect my organisation from
BEC fraud? –> Quick win –> 2FA
If you only do one thing to improve your
cybersecurity posture, it should be to turn
on 2FA for your email
Advice evolves with threats & as criminals
become more sophisticated.
e.g. 2FA via SMS can be attacked with SIM
swapping
Why do we have just a few passwords?
Problems:
• Too many passwords to remember
• Has my password leaked in a data
breach?
Password managers solve both
Password Wallets
Remember a single password only:
o LastPass
o 1Password
o Dashlane
o RoboForm
Stop using email
•Email: the default ad-hoc workflow!
•Formalise business processes
•Move collaboration to:
•Secure business platforms (e.g. web portals)
•Third-party platforms: Slack, Microsoft Teams,
Skype, WhatsApp (Brazil), WeChat (China)
How can I protect my organisation from BEC
fraud? (cont’d)
BEC Fraud is a people,
process, and
technology problem
BEC Fraud – People
Phishing simulation:
• Phishing is a precursor of BEC fraud
• Identify vulnerable segments of your staff by phishing them
• Target the vulnerable people with training
• Train and test your employees to follow payment
procedures
Business:
• Change your contracts
• Set up processes for payments and payment detail
changes/verification
• Minimise use of email for payments/invoices
Security:
• Cyber Security team to scan for indicators of BEC fraud (e.g.
suspicious email redirection rules)
BEC Fraud – Process
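The "forwarding rules you have never set" sign earlier in the deck and the security team's scan for suspicious redirection rules above are the same check from two sides. As an added example (not the deck's own tooling), the script below audits a constructed export of mailbox rules; the record field names are assumptions rather than any vendor's schema, and a real export would need to cover every place the mail platform lets rules be set:

```python
"""Audit mailbox rules for the BEC indicators named in the slides:
forwarding or redirecting to outside addresses, deleting payment-related
mail so the owner never sees the conversation, and rules with no real name.
Added example; field names and records are constructed, not a vendor schema."""
import json

OUR_DOMAIN = "example.com.au"  # constructed assumption: the firm's own domain
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "account"}

# Constructed sample export, one record per rule. Office 365 lets rules be
# set in several places; a real export would have to gather all of them.
RULES_EXPORT = json.dumps([
    {"mailbox": "cfo@example.com.au", "name": "Sync", "enabled": True,
     "forward_to": ["backup.cfo@gmail.com"], "redirect_to": [],
     "delete": False, "subject_contains": ["invoice", "payment"]},
    {"mailbox": "cfo@example.com.au", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [],
     "delete": True, "subject_contains": ["newsletter"]},
    {"mailbox": "ap@example.com.au", "name": ".", "enabled": True,
     "forward_to": [], "redirect_to": ["ap-archive@example-docs.com"],
     "delete": True, "subject_contains": ["bank", "remittance"]},
    {"mailbox": "ap@example.com.au", "name": "To manager", "enabled": True,
     "forward_to": ["manager@example.com.au"], "redirect_to": [],
     "delete": False, "subject_contains": []},
])


def _external(addresses, our_domain):
    """Addresses whose domain is not ours (the mail leaves the organisation)."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() != our_domain]


def audit_rules(export_json: str, our_domain: str = OUR_DOMAIN) -> list:
    """Return (mailbox, rule name, reasons) for every enabled rule worth a look."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("enabled", True):
            continue
        outside = _external(rule.get("forward_to", []) + rule.get("redirect_to", []),
                            our_domain)
        finance = FINANCE_WORDS & {w.lower() for w in rule.get("subject_contains", [])}
        deletes = bool(rule.get("delete"))
        reasons = []
        if outside:
            reasons.append("copies mail outside the organisation: " + ", ".join(outside))
        if deletes and (outside or finance):
            reasons.append("deletes the original so the mailbox owner never sees it")
        if finance and (outside or deletes):
            reasons.append("targets payment keywords: " + ", ".join(sorted(finance)))
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name, easy to overlook in the rule list")
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(RULES_EXPORT):
        print(f"{mailbox} rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

A plain "delete newsletters" rule and an internal forward to a manager are left alone, so the output is short enough for a person to review after every scan.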
BEC Fraud – Low tech/no tech
solutions
• Put payment instructions in your
supplier/customer agreements
• Specify payment instructions will
never change by email
• “Phone to confirm payment details” disclaimer
on all your emails?
• Advanced Email Security (AKA ATP, anti-phishing)
• Two-factor authentication (2FA)
• Password Wallets
• DNS firewalls
• Endpoint security (phishing protection)
• Web proxies, browser extensions protect from phishing, fake
login pages
• General Advice: ASD Essential 8
BEC Fraud – Technology
Summary
BEC is a lucrative business:
•Organised crime
•Relies on social engineering
and phishing
•Technology and human
problem
Defence:
•Formalise business
processes
•Change people, process
and technology
•2FA (i.e. outrun others!)
Where to go next?
If you are hit by BEC fraud:
•Activate your incident response plan
•Assemble a breach response working group to
coordinate response
•Report incident to ACORN, IDCARE and OAIC as
required
•Get professional help if needed
Questions?
Nicholas Kavadias @nkav
nick@ironbastion.com.au
1300 883 420
Slides:
https://ironbastion.com.au/ISACA

Iron Bastion: Preventing business email compromise fraud at your firm

11. At risk industries
According to OAIC Report Apr-Jun 2018:
1. Health Service Providers
2. Finance
3. Legal, Accounting & Management services
4. Education
5. Business and Professional Associations
* https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018

12. Preconceptions about BEC Fraud and cybercrime…

13. Cost-Benefit Analysis: Classic Crime v Cyber Crime
Armed Robbery
• Aggravating circumstances, i.e. weapon, assault, mean gaol++
• Profit: $10,000-$50,000?
• Max 20 years in prison – s95 Crimes Act 1900 (NSW)
• Security cameras everywhere, and everyone has a camera phone
• Hard to make a fast getaway in Sydney traffic!
Cyber Crime
• Fraud – white collar crime
• Profit: $100,000+
• Max 10 years in prison – s192E Crimes Act 1900 (NSW)
• Minimum security prison?
• Cross-jurisdictional law enforcement issue
• Small frauds ($1-10k) are so common they are not investigated!

14. BEC is a Lucrative Business

15. This is a serious business…
Global Cybercrime:
• $1.5 trillion in 2017
• Annual GDP equivalent to Russia
https://www.information-age.com/global-cybercrime-economy-generates-over-1-5tn-according-to-new-study-123471631

16–17. …and the sad reality is: organised crime
* 100,000 euro hackers: https://www.youtube.com/watch?v=4JqfChAKSfE

18. …and the sad reality is: organised crime
• Large financial motivation
• Play the long game
• Multiple actors with specialised skills

19. How are email accounts compromised?
• Lousy passwords (Letmein1)
• Stolen passwords (phishing)
• Leaked passwords & password reuse

20. Password Leaks Everywhere!
• Websites get hacked
• People reuse the same email and password across multiple online accounts. D’oh!

21. Secret: “hackers” log into your webmail

23. How does it affect my business?

24. How does BEC affect my business?
• Financial loss – direct and indirect. Could be enough to put you out of business? Litigation, insurance premiums, system remediation, investigation
• Notifiable Data Breach – if an email account is compromised, the incident is reportable to the OAIC; fines?
• Reputational damage – negative media coverage & Twitter rage

27. How do I know if I am a victim of BEC fraud?
• You won’t know until it’s too late. Supplier: “Why haven’t you paid my bill?” You: “But I have paid it, haven’t I?…”
• Email forwarding rules you never set: O365 has 5 different locations to set rules
• Colleagues receive emails/documents you never sent
• You talk to your customer/supplier and have no idea what they are talking about

28. How do I know if I am a victim of BEC fraud?
Hacked email account signs:
• Password reset emails for accounts where you have not requested a reset
• 2FA SMS codes when you have not tried to log in
• A password you use no longer works, and you know you didn’t change it
• Strange emails/phone calls from clients asking you about a request you never made
• Unknown logged-in devices

29. How can I protect my organisation from BEC fraud?

30. “You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you.”

31. How can I protect my organisation from BEC fraud? –> Quick win –> 2FA
If you only do one thing to improve your cybersecurity posture, it should be to turn on 2FA for your email.
Advice evolves with threats and as criminals become more sophisticated, e.g. 2FA via SMS can be attacked with SIM swapping.

32. Why do we have just a few passwords?
Problems:
• Too many passwords to remember
• Has my password leaked in a data breach?
Password managers solve both.
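The second problem on slide 32, "has my password leaked in a data breach?", can be answered without ever sending the password anywhere. The following is an added example, not part of the presentation: it implements the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses (and that password managers build their breach checks on). Only the first five hex characters of the password's SHA-1 leave the machine; the server returns every known suffix for that prefix and the comparison happens locally. The range response below is constructed to mirror the API's `SUFFIX:COUNT` format rather than fetched, and the counts in it are made up; the one real value is the SHA-1 suffix of the deck's own example of a lousy password, Letmein1.

```python
"""Added example (not from the presentation): k-anonymity breach check for a password.

Real usage would GET https://api.pwnedpasswords.com/range/<prefix> over HTTPS and feed
the response text to breach_count(); here the response is a constructed stand-in.
"""
import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it: 5-char prefix (transmitted), 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_path(password: str) -> str:
    """The only thing that goes over the wire: the range path for the hash prefix."""
    prefix, _ = split_hash(password)
    return f"/range/{prefix}"


def breach_count(password: str, range_response: str) -> int:
    """Compare our suffix against every 'SUFFIX:COUNT' line the API returned for the prefix.

    Returns how many times the password was seen in breaches, or 0 if it is not in the set.
    """
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API response for our prefix. The Letmein1 entry is built
# from that password's genuine SHA-1 suffix; its count and the other two lines are invented.
_LEAKED_SUFFIX = split_hash("Letmein1")[1]
CONSTRUCTED_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_LEAKED_SUFFIX}:27142",
    "00D4F6E8FA162A6C5D3D4E6F1B2A3C4D5E6:1",
])


if __name__ == "__main__":
    for pw in ("Letmein1", "a-long-unique-passphrase-7f3c"):
        print(f"{lookup_path(pw)} -> {pw!r} seen {breach_count(pw, CONSTRUCTED_RANGE_RESPONSE)} times")
```

Because the server only ever sees a 5-character prefix shared by hundreds of other passwords, the check can be run against a live password without disclosing it; a non-zero count is the signal to rotate that password everywhere it was reused.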
33. Password Wallets
Remember a single password only:
o LastPass
o 1Password
o Dashlane
o RoboForm

34. How can I protect my organisation from BEC fraud? (cont’d)
Stop using email
• Email: the default ad-hoc workflow!
• Formalise business processes
• Move collaboration to:
  • Secure business platforms (e.g. web portals)
  • Third-party platforms: Slack, Microsoft Teams, Skype, WhatsApp (Brazil), WeChat (China)

35. BEC Fraud is a people, process, and technology problem

36. BEC Fraud – People
Phishing simulation:
• Phishing is a precursor of BEC fraud
• Identify vulnerable segments of your staff by phishing them
• Target the vulnerable people with training
• Train and test your employees to follow payment procedures

37. BEC Fraud – Process
Business:
• Change your contracts
• Set up processes for payments and for verifying changes to payment details
• Minimise use of email for payments/invoices
Security:
• Cyber security team to scan for indicators of BEC fraud (e.g. suspicious email redirection rules)
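Slide 27 lists forwarding rules you never set as a sign of compromise, and slide 37 asks the security team to scan for suspicious redirection rules. The following is an added example, not from the presentation, of what that scan looks like once the rules have been exported. It expects the JSON that Microsoft Graph returns from `GET /users/{id}/mailFolders/inbox/messageRules` (the `value` array of `messageRule` objects with `displayName`, `isEnabled`, `conditions` and `actions`); the three rules in it are constructed, and `example.com.au` is an assumed internal domain. Each rule is scored on the traits attacker-created rules tend to share: forwarding or redirecting outside the organisation, deleting or moving the original so the owner never sees the reply, matching finance or credential keywords, and near-empty names such as `.`.

```python
"""Added example (not from the presentation): triage Exchange Online inbox rules for BEC indicators.

Input shape: Microsoft Graph messageRule objects as returned by
GET /users/{id}/mailFolders/inbox/messageRules. The sample data is constructed.
"""
import json

INTERNAL_DOMAINS = {"example.com.au"}   # assumed: the domains the organisation owns
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
KEYWORD_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")
BEC_KEYWORDS = ("invoice", "payment", "bank", "remittance", "wire", "password", "account")


def _addresses(recipients) -> list[str]:
    """Flatten Graph recipient objects ({'emailAddress': {'address': ...}}) to lower-case addresses."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def triage_rule(rule: dict) -> dict:
    """Score one rule: severity 0 (clean) to 3 (act now), with the reasons in plain words."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons: list[str] = []
    severity = 0

    # Any forward/redirect to a domain we do not own is the classic BEC persistence trick.
    forwards = [a for key in FORWARD_ACTIONS for a in _addresses(actions.get(key)) if a]
    external = sorted(a for a in forwards if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS)
    if external:
        severity = 3
        reasons.append("forwards outside the organisation: " + ", ".join(external))

    # Forward-then-hide means the mailbox owner never sees the supplier's reply.
    hides = bool(actions.get("delete") or actions.get("permanentDelete") or actions.get("moveToFolder"))
    if hides and forwards:
        severity = 3
        reasons.append("forwards a copy then deletes/moves the original, so the owner never sees it")
    elif hides:
        severity = max(severity, 1)
        reasons.append("deletes or moves matching mail")

    # Conditions keyed on invoices, payments or bank details are what a fraudster filters on.
    words = [w.lower() for key in KEYWORD_CONDITIONS for w in (conditions.get(key) or [])]
    hits = sorted({w for w in words if any(k in w for k in BEC_KEYWORDS)})
    if hits:
        severity = max(severity, 2)
        reasons.append("matches finance/credential keywords: " + ", ".join(hits))

    # Attackers frequently name rules '.', '..' or a single space to keep them inconspicuous.
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1:
        severity = max(severity, 2)
        reasons.append("near-empty rule name, a common trait of attacker-created rules")

    if severity and not rule.get("isEnabled", True):
        severity = 1
        reasons.append("rule is currently disabled")

    return {"name": name or "<unnamed>", "severity": severity, "reasons": reasons}


def triage_mailbox(rules_json: str) -> list[dict]:
    """Triage every rule in one Graph response, most severe first."""
    rules = json.loads(rules_json).get("value", [])
    return sorted((triage_rule(r) for r in rules), key=lambda f: -f["severity"])


# Constructed sample: a benign filing rule, an attacker's rule, and a legitimate internal forward.
SAMPLE_RULES_JSON = json.dumps({"value": [
    {"id": "1", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-1", "stopProcessingRules": True}},
    {"id": "2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "bank details"]},
     "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "acct.receivable.au@outlook.com"}}],
                 "delete": True, "markAsRead": True}},
    {"id": "3", "displayName": "Copy to assistant", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "ceo@example.com.au"}}]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ea@example.com.au"}}]}},
]})


if __name__ == "__main__":
    for finding in triage_mailbox(SAMPLE_RULES_JSON):
        print(f"[{finding['severity']}] {finding['name']}: {'; '.join(finding['reasons']) or 'clean'}")
```

Inbox rules are only one of the places a forward can be configured; a complete scan in Exchange Online also checks the mailbox-level `ForwardingSmtpAddress`/`ForwardingAddress` settings, transport rules that redirect or blind-copy mail, the remote domain `AutoForwardEnabled` flag, and the outbound spam policy's automatic-forwarding mode, and it should run on a schedule rather than once, because attackers re-create rules after they are removed.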
38. BEC Fraud – Low tech/no tech solutions
• Put payment instructions in your supplier/customer agreements
• Specify that payment instructions will never change by email
• Phone-in payment confirmations
• A disclaimer on all your emails?

39. BEC Fraud – Technology
• Advanced email security (AKA ATP, anti-phishing)
• Two-factor authentication (2FA)
• Password wallets
• DNS firewalls
• Endpoint security (phishing protection)
• Web proxies and browser extensions that protect against phishing and fake login pages
• General advice: ASD Essential 8
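The "advanced email security / anti-phishing" item on slide 39 is, at its core, header analysis for the three patterns the "What is BEC fraud?" slide sets out: display-name spoofing (a real name on a free-mail address), email-address spoofing (From looks right, Reply-To goes elsewhere) and a forged internal sender that the receiving mail server could not authenticate. The following is an added example, not from the presentation or from any product, that runs those checks over raw RFC 5322 messages with Python's standard `email` library. The three messages are constructed; the first reuses the deck's Example 1 sender, `Andy Penn <apen555@gmail.com>`, while `example.com.au` as the organisation's domain, the protected-names list and the `Authentication-Results` values are assumptions.

```python
"""Added example (not from the presentation): the header checks an anti-phishing layer performs.

Assumed: example.com.au is our domain, 'Andy Penn' is an executive whose name is public, and
Authentication-Results headers are stamped by our receiving mail server.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr

PROTECTED_NAMES = {"andy penn"}                 # assumed: executives attackers impersonate
INTERNAL_DOMAINS = {"example.com.au"}           # assumed: domains we own
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(name: str) -> str:
    """Fold case, commas and extra whitespace so 'PENN, Andy' and 'andy penn' compare equal."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))


def analyse(raw: bytes) -> list[str]:
    """Return the findings for one message; an empty list means nothing looked like BEC."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. Display-name spoofing: a protected name on an address outside our domains.
    if normalise(name) in PROTECTED_NAMES and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
        if from_domain in FREEMAIL_DOMAINS:
            findings.append(f"free-mail sender domain: {from_domain}")

    # 2. Email-address spoofing: replies silently routed to a different domain than From.
    for _, reply in getaddresses([str(v) for v in msg.get_all("Reply-To", [])]):
        if reply and domain_of(reply) != from_domain:
            findings.append(f"Reply-To domain mismatch: From={from_domain} Reply-To={domain_of(reply)}")

    # 3. Forged internal sender: our domain in From, but the receiving MTA recorded no SPF/DKIM pass.
    if from_domain in INTERNAL_DOMAINS:
        auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            findings.append("claims an internal From address but carries no SPF/DKIM pass")
    return findings


# Constructed messages. SPOOFED reuses the deck's Example 1 sender.
SPOOFED = b"""From: Andy Penn <apen555@gmail.com>
To: accounts@example.com.au
Subject: Urgent payment
Content-Type: text/plain

Please pay the attached invoice today, I am in meetings all day. Sent from my iPhone
"""

REPLY_TO_SPOOF = b"""From: Andy Penn <andy.penn@example.com.au>
Reply-To: Andy Penn <andy.penn@examp1e-mail.com>
To: accounts@example.com.au
Subject: Updated bank details
Content-Type: text/plain

Our payment details have changed, please reply to confirm you have the new account.
"""

LEGIT = b"""Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=example.com.au; dkim=pass header.d=example.com.au
From: Andy Penn <andy.penn@example.com.au>
To: accounts@example.com.au
Subject: Board papers
Content-Type: text/plain

Papers for Thursday attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply-to", REPLY_TO_SPOOF), ("legit", LEGIT)):
        print(label, analyse(raw) or ["clean"])
```

Checks 1 and 2 need no infrastructure beyond a directory of names worth protecting; check 3 relies on the organisation having published SPF and signed with DKIM so that a forged internal sender fails authentication at the border, which is why those records are a prerequisite for any anti-impersonation control, in-house or bought.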
40. Summary
BEC is a lucrative business:
• Organised crime
• Relies on social engineering and phishing
• Technology and human problem
Defence:
• Formalise business processes
• Change people, process and technology
• 2FA (i.e. outrun the others!)

41. Where to go next?
If you are hit by BEC fraud:
• Activate your incident response plan
• Assemble a breach response working group to coordinate the response
• Report the incident to ACORN, IDCARE and the OAIC as required
• Get professional help if needed

42. Questions?
Nicholas Kavadias @nkav
nick@ironbastion.com.au
1300 883 420
Slides: https://ironbastion.com.au/ISACA