pnc ideas, insights, and solutions fighting cybercrime: what you … · 2015-05-06 · pnc ideas,...

PNC Ideas, Insights, and Solutions

Fighting Cybercrime: What You Need to Know Today

Operator: And now, without any further delay, let’s begin today’s event. I’d like to introduce your moderator for today, and that is Maggie Dudley. Maggie, the floor is now yours.

Maggie Dudley: Good afternoon, everyone, and welcome to our PNC Advisory Series webinar, Fighting Cybercrime: What You Need to Know Today. Thank you for joining us. I’m Maggie Dudley, and I’m a PINACLE Product Consultant for PNC Treasury Management. I will be your moderator today. Before we get started with our presentation, I wanted to highlight PNC’s ongoing commitment to providing market insights, new ideas, and best practices like you’re about to hear. Our commitment is reflected in the types of conversations our bankers are having with companies like yours every day. It’s also reflected in our PNC Ideas Thought Leadership series, which features a monthly e-newsletter, live webinars, and dedicated website at PNC.com/ideas. From brief videos, articles and economic reports, to financial market commentary and webinar replays, we continue to choose topics and formulate our ideas based on the input we get from you. So at the end of today’s session, please provide your feedback. We need to keep focusing on the right information for you and your company. Okay, let’s get started with our event. We’re excited to have Cyberthreat Special Agent Steve Lambo from the Federal Bureau of Investigation and PNC PINACLE Product Group Manager Howard Forman as our speakers today. They will discuss how anyone with access to funds movement services needs to be aware of the latest cyber fraud schemes and how to recognize potentially fraudulent or malicious activity. As I mentioned, today’s webinar will feature two speakers, and then we will conclude with the question-and-answer session. First, I will ask Steve a series of questions related to the current cyberthreat climate. We will touch on such subjects as common threats, real-world examples of cybercrime, and law enforcement actions. Then Howard will address a number of actions you can take to protect yourself and your business.
Feel free to submit questions related to the content of the presentation using the questions widget found in the lower portion of your screen. The questions can be directed to either Steve or Howard. We will address these questions during the Q&A session following Howard’s portion of the presentation. Please note that we cannot answer any questions about your account, specific fraud incidents, or individual experiences on this call. Please direct those types of inquiries to your PNC relationship contact. With that said, let’s go ahead and get started. Steve, thank you so much for joining us today and helping to educate our clients on this important topic. I’m going to ask you several questions about the current cybercrime environment, but first, can you tell us about your FBI division and its area of focus?

April 22, 2015, 2 p.m. ET

Steve Lambo: Thanks, Maggie. Yes, I’m at the FBI’s Pittsburgh field office, which is one of 56 offices here at the FBI. And I’m assigned to a cyber squad. We have two of those in Pittsburgh, and the squad I’m assigned to focuses primarily on criminal computer intrusions, but we also do several national security threats as well.

Maggie Dudley: Cybercrime seems to be so prevalent, but some of our attendees may not be familiar with what cybercrime really is. Can you explain the most common types of cybercrime activity our users should be aware of?

Steve Lambo: Yes. So there are a lot of cyberthreats out there, but a few that we’re seeing a lot, first of all, would be social engineering. And so how this applies is that often folks in the IT world are really focused on getting the latest and greatest technology to defend their systems. And while that’s important, the human element is one of the weakest points in information security. People are often influenced by authority figures or those who are appearing to be helpless. So someone who maybe gets called by someone who they think is one of their appropriate executives and they’re asking for information, they’re more likely to give that information out for fear of reprisal, and so they’re going to reveal things that they might not always reveal to somebody else. And kind of to go along with that, if they’re called by somebody who, you know, appears to be trying to solve a problem, they might make the wrong decision. So you’d be surprised how many people are willing to reset a password when the person on the other end of a phone call is a crying girl who’s frantic and is looking to solve that problem. And so there are a lot of people out there who exploit that and are very good actors when trying to exploit this particular threat. Another one that we’re seeing quite frequently is financial malware. And so as technology advances, the financial malware that’s out there is getting increasingly advanced. And you’ve got to understand that it’s not the folks that are behind this, they’re not kids living in Mom’s basement who are just messing around with the computers. The financial malware that’s out there today is supported by very highly advanced criminal groups, and they have roles for each component of their enterprise. They have coders who write the malware, people who are sending out spam to infect computers, components that are used to cash out and launder the money that they’ve stolen. And I’ll go into that in a little more detail shortly.
But a third threat that’s out there is email compromise. And this kind of ties into the social engineering end of things. Because people are so dependent on email as well as social media, and so that becomes a very easy avenue for criminals to compromise computers or to obtain sensitive data. And again, I’ll go into a little more detail later and talk about how that’s done.

Maggie Dudley: Tell me a little bit more about financial malware, how malware infections spread and what it can do.

Steve Lambo: So financial malware is often spread through what’s called exploit kits. And so all the criminals really have to do to infect somebody is get them to a Web URL that’s hosting one of these exploit kits. Now, whether that’s getting a person to click on a link or open an attachment in an email, they can even do it with an infected ad on a site, where the person doesn’t really actively interact with it.

And so if a victim is sent to an exploit kit URL, their computer is scanned for vulnerabilities, and that can be anything from maybe they missed a patch for their Windows system, maybe they didn’t update their PDF reader, any vulnerability. The exploit kit’s going to detect that, and it’s going to download what they call a loader system, a loader program. And so the loader’s very small. It evades antivirus systems, and its main function is to download the actual financial malware. And so once the financial malware is on the victim’s computer, it will steal bank credentials. It waits to see that victim log into a bank account, and then it can do things like inject content into the victim’s Web browser, which has multiple functions. One of them is to delay the victim so that they can’t tell that actual money is being stolen because the criminals have actually piggybacked into the victim’s bank account at the same time. And it may pop up extra fields onto the victim’s Web page to extract additional information that the bank wouldn’t otherwise ask for — maybe a message that says, “Hey, there’s a problem with your account. Please enter your debit card number to verify your identity.” And the third thing that this might do is that the financial malware may install other malware. We saw an example of this when we investigated the GameOver Zeus malware in which that malware really targeted large businesses, but it infected everybody. So a lot of times, when our criminals couldn’t steal $100,000 or $1 million from a victim because they were just a regular person, they would push a malware called CryptoLocker, which would then basically encrypt the person’s hard drive, and they’d hold that person for ransom and maybe get $500 or $700 out of them.

Maggie Dudley: Talk to us about email compromise — what is it and what are some of the typical scenarios used to perpetrate fraud?

Steve Lambo: So email compromise usually involves the impersonation or the takeover of a legitimate email address, though some of our very sophisticated cybercriminals will target a corporate executive and try to take over their email. A lot of this ties into the social engineering, because these folks know that a person at a company is usually going to open an email that maybe came from, it looks like it came from their CEO, so they’re probably going to click on any links or open any attachments that are in that email. So they’ll use that to target other people at a company, you know, as a target of opportunity. And they’ll also glean information directly from the messages. So there may be information about different proposals and bids that are going out by that company. So the targeting of an executive email is a large priority in the cybercrime world. Now, we also see people get exploited by emails that appear to come from their trading partners. So maybe your company does business with somebody. People there are going to trust emails from that business partner. And so the key trend here is to exploit trust relationships. It’s much easier to exploit somebody by pretending you’re somebody that they trust.

Maggie Dudley: Please share some real-life stories of companies you have seen victimized by payment fraud and cybercrime.

Steve Lambo: Okay. There are a few of these we’ve seen recently. One example that we had was we had a company here in Pennsylvania that had an ACH compromise. Now, at the time we had a malware group that was sending out targeted spam messages, and they were pretending to be messages
from NACHA, which is the company that regulates the ACH system. We had a payroll clerk at our victim company who got one of these messages, thought it was legitimate, and clicked on a link in it, and that link caused her computer to be infected. When she logged into the company’s bank account, the criminals were there waiting for that, and they tried to make two transfers out of the company’s bank account. Now, fortunately, at that time the payroll clerk didn’t have access to actually make those transfers, so they were rejected. So our bad guys were doing an interactive fraud. They popped up a message on her screen that says, “Hey, we need an administrator to log in.” Well, thinking that this was a technical problem, she went and got her IT administrator, who came and logged in from the same computer to the company’s bank account. Our bad guys tried to do two more transfers out, but the IT administrator doesn’t have the ability to transfer money out either, so they popped up another window onto her computer and basically said, “Hey, we need the company controller to log on.” So they asked specifically for the guy that’s going to have access to that. Unfortunately, he logged on, and our victim at that point lost about $400,000 that were transferred out subsequent to that log-on. That’s one example. Another involved a wire fraud. We had a corporate account that was compromised in much the same manner, and our criminals wired out a large sum of money. And what they did to delay the bank and the victim company from discovering that was they did a denial of service attack against the bank’s website. And their goal here was, one, to keep the victim from logging in and ever being able to check their account to see if the money had gone out; and second, to keep the bank so concerned with getting their Web page back up that they weren’t actually looking for this wire either. 
And so our criminals basically want to just delay that for a day or two and wait for the wire to clear, because if they get that couple of days’ head start, the money can’t be called back. So those are a couple of examples. Another is an incident we had with some credential harvesting via bank malware. We had some customers who, when they tried to log into their Web bill-pay system at their bank, some criminals had changed a few things so that when they tried to log in, that the customers were directed to a page that caused them to be infected by credential-stealing malware. And so any log-ins to bank accounts, email accounts, social media, our criminals were then collecting. And so we actually were able to seize one of the servers that our criminals were collecting data on, and we saw everything that was being collected, including searches on dating sites. So everything that these victims were doing online was being collected by our criminals. So a lot of stuff like that out there.

Maggie Dudley: Are criminals targeting banks and businesses of all size equally, or have they chosen to focus on certain types of organizations? For example, primarily smaller banks or perhaps mostly larger corporations?

Steve Lambo: So we see different types of targeting at all levels. So typically, really sophisticated cybercriminal groups are targeting large banks. And there’s kind of a tradeoff here, because the larger banks can afford to spend more money on better security, but there’s more money to be gotten if you can get into those accounts. Usually they’re managing the accounts of large businesses, and so we see sophisticated criminals trying to transfer out millions of dollars at a time by attacking large banks. Now, we see some smaller groups going after smaller banks and credit unions, who have less of a budget for security to protect their systems, but there’s not as much money to steal, so they’re going for volume on smaller businesses to try to get money.

And then businesses of all size are exploited for different reasons. We see business accounts being targeted, we see payroll accounts, which are ripe for things like income tax fraud. So we’ll see cybercriminals targeting a company’s payroll account basically to get enough information about their employees to file income tax returns on behalf of those employees, and they’re having — basically, nowadays, you can have your income tax refund sent back to you on an Amazon gift card. So they’re having these sent to bogus addresses and exploiting the data that way. Also, when businesses are compromised, there’s a lot of proprietary data that can be sold on the black market, and it’s turned into a big business in the cyber underground these days.

Maggie Dudley: Where is most of the crime originating? And if outside the United States, is the FBI active in those countries or regions?

Steve Lambo: Yes. So it’s interesting that certain types of cybercrime will actually center on certain areas. So we have really, really organized hacking and malware operations that are focused on Eastern Europe, so we have a lot from Russia and the Ukraine, sometimes Romania and Moldova. And so these cybercrime groups kind of operate on an old traditional Russian organized crime model, so they’re very organized. And just speaking with people over there in a lot of the cases we’ve worked, it seems that there are a lot of people who have advanced IT degrees in those regions, and so they’re very technically skilled. But they’re realizing that they’re not making enough money to make a good living there, so they decide that they’re going to use their skills at cybercrime. So we see a lot of that there. We see money mules and low-level cash-out groups in the U.S., U.K., and Australia, as well as a few other places. But the reason for that is that money stolen by these Eastern European groups can’t be sent directly to Russia. If you do that, the bank is going to flag the transaction right away. And so they need people in the same country as the accountholder in order to cash that money out. So a high-level Eastern European group will steal some money from U.S.-based accounts, hire some people in the U.S., or send some people to the U.S. to actually cash that money out. And something that we’ve seen a lot lately is they’ll buy high-end electronics like iPads and they’ll send those back to Russia. And so if they steal $1,000 worth of money, they can buy $1,000 worth of iPads, send it back and sell it for twice as much as they bought it for here. So they’ll turn $1,000 into $2,000 right away. We’ll see hacktivists in primarily anyplace where there’s political unrest or really active political concerns. So you’ll see a lot of people who are very concerned with the political climate in the U.S., Europe, just because we have the freedom to express our opinions.
And you’ll see a lot of hacktivism right now in the Ukraine, just because of the conflict that’s going there. And Brazil, I thought, was kind of odd when that popped up. But because there are a lot of poor people in Brazil, and the cyber laws are very much behind the times there. So they can, a lot of times, act and do their hacktivist actions without really worrying about being arrested for it. And so with all this going on, we have what we call the FBI Legat system, which we leverage to address all these things. So we have what they call Legat offices, which are attached to embassies around the world. I think the last count was we had about 64 of them. And so we have FBI personnel actually stationed at these locations to work with local governments and law enforcement.

And so what we can do is we can leverage those resources to request business records, get search warrants done, and we can sometimes have arrests done in countries where we have extradition treaties. And so we’ve done, through our Legat system, joint cases with other governments. We have very good relationships with the U.K., Netherlands, Germany, Australia. We have a detailee to the Europol Cybercrime Center. So over the past several years, the FBI has established a very effective world presence in fighting cybercrime.

Maggie Dudley: What are the biggest challenges law enforcement is facing in apprehending cybercriminals?

Steve Lambo: So there are a number of them. One of the biggest is the anonymity of cybercriminals. So they’re using tools like Tor basically to mask their true IP addresses and true locations. So it’s very hard to actually track somebody down when they’re using a tool like that. Another thing is that they, a lot of cybercriminals operate online in criminal forums, where they only know each other by their online moniker. Even criminals who have been doing business together for a long time don’t know each other by their real name and don’t know where each other lives. So it’s very hard, even when you apprehend one of them, to get them to tell enough to track one of their partners down. In fact, some of these forums only speak Russian, and you don’t have to just — it doesn’t help just to know how to speak Russian in these forums. You actually have to know the Russian culture to be accepted, so it’s very hard to infiltrate them. One of the other things that we have to deal with is cooperation from foreign governments. Some governments actually have no interest in helping us, and that can be a hindrance. Some might want to help, but they have very lax cyber laws, so we may ask for help, but they basically will come back and say, “Look, what you’re asking about is actually not illegal here, so we can’t help you.” And in some countries, they can only open a case if there’s a victim there. And so we have some cybercriminals who have gotten very wise to this and say, you know, maybe they live in Russia, so they’ll target European and U.S. banks and businesses. And they know if they don’t target anybody in Russia, then they won’t be arrested. And one of the last things is the use of very advanced criminal tools. So we’re seeing more and more encrypted computers out there, criminals using encrypted file systems, encrypted email, other ways to encrypt communications.
As phones get more advanced, they’re a lot harder to deal with because anything we seize, we have to do forensics on, and so it’s hard to keep up with all the changes as new phone technologies develop. And we’re seeing more advanced malware that either runs in RAM, so if you shut the computer off, it’s undetectable, or malware that will detect our forensics tools when we try to do analysis on it. So very, very advanced criminal tools out there that are making the job a lot more difficult.

Maggie Dudley: How are government regulators addressing cybercrime?

Steve Lambo: So a number of things are happening right now. We do have lawmakers who are proposing bills that try to keep pace with technology, and it’s a good step forward. But it can take years for a new proposed law to actually be put into effect. So very likely, we’re always going to be trying to play catch-up with technology when it comes to our laws. So it’s just something we’ve had to deal with and accept to some degree.

Now, one of the things we’ve done from an FBI perspective is we’re adding additional cyber positions. Cybercrime is becoming a primary investigative priority for us, so we’re actively recruiting special agents with cyber backgrounds. We’re creating more computer scientist positions to support those agents. We have very targeted training for those people, very similar to information security experts in private industry. We’re taking a lot of the same courses. And more recently, we’ve developed cyber positions who are going to be posted out at our Legat offices around the world so that in the case we have an overseas cyber case, we have somebody on the ground there who can deal with the cyber issues. One of the last things we’ve done is we’ve strengthened our public and private partnerships. So we have an organization here in Pittsburgh that’s the National Cyber Forensic and Training Alliance. We actually have investigators for private industry who are actually co-located with FBI personnel, so we can actually work together and exchange information.

Maggie Dudley: Steve, your comments have been so helpful and insightful for our listeners. Are there any other thoughts you want to share with the audience before we talk about how our clients can protect themselves from the threats that you just described?

Steve Lambo: Sure, sure. So you just have to realize that cybercrime, and it’s a growing threat, is not going to stop growing; it’s only going to get more complex. So while we can’t all be cyber experts, it’s a good idea to keep abreast of what’s been changing lately in the news, and you can see some tips being put out there on how to protect yourselves. Another thing is just realize that criminals are targeting banks and businesses of all size, so your business is going to have something that a cybercriminal might want, so you have to think about what’s valuable there and what criminals might do to get it. Realize that law enforcement is actually out there taking action, so if your organization does report a crime, we’re in a much better position to bring the perpetrators to justice than we were five years ago, ten years ago. And then just some basic steps to protect yourself. If, you know, you’re getting emails, messages with attachments, only open it if it’s from a trusted source. And if you’re in doubt of that, contact the person by another means; pick up the phone and verify. Just be careful, also, what you post to social media. Many people post information that would make them susceptible to social engineering. They may put out on their Facebook account data that would allow somebody to answer security questions and obtain your bank account or your credit card account, obtain access to it. And just realize that certain things like photos contain metadata, so let’s say you’re taking a picture with a phone. If your location is turned on, on your phone when you take that picture, that can be recorded in the metadata of the picture when you post it up to your social media account. People with the right knowledge can actually see that. They can tell you’re on vacation, or if you took the picture at work, they can now tell where you work. So just realize that that kind of thing is out there.

Maggie Dudley: Thank you so much for your time today, Steve. We really appreciate it. I’m going to go ahead and turn it over to PNC PINACLE Product Group Manager, Howard Forman. Take it away, Howard.

Howard Forman: Thanks, Maggie, and thank you, Steve, for sharing your insights and perspectives with us. Certainly a lot of scary things to talk about here.
Before I get into my content, I just wanted to make a couple of opening remarks. As Maggie said, I am the Group Manager for PINACLE, which is PNC’s corporate online and mobile banking portal. And my team is constantly in contact with our clients as we seek input on service enhancements and other things we can do to continue to meet the needs of our users. But really, we’re also constantly seeking to educate our clients on important industry topics such as cyber fraud and the actions you can take to help protect your accounts from fraudulent access. Our primary means of communicating security information to you will be through the PINACLE Message Center and your related Message Center email subscriptions, as well as through your Treasury Management Officer. But this webinar certainly is another way we’re working to provide you with detailed, actionable information for you to use in your organization. You know, today’s information is especially valuable, in my opinion, and I hope that you will share it broadly within your organizations. You’ll hear me give you that call to action a couple of times throughout the rest of the presentation. But really important to spread the word and educate as many people as possible in your organization. So with that, let’s jump right into the next set of slides. Now that Steve has told us about the current cyber fraud environment and the predominant threats, let’s look at some of the weapons available to you and the actions you can take in the fight against cybercrime. I’ve broken my information into three broad categories. First, education and awareness, ensuring you and your employees are educated and can recognize the warning signs of cyber fraud. And we’ll use some real examples to help, you know, really crystallize this information. Second, we’ll talk about online banking tools. And these are the features and services you can obtain from your banking partners through their corporate banking portals such as PINACLE. 
And third, what other actions you can take to help protect yourself and your accounts. So let’s start with financial malware, which as Steve described, is essentially a malicious program that is installed on your computer and is intended to capture your online banking credentials or, as Steve said, allow fraudsters to hijack your browser session to commit fraud. Malware can often be recognized in a variety of ways; degraded system performance, such as an unusually long log-in page load when accessing your online banking site, is a common warning sign. But beyond that, once the log-in page loads, you should also look for differences in what you typically see on the log-in page, such as maybe a different page layout, different nomenclature for key fields, missing links — that is, links that you would normally see but are not there, or even what we call dead links, which are links to other pages from the log-in page — for example, links to marketing content or help that don’t work. So they’re just dead. You click on them, and they don’t do anything. I’d like to point out, though, that the fraudsters, as Steve mentioned, have become very, very sophisticated. These are not, you know, kids in pajamas in the basement hacking at their computers. They’re very sophisticated. And while there are some things you can notice on the fake websites the malware will redirect you to, they are usually not overly obvious. So it’s important to be aware of the things that are much more noticeable. For example, the customer service telephone number that’s put on the fake site — that might not be the number you’re accustomed to calling. But even more noticeable than that would be pages that don’t seem to follow your typical workflow. If you use the banking sites enough, you generally know how the pages are presented to you. When malware is involved, these pages are often presented out of sequence, or you get pages you’ve never seen before. You’ll see unusual prompting during your session, and we’re going to talk a little bit more about some of these and show you some real examples. But, you know, through all of this, this unusual prompting or these unusual screens, you might — there’s different ways this can manifest itself. So you might be prompted to answer your credentials, like your password, your one-time password or your token pass code. You might be prompted to enter that multiple times during the log-in process, when normally it’s only required during log-in or maybe when you perform certain tasks within the site, like approving a payment transaction. That’s a big red flag, right, so if you’re continually being prompted for your token pass code, that’s a big warning sign. And the reason the fraudsters are doing this is that they need to have current passwords and current pass codes while they’re active in the session, so they have your credentials, they’re logging into the site, and they’re taking actions that might require a token pass code. They’re going to prompt you for that to try to get that out of you so that they can continue their work in the site while they have your attention diverted by the malware. So, you know, that leads into another point. They hold your attention through the use of what we call stall screens. And again, I’m going to show you an example of that in a minute here. But these stall screens are designed to keep you engaged with the fraudster so that he can continue to prompt you for that additional information. 
And then usually what we see is prompting by the fraudsters to have a second operator provide credentials during the log-in process, because the fraudsters know that, you know, to initiate payments, they generally need two sets of credentials for initiation and approval, so they’re going to try to get that second set of credentials from you at the same time. So let me show you a couple of examples, because I think this will sort of hit it home for you. These are taken from PINACLE, and these are from actual fraudulent sites that were attempting to harvest credentials. On the left side of your screen we have an image of the legitimate PINACLE log-in page, and introduced on the right side of the screen, an image of a fraudulent page. And as you can see, the two are nearly identical. Side by side, you may notice a difference, but you can see how difficult it might be to recognize anything unusual about the fraudulent page, which is why I want to stress how important it is to pay attention to the other warning signs, such as the dead links or, really, the unusual prompting after the log-in process. I’m not sure if any of you have spotted the difference between the legitimate page and the fraudulent page. Let me just show it to you quickly. There I’ve highlighted it for you. The Forgot Your Password link is not available on the fraudulent page. But that’s really the only difference that’s noticeable between the two pages. So, you know, easy to see how the fraudulent page can trick you into providing your credentials because you think you’re on the legitimate site. So this next page here, page 18, is an example of what we call a stall screen that’s intended to keep you engaged in the session while the fraudster is using the user’s credentials that were just obtained from the log-in page. So the fraudster’s accessing the legitimate site and holding your attention with this stall screen.
As I mentioned earlier, the fraudster may need to obtain a token pass code to perform certain functions in the site, and they’ll use the malware to keep prompting you for a token pass code while you’re waiting on this page. Once the fraudster sees that the company whose credentials they’ve stolen and the user have access to funds movement services, like ACH or wire transfer, they’ll use that compromised ID to create payments and ultimately prompt you, as I said earlier, to have a second operator log into the site from the same PC in order to obtain a second set of credentials. The reason the fraudsters give for needing a second set of credentials may be to unlock the computer, or they may say, “We need another set of credentials as an additional security check.” Both of these, anything asking for additional credentials, is another really big red flag. Banks will typically never ask you to have a second user provide their credentials in order to do something like unlock a work station or a verification step for your first set of credentials. So really, those are two big warning flags. When you have these stall screens that say, you know, “Please wait while we’re checking your security,” and it just sits there for minutes on end, you know something’s definitely rotten, and you should be very suspicious. So now that we have seen some of the warning signs of malware, let’s talk about the warning signs for email compromises. Recall that, as Steve told us, in an email compromise, the fraudster is using a hacked email account or a spoofed email account under a name you would recognize to get you to initiate a fraudulent payment. The email might appear to come from within your company, or it may be in the name of a legitimate trading partner, like an e-supplier. 
The spoofed email address is often a slight variation of the legitimate email — for example, a W would be replaced by two V’s, or an l would be replaced by the number one — you know, something you’re not likely to notice unless you’re really carefully inspecting the details of the email address. And you know, it’s human nature, because the recognizable name is something you’re familiar with, and you’re preconditioned to see it correctly. Just think about how difficult it is to catch typos sometimes when you’re proofreading your own work. Your mind is conditioned to see it correctly, and you don’t notice that a W is actually two V’s in the domain name of the email address. So very clever ways of tricking you there. So the recognizable sender name is also typically a person of authority at your company. His name may be the CFO, the controller, the treasurer, sometimes even the CEO in a smaller or mid-sized company, where it’s not unusual for the CEO to interact regularly with the financial teams. Many times the email address is made to look like a personal email address like, you know, from Gmail or something, which gives the appearance of the executive using a personal account while they’re out of the office on vacation or travel. So with these email compromises, of course, as Steve said, the fraudster is exploiting a trusted relationship or some sort of hierarchical relationship. The fraudsters know you’re not going to issue a payment when the request comes from a complete stranger, but you’re much more likely to comply with a request and not question it as much when it comes from the CEO of your company or from a key supplier that’s expecting a payment. And what makes these incidents especially dangerous is that often the legitimate email account is in fact compromised, so the email on the surface truly looks legitimate. 
Especially if the email account is compromised, the fraudsters can often glean facts and valid information from other emails in the compromised mailbox, making the request seem that much more legitimate. So it really can be challenging to detect these email compromises.
Another thing you can notice is that these requests often create a sense of urgency. For example, the email may say, “We need to get a wire out as soon as possible. The supplier’s holding shipment until they receive this payment,” or, “Our CEO is personally involved. They want me to tell her as soon as the payment has been sent.” You know, with the combination of the request coming from a person of authority and a sense of urgency around the payment, you’re less likely to question the request, even if you have suspicions over its authenticity. So you really have to kind of look for many different warning signs there. Another trait we often see in these situations is the request will try to get you to bypass your established controls as part of the urgency. For example, the fake CFO may say, “We don’t have time to go through all the internal paperwork now. We can do it after the payment goes out,” or, “We can figure out the GL coding later. Just get the payment out of the door,” or, “I’m out of the office and don’t have my token. Have somebody else authorize the payment after you initiate it.” Something similar to that. We’ve also seen examples where the fraudsters provide kind of odd, you know, largely not sensible reasons for needing the payment to be sent. For example, one fake email that was purporting to be coming from a victim’s key trading partner noted, “Our account is undergoing banking updates and tax validation and cannot accept payments at this moment.” So you need to be on the lookout for reasons that just don’t make good sense based on your own business experience and for language that does not fit a business communication. This is true for company executive email compromises as well. Stop and ask yourself if your CEO or the CFO would say something like, “I lost my password and we need wire transfer sent urgently. Send me confirmation swiftly.” This is likely not a typical business communication you’re going to receive. 
Moving on to slide 20, let’s shift gears now and talk about what tools are typically available to you when using your bank’s online or mobile portal. Most banks will offer various security layers which, when combined, do create a very effective barrier to cybercrime. So let’s talk through some of that. The most basic sort of protection comes in the form of your access credentials. In addition to the standard user ID and password combination, you should look to employ additional controls, which may be optional or mandatory, depending on your financial institution. One-time passwords or token passwords are a common additional layer. These require the use of something you have, the device generating the pass code, like a token, in addition to something you know, like your ID and password. Multi-factor authentication, which is the use of additional passwords or phrases to validate the user when the session log-in meets certain risk characteristics, is another control, as is limiting the number of failed access attempts — for example, three strikes before an ID is locked. This last control helps prevent random attempts to guess the password if other components of the access credentials, like the user ID and one-time password device, are compromised. In addition to access credentials, users will typically have various entitlements to services and functions which control the things a user can do within the portal. For example, can the user initiate payments? Can they approve payments? Or maybe they can perform both actions. What types of payments can the user initiate? Domestic? International? Repetitive or templated payments, free-form payments? What dollar limits does the individual have for various transaction types? All of these entitlements should be appropriate to the individual’s daily job responsibilities. 
And if your bank offers the capability, any changes to payment-related entitlements should require secondary approval by another individual with the authority to approve those changes.
I think this is an important point. Fraudsters will often attempt to alter user entitlements to suit their needs — for example, increasing transaction limits or entitling certain payment types, like international U.S. dollar wires. And requiring that change to be approved by a second administrator can be a very effective deterrent, as it requires compromising the second set of IDs that has payment authority as well as the authority to modify user entitlement. So that’s really a strong control I would encourage you to adopt. Let’s move from user access entitlements and look at some controls around the payment initiation and approval process that are important to have for both ACH and wire transfers. As with the other online options we’ve discussed thus far, these two do vary by financial institution and may be mandatory or optional, depending on your bank’s policies. We think that, at a minimum, you should ensure that all free-form payments require approval by an individual other than the individual creating the transaction. A free-form payment is one where the payment routing instructions, such as the beneficiary bank and account number, are entered at the time the payment is initiated. A payment template, on the other hand, is a predefined set of payment instructions with a fixed dollar amount or a dollar amount that can vary. Payments initiated from these templates are much less risky since the payment routing instructions are fixed and can’t be changed at the point of initiation. However, even with payment templates, we believe it’s a best practice for all new payment templates or changes to existing payment templates to require approval by a second user before those payments or payment templates are available for use. Other possible controls include yet another layer of approval for high dollar transactions, which would typically be defined by your organization. 
But as an example, you may choose to allow all payments under $500,000 to require only an initiator and an approver; however, payments over that amount require an additional approver, and an approver that has the authority to approve payments of that dollar amount. So you could get a total of three individuals being involved in the payment process for these large dollar payments. Now, outside of the actual payment initiation and approval controls that we just talked about, another effective tool is to use alerts or event notifications from your bank. These are typically available via email and/or text message and are available for various types of account activity. So, for example, you may be able to subscribe to a notification that there are wire transfers or ACH batches pending approval or that a user’s entitlements have been changed. And these notifications can alert you to actions that are taking place that may not have been performed by you or another authorized individual at your organization. So it’s really a good alerting mechanism. And finally, on the last point on this slide, some banks have started to offer free access to malware protection software, and I’ll mention Trusteer Rapport offered by IBM Security, which is perhaps the most prevalent of the offerings. These software products function similarly to antivirus software, but they are different. The malware detection software will find malware and eliminate it from the PC and can prevent future malware infections should the user open an infected attachment. But malware protection software can also detect fake sites purporting to be the legitimate online banking site and stop the malware from redirecting the session. So really something to consider if you’ve not taken advantage of the protection offered by your bank if they are offering this. 
Now that we’ve looked at and reviewed the more obvious warning signs of malware infections and email compromises and we looked at how your banking partners should have the tools within their online banking services that can help you layer your protection, let’s take a look at some other precautions and best practices you can employ to help protect your accounts and your information.
Many companies have begun using dedicated work stations for their online banking activities. And we recognize this may not be practical for every employee — for example, an executive that travels frequently and needs to use a laptop. There are advantages to using a dedicated PC wherever possible. Ideally, that PC should not be used for email access, and it should have software tools that provide Internet access only to those certain trusted sites that you specifically allow. And in doing this, you know, blocking the email access and limiting the sites, really reduces the risk that the PC could become infected by malware in the first place that would be delivered through an email attachment or through somebody visiting a site where they may encounter infected files. Another precaution is to separate the initiation and approval process across different devices where possible. This helps prevent fraudsters from obtaining multiple sets of banking credentials should a PC be infected. And this practice is also a good reinforcement for something we discussed earlier, and that is the unusual prompting we see with malware asking you to have another user log in from the PC. You may be less likely to fall for such a scheme if you keep your payment initiation and approval activities physically segregated and you’re accustomed to using two devices, and it might just seem more unusual in that case if you’re prompted for two sets of credentials. Accessing online banking with a trusted bookmark reduces the risk of a simple typographical error in the URL, which could redirect you to a malicious site. I think we probably have all made errors when typing URLs, and we wonder how we ended up in a certain site that doesn’t look anything like what we were expecting. 
Well, fraudsters know how to exploit that, and they will resolve certain incorrect URLs to fake sites that are used to harvest your credentials, so they can create a fake site that looks like your banking site just by, you know, applying certain typos to the URL that are common. And finally, the last point on this slide seems obvious, but I cannot repeat it often enough. Never ever — ever! — provide your credentials to anyone, even to someone that is purporting to be from your bank. We have seen cases where the malware collects contact information from a user during an infection. The user then gets a telephone call from the fraudster, purporting to be from the bank, to ask for their banking credentials in order to restore their system access. They say, “Well, we can see that you’re having trouble accessing the site. Give us your log-in credentials, and we’ll unlock it for you and clear the security alert that’s on there, and you’ll be able to access the site.” I can assure you, your bank will never ask you for this information. On this next slide, slide 23, are a couple of points I think we can safely say we’ve covered on previous slides. However, they are worth reinforcing. Emails with very generic subject lines, such as those shown here on the screen, or others that say, “Payment Advice,” or, “Per Your Request,” or they just contain a link to a facts document, should definitely raise your suspicion. If you don’t recognize the sender or you’re not expecting a sender to send you what you just received from them, don’t open the attachment. If it’s a known sender, verify with the sender that what they sent you is legitimate. Pick up the phone and call them or walk down the hall and ask them. Because we have seen malware cases where the malware has compromised the sender’s email box to replicate itself, so the email looks like it’s coming from somebody you know, but it’s still sending some kind of kooky, bogus attachment, so there still should be suspicions in there. 
You might say, “I know this person and they’re sending me an attachment, but the attachment doesn’t look like anything this person would be sending me.” The last point on this slide is one we’re going to spend a few minutes discussing. Steve touched on it already, but it is really important. Many of us like to use social media for networking, professionally and socially. And while these networks are a great way to stay in touch with colleagues and friends, criminals will use the information you post to piece together details about you, your organization, and activity taking place with your company. It’s not difficult for criminals to learn from the Internet who the senior leaders are at any organization. So very basic email compromises where a CEO or CFO is being impersonated are not difficult to carry out. However, with some of the information posted to social media, the fraudsters have more information to make the communication seem more legitimate. For example, a harmless picture posted on Facebook showing your CFO backpacking in the mountains today is really a great clue that he’s on vacation and makes an email compromise more authentic-sounding when it begins with, “Hi. I don’t have my token with me while on vacation. Can you please ask someone else to approve this wire?” Or maybe you posted your own vacation countdown on your Facebook wall, and the email from the impostor CEO begins with, “I need you to send this payment before you leave on vacation tonight.” Or maybe you post a comment on someone’s picture, mentioning you’re sorry you can’t join everyone for dinner because you have a really big transaction closing at work. So the fraudster uses that information to send an email from the controller with an urgent need to send the payment for the closing today. There are hundreds of other examples I could come up with. And I don’t want to suggest that you don’t use social media, but rather, I just want to emphasize how important it is to be vigilant about your payments and know how to spot the warning signs of these fraud schemes, because fraudsters are so adept at manipulating their victims. So that’s a great lead-in to the first point on our next slide, as we come into the home stretch here. 
Any time you’re asked to make a free-form payment — and again, that’s a payment where you’re given the payment routing instructions or if you’re being asked to make payment routing changes to existing payments — verify the request with the individual asking for it. And the verification must be in person or via telephone. Don’t rely on email. If a fraudster has hacked an email account or you are replying to a fake email account, guess what — you’re only confirming the request of the fraudster. So it’s really important you don’t use email to confirm those requests if you’re suspicious of them when they came via email. Some of the remaining points here on this slide relate back to things we’ve already covered, so I won’t spend too much time on it. You know, talk to your banking reps about the security options and controls that are available to you. You may not know all of the options that are available. You may think you’re using a service or a protection that you’re not. It’s really a good idea to review these periodically. And likewise, it’s really a best practice to review your employees’ online access entitlements regularly. I’m going to move over to our final slide, just to wrap us up here and leave time for a few of the questions that have come in. You know, a couple of things here. You might not have noticed any errant transactions in your bank account, but during your online session, you’re being asked to provide information — maybe your telephone number or your token pass code or other credentials — in a process step where you’ve never been asked to provide that information. Call the bank immediately. I can speak for PNC, and I think most other banks would agree, we would rather you err on the side of caution and call us rather than you take the chance that financial malware is acting on your PC to harvest your credentials. 
Installing the latest patches and updates for your software programs is important, whether it’s for your Windows operating system or your browsers or even software programs such as the Adobe Reader. The updates and patches often contain security fixes to help prevent vulnerability exploitation, so it’s just another step you could take among the many we have been discussing.
And finally, I saved this one for last because it’s perhaps one of the most important things you can do. And I started out with this one. Educate your employees about the dangers and the fraud schemes we have been discussing. By attending today’s session, you are already armed with a ton of information to help you, but your defense will only be as strong as your weakest link. Fraudsters know this, and they will work tirelessly to find a victim. Once they have a user engaged during a malware session or once they get a response to an email, they will continue to leverage all of the tricks at their disposal to get access to your accounts. Take aggressive steps to educate your employees. Work with your technology partners on phishing education campaigns. Share the information we gave you today throughout your organization. Encourage your employees with banking responsibilities to listen to the replay of this session and continue to leverage the resources your banking partners make available to you — for example, the Security Center within PINACLE or our PINACLE Message Center, where we post alerts about the latest security threats once we are aware of them. So, Maggie, I know we’re running a little bit long here. That concludes the formal comments I wanted to share with our attendees today. I think we can move into the Q&A, and we have time for a few questions for Steve and me.

Maggie Dudley: Thanks so much, Howard. We are going to take the last couple of minutes to answer a question or two. As a reminder, if we do not get to your question today, please feel free to reach out to your PNC Relationship Manager with any additional questions that you may have after the webinar. Okay, our first question is for Steve. Steve, how do you recommend a victim report a cybercrime? Should they report such things to local law enforcement, or should they contact the FBI? When do you think the victim should contact the FBI?

Steve Lambo: So if we’re talking about corporate victims, your company may be a victim of a crime, if it’s a large dollar loss, we definitely encourage bringing that to the FBI. Now, one thing I would say is if you’re representing your company, follow your company’s policy in doing that. Don’t necessarily bypass your corporate security components and call the FBI directly. Your executives are going to have a specific policy, you know, that states at which point you should call the FBI. But typically, if we’re talking about losses of $50,000 or more, we’re usually ready to take on those kind of cases. Now, a case of, you know, $5,000 might be something that our U.S. Attorney’s offices might not pursue, and it might be more appropriate to go to local law enforcement. But that’s just a general guide. But definitely, you know, make sure your corporate security component of your company is aware of the crime, and let people at that level make the call on when to call the authorities.

Maggie Dudley: Okay. Our next question is for Howard. Howard, can you be compromised by simply opening an email, or do you have to click on a link that is contained within the email?

Howard Forman: You know, I would say clicking on the link is probably the more dangerous option than simply opening the email. Steve may have other experiences where the emails themselves, just by opening them, were infected. So I don’t know, Steve, do you want to add to that at all? Would you say it’s just safer not even to open it if you’re suspicious?

Steve Lambo: If you’re suspicious, yes, I agree with you, Howard. Most of the time, it’s going to be taking some action — clicking a link or opening an attachment. Now, if you do have emails that will resolve embedded graphics — you’ll see people that will embed a corporate logo or something like that in their email — depending on how your email client is set up, some of them will automatically open that. I know ours here at the Bureau, I mean, they automatically will block opening any type of embedded graphics and things like that and give you the option and say, “Hey, there are graphics here. We didn’t download them, but you can click here to download them.” So that’s one of the little dangers there, so you might want to configure your email client to not automatically open any type of embedded content. But that’s the only time I can think of, off the top of my head, where just opening an email might be dangerous.

Maggie Dudley: Thank you both so much for your answers to those questions. Unfortunately, we did run a little bit long and couldn’t get to a lot of them. But as I said, please feel free to reach out to your PNC representative or Relationship Manager with any further questions related to this topic. A PDF of today’s presentation as well as a CDP certification credit and a Recent Investment Outlook update are now available for you to download. It’s the green Resource List file folder widget in the lower center portion of your screen. You will also see a link to a short survey on your screen. Again, your feedback is very important to us, and we’d greatly appreciate your thoughts on today’s session and presenters. Thank you so much, Steve and Howard, for joining us today and providing us with that insightful and helpful information. And thank you all for joining today’s webinar.

The materials that you are viewing were prepared for general information purposes only and are not intended as legal, tax or accounting advice or as recommendations to engage in any specific transaction, including with respect to any securities of PNC, and do not purport to be comprehensive. Under no circumstances should any information contained in those materials or video be used or considered as an offer or a solicitation of an offer to participate in any particular transaction or strategy. Any reliance upon any such information is solely and exclusively at your own risk. Please consult your own counsel, accountant or other advisor regarding your specific situation. Any opinions expressed in those materials or videos are subject to change without notice.

Investment banking and capital markets activities are conducted by PNC through its subsidiaries PNC Bank, National Association, PNC Capital Markets LLC, Red Capital Markets, Inc., and Harris Williams LLC. Services such as public finance advisory services, securities underwriting, and securities sales and trading are provided by PNC Capital Markets LLC and Red Capital Markets, Inc. Merger and acquisition advisory and related services are provided by Harris Williams LLC. PNC Capital Markets LLC, Red Capital Markets, Inc., and Harris Williams LLC are registered broker-dealers and members of FINRA and SIPC. Harris Williams & Co. is the trade name under which Harris Williams LLC conducts its business.

©2015 The PNC Financial Services Group, Inc. All rights reserved. CIB ENT PDF 0415-0172-192042