Fraud Activities During COVID-19 & How to Protect your Organization

November 2020

Kerry O'Hare:

I'd just like to thank everybody who's joined us today for our cybersecurity webinar. Everybody probably knows that October is cybersecurity awareness month, fraud awareness month. And so we like to do this webinar towards the end of October, every year with our clients and prospects at KeyBank. And with our panel of experts, we like to just provide you with some industry trends, what's going on, what we're seeing, what our partners are seeing and what our clients are seeing in terms of fraud and cybersecurity issues. And then also bring you some best practices on what you can do to protect yourself and your company if any of this arises. So, want to thank everybody for joining us.

Kerry O'Hare:

On today's agenda we're going to obviously just discuss COVID-19, I think we can all agree that, COVID coming out in February. And so everybody working from home starting February, March timeframe, certainly not something people expected. And so it has created a bit of a breeding ground for fraud attempts, schemes, fraudsters to come out cybersecurity issues. So we'll talk a little bit about what that environment looks like. And then we'll also talk around how fraudsters have used this time to innovate, if we... Well, I don't want to use that word, but innovate on new and old ways of defrauding companies and individuals as well. And then we'll wrap up with what you can do to protect you and your company. So we've got a great panel today, lots of great expertise. I will pass it off to each of them to introduce themselves and tell us a little bit about what they do. So Robert, how about you?

Robert Gross:

Good afternoon, Kerry. Thank you for the opportunity to participate in today's webinar. I'm very excited to participate on behalf of the FBI today. Again, I'm Rob Gross. I'm a supervisory special agent with the FBI in Buffalo, New York. I have little over 35 years of service with the FBI. I am primarily responsible for complex financial crimes, healthcare fraud, public corruption, and civil rights matters. I hope everyone takes a little bit of value away from today. And with that, I will turn it over to Ryan Olson.

Ryan Olson:

Thanks Rob. I am Ryan Olson. I'm the Vice President of Threat Intelligence for Palo Alto Networks. And I lead a group that we call Unit 42. We created this team about six years ago inside of Palo Alto Networks to look at all the data the company is collecting to better understand adversaries, how they're targeting our customers, what we can do to stop them and to share that information with people who can use it. I've been tracking cyber crime and espionage for the better part of 15 years now. And I have the opportunity here at Palo Alto Networks to do that in a way that gets a lot of good data into other people's hands. I'll hand it over to Nick.

Nick Biasini:

Thanks, Ryan. My name is Nick Biasini. I'm a threat researcher with Cisco Talos. Like Ryan was just mentioning, Cisco Talos is the threat intelligence organization inside of Cisco. Our real goal is trying to identify and stop threats. As far as my experience, I've been working in security for about 15 years now, getting my start in government. But I've spent lots of time in lots of roles. Now I get to do the fun stuff and hunt the bad guys.

Kerry O'Hare:

Awesome. Thanks Nick. And I'm Kerry O'Hare. So I'm an employee here at KeyBank. I head up our payment commercialization team within enterprise payments. So I think most of the clients on this call are likely an enterprise payments client. And we just see in general, lots of fraud and cybersecurity issues as it relates to payments and payments processes. So, all right, guys, thanks.

Kerry O'Hare:

So let's start off with the next slide, let's go to, just reviewing just the past six, seven, eight months for us now, obviously unprecedented, something nobody was expecting likely and just the rapidity around how quickly things changed. I think just the environment that we have been in, just thinking around the increased need for certain goods and services, creating a lower consumer diligence and procurement. We've got vulnerable customers out there, particularly exposed. Is there a push to new payment methods? You got the PPP program, which we've all heard about that's creating all kinds of fraud opportunities.

Kerry O'Hare:

And then just the changing workplace structure. I think we've all probably felt that in one way, shape or form, on this call, just everybody moving from office to home in such a fast-paced fashion. I think a lot of people's infrastructures probably weren't set up for everybody in their company working from home. Some were, some weren't, so a lot of flexing in terms of creating a new environment for people to work from home. And then obviously just managing the threats and the fraud schemes that come in through that way. So let's start with Ryan, based on what we've seen over the last six, seven, eight months, what have you seen just in terms of the environment that COVID brought in?

Ryan Olson:

So in February and March, when my team was first talking about, what's the impact of the coronavirus going to be for cybersecurity? At the time I think I wrote down, "The virus can't infect computers, the impact is going to be in response to what we do in response to the virus." So anything that we do an attacker may be able to take advantage of, to try to invade our computers. The way that we change our own behavior, they monitor that, they want to take advantage of that. And the first thing that we saw was taking advantage of our attention. When we think about phishing attacks, most of the time an attacker's sending an e-mail, they're trying to get your attention so that you actually read an e-mail and click on a link and open it up.

Ryan Olson:

So in the beginning of the pandemic, what we saw was a lot of attacks trying to capture that attention simply by saying they contain news related to the pandemic. At the time, there was very little reliable information. Everyone was seeking out something that they could use to protect themselves. And when you don't have a lot of trustworthy information, you're really open to clicking on new links, going to new sources. You may have never heard of a website in the past, but you never had a reason to look up how many people are infected with coronavirus in your state in the past. So when you're searching for those keywords, you're going to come up with these new things. We saw hundreds of thousands of domains registered with keywords like COVID and Corona and pandemic and virus on them, that we hadn't seen before. And many of them were being used to distribute malware or in other ways to conduct fraud.

Ryan Olson:

And that evolved over the course of the last few months. It started with just information, we saw apps that were trying to trick people into installing them, to track the virus. Later it turned into, how do I get masks and hand sanitizer? Later it turned to, "Hey, your Zoom meeting has started," because as we changed our behavior, the cyber criminals looked at how that behavior changed and said, "I can take advantage of this latest change." And it's interesting because this is the first time in my memory that everyone on earth is interested in the same topic at once. That's not normal. Normally, phishers have to do a lot more work and find out what's going to be interesting to that person, "How do I get their attention in particular?" And they didn't have to do it this time and it continues on.

Kerry O'Hare:

Oh yeah. You don't even think about just the change in behaviors like you said, just searching COVID and the virus and stuff like that. I can tell you, I even saw a ton of new websites that popped up that I'm sure didn't exist prior to, that you don't even think about who's behind them necessarily. Nick, what about you at Cisco? What kind of did you see through this time?

Nick Biasini:

We saw much of the same stuff that Ryan is talking about. One of the big things that Ryan mentioned is this is one of those rare opportunities where basically everyone was thinking about the same topics. But what's been interesting is how that's continued to evolve. It hasn't just been COVID, you mentioned the PPP program, there's various other stimulus stuff has been attacked in the United States. We've seen stuff around racial issues and all the other things that are going on in society. This is one of those rare opportunities where you have a very large amount of disparate topics that adversaries can address, and a large amount of users are going to be interested in it. And what we've really seen is just everyone to move to that space. Once this hit, we saw basically every major group out there use COVID or one of these lures in their attacks in some shape or form.

Kerry O'Hare:

Wow. And then Robert, on your end, so knowing that all of this is happening, I'm sure you guys stayed very busy with phone calls, but did you see obviously a pickup in them, in terms of people reaching out and letting you know that they are having these problems there? So did you see anything major in terms of companies, falling for some of this stuff and just the amount of money and the amount of energy and resources that go into basically fixing what got broken or anything like that, by clicking on some of these links?

Robert Gross:

Well, as a direct result of working from home and people being sheltered in place for so long, one thing we have definitely seen is an uptick in these romance schemes, and typically that's going to be your elderly widow or widower, but not always. Occasionally we find where the victim is a 30-something professional, divorced, lonely, or both. The common denominator, however, is that they have so much more time on their hands now, spending so much more time on social media and putting their entire life out there for the subjects that prey on individuals like that.

Robert Gross:

And what we would expect to see in the future also, is again as a result of people being sheltered in place, more time at home, is embezzlements for a lot of companies related to gambling. An individual would spend a little bit of time at a casino. They didn't have that opportunity. Now they're sheltered home, the opportunity to gamble online could present a real problem. Another thing we expect to see is an increase in bankruptcy fraud, especially if you have an individual that is already suffering some degree of financial distress, and now the pandemic hits, and they're furloughed, laid off, maybe they've lost their job. Sure they get unemployment. They got the federal bumping on unemployment, but if they're living paycheck to paycheck and at some point they can no longer make ends meet and they file for bankruptcy, they're going to have their 341 meeting with the creditors.

Robert Gross:

And at that point, the potential is there for them to hide, transfer assets and now bankruptcy fraud has been committed. One thing on that slide, if you would look at point number three, one thing we have not yet seen at least when that slide was put together, but just as of yesterday, we do now have an allegation of either an employee or a contractor has obtained multiple PPP loans and about a half a dozen EIDL loans, which if you don't know, those are the economic injury disaster loans also available through the Small Business Administration, all obtained using his employer's six or seven companies.

Kerry O'Hare:

Oh, wow. And then I know just while PPP was a hot topic. Gosh, what was it back in? July or August I believe, maybe it was June, just going through that whole process, it seemed like there was also an uptick in just fraud related issues in terms of the different companies that were actually applying for the PPP loans, whether they should have, or should not have. Did you see that as well? And then also has that gone down, obviously? I don't think there's been a second wave of money infused into the market through the government like that, but are you seeing that as well?

Robert Gross:

We think we've honestly just seen the tip of the iceberg. And here in Buffalo, we have a handful of these PPP frauds already. And honestly there was a little over five million of these loans that were funded. The government I have to believe, at some point is going to legislate another round of stimulus. And we would fully expect that we're not going to see a let up in the PPP fraud.

Kerry O'Hare:

Yeah. Okay. And then let me ask you, I know, just from our own perspective here in payments, we saw a lot of this where, you'd have these companies that popped up that said, "Oh yeah, we can absolutely create, develop, produce, 700 ventilators for you." And this happened to quite a bit just in our public sector space with state but elsewhere as well. You think about just some of the PPE materials, masks and stuff like that, that companies were trying to obtain for their employees. Just the massive scale around it and just the amount of money that could be handed over to a fraudulent company. Have you seen that decrease a little bit now that we feel like there's probably a little bit more attention to verifying who the main vendors are, understanding where they're coming from? Do you feel like that's gone down a little bit or is obviously something that people still need to keep in the back of their head? Going through the vendor list and making sure they're doing their due diligence around who these vendors are?

Robert Gross:

You should always conduct the due diligence to the best of your abilities. It has definitely decreased. Early on in March, April, even into May, hoarding, price gouging was a problem, not as much here in Buffalo as it was in other parts of the country. But you should certainly always conduct as much due diligence as you possibly can to know that vendor you're dealing with. Hopefully you have some history with them, if you're brand new in your dealings with that vendor, I would really be careful.

Kerry O'Hare:

Yeah. So there's a couple of questions that have come in so I wanted to address them as we're going through. We've got one client who has struggled with fraud, wire fraud schemes, and we hear about this a lot, just being a bank and offering wire services. So Robert, maybe from your perspective, what can our clients and prospects think about as it relates to wire fraud protection?

Robert Gross:

I don't know exactly what kind of fraud they've experienced, but simply, if you think you've been defrauded in some fashion, I would suggest you contact your local FBI field office immediately to report it. And if it is significant enough, you will get a call back for follow up. If it is enough money, we certainly can't work everything that we encounter. But if it is enough money, if it meets the threshold and the United States Attorney's Office agrees, we would certainly consider opening an investigation.

Kerry O'Hare:

Sure. Yeah. And I would say from the payment side, obviously wire fraud, we see fairly often, we hear about it from our clients. I think one of the big things is just the due diligence around understanding who the vendors are. We see instances where a client will get an e-mail telling them that they need to change their routing number or any kind of that identifying information. And just without thinking, you'll have an employee that goes in and does that, and then all of a sudden you wired money to somebody that is not actually your vendor.

Kerry O'Hare:

So again, it's really around due diligence, understanding who the vendors are, but then also making sure there's dual authorizations, making sure that you're just checking up on if you get an e-mail like that, making sure you're following all the right protocols that hopefully have been put in place through the company to understand if this is actually real or not. So we see that quite a bit. And I think it's just making sure you take that extra step to verify and also work with your employees to make sure that they can identify those types of schemes that come through.

Robert Gross:

We recently had a small company here just outside of the city of Buffalo. They got an e-mail purportedly from an employee, asking the payroll administrator to change their direct deposit to a bank in California. That should have been the first red flag that went up, why would an employee that lives in the area all of a sudden change from their local bank to a bank in California? Also, they could have simply called that employee to verify it. Well, the payroll administrator proceeded to make the change and two pay periods went by before the employee complained. And they found out that in fact it was an unauthorized change and it was a business e-mail compromise. Thankfully it was, I'm going to say only $8,500. That is a case that the United States Attorney's Office would never take a case federally for that much. But just to show that a simple control of calling the employee to confirm this is what they actually wanted to do, could have prevented that.

Kerry O'Hare:

Got you. Yeah. There's a few questions around PPP and EIDL, so is there a way for a company to monitor if a PPP or EIDL loan is applied for in their name? And then there's also a question around, "We've received notification that an SBA EIDL loan was fraudulently taken out in our company's name." And so what are the potential consequences to the owner and what actions should be taken? So they've notified SBA, the accountant, their bank but should they notify the IRS, social security, any other entities associated with the single owner LLC?

Robert Gross:

Should notify all of the above in addition to their local FBI field office, because I've talked about thresholds in the United States Attorney's Office, one thing that they, at least in the Western District of New York, they have not drawn a hard line on, is anything related to the stimulus fraud or the stimulus programs and fraud. So report it to the FBI field office. They should present that to the United States Attorney's Office. And I would think that an investigation will be opened and if some of that money was at some success here, and the people that have obtained these loans fraudulently, some of it is still sitting in a bank account, investment account somewhere where we can get our hands on and get a seizure warrant to freeze it. But they should definitely report it to all of the above that you mentioned.

Kerry O'Hare:

Okay, great. And then another question around DocuSign, "So, we've been getting DocuSign e-mails recently from unknown sources. We don't open them, but is this a new trend and what's in those attachments?" So I'll say from KeyBank's perspective just having everybody move home versus in the office, we have started using DocuSign as well. And so I know from my own personal perspective, I will get e-mails with DocuSign, e-mails and I have no idea where they're coming from or who they are, or anything. So of course I don't click, but I would imagine that this is something you guys have seen as well, just based on just the different infrastructure that changed so quickly with work from home.

Ryan Olson:

Yeah. I would put this in the same bucket as trying to get people's attention based off their change in behavior. We've seen DocuSign themed e-mails distributing TrickBot, which is a piece of malware that often installs other ransomware, some of the bigger botnets out there. DocuSign in particular, you want to click a link when you see that, and if it's really relevant to you and your job, involves signing a lot of documents or managing a lot of documents, it's a really effective lure of getting people to go and engage on it. So that's another one where it is critical to be suspicious of things that look just a little bit off or coming from places that you wouldn't expect them.

Kerry O'Hare:

Yeah.

Nick Biasini:

Yeah. DocuSign is not the only example of that. There are lots of other services that are abused in the same way. So any of these types of mechanisms that are available that you have to use often, adversaries are going to try and take advantage of. So again, be skeptical, make sure you're expecting before you start clicking links and opening documents and things like that.

Kerry O'Hare:

Perfect. Good. All right. Let's move to some of the innovations in fraud and cybersecurity attacks. I think from what I've heard, you've got your tried and true, different types. You've got ransomware, malware, phishing, you think about business e-mail compromise. It's like since the dawn of the internet, these types of attacks have been happening, but obviously our change in behavior, everybody's change in behavior, change of workplace has basically opened up the world to that a little bit, in terms of being able to innovate on these tried and true schemes. So Nick, what do you think fraudsters innovate on in terms of these same old schemes? Basically the foundation is the same, but they've just adjusted a few things.

Nick Biasini:

So one of the biggest things that we've noticed has been the evolution around ransomware. So ransomware has been around for years now, but originally was more targeted at individuals where it would just randomly appear in inboxes and be spread that way. What we've started to see more and more of is more organized crime going into ransomware and delivering more of a targeted ransomware attack, something that is very, very specific to the enterprise. They are now becoming more aware that, not all compromise is created equal. So if you compromise a system that is someone's gaming laptop at their house, it is not at all the same as compromising the CTO of a Fortune 50 company.

Nick Biasini:

And what you're starting to see is they are increasingly aware of that fact and leveraging it to inflict a devastating amount of damage on enterprises. And additionally, they are also beginning to add a second level of extortion. They're not just extorting your data from you by encrypting it, they're actually taking that data off of your network, leading to a large data breach, and then ransoming you to prevent that data from being exposed publicly. It's a very, very dangerous time right now, especially for enterprises, as these groups are unfortunately making millions and millions of dollars right now doing this.

Kerry O'Hare:

[crosstalk 00:24:57]. Oh yeah, go ahead.

Ryan Olson:

I just wanted to add onto what Nick said there. That extortion component that's been added to these ransomware attacks has been obviously really effective. And there was an example just earlier this month of a Finnish psychiatric hospital that had been compromised and a bunch of patient records had been held for ransom. They had requested from the hospital 40 Bitcoin, which is somewhere on the order of half a million dollars right now and the hospital didn't pay up. So based off of that rejection, they started going to every individual patient whose records they had stolen and asking them to pay off or they were going to leak their confidential psychiatric records, which just shows you the level of, just completely corrupt innovation, is the only way I can describe it, continuing to push the ball forward and make money based off that compromise.

Kerry O'Hare:

Yeah. I read an article today and it was on CNN about the hospitals that are getting hit with a ransomware. I believe one of them said something about the RobbinHood ransomware. Does that sound familiar to you guys?

Nick Biasini:

Yeah, that's one of the ransomware variants at... Honestly, at this point, there are so many cartels and variants of ransomware doing this. It is extremely difficult to keep track. There's new ones every single day that keep popping up, unfortunately.

Kerry O'Hare:

Yeah. Okay.

Ryan Olson:

And massive ransoms as well. I think we saw one last week where the request was $14 million, the demand was $14 million to return the files and not leak them.

Kerry O'Hare:

Oh, wow, 14 million. And then what about malware, a little definition here for people that maybe don't understand the difference between malware and ransomware? And then can you guys go into a little bit of depth around the malware piece?

Nick Biasini:

Yeah. So malware is kind of a generic term for malicious software. So if you were to look at it, ransomware is a type of malware, but not all malware's ransomware. Malware is a very, very broad category that can include things like ransomware, banking Trojans, stealers, a whole plethora of various types of threats.

Kerry O'Hare:

Okay. And then, what have you guys seen on the phishing end? This one seems like we've been hearing about phishing for decades. So what are they doing now? Assume the goal is obviously to get people to open e-mails. So what new and innovative ways are they thinking about that?

Ryan Olson:

Yeah. I mentioned a couple of examples earlier related to the pandemic, but the most I'd say interesting innovation around phishing that we've seen in the last year is from the group that distributes the malware called Emotet, using a technique referred to as thread hijacking. Because once again, the goal is get somebody to open that e-mail, click on a link or open a file. And the way Emotet is working at the moment is, after it infects one computer, it actually harvests the e-mail account of that user and not just stealing the e-mail addresses of people they contact with, but also the subject information of the thread itself that they were recently replying to.

Ryan Olson:

And then sends an e-mail to those users with that same subject, with a reply at the front of it. So that when it shows up in their inbox, it looks like it's part of that legitimate thread that they had just been conversing in, which is great from the malware author's perspective because they no longer have to think about, "How do I get that person's attention?" They already know this is something that person's actively engaged in and all of the guidance that we've been giving around, "Don't open links from people you don't know who they are. If you're not expecting it, don't click on it." At that point it's become an expected thing. It's a reply with a link or a file that's inside a thread they were already looking at. And that's been really effective. A lot of the attacks that... We'll see a phishing e-mail come in with a piece of malware attached to it. And we think, "Wow, that's really, really specific to that user." But in fact, it's just Emotet harvesting out a very specific subject that was related to that user. And definitely an outstanding innovation there.

Nick Biasini:

Yeah. It's actually been so popular that we're seeing more and more threat groups start to take it on. So there's now, it's not just Emotet anymore. There's a whole plethora of threats that are now doing that same type of behavior.

Kerry O'Hare:

Wow. Okay. So a couple of questions have come in while we've been talking about the ransomware. One is, "What is the success rate of catching these criminals that are doing this?" Robert, do you have any insight into that?

Robert Gross:

No, I don't have numbers on that because that would be worked out of the cyber program. My sense is that they're not overly successful because that money moves pretty quickly overseas to places where even if it's a friendly country, which is not going to be most times, we are going to lose the ability to... We may figure it out on this end what happened, but actually being able to recover any money is going to be extremely difficult. Or someone responsible for it, because they're probably also in that hostile country.

Kerry O'Hare:

Right. And then I'm going to... Oh yeah, go ahead.

Nick Biasini:

I was going to say, just to put a fine point on that. There have been other groups that have done this in the past. One of the earliest ones was SamSam, and they actually did have a federal indictment come down for them a couple of years ago, but they obviously aren't located in the United States. So I don't know what actually came of it, but they are at least looking at this as a potential avenue for prosecution.

Kerry O'Hare:

Okay, great. And then I am going to assume I know the answer to this, but I'd like to hear it from you guys. Is there a particular size or a type of company that is more or less vulnerable to these ransom attacks? And is there a particular industry that is more vulnerable than others? It sounds like it's just any company and any industry, that they don't discriminate.

Nick Biasini:

Well, these guys are opportunists. They're opportunists, they're going to take advantage of whatever weakness is available to them. We've seen them hit all different types and sizes and verticals of companies. There hasn't really been much of a trend other than the recent reporting around healthcare, but that's not necessarily the only group that's being hit right now.

Ryan Olson:

And they definitely move as they need to. They change tactics as necessary. That innovation around extortion, in the past, if I were to go talk to a big company, a Fortune 500 company about ransomware, they would feel like they had it under control. And the reason for that was, if they had a system that got infected and the files got encrypted, they had backups that they had well-protected, that were offline, that they could go and get them back and restore that system. It was just as though the user had dropped their laptop in a lake. But once you add extortion to that, where the data's now been exfiltrated as well and it's now being potentially sold or potentially just being released, it just opens an entirely new angle for the attacker to take advantage of, and you no longer have that same level of protection. At that point, it all comes back again to prevention from a protection perspective. You need to keep that malware from getting on that box for any amount of time, to be able to successfully say, you're not going to be vulnerable.

Nick Biasini:

And with that data exfiltration comes a lot of breach concerns, especially for financial organizations that may have requirements to report that type of stuff. If your data is being exfiltrated, it becomes a much bigger reporting problem.

Kerry O'Hare:

Got you. And then how effective are the Norton, the Windows Defenders, those security apps and software at catching and stopping these types of threats?

Ryan Olson:

In general, anti-malware solutions can stop some malware, but the bad guys know that everyone is using one of these or another one, and they have a lot of money on the line, millions and millions of dollars. So those solutions do their best, layered defenses are important, especially for an enterprise being allowed to have multiple control points, to not just stop the malware when it came in, but on the box. And then when it's trying to talk to a command and control server, and then when the data may be being exfiltrated, those are all opportunities to stop the attack from being successful. Because relying on a host based anti-virus alone to keep all systems from getting infected is not an effective solution.

Nick Biasini:

And one other thing to point out with these groups specifically is, you may have multiple layers of malware before you ever even get to the end ransomware, or they may be coming out of an Emotet infection or a TrickBot infection, or some other commodity malware, and then multiple other payloads are being delivered and eventually ransomware will show up. So it is a challenging aspect to make sure you detect early in the space, if you can.

Ryan Olson:

And also ransomware as just generally as a business model of holding files for ransom or stealing data and extortion in those cases, isn't just applicable to your laptop or server. It can impact you in the cloud as well. It's any data, any system that they can restrict access to or limit your ability to use, if it has value to you and they can stop you from getting that value, they can hold it for ransom. So it's a broad issue.

Kerry O'Hare:

Yeah. All right. Two more questions. So you just said the cloud Ryan, so hold that thought, I've got a question around the cloud. But one other question is, "So we receive e-mails from people listed in our database, so they appear legitimate." So the question is, will the malware or ransomware be placed on their computer just by opening the e-mail, or does the problem occur when you open a link, click on the link or an attachment included in the e-mail?

Ryan Olson:

Most of the time at this point, it's very unlikely you're going to get an e-mail and directly by viewing the email, it will exploit a vulnerability and take control of your computer. That used to be more possible back in the early 2000s. Typically, now you click the link or you open a file and that's when either exploitation will occur or they ask for credentials or something else.

Kerry O'Hare:

Got you.

Ryan Olson:

Just one note in general, which is helpful for people who are asking this question: if you receive an Office document from somebody and it says, "You can't see the content because you need to enable macros," do not enable macros. Macros are extremely dangerous. Whatever that says to enable that active content, you should be extremely suspicious of it and call that person and ask them why you really need to make a change to your computer to view their document. Because there's probably a better way to get it.

Nick Biasini:

Yeah. That points to the bigger issue. The user is a large part of this now. It's not going to happen in an automated way. You're going to interact and start the process at least at some level.

Kerry O'Hare:

Okay. So back to the cloud Ryan, Nick, Robert. So I know with the move from office to home, I think a lot of companies were moving their information, moving their documentation into the cloud. So we've got a question here around how safe are emails and documentation that are stored in the cloud? "Other than us changing our password often, should we be concerned that criminals hack into these storage spots in the cloud?"

Robert Gross:

Okay. My perspective on this, because the cloud can mean a lot of things, it can be using a software as a service, like Office 365, where you're putting your e-mail out there in the cloud, or it can be running your infrastructure in AWS or in Google's clouds. In any case, as we look at cloud related breaches, 65% or likely more of those breaches are due to misconfiguration. Somebody made a configuration choice, which enabled an attacker to get into their data in some way. Maybe there was a folder in some way or a bucket in a cloud provider, which they left overexposed, or they leaked a key or something else that could have been used.

Robert Gross:

And the fact that it's so heavily due to misconfiguration means that attackers are basically just going for low-hanging fruit. They're finding things that are easy for them to grab onto from cloud providers in one direction or the other. And the solution to that is doing a better job at configuration, making the changes that are necessary, but with such a rapid move to cloud providers due to COVID-19 and people working from home, and people not wanting to go and touch servers so much. I think in a lot of cases, people just wanted to get business back up and running and they weren't necessarily focusing on security first. So once that's done and you're working, it's a really good time to go back and do it right the second time, if you didn't get it done the first time.

Ryan Olson:

Yeah. Going back and auditing what you did and making sure that your infrastructure is as secure as you think it is, is extremely important right now.

Kerry O'Hare:

Yeah. Okay. And then a question around malware and social media accounts. So I know here at KeyBank, actually we are not allowed to access our social media sites unless you're in marketing. And so they put a ban on that and I know other companies do as well, but then there are others that don't. So thinking about those clients whose employees can access Facebook or Instagram or Twitter, are there additional things that they should be looking out for, or is that a right place for malware, ransomware attack?

Nick Biasini:

You're going to see adversaries use every avenue they possibly can. We talk a lot about e-mails and things like that, but you also have SMS campaigns and instant messaging campaigns and campaigns on social media that are all using the same techniques and lures. You're going to see the same things about COVID, about PPP loans, about what's going on. The same idea to try and get users to be lured into clicking and doing things that they shouldn't do.

Ryan Olson:

And I just add to that, if you're looking at it from the perspective of working from home, my guidance to people is, don't do anything on your work computer that you wouldn't do in the office. So you have policies that are set up, your company is probably set up, hopefully you're connecting to a VPN to secure your connection, but there's going to be gaps in some places. If it's not a thing you would normally do on your work computer in the office, don't do that on your computer at home because you're just putting your company at more risk. And if that means social media, or that means other things, shopping, whatever it might be, searching for COVID-19 related news, do it on your personal computer because you're at home already. So that's my general guidance for people around how to keep safe from that perspective.

Kerry O'Hare:

Great. Okay. So let's move on to the next section where we can talk about what people can do to protect themselves in a little bit more depth. Robert, why don't we start with you, just to talk about what you at the FBI encourage people to do to protect themselves from a lot of these attacks?

Robert Gross:

My first bit of advice would be identify any potential single points of failure. It's probably going to be in a smaller to medium sized company. It's going to be the long-term, most trusted employee, add additional control. We've had a case here not too long ago, where again, it was a payroll administrator controller in the company. She simply invented an employee who she paid for several years, not only a salary, but bonuses. And it wasn't until an outside audit was conducted that the company found that she had embezzled about $900,000.

Robert Gross:

So are you sure you don't have any ghost employees? Are you sure that all of your vendors actually exist? We see a lot of various types of invoice schemes, which aren't overly complicated, but generally they go on for a long time before they're detected, because again, it's going to be a long tenured, very trusted employee. And so maybe conduct an audit, if you can make it a surprise audit, make it a surprise for employees, bring in some outsiders. It's going to cost some money, but to be absolutely certain that the employees you're paying, none of them are a ghost employee, all your vendors do actually exist. All human beings are fallible especially in this COVID-19 pandemic we're living in, there's a lot more stress, there's a lot more uncertainty in the world. I would just say, be absolutely sure that when you're paying an employee or a vendor, make sure that they really do exist.

Kerry O'Hare:

Okay. Nick, Ryan, anything from your perspective? I know you're the ones out there hunting and researching these threats, but based on what you guys have seen, is there any advice you can give to our attendees on what they should be doing to protect themselves?

Nick Biasini:

Honestly, auditing is a good idea as well, but a different type of auditing where you audit the changes and things you had to do to either get your business online, get services moved into the cloud. You had a lot of people that took six months of work and had to complete it in a matter of weeks instead. When you have to work on those types of timelines, it's very easy to make an oversight or a small mistake that could expose your company in a major way. So making sure you're going back and auditing all the things that you did, make sure that you understand the changes that you made and that they are the proper changes that you intended to make.

Ryan Olson:

The next point earlier, he mentioned that in a lot of cases and the majority of cases, there's a human being who played a factor in the compromise of that organization. Sometimes it's really easy for us to put all of the responsibility for keeping things secure on our information security department or a CSL, or whoever's the one who is going to get fired if we get breached. But this is everybody's responsibility. A choice that somebody makes around opening a file and getting compromised, which leads to a BTC event for that organization could kill an entire company.

Ryan Olson:

The impact of some of these events can be very serious. And it really is on all of us users who, no matter their level of awareness to at least know that this is a possibility, listen to the instructions and listen to the notifications they're getting here about the events, just so you know they're actually happening and that they're possible. Because that little bit of awareness, all the attackers are smart and they're innovative, can go a long way into stopping somebody from clicking that link right away and say, "Maybe I shouldn't do this right off the bat," because it really does come to all of us to stop things from being successful and all these bad guys making hundreds of millions of dollars.

Nick Biasini:

Yeah, absolutely. I think another thing just around auditing also, is looking at your [inaudible 00:44:52] policies and your procedures and just once a year, twice a year, however often, making sure those are fresh and refreshed based on what the current environment looks like, what's happening more and more. I think those are really important. And then also just the training.

Nick Biasini:

We tell that to our clients all the time, just around making sure your employees are trained on things to watch out for. We take training internally here at Key as well. We do a lot of it around risk and fraud, and it's not just to protect Key, it's also to protect our clients because it's just as much on us if we see something wrong, if we see something happening that we don't think is right to speak up as much as it is for obviously you guys, as clients and companies on your own. Anything else around just what people can do to prevent this from happening? And if not prevent it, then at first sight, what people can do in terms of obviously reporting it, but then also immediately taking care of it and handling it as quickly as possible.

Nick Biasini:

One of the things that doesn't necessarily get enough attention with this is that all humans, everyone is at their wits end and stressed out. When you're dealing with all the stuff that everybody's dealing with all the time, the chance that you're going to make a mistake and click something or open something that you shouldn't is probably going to be increased. If you're getting an e-mail at home while you're worried about COVID and your kids are trying to get help with homeschooling and your dog's barking at you, you may open an attachment that you didn't necessarily intend to. One of the most important things you can do is be honest about it and report it to your security organization as quickly as you can. Everybody makes mistakes, but trying to hide it and not report it when you know you may have done something you shouldn't do is a bad idea. These actors, in a matter of hours can take that small mistake and make it into a million dollar problem. So it's definitely in your best interest. If you do make a mistake, just talk to security, tell them what happened.

Kerry O'Hare:

Yeah, that's a great point. So there's a couple of other questions. Let me address these real quick. One is, how effective is VPN? So I know just from Key's side, we use VPN to get into the network. And it seems like every once in a while there's a new layer added, or it seems like there's a new enhancement made to getting into the VPN. And obviously I recognize it when I see it happen and know that they're just trying to enhance the process a little bit. But one of you guys could talk about that and VPN and how effective it is. That'd be great.

Nick Biasini:

Go ahead Ryan.

Ryan Olson:

Okay. I'll just say there's lots of different kinds of VPNs. They can be implemented in different ways. In some cases, your company is going to route all of your traffic back through their security which is great because it protects that computer from anything that might be coming in from the internet into the computer. In other cases, a company might use it just to allow access to their internal resources, split tunneling, that's the way we refer to it, which leaves you a little bit more open to some danger, because you might infect the computer through that clear tunnel and then have access to the things in the encrypted tunnel. Generally though, for users, don't turn off your VPN.

Ryan Olson:

Oftentimes there is a desire, especially if you're doing video conferencing and you feel like it's standing in your way from good quality or whatever that might be. And you say, "Well, let me just turn this off." Understand that when you do that, if that's something that's an option for you, it might be always on, you are removing that level of protection. So be aware that you don't want to do that on a regular basis, leave it on, it is there to protect that laptop, which you're there to do work on it. So that's what it's for.

Nick Biasini:

And from a company's perspective, they are extremely, extremely important. It is far better for you to use a VPN to allow access to your internal resources than allowing direct access to your internal resources from the open internet. So VPNs are extremely important from a business perspective to keep your internal assets in fact internal.

Kerry O'Hare:

Great. All right. And then I think the last topic is around how to report fraud. So I can talk about it from the KeyBank perspective and then Robert I'd like to hear from you in terms of the law enforcement side of it. So for KeyBank, if you recognize anything that looks off that you feel is fraud, we have a fraud hotline, it's up on the screen, it's 1-800-433-0124. And then we also encourage you just to reach out to your relationship manager and your payment advisor and let them know what you're seeing and what you've found. And then that way, they can speak to all of our internal teams and start to do the research around it. And so if there's anything that we can do on our end, we certainly want to, so we just need to know as soon as possible. And then Robert, from the law enforcement side, I know there's all kinds of resources for people to use. What would you encourage folks to do?

Robert Gross:

Oh, encourage anybody, if you think that you have information regarding any criminal conduct, contact your local FBI field office. Every day, there's a complaint duty agent whose role is to field those phone calls. You may get routed to our national threat operation center. We're going to be connected to someone who would take your information and forward it to the appropriate field office. Don't ever feel like it's not that important. Better to err on the side of caution and report the information you have and ultimately an FBI supervisor is going to receive that information. Let us worry about whether it is sufficient to predicate a federal crime or not. You would never be wasting our time by making that phone call. There's also IC3, which is just a website where you can simply go in and go through a few different pages and report it that way. But any contacting your FBI field office directly would be the most efficient way to get that done.

Kerry O'Hare:

Right. Awesome. So we're at the end of the presentation. Guys, are there any just last minute statements you want to make to our attendees, things to watch out for, just last minute advice?

Robert Gross:

Hey Kerry?

Kerry O'Hare:

Yeah.

Robert Gross:

Rob Gross, in addition to what was said during the presentation I always just like to take a minute whenever I get an opportunity to be in front of an audience. We talked about romance schemes earlier on, if you have an elderly family member, friend of the family and especially if they are alone and if they're active on social media, if they have Facebook, just touch base with them, see what they're putting out there, who are they communicating with? Because generally by the time we receive the information, the money is gone, most of it is offshore, to either Ghana, Nigeria, Ukraine, and in places that once it gets there, our chance for recovering it for any of the victims is almost impossible. So again, just check in with those folks and make sure as best you can that they're not engaged in some kind of a scheme.

Kerry O'Hare:

Yeah. Hey Robert, before you walk away too, I've got a question here around IC3, we were told we could use www.ic3.gov, and we were told the FBI could interrupt a fraudulent transfer over $50,000 if it's less than 72 hours old. Is that true?

Robert Gross:

That is true. That's possible. Yeah. But I would encourage anybody that, if you find yourself in that situation, the best way for you to recover that money is to immediately call your bank and ask for that wire transfer to be reversed. Because that's the first thing we're going to ask you. If you haven't done it, we're going to ask you to do that. So reach out to the bank where the wire originated and see if they can reverse it. Because if it gets to, say it gets to Hong Kong, we may be able to get it, but the way it's set up over there, is you're going to have to hire an attorney in Hong Kong that you're going to have to pay to get your money back that's been frozen in the bank. So your best chance is to engage with the bank where the wire originated and see if they can reverse it for you.

Kerry O'Hare:

Great. All right, Ryan, Nick, any final words from you as well?

Ryan Olson:

I would just add, we've talked a lot about security of companies. It's really important for everyone to think of their personal cybersecurity as well. And if you're thinking about personal cybersecurity, the number one thing for you is thinking about passwords. Password management is absolutely key for everybody, in your company, outside your company, if you're repeatedly using passwords, so the same password on many sites, you are doing it wrong. You should have a better system for that, potentially a password manager. And that's the most important thing I feel like I can share with any other human being when it comes to cybersecurity.

Nick Biasini:

And for me, it's just to drive home that same point about, I know everybody had to make a lot of changes to be able to work from home or support cloud-based applications, make sure you're going back and looking at these big game hunting groups, these ransomware cartels are going to take advantage of those small mistakes you've made. It's much better for you to take the time and find it now, before they do.

Kerry O'Hare:

Yeah. Very good point. Good. All right. Well, thank you guys. I want to thank the panel for taking the time to share this information with all of our attendees. A couple quick sort of cleanup that, there'll be an e-mail that goes out either I think it's tomorrow or Monday and it'll have a link to the replay. And so you guys will be able to replay this if you weren't able to join the whole time or if you want to share it with any of your teammates, employees. Additionally, there were a lot of questions that came in that we just didn't have time to address.

Kerry O'Hare:

So we'll take these questions and we will put our heads together and try to figure out ways that we can maybe put some pieces together that go into a little bit more depth around some of these questions and then we'll reach out via our normal channels through to your RM or through your payment advisor and provide you that information. And then if there's any follow up questions or anything, make sure you don't hesitate to reach out to your payment advisor and your relationship manager or anybody else here at KeyBank. Always willing to answer questions. All right, well thank you for the time today, everybody. I really appreciate it.

Robert Gross:

You're welcome. Thanks for the opportunity.

Kerry O'Hare:

All right.

As the world settles into a new normal, cybercriminals are using different ways to creep into our business operations. Watch the replay of our live webinar with our elite panel of fraud experts.

KeyBanc Capital Markets is a trade name under which corporate and investment banking products and services of KeyCorp® and its subsidiaries, KeyBanc Capital Markets Inc., Member FINRA/SIPC, and KeyBank National Association (“KeyBank N.A.”), are marketed. Securities products and services are offered by KeyBanc Capital Markets Inc. and its licensed securities representatives, who may also be employees of KeyBank N.A. Banking products and services are offered by KeyBank N.A.
