FRAUD & CYBERCRIME HOW TO PROTECT YOUR COMPANY? BNP PARIBAS CASH MANAGEMENT June 2018 Credit: Shutterstock


A world of fraud

1. Fraud by impersonation: a growing risk
2. Cyber-fraud: a rising threat
3. Data theft: a major risk
4. Client risk, still at stake
5. Internal fraud: most frequent cases

$ millions per breach

$ billions worldwide

40% annual growth

60% of frauds

$3.1+ bn worldwide

Source: PwC Economic Crime Survey 2014

Source: Forbes, January 17th, 2016 Source: FBI 2016 quoted by Bank Info Security

Various studies incl. 2016 Nilson report Source: IBM & Ponemon 2015 Cost of Data Breach


1. Impersonation fraud

Fake CEO Scam

The three most frequent impersonation fraud schemes:

| 2017 | Fraud & Cybercrime 4

1. Impersonation fraud

http://entreprises.bnpparibas.fr/rsc/contrib/video/dossiers/Hello_Here_Is_Your_Chairman.mp4

From: [email protected] <[email protected]>

Sent: Wednesday, December 30, 2015 at 3:44 PM

To: Kate

Subject: Confidential file

Hello Kate,

Did Mr Tim Ryan from our Law Firm contact you?

Best Regards,

John Smith

Chief Executive Officer "Sent from my iPhone"


From: Kate

Sent: Wednesday, December 30, 2015 at 3:47 PM

To: ‘[email protected]

Subject: RE: Confidential file

Yes, I just hung up with him.

But I did not understand the purpose of his call.

Regards,

Kate


From: [email protected] <[email protected]>

Kate,

For the last months we have been working, in coordination and under the supervision of the SEC on acquiring a Chinese company... This takeover bid must remain strictly confidential, no one else needs to know for now. The public announcement of this takeover will take place Friday, January 8, 2016 in our office with the presence of the entire board.

I've chosen you for your discretion and great work within the company.

Please contact our law firm immediately (tryan.kpmq@finance.com). He will give you the bank details to make the credit transfer immediately.

Please send me the balances of the accounts.

This is very sensitive, so please only communicate with me through this email ([email protected]), in order for us not to infringe SEC regulations.

John Smith

Protect against fake CEO scam

• Awareness raising (newcomers!) and message from CEO
• Segregation of duties
• Avoid validation by fax

1. Raise your team’s awareness about fraud, cyber risks and information dissemination risks. Hold regular sessions (do not forget newcomers, short-term employees) for various staff profiles: accounting, treasury, purchasing, P.A., etc.

To raise awareness: “credit transfer fraud” training kit


1. Impersonation fraud

Fake CEO Scam Fake Vendor Scam

The three most frequent impersonation fraud schemes:


From: [email protected]

Subject: our bank account

Dear Bob,

From: [email protected]

Subject: duplicate invoices?

Hello Kim!

Beware of “Business Email Compromise” (BEC)

Beware of social engineering: fake clients, fake auditors, fake tax inspectors, fake public administration, fake notary...

Hello,

Please find the original version of our invoice # 029077112/ 936451

Best Regards,

Shelia Bodo

OVERDUE INVOICE - URGENT

Beware of data theft through hacking and malware

REGISTERED LETTER

Protect against fake vendor scam

• Call-back procedure in case of bank account change
• Safe management of vendor contact details
• Focus on tier-1 vendors and foreign beneficiaries

Call-back procedure
• Apply written call-back procedure in case of vendor detail modification
• Use safe contact details, not those contained in the notification or invoices
• Verify the email address of the request and do not check using “Reply to”
• Proceed on receipt of the notification (do not wait until you need to make the payment)
• In case of foreign beneficiary country or largest suppliers, use 2 channels (phone + email)
• Use local Account Check schemes (e.g. SEPAmail IBAN Check in France)

Instructions to check email headers
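
The header checks behind “Verify the email address of the request and do not check using ‘Reply to’”, as an added Python example that is not part of the original presentation. The trusted domain `corp.example`, the gateway name `mx.corp.example`, the finding names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"corp.example"}  # assumption: the company's own mail domains
OUR_MTA = "mx.corp.example"         # assumption: authserv-id stamped by our own mail gateway

# Constructed sample modelled on the fake CEO message (reserved example domains only).
SUSPICIOUS = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.corp.example; spf=softfail smtp.mailfrom=mailer.example; dmarc=fail header.from=c0rp.example
From: John Smith <john.smith@c0rp.example>
Reply-To: John Smith <jsmith.ceo@webmail.example>
To: Kate <kate@corp.example>
Subject: Confidential file

Please only communicate with me through this email.
"""

# Constructed sample of an ordinary internal message.
LEGITIMATE = """\
Return-Path: <john.smith@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: John Smith <john.smith@corp.example>
To: Kate <kate@corp.example>
Subject: Budget meeting

See you at 10.
"""


def _domain(header_value):
    """Domain part of the first address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw_message, trusted=TRUSTED_DOMAINS, our_mta=OUR_MTA):
    """Return a sorted list of findings that should trigger a call-back before acting."""
    msg = message_from_string(raw_message)
    findings = set()
    from_dom = _domain(msg.get("From"))

    # Sender domain that is not ours but sits within two edits of one that is.
    if from_dom not in trusted and any(
        0 < _edit_distance(from_dom, t) <= 2 for t in trusted
    ):
        findings.add("from-lookalike-domain")

    # "Reply" would go somewhere other than the displayed sender.
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.add("reply-to-differs-from-sender")

    # Envelope sender (bounce address) does not match the displayed sender.
    path_dom = _domain(msg.get("Return-Path"))
    if path_dom and path_dom != from_dom:
        findings.add("return-path-differs-from-sender")

    # Only trust Authentication-Results written by our own gateway; a sender can forge others.
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != our_mta:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()):
            if result in {"fail", "softfail", "permerror"}:
                findings.add(f"{method}-{result}")
    return sorted(findings)


if __name__ == "__main__":
    print(check_headers(SUSPICIOUS))
    print(check_headers(LEGITIMATE))
```

An empty result is not proof that a request is genuine: a message sent from a compromised real mailbox passes all four checks, which is why the call-back on safe contact details remains the control.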

IBAN Check

Safe administration of vendor details
• Authenticate and trace accounts and details changes (phone numbers, email address...)
• Appoint few people authorized to modify vendor details (e.g. 2 or 3 senior accounting staff)
• Train these people regularly and make them accountable
• If necessary, set up a reference data department (in-house or outsourced)

Against invoice and data theft (protect your clients)
• Apply written call-back procedures in case of accounting information request
• Regularly raise employees’ awareness against invoice theft, BEC and malware
• Build a culture of risk (incoming call, mail, email, social network…)

SEDA SEPA e-Database Alignment

1. Impersonation fraud

Fake CEO Scam Fake Technician Scam Fake Vendor Scam

The three most frequent impersonation fraud schemes:

An accountant receives a call…

Somewhere, abroad… 0 825 000..

Germany

Mr Martin from BNP Paribas speaking, do you remember me?

Your e-banking will be migrating to a new version, and will be unavailable for 72 hours.

Could you please go to www.is.gd/migration so that I can proceed with verification.

Please enter your session key 281 199 250.

Establish Support Connection: Type your name and the support key received from your technician

Your Name: Support Key:

I have the control of your PC. I’m checking the transfers… Go for a coffee if you want!

I’m done. Wait 3 days before using your tool: meanwhile, send your payments by paper orders

- $355,087.11 Continue

Protect against technician scam

• Awareness raising
• Call-back procedure
• Option: “RAT” (1) blacklisting
• List of authorised countries and/or account numbers: “Secure Flows”

1. RAT: Remote Administration Tools

1. Impersonation fraud

Fake CEO Scam Fake Technician Scam Fake Vendor Scam

The three most frequent impersonation fraud schemes:

Beyond the financial damage, such frauds cause human trauma, layoffs and even bankruptcies.

$ 47m € 70m € 42m

€ 23m $ 17m € 40m

€ 1,5M ON AVERAGE

€ 2m € 1,5m

€ 1,4m € 1,1m

€ 0,5M ON AVERAGE

$ 100m+ $ 100m

€ 1,6m € 15m

RANDOM

Anonymous Anonymous

Anonymous Anonymous

1. Impersonation fraud

• Purchase of public documents, social networks
• Anonymous prepaid card
• Voice over IP platforms
• Voice changer software
• Remote Administration Tools, PC and e-mail hacking, fake website …
• Diversion of phone line

1. Impersonation fraud

Main countries of destination of transfers:
• Israel
• China and Hong-Kong
• SEPA zone countries

France (intermediary bank accounts)

Map labels: Greece, Cyprus, Macedonia, Bulgaria, Slovakia, Czech Rep., Hungary, Romania, Croatia, China, Cambodia, Turkey, Hong Kong, Poland, Latvia, Estonia, Lithuania, United Kingdom, Germany, Sweden, Austria, Belgium, Spain, Netherlands, Norway, Denmark, Switzerland, Italy, Slovenia, San Marino, Singapore, Monaco, Portugal

2. Cyber fraud: a rising threat

Frequent phishing attacks…


Your BNP Paribas account needs verification:

06/03/2014 07:26

Message from: “BNP Paribas” < @bnpparibas.com>

To:

Subject: BNP Paribas messages

Dear client, You have (2) new messages. Check your mailbox, by clicking on the link below: Your mailbox

1. Reception of emails… … or SMS

2. Cyber fraud: a rising threat

2. Theft of password

… or SIM card misappropriation

3. Theft of SMS validation code

For security reasons, we need to check your mobile phone.

You will receive an SMS code within a few minutes.

Please enter your SMS code:

info: a SIM card reissuing request has been asked for your mobile contract. If you are not responsible for this request, please contact immediately the Help Desk at

2. Cyber fraud: a rising threat

Beware of attachments (MS Office, zip…), links to documents

2. Cyber fraud: a rising threat

[Diagram: steps numbered 1 to 5, with “invoice” attachments]

• An employee receives an email
• Propagation and data theft
• The malware creates beneficiary account or credit transfer
• If needed, it asks for validation via a fake page
• A malware installs on the PC silently

Bogus page : signature request at login Regular login page

OK

12345678

To proceed with validation
1. Enter the challenge on your reader
2. Enter your PIN code
3. Enter the response and confirm

OK

Challenge : 4702 3476

Access your accounts


AN EMAIL WITH URGENT ANTIVIRUS UPDATE...

BUT... BUT... WHAT'S THIS THING?

LET’S GO, I DON’T HAVE ALL DAY...

NO I JUST OPENED THE ATTACHMENT

LOOK MARK! IT SAYS MY FILES ARE ENCRYPTED, AND I MUST PAY € 300

TO DECRYPT!

LOOK, IT'S CALLED CRYPTOLOCKER IS IT

WHAT YOU GOT? UH NO...

DIDN’T YOU CHECK THE EMAIL SENDER?

Ransomware alert

Protect against cyber fraud

• Awareness raising
• Segregation of duties (1)
• Frequent secured backups (2)
• Good “IT hygiene”
• … And if possible, blocking VBA attachments

1. If possible, use offline validation (e.g. one-time password) and raise user awareness against fake validation pages

2. Regular backup, disconnected from your IT network, regularly tested to make sure it is not encrypted

To assess your prevention: “personalized risk assessment”

3. Data theft: a major risk

Malware can steal:
• Your browsing history
• Your id and passwords (web banking, webmail ...)
• Your credit card numbers
• Your contact information (address, phone, email ...)
• Your lists of customers and suppliers, account numbers...

This data can be sold and allow other scammers to operate:
• Credit card frauds
• Direct debit frauds
• Impersonation frauds…

3. Data theft: a major risk

Malware on P.O.S. machines
• Theft of data of 70+ million clients
• Global cost of $170 m ($20 to 200 per client)
• CEO fired after 35 years of service
• Multiple lawsuits

Massive data theft is a major risk to utilities, telcos, large retailers, online merchants, but also to SMEs, often less protected.
• Hacking of databases (client files, bank details…)
• Espionage (secret process, pricing, RFPs…)
• Damages (paralysed servers, unusable PCs, e-commerce site defaced…)

[Chart: 80% of cyber attacks; segments: Medium Business, Small Business, Large business]

3. Data theft: a major risk

Beware of fake customers, auditors, tax inspectors, public administration, surveyors, head hunters, travel agencies...

…AND ALSO ON SOCIAL NETWORKS BY PHONE, MAIL, EMAIL…

Protect against information theft

• Awareness raising (1) and culture of risk
• Authentication of correspondents (2)
• Protection of files

1. Awareness in order to create a culture of risks, and identify sensitive information: be cautious when publishing info on social networks, over the phone, by email…

2. Verification procedures in case of sensitive solicitations (e.g. call-back to authenticate tax authorities requests, etc.)

To raise awareness: “Protecting information” training kit

4. Client risk, still at stake

Example: fake client fraud
1. Order by a fake client (or a prospect)
2. Delivery at a bogus address and receipt of loaded trucks
3. Non-payment of invoices
NB: affects particularly the businesses of the agri-food industry

Example: supplier credit fraud
1. Creation of a business relationship
• Fraudster buys electronic devices from his victim
• Gradual increase in the amounts
2. Non-payment of the last delivery
• Provision of a copy of the credit transfer order
• Cancellation of the transfer order
• Materials sent abroad
• Insolvency

NB: many other client frauds: supplier credit based on false information, fake payment means (counterfeit money, loyalty card scam…)

4. Client risk: collection risks

Trust scale: + to -

| Collection means | Risks (client frauds…) | Collection guarantee | Recommendation |
| --- | --- | --- | --- |
| CREDIT TRANSFER | Very low (rare cases of cancellation or dispute) | At account credit (within 24 hours) | To be favoured when possible |
| B2B DIRECT DEBIT | Very low (rare cases of cancellation or dispute) | At account credit (within 24 hours) | To be favoured when possible |
| CARD (WITH PIN OR 3D SECURE) | Low (commercial contestation up to 13 months – mostly foreign cards) | At account credit (within 24 hours) | Best solution for point of sales and e-commerce |
| STANDARD DIRECT DEBIT | Medium (repudiation within 8 weeks without motive, contestation for mandate nullity within 13 months) | After 8 weeks | For trusted clients, moderate amounts, service offering… |
| CASH | Medium (counterfeit money, theft of cash at point of sale or during transportation) | After 72 hours following the remittance to bank | Amount < €1,000 (15.000 for foreigners) |
| CARD (WITH NO PIN, AND NO 3D SECURE) | High (repudiation within 8 weeks without motive) | After 13 months | To be used with trusted clients, duly authenticated |
| CHEQUE | High (rubber cheque, cheque theft and falsification, overpayment scams…) | After 15 days* | To be used with trusted clients, duly authenticated |
| BILLS OF EXCHANGE | Medium (risk of unpaid bill and commercial dispute) | After ~ 15 days, even in case of bill discount | To be used with trusted clients only |

* Loss / theft: 8 days - Fraudulent use: 10 days - Signature not in conformity / falsification / false / irregular or missing endorsement / obligatory mention absent: 60 days - Insufficient provision: the alert for insufficient provision occurs during the presentation for payment to the sending bank, which must inform the issuer of this and invite him to regularize the position of his account. A period of 24 or 48 hours is quite commonly practiced by the banks, but the latter may last up to 7 days depending on the practices of the bank of the issuer of the check.

Protect against client fraud

• Upon order receipt, authenticate your client (1)
• Know and control the risks of collection means

1. Written procedure in case of receipt of order, request for quotation or request for opening a customer account, for example: call-back upon receipt of the order - In case of foreign country, check by two channels - Use safe contact, not those contained in the order, not by replying to the email - verify the email address of the request carefully ...

SEPAmail IBAN Check, 3DSecure, Mercanet, Ethoca©

Vérifiance, SDD white and black list…

IBAN Check

5. Internal fraud: most frequent cases

[Chart: probability (5% to 20%) plotted against average prejudice (50 K€ to 150 K€); legend: Payments, Receivables]

• Unaccounted sales
• Theft of receivables: Cash, cheques, Ponzi schemes, fake discount…
• Purchasing Fraud: Fake invoice, fake supplier…
• Outgoing cheque tampering
• Payroll Fraud: Fake employee, fake timesheets…
• Expense Reimbursements
• Falsified transfer
• Asset Theft: Supply, tangible and intangible assets

Sources: PwC 2014 Global Economic Crime Survey – Association of Certified Fraud Examiners

5. Internal fraud: most frequent cases

Theft and forgery of cheques by an employee with access to the mail
1. Misuse of cheque letters
2. Cheques’ printed item tampering
3. Cashing in on several accounts

Purchasing misappropriation by company’s Head of IT Operations
1. Subscription of leasing contracts
• Fake delegations of authority
• Purchase of electronic devices (not related to company’s activity)
2. Misappropriation and resale of purchased devices
• Use of bogus companies
• Passive complicity of the leasing company

Protect against internal fraud

• Procedures and segregation of duties
• Accounting follow-up and bank reconciliation
• Limitation of the means of payment in circulation

Corporate Card, Purchasing Card, Virtual Card, Secured Cheque Letter©, Chèque Confiance©, Forcash©, Smart Lock Boxes…

Protect your business

Fraud is not inevitable: corporates can protect themselves

1. Train your staff regularly
• Fraud and cyber risks and information dissemination
• Accounting, treasury, purchasing, P.A., etc.
• Regular sessions (newcomers, short term employees) ...

2. Authenticate your counterparties
• CEO, vendor, technician, client
• Written procedure
• Not yielding to urgency and confidentiality
• Safe contact details!
• Check email headers!
• SEPAmail IBAN Check (in France)

3. Secure your information system
• Up-to-date OS, browser and antivirus software
• Restriction of installation rights
• Auto-execution of macros deactivated
• Protection of customer and supplier databases
• Regular backups

Find all concrete good practices in our training kits

Training kits, IBAN Check

Protect your business

Fraud is not inevitable: corporates can protect themselves

4. Make good use of your payment application
• Segregation of duty and limit amounts
• Suppression of paper orders and validations
• Authentication means
• Beware of private PC and smartphones!

5. Use improved controls
• Daily monitoring of issued payments
• Use of paper proofs
• Internal control and audits
• Secure Flows: authorised countries…

6. Build corporate governance
• Work with HR, IT, Purchasing…
• Culture of risk
• Watch of new fraud schemes
• Whistle Blowing Hotline
• Communication to clients
• Fraud risk assessment…

Find all concrete good practices in our training kits

Secure Flows, Bank call back, Assessment

In case of fraudulent transfer (or suspicion)

• Before it happens, train your staff to ensure they react appropriately in case of fraud
• Ask your legal department to be prepared to file a complaint in the beneficiary’s country if necessary
• Check issued transfers every day, with special attention to high-risk countries

1. CONTACT YOUR BANK IMMEDIATELY
2. FILE A COMPLAINT WITH THE POLICE
3. NOTIFY YOUR MANAGEMENT AND PRESERVE EVIDENCE

Map labels: Greece, China, Poland, Latvia, Estonia, Lithuania, Bulgaria, Slovakia, Czech Rep., Hungary, HK, Cyprus, UK, …, Germany, Sweden, Austria, Belgium, Spain, Turkey, Netherlands, Norway, Denmark, Macedonia, Croatia, Slovenia, San Marino, Romania, Switzerland, Italy, Singapore, Monaco, Portugal

Questions?

Ask your relationship manager for a diagnosis and personalized advice

1. Train your staff regularly
Regularly raise your team’s awareness to risks and limit information dissemination

2. Authenticate your counterparties
Have an identity verification procedure: CEO, vendor, technical officer, client, tax officer…

3. Secure your information system
Use up-to-date antivirus, restrict installation rights and protect your databases

4. Ensure proper duty segregation
Ensure duty segregation, make good use of payment tool, and avoid paper orders

5. Use improved controls
Monitor issued payments every day or use countries / beneficiaries closed lists

6. Keep updated and talk about it
Raise your clients and suppliers’ awareness, and work with your banks