Business Email Compromise
© 2016 Guardian Analytics, Inc. – Confidential & Proprietary
Guardian Analytics BEC Education Campaign
For businesses:
• Best Practices Kit
• Unbranded materials you can use to educate your clients
• Detection
• Example of scams
For financial institutions:
• Materials for you and your teams
• Conversations with clients
• Fraud Update on BEC
• Promoting the kit nationwide to raise awareness
Guardian Analytics Best Practices Kit: www.GuardianAnalytics.com/BEC-FI

FBI Warning: Business Email Compromise
Latest BEC impact:
• Over 12,000 businesses victimized
• $1.2B in losses
• 270% increase from January 2015 to August 2015
• Institutions experiencing their clients victimized with increasing frequency – many seeing clients hit daily!

Different Forms of BEC
1. Business Email Spoof (lookalike domain @Redllaw imitating the real @Redlaw)
2. Business Email Hack (the real @Redlaw mailbox)
3. Business Email Hack / Vendor Email, Invoice Spoof (vendor lookalike @vendorr)
The criminal determines the attack pattern based on whose email they have (CxO vs. Controller/Procurement); the focus is on the CxO.

1. CxO Masquerading – Domain Spoofing (Business Email Spoof)
Create a new lookalike domain (Redllaw vs. Redlaw); mail from @Redllaw goes to Finance Staff.
Research the target business and person(s) – who to target and impersonate, and the best message:
• General information: company news, products/patents
• Personal information: funding, travel plans
• Customers/partners

2. Business Email Hack – CEO Masquerading
Email takeover via phishing, social engineering, breaches, or malware.
Monitor CEO email (@Redlaw) to learn:
• Relationships
• Common phrases
• Business activities
• Typical transactions
• Calendar/travel
Hide email traffic using rules: move, delete, auto-forward.
Target: Finance Staff.

Criminal "Payload" is Changing
• Wire payment request → Finance Staff → wire fraud
• Employee/W2 info request → Finance / HR Staff → identity theft, tax fraud, new account fraud

3. Supplier Masquerading – Hacked Internal Email (Business Email Hack / Vendor Email Spoof)
Email takeover (@Redlaw) via phishing, social engineering, breaches, or malware.
Monitor victim email for vendors, vendor email traffic, invoices, and a relevant "jump in" point.
Set up a new supplier lookalike domain (@vendorr), send a spoofed invoice, and use CC to fake conversations about the invoice with the Vendor.
Hide email traffic using rules: move, delete, auto-forward.

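Added example, not Guardian Analytics code: an audit of mailbox rules for the move / delete / auto-forward pattern described on the CEO-masquerading and supplier-masquerading slides above. The rule records, the internal domain redlaw.com, the keyword list and the folder names are constructed assumptions; a real export from a mail platform would have to be mapped onto these keys first.

```python
# Added example (not Guardian Analytics code): audit mailbox rules for the
# "move / delete / auto-forward" hiding pattern. All rule records, domains,
# keywords and folder names below are constructed assumptions.
INTERNAL_DOMAINS = {"redlaw.com"}          # constructed: the victim company's own domain
FINANCE_TERMS = ("invoice", "wire", "payment", "bank", "routing", "account")
HIDING_FOLDERS = ("deleted items", "rss feeds", "archive", "junk", "conversation history")

def is_external(addr, internal=INTERNAL_DOMAINS):
    """True when the address is outside the company's own domains."""
    return addr.rsplit("@", 1)[-1].lower() not in internal

def audit_rule(rule, internal=INTERNAL_DOMAINS):
    """Return (severity, reason) findings for one rule.
    rule keys (assumed schema): name, forward_to (list), delete (bool),
    move_to (folder name or None), mark_read (bool),
    conditions: dict of subject_contains / body_contains / from_contains lists."""
    findings = []
    cond = rule.get("conditions", {})
    cond_text = " ".join(cond.get("subject_contains", []) + cond.get("body_contains", [])
                         + cond.get("from_contains", [])).lower()
    finance = any(t in cond_text for t in FINANCE_TERMS)
    external = [a for a in rule.get("forward_to", []) if is_external(a, internal)]
    if external:
        findings.append(("high", "auto-forwards to external address(es): " + ", ".join(external)))
    if rule.get("delete") and finance:
        findings.append(("high", "deletes mail matching finance keywords"))
    elif rule.get("delete") and not cond_text:
        findings.append(("medium", "deletes mail with no visible condition"))
    dest = (rule.get("move_to") or "").lower()
    if dest in HIDING_FOLDERS and (finance or rule.get("mark_read")):
        note = " after marking read" if rule.get("mark_read") else ""
        findings.append(("high", f"hides mail in '{rule['move_to']}'{note}"))
    name = rule.get("name", "").strip()
    if findings and len(name) <= 1:        # attackers often give hiding rules a blank or one-char name
        findings.append(("medium", "rule name is blank or a single character"))
    return findings

def audit_mailbox(rules, internal=INTERNAL_DOMAINS):
    """Map rule name -> findings for every rule that raised at least one."""
    report = {}
    for r in rules:
        found = audit_rule(r, internal)
        if found:
            report[r["name"]] = found
    return report

# Constructed sample rules: one benign, two of the kind the slides describe.
SAMPLE_RULES = [
    {"name": "Newsletters", "move_to": "Reading", "conditions": {"from_contains": ["news@"]}},
    {"name": ".", "forward_to": ["ceo.redlaw@webmail.example"], "mark_read": True,
     "move_to": "RSS Feeds", "conditions": {"subject_contains": ["wire", "invoice", "payment"]}},
    {"name": "Cleanup", "delete": True, "conditions": {"body_contains": ["routing number", "bank"]}},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(repr(name), findings)
```

Run on a periodic export of every user's rules, and treat a new external forward or a finance-keyword delete rule on a CEO, CFO, controller or accounts-payable mailbox as an incident trigger rather than a ticket.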
Criminals Use Simple and Complex Schemes

Email From: CEO
To: Dave, Controller
Subject: Need your help – pls keep it quiet
Message: Dave, Can you please wire $56,000 to this company. I'm in a meeting right now, but you don't need any further approvals. If you have questions, please reply to this email. Your prompt attention to this is critical. Thanks, CEO
Simple request: relies on urgency and unavailability.

Email From: Vendor
To: Finance, Accounts Payable
Subject: Invoice – New Process
Message: Please find attached our latest invoice for the past billing period. Also note that we are implementing a new payment process. Instead of how you have previously made payments, please wire the funds directly to our account. Here are the wire instructions: Routing number: xxxxxxxxxx Account number: xxxxxxxxxx

Email From: CEO
To: Dave, Controller
Subject: Confidential – Attorney will call
Message: Dear Dave, I would like to bring you in on something very important, but highly confidential. I would appreciate your timely support as well as your discretion, as we are not ready to tell the whole company about this – we are in the process of acquiring a company overseas. This is very strategic to our business. I'll be connecting you with a lawyer in London who is brokering this transaction for us. He will provide payment instructions for you. I'm handing this project to you because I know I can trust you. I'll check in with you periodically. Thanks, CEO
Complex story: relies on secrecy and a sense of importance; can result in multiple payments.

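Added example, not Guardian Analytics code: an indicator check that a mail gateway or a finance-team add-in could run on an inbound request, covering the lookalike-domain trick from the domain-spoofing slide (Redllaw vs. Redlaw, vendorr vs. vendor) and the urgency, secrecy and changed-payment-instruction cues in the three sample emails above. The trusted domains, phrase lists, weights and the reconstructed sample messages (including the reply-to address on the third one) are assumptions; the sample text follows the slide.

```python
# Added example (not Guardian Analytics code): score an inbound payment request
# for the BEC indicators the slides describe. Trusted domains, phrase lists,
# weights and the sample messages are constructed assumptions.
import re
from difflib import SequenceMatcher

TRUSTED_DOMAINS = {"redlaw.com", "vendor.com"}   # constructed: our company and a real supplier

# Phrase families drawn from the three sample emails on the slide.
URGENCY = ("right now", "prompt attention", "critical", "urgent", "immediately")
SECRECY = ("keep it quiet", "confidential", "discretion", "not ready to tell")
PAYMENT_CHANGE = ("new payment process", "wire the funds", "wire instructions",
                  "routing number", "account number", "payment instructions")
APPROVAL_BYPASS = ("don't need any further approvals", "reply to this email", "please wire")

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one imitates (redllaw.com -> redlaw.com),
    or None when the domain is trusted itself or not close to any trusted one."""
    if domain in trusted:
        return None
    best = max(trusted, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None

def score_message(msg):
    """msg: dict with from, subject, body and optional reply_to.
    Returns the indicators found, a score, and whether the request should be
    confirmed out of band (a call to a known number, never a reply to the mail)."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits = []
    dom = sender_domain(msg["from"])
    imitated = lookalike_of(dom)
    if imitated:
        hits.append(f"lookalike domain {dom} (imitates {imitated})")
    elif dom not in TRUSTED_DOMAINS:
        hits.append(f"untrusted domain {dom}")
    if msg.get("reply_to") and sender_domain(msg["reply_to"]) != dom:
        hits.append("reply-to domain differs from sender")
    for label, phrases in (("urgency", URGENCY), ("secrecy", SECRECY),
                           ("payment-change", PAYMENT_CHANGE), ("approval-bypass", APPROVAL_BYPASS)):
        if any(p in text for p in phrases):
            hits.append(label)
    if re.search(r"\$\s?\d[\d,]*", text):
        hits.append("dollar amount requested")
    # A lookalike domain or new payment instructions alone justify a call-back;
    # social-pressure cues add to the score.
    weights = {"payment-change": 3, "secrecy": 2, "approval-bypass": 2,
               "reply-to domain differs from sender": 2}
    score = sum(4 if h.startswith("lookalike") else weights.get(h, 1) for h in hits)
    return {"score": score, "indicators": hits, "verify_out_of_band": score >= 4}

# Constructed samples; the text follows the slide's three messages.
SAMPLES = [
    {"from": "ceo@redllaw.com", "subject": "Need your help - pls keep it quiet",
     "body": "Dave, Can you please wire $56,000 to this company. I'm in a meeting right now, "
             "but you don't need any further approvals. If you have questions, please reply to "
             "this email. Your prompt attention to this is critical. Thanks, CEO"},
    {"from": "billing@vendorr.com", "subject": "Invoice - New Process",
     "body": "Please find attached our latest invoice for the past billing period. Also note that "
             "we are implementing a new payment process. Instead of how you have previously made "
             "payments, please wire the funds directly to our account. Here are the wire "
             "instructions: Routing number: xxxxxxxxxx Account number: xxxxxxxxxx"},
    {"from": "ceo@redlaw.com", "reply_to": "ceo.redlaw@webmail.example",   # constructed reply-to
     "subject": "Confidential - Attorney will call",
     "body": "Dear Dave, I would like to bring you in on something very important, but highly "
             "confidential. I would appreciate your timely support as well as your discretion, as we "
             "are not ready to tell the whole company about this. He will provide payment "
             "instructions for you."},
    {"from": "alice@redlaw.com", "subject": "Lunch", "body": "See you at noon."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], score_message(m))
```

The third sample scores high with no lookalike domain at all, which is the hacked-mailbox case: the sender is genuine, so domain checks pass and only the content and the reply-to mismatch give it away. That is why the deck pushes for non-email confirmation rather than better mail filtering alone.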
Spoofed Vendor Payments Seen in ACH
The same "Invoice – New Process" vendor email shown above is now used to redirect ACH payments, not only wires.
Traditional: Wire
New: ACH

Same Day ACH – Good Target For Criminals
• Prey on urgency/immediacy
• Hard to detect amidst larger ACH volumes
• Same Day ACH likely to replace some wire volume
(Diagram: ODFI ACH files – morning same day submission, afternoon same day submission, standard submission; same day settlement)

BEC Victim Trends
• Variety of business types under attack: title companies, consulting firms, IT providers, legal services, transportation, food service, banks!
• Tend to have higher transactional volumes
• Businesses victimized multiple times: multiple payments as part of one scheme; "vendor" asking for multiple invoices; multiple "vendors" (one business hit 7 times)

BEC Transaction Trends
• Amounts: consistent with normal company amounts; largest – $5MM; average – $250K; escalating amounts (Case 1: $3K, $19K, $30K, $50K; Case 2: $8K to $80K)
• Beneficiary FI and location: mix of international and domestic; US – small CUs to largest banks; international – mostly Asia or Eastern Europe
• Beneficiary: individual – 1/3; businesses – 2/3 (trading and export, products, logistics, services, catering)

Global Distribution of Wire Destinations
Attempted wires – volume of transactions by destination country:
Country          % of incidents
US               51.72%
China            12.64%
Hungary           8.05%
Malaysia          5.75%
Thailand          4.60%
Hong Kong         3.45%
Nigeria           3.45%
Bulgaria          1.15%
UK                1.15%
UAE               1.15%
Seychelles        1.15%
Ukraine           1.15%
Taiwan            1.15%
United Kingdom    1.15%
AU                1.15%
Poland            1.15%

Domestic Distribution of Wire Destinations
Attempted wires – volume of transactions by destination state:
State   % of incidents
FL      18.75%
NY       9.38%
IN       9.38%
CA       9.38%
TX       9.38%
NC       6.25%
AZ       6.25%
GA       6.25%
MI       6.25%
SC       3.13%
WI       3.13%
MS       3.13%
ID       3.13%
CT       3.13%
OH       3.13%

Impact of BEC Fraud On Financial Institutions
Increase in bank cost:
• Increased alerts to try to detect
• Increased callbacks
• Increased volume & cost of recovery
• Cost of education
Poor customer experience:
• Degradation in trust/experience
• Reputation risk
Better fraud prevention can reduce the negative impact.

Why Detecting BEC is Hard
Flow: spoofed CEO email or spoofed supplier email → legitimate user (CFO or controller) → online / fax / branch → criminal beneficiary or mule
• Criminals do their homework on their targets and prey on urgency, sense of duty and importance
• The legitimate user logs into online banking or requests the wire (legacy ATO detection methods don't work)
• BEC amounts are within the typical range of client wires
• New beneficiaries are common (40% of wires go to new beneficiaries)
• BEC beneficiary FIs vary (domestic, international, banks, credit unions)

Typical Fraud Detection Not Working
• Rule "over $100K AND international AND new recipient": low detection rates, low alert volumes – trusts too much
• Rule "over $100K OR international OR new recipient": high detection rates, high alert volumes – trusts too little
Know when to trust, and know when NOT to trust.

Knowing When To Trust, When to Raise Risk
• Learn each individual originator's behavior over time to determine risk
• Learn the new recipient ratio and typical beneficiary patterns (i.e. keeps false positives for title companies down)
• Look to see if we can raise or lower trust of a beneficiary: if multiple wires to the same "bene" are spread out, trust can be raised; if many come in rapid succession, the beneficiary is less trustworthy
• Use what we've learned from other fraud: mule match in mule db?

100+ Wire Attributes Analyzed
Addenda, AddendaLength, AddendaInformation, Amount, AmountCurrencyCode, BBI, BeneAddress1, BeneAddress2, BeneAddress3, BeneCountryCode, BeneFIAddress1, BeneFIAddress2, BeneFIAddress3, BeneficiaryAdviceInfoAdditionalInfo, BeneficiaryAdviceInfoAdviceCode, BeneficiaryFIAdviceInfoAdditionalInfo, BeneficiaryFIAdviceInfoAdviceCode, BeneFICountryCode, BeneFIID, BeneFIIDCode, BeneFIName, BeneFIStateProvince, BeneIDCode, BeneIdentifier, BeneName, BeneReference, BeneStateProvince, BusinessFunctionCode, DestinationType, Direction, DisplayFields, DrawdownCreditAccount, DrawdownDebitAccount, DrawdownDebitAccountAdviceInfoAdditionalInfo, DrawdownDebitAccountAdviceInfoAdviceCode, ExchangeRate, IMADInputCycleDate, IMADInputSequenceNumber, IMADInputSource, ImmutableCompanyID, ImmutableUserID, InstructedAmount, InstructedCurrencyCode, InstructingFIAddress1, InstructingFIAddress2, InstructingFIAddress3, InstructingFICountryCode, InstructingFIID, InstructingFIIDCode, InstructingFIName, InstructingFIStateProvince, IntermediateFIAddress1, IntermediateFIAddress2, IntermediateFIAddress3, IntermediateFIAdviceInfoAdditionalInfo, IntermediateFIAdviceInfoAdviceCode, IntermediateFICountryCode, IntermediateFIID, IntermediateFIIDCode, IntermediateFIName, IntermediateFIStateProvince, OBI, OMADOutputCycleDate, OMADOutputDate, OMADOutputDestinationID, OMADOutputSequenceNumber, OMADOutputTime, OrigAddress1, OrigAddress2, OrigAddress3, OrigCountryCode, OrigFIAddress1, OrigFIAddress2, OrigFIAddress3, OrigFICountryCode, OrigFIID, OrigFIIDCode, OrigFIName, OrigFIStateProvince, OrigIDCode, OrigName, OrigStateProvince, PaymentNotificationContactFaxNumber, PaymentNotificationContactMobileNumber, PaymentNotificationContactName, PaymentNotificationContactNotificationElectronicAddress, PaymentNotificationContactPhoneNumber, PaymentNotificationEndToEndIdentification, PaymentNotificationIndicator, ReceiverFIName, ReceiverFIAddress1, ReceiverFIAddress2, ReceiverFIAddress3, ReceiverFICountryCode, ReceiverFIIDCode, ReceiverFIID, ReceiverFIStateProvince, Recurrence, RepeatRequest, RequestID, SenderFI, SenderFIAddress1, SenderFIAddress2, SenderFIAddress3, SenderFICountryCode, SenderFIIDCode, SenderFIID, SenderFIName, SenderFIStateProvince, SenderReference, SettlementMethod, Source, Status, Type_Subtype, SubType, TemplateName, TransferDate, Type, WireID

Guardian Analytics Wire Finds Unusual Wires
Wire Behavioral Analytics: self learning; no rules to write; not threat specific; adapts to new threats; automatic updates to analytics; 100+ attributes from the wire system.
Originator Model:
• Would the beneficiary be expected? (new beneficiary ratio, beneficiary and FI location/region)
• Are the originator's wire actions normal? (timing, velocity, type, accounts, direction, use of instructions, content of instructions)
• Are the wires typical? (type, amount)
Beneficiary Model (cross-institution risk data – network effect):
• Is this a high or low risk beneficiary? (beneficiary history with other originators, name/account number match, suspected mule)

Real-time Risk Scoring and Intervention
1. Initiate wire through any channel: mobile, branch, contact center, online, file upload.
2. The wire comes in to the wire system; its payment fields are immediately sent to FraudMAP for analysis.
3. Guardian Analytics Wire analyzes 30+ fields and nearly 75 attributes from PAYPlus.
4. The risk score and hold/release instructions are returned immediately to the wire system (e.g. score 9.2 → hold; score 2.2 → release).
5. Released wires are sent to the Fed; held wires go to review alerts, then release/cancel.

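Added example, not Guardian Analytics code: a toy version of the contrast the slides draw between the static AND/OR rules and per-originator behavioral scoring (new-recipient ratio, amount against the originator's own history, velocity, OBI use, beneficiary trust learned from other originators, mule-list match), ending in the hold / review / release decision the real-time scoring slide describes. All histories, wires, weights, the mule list and the thresholds are constructed; the 9.2 and 2.2 figures on the slide only inspire the hold/release split. It goes a step beyond the slides by scoring the same wire with and without the cross-institution beneficiary data.

```python
# Added example (not Guardian Analytics code): static rules vs. per-originator
# behavioral scoring for outbound wires. All data, weights and thresholds are
# constructed assumptions for illustration.
from statistics import median

HOLD_AT, RELEASE_BELOW = 7.0, 3.0   # assumed decision thresholds on a 0-10 score
MULE_DB = {"bene-mule-01"}          # constructed "mule db" ("mule match in mule db?")

def is_new(w, hist):
    """True when this originator has never wired to this beneficiary before."""
    return w["bene"] not in {h["bene"] for h in hist}

def rule_and(w, hist):
    """'Over $100K AND international AND new recipient': trusts too much."""
    return w["amount"] > 100_000 and w["intl"] and is_new(w, hist)

def rule_or(w, hist):
    """'Over $100K OR international OR new recipient': trusts too little."""
    return w["amount"] > 100_000 or w["intl"] or is_new(w, hist)

def originator_profile(hist):
    """What is normal for this originator, learned from its own wire history."""
    seen, new_count = set(), 0
    for h in hist:
        if h["bene"] not in seen:
            new_count += 1
            seen.add(h["bene"])
    days = [h["day"] for h in hist]
    gaps = [b - a for a, b in zip(days, days[1:])]
    return {
        "new_ratio": new_count / len(hist),           # share of wires to a never-seen beneficiary
        "max_amount": max(h["amount"] for h in hist),
        "countries": {h["country"] for h in hist},
        "obi_rate": sum(1 for h in hist if h["obi"]) / len(hist),
        "typical_gap": median(gaps) if gaps else 0,
        "last_day": days[-1],
    }

def beneficiary_trust(bene, network):
    """Cross-institution view of a beneficiary. network maps a beneficiary to
    (originator, day) pairs seen elsewhere. Wires from several originators spread
    over time raise trust; a burst within a few days lowers it."""
    wires = network.get(bene, [])
    if len(wires) < 2:
        return 0.0
    days = sorted(d for _, d in wires)
    if days[-1] - days[0] < 7 and len(wires) >= 3:
        return -1.0                                   # rapid succession: less trustworthy
    return min(2.0, 0.5 * len({o for o, _ in wires}))

def score_wire(w, hist, network):
    p = originator_profile(hist)
    s, reasons = 0.0, []
    if w["bene"] in MULE_DB:
        s += 7; reasons.append("beneficiary matches mule db")
    if is_new(w, hist):
        pts = 3 * (1 - p["new_ratio"])                # a new bene is routine for some originators
        if pts > 0:
            s += pts; reasons.append(f"new beneficiary (+{pts:.1f}; new-recipient ratio {p['new_ratio']:.2f})")
    if w["amount"] > p["max_amount"]:
        pts = min(4.0, w["amount"] / p["max_amount"] - 1)
        s += pts; reasons.append(f"amount above originator maximum (+{pts:.1f})")
    if w["country"] not in p["countries"]:
        s += 3; reasons.append("destination country never used by originator")
    if p["typical_gap"] and w["day"] - p["last_day"] > 4 * p["typical_gap"]:
        s += 1; reasons.append("first wire after an unusually long gap")
    if w["obi"] and p["obi_rate"] < 0.2:
        s += 1; reasons.append("infrequent use of OBI")
    trust = beneficiary_trust(w["bene"], network)
    if trust:
        s -= trust; reasons.append(f"beneficiary trust from other originators ({trust:+.1f})")
    s = max(0.0, min(10.0, s))
    decision = "hold" if s >= HOLD_AT else ("release" if s < RELEASE_BELOW else "review")
    return {"score": round(s, 1), "decision": decision, "reasons": reasons}

def compare(w, hist, network):
    """Side by side: what the two static rules say and what the behavioral score says."""
    return {"rule_and": rule_and(w, hist), "rule_or": rule_or(w, hist), **score_wire(w, hist, network)}

# Constructed histories and wires (not real bank data). Days are day numbers.
TITLECO = [{"bene": f"t-{i}", "amount": a, "country": "US", "day": d, "obi": i % 2 == 0}
           for i, (a, d) in enumerate([(80_000, 1), (150_000, 2), (95_000, 3), (300_000, 4), (120_000, 5),
                                       (60_000, 6), (210_000, 7), (175_000, 8), (90_000, 9), (130_000, 10)])]
ITSERV = [{"bene": b, "amount": a, "country": "US", "day": d, "obi": False}
          for b, a, d in [("it-1", 1_200, 10), ("it-2", 900, 40), ("it-1", 3_500, 70),
                          ("it-3", 2_000, 100), ("it-2", 1_100, 130), ("it-1", 4_000, 160)]]
NETWORK = {"shared-bene": [("OrigA", 100), ("OrigB", 120), ("OrigC", 140), ("OrigD", 160)]}

WIRE_TITLE_NORMAL = {"bene": "t-new", "amount": 125_000, "country": "US", "day": 11, "obi": True, "intl": False}
WIRE_IT_SUSPECT = {"bene": "x-individual", "amount": 39_000, "country": "US", "day": 290, "obi": "PAY INV 4471", "intl": False}
WIRE_TITLE_INTL = {"bene": "cn-business", "amount": 2_871_000, "country": "CN", "day": 11, "obi": True, "intl": True}
WIRE_IT_SHARED = {"bene": "shared-bene", "amount": 12_000, "country": "US", "day": 190, "obi": False, "intl": False}

if __name__ == "__main__":
    for label, w, hist in [("title co, routine new bene", WIRE_TITLE_NORMAL, TITLECO),
                           ("IT services, $39K to new individual", WIRE_IT_SUSPECT, ITSERV),
                           ("title co, $2.87M to China", WIRE_TITLE_INTL, TITLECO),
                           ("IT services, bene trusted elsewhere", WIRE_IT_SHARED, ITSERV)]:
        print(label, compare(w, hist, NETWORK))
```

The title company's $125K wire to a new beneficiary trips the OR rule and releases under the behavioral score, because a new beneficiary is its normal pattern; the IT services company's $39K wire to a new individual after a four-month silence passes the AND rule and is held, because everything about it departs from that originator's own history. The last case shows the network effect: the same wire is a review without cross-institution beneficiary data and a release with it.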
Guardian Analytics Wire Successfully Detects BEC
Examples of documented BEC attacks: fraud attacks over a series of recent weeks at a bank in TX (Attack 5 consisted of four separate wires).
• Beneficiary FI: Attack 1 – AZ-based CU; Attack 2 – large national bank; Attack 3 – large national bank; Attack 4 – large international bank; Attack 5 – Chinese bank
• Beneficiary location (as listed on the slide): AZ (originator previously sent wires to many different states, and other countries); NY (originator previously sent wires to TX, WI); Hong Kong (originator had done US and UK wires in the past); China (originator's history of US wires only)
• Beneficiary: Attack 1 – individual; Attack 2 – individual; Attack 3 – individual; Attack 4 – business; Attack 5 – business
• Originator velocity: first wire in almost four months (one of the attacks)
• OBI frequency: new or infrequent use of OBI
• Originator amount: Attack 1 – $39K; Attack 2 – $20K (most wires $0-$1000); Attack 3 – $73K; Attack 4 – $125K; Attack 5 – $2,871,000, $4,950,000, $4,850,000, $4,969,000
• Originator characteristics: Attack 1 – frequent wire sender, IT Services Company; Attack 2 – frequent wire sender, Title Company; Attack 3 – sporadic wire sender, Legal Services; Attack 4 – frequent wire sender, Transportation Services; Attack 5 – frequent wire sender, Title Company
Takeaways:
• No one bank pattern – US/international, large/small, bank/CU
• No one location pattern
• Combination of business and individual beneficiaries
• Mixed use of instructions
• Amount often within range of typical behavior
• Could be single or multiple hits

Accurate Detection, Low Alert Volume
(Screenshot: the combination of specific attributes of this wire was unusual and untrusted, and yielded a red alert. Guardian Analytics provides a complete and consolidated view of account history.)

Accurate Detection, Low Alert Volume
(Screenshot: the combination of specific attributes of this wire was unusual and untrusted, and yielded a red alert. Note that behavioral deviations are expected and do not yield red alerts (top row). Note that the variation in wire amount did not trigger a false positive, as FraudMAP recognized the combined behavior as normal.)

You've Detected It – Now On To the Client…
• Be prepared with details; be prepared to spend time with the business
• Start like a normal verification call; get the customer talking
• Help them to see why you're suspicious
• Explain the scams
• Probe into the situation – ask if they received the request via email, ask for keywords
• Push for non-email based confirmation
• Remind them you're there to help
• Redirect the emotion – focus on the pain of the business losing money

Impact of BEC Fraud On Financial Institutions
Without better fraud prevention → with it:
• Increased alerts to try to detect → reduced alerts
• Increased callbacks → reduced callbacks
• Increased volume & cost of recovery → increased detection, less recovery
• Degradation in trust/experience → increase in trust, enhanced experience
• Reputation risk and cost of education → reduced
Net effect: decrease in costs, increase in trust.

Guardian Analytics Successes with BEC
Bank with ~4,000 wires per day:
• Fraud prevented: $19M in two months
• Efficiency gains: reduced reviews to only wires flagged by FraudMAP, all else automatically processed (50-100 wires/day)
• Client experience: reduced callbacks; reduction in alerts freed time for deeper client discussion of likely BEC attacks
Bank with ~1,500 wires per day:
• Fraud prevented: $500K in six months
• Efficiency gains: previously held all online wires (250/day); FM Wire scores all 1500 wires/day, but holds only 75 from any channel, reducing bank effort by 70%
• Client experience: faster processing; fewer callbacks (1-5/day)

Guardian Analytics Wire Benefits
• Accurate detection with low alert rates
• Reduction in false positives reduces overall workload and creates time for banks to spend with customers
• Better client experience
• Reduction of time spent on paperwork and funds retrieval
• Reduced risk of lawsuits, reputation issues
• Build deep client satisfaction and loyalty

Guardian Analytics Solutions
Solutions to detect fraud across channels and transactions:
• Guardian Risk Engine
• Guardian Enterprise API
• Guardian Visual Analytics

For More Information
• Email [email protected]
• Visit www.GuardianAnalytics.com
• Download BEC Best Practices: www.GuardianAnalytics.com/BEC-FI
• Request a one-on-one briefing
• Sign up for a demo