Preventing Business Email Compromise Fraud with Guardian Analytics Real-Time Wire

Upload: guardian-analytics

Posted on 23-Jan-2018

TRANSCRIPT

Page 1: Preventing Business Email Compromise Fraud with Guardian Analytics Real-Time Wire

Business Email Compromise

Page 2

© 2016 Guardian Analytics, Inc. – Confidential & Proprietary

Guardian Analytics BEC Education Campaign

Businesses:
•  Best Practices Kit
•  Detection
•  Examples of scams

Financial Institutions:
•  Unbranded materials you can use to educate your clients
•  Materials for you and your teams
•  Conversations with clients
•  Fraud Update on BEC

•  Promoting the kit nationwide to raise awareness

Guardian Analytics Best Practices Kit: www.GuardianAnalytics.com/BEC-FI

Page 3

FBI Warning: Business Email Compromise

•  Over 12,000 businesses victimized
•  $1.2B in losses
•  270% increase from January 2015 to August 2015
•  Institutions experiencing their clients victimized with increasing frequency – many seeing clients hit daily!

Latest BEC impact

Page 4

Different Forms of BEC

1. Business Email Spoof
2. Business Email Hack
3. Business Email Hack / Vendor Email, Invoice Spoof

Criminal determines attack pattern based on whose email they have (CxO vs. Controller/Procurement). Focus on CxO.

(Diagram: spoofed lookalike domain @Redllaw beside the real @Redlaw; vendor lookalike @vendorr)

Page 5

1. CxO Masquerading – Domain Spoofing

1. Business Email Spoof: attacker writing from @Redllaw targets Finance Staff

Create new lookalike domain (Redllaw vs. Redlaw)

Research target business and person(s): who to target and impersonate, best message
•  General information
•  Personal information
•  Customers/partners
•  Company news
•  Funding
•  Products/patents
•  Travel plans
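The lookalike-domain trick on this slide (Redllaw for Redlaw, and vendorr for vendor on the later supplier slide) is something a mail gateway or SIEM rule can check for on inbound mail. The following is an added illustration written for this transcript, not Guardian Analytics code: it scores a From: header's domain against a small trusted set using an edit distance plus homoglyph folding, and also flags a Reply-To domain that differs from the From domain, which the deck's "please reply to this email" sample relies on. The trusted domains, the assumed .com TLD, the edit-distance cut-off of 2 and the sample headers are all constructed for the example.

```python
"""Lookalike sender-domain check for inbound mail.

Added example for this transcript, not Guardian Analytics code. TRUSTED_DOMAINS is
constructed from the deck's illustrative Redlaw/Redllaw and vendor/vendorr names."""
from email.utils import parseaddr
from typing import Dict, Iterable, List

# Constructed: the organisation's own domain and one known supplier (assumed .com TLD).
TRUSTED_DOMAINS = {"redlaw.com", "vendor.com"}

# Character substitutions that read the same at a glance; folded before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

MAX_TYPO_DISTANCE = 2   # assumed cut-off: 1-2 edits away from a trusted domain is suspicious


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def fold_homoglyphs(s: str) -> str:
    """Replace look-alike character sequences so 'red1aw' and 'redlaw' compare equal."""
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s


def sender_domain(header_value: str) -> str:
    """Domain part of the address in a From:/Reply-To: header value, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].strip().lower()


def classify_sender(header_from: str, reply_to: str = "",
                    trusted: Iterable[str] = TRUSTED_DOMAINS) -> Dict[str, object]:
    """Verdict for one message: trusted, lookalike-homoglyph, lookalike-typo or unrelated."""
    trusted = set(trusted)
    domain = sender_domain(header_from)
    verdict, closest = "unrelated", None
    if domain in trusted:
        verdict = "trusted"
    else:
        folded = fold_homoglyphs(domain)
        same_shape = [t for t in trusted if fold_homoglyphs(t) == folded]
        if same_shape:
            verdict, closest = "lookalike-homoglyph", same_shape[0]
        else:
            best = min(trusted, key=lambda t: osa_distance(domain, t))
            if osa_distance(domain, best) <= MAX_TYPO_DISTANCE:
                verdict, closest = "lookalike-typo", best
    flags: List[str] = []
    if closest:
        flags.append(f"sender domain {domain} resembles trusted domain {closest}")
    reply_domain = sender_domain(reply_to) if reply_to else ""
    if reply_domain and reply_domain != domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return {"domain": domain, "verdict": verdict, "closest": closest, "flags": flags}


if __name__ == "__main__":
    # Constructed headers echoing the deck's scenarios.
    samples = [
        ("CEO <ceo@redllaw.com>", ""),
        ("Accounts <billing@vendorr.com>", ""),
        ("ceo@red1aw.com", ""),
        ("ceo@redlaw.com", "ceo.redlaw@freemail.example"),
        ("news@somethingelse.org", ""),
    ]
    for frm, rt in samples:
        print(frm, "->", classify_sender(frm, rt))
```

In production the trusted set would be the institution's own domains plus those of its clients' known suppliers, and an `unrelated` verdict is not a clean bill of health: it only says the domain is not imitating a name on the list.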

Page 6

2. Business Email Hack – CEO Masquerading

2. Business Email Hack

Email takeover via:
•  Phishing
•  Social engineering
•  Breaches
•  Malware

Monitor CEO email (@Redlaw) for:
•  Relationships
•  Common phrases
•  Business activities
•  Typical transactions
•  Calendar/travel

Hide email traffic using rules:
•  Move
•  Delete
•  Auto-forward

Target: Finance Staff

Page 7

Criminal “Payload” is Changing

Wire payment (Finance Staff): wire fraud

Employee/W2 info (Finance / HR Staff):
•  Identity theft
•  Tax fraud
•  New account fraud

Page 8

3. Supplier Masquerading – Hacked Internal Email

3. Business Email Hack / Vendor Email Spoof

Email takeover via:
•  Phishing
•  Social engineering
•  Breaches
•  Malware

Monitor victim email (@Redlaw): vendors, vendor email traffic, relevant “jump in” point, invoices

Spoofed invoice from a lookalike vendor (@vendorr):
•  New supplier lookalike domain
•  Use CC to fake conversations about the invoice

Hide email traffic using rules:
•  Move
•  Delete
•  Auto-forward

Page 9

Criminals Use Simple and Complex Schemes

Email From: CEO
Subject: Need your help – pls keep it quiet
To: Dave, Controller
Message: Dave, Can you please wire $56,000 to this company. I’m in a meeting right now, but you don’t need any further approvals. If you have questions, please reply to this email. Your prompt attention to this is critical. Thanks, CEO

Email From: Vendor
Subject: Invoice – New Process
To: Finance, Accounts Payable
Message: Please find attached our latest invoice for the past billing period. Also note that we are implementing a new payment process. Instead of how you have previously made payments, please wire the funds directly to our account. Here are the wire instructions: Routing number: xxxxxxxxxx Account number: xxxxxxxxxx

Email From: CEO
Subject: Confidential – Attorney will call
To: Dave, Controller
Message: Dear Dave, I would like to bring you in on something very important, but highly confidential. I would appreciate your timely support as well as your discretion, as we are not ready to tell the whole company about this – we are in the process of acquiring a company overseas. This is very strategic to our business. I’ll be connecting you with a lawyer in London who is brokering this transaction for us. He will provide payment instructions for you. I’m handing this project to you because I know I can trust you. I’ll check in with you periodically. Thanks, CEO

Simple Request
§  Relies on urgency and unavailability

Complex Story
§  Relies on secrecy, sense of importance
§  Can result in multiple payments

Page 10

Spoofed Vendor Payments Seen in ACH

Email From: Vendor
Subject: Invoice – New Process
To: Finance, Accounts Payable
Message: the same spoofed-invoice email shown on page 9 (new payment process, wire the funds directly to our account, routing and account numbers)

Traditional: Wire
New: ACH

Page 11

Same Day ACH – Good Target For Criminals

•  Prey on urgency/immediacy
•  Hard to detect amidst larger ACH volumes
•  Same Day ACH likely to replace some wire volume

(Diagram: ODFI ACH files – morning same-day submission, afternoon same-day submission, standard submission; same-day settlement)

Page 12

BEC Victim Trends

•  Variety of business types under attack
   •  Title companies
   •  Consulting firms
   •  IT providers
   •  Legal services
   •  Transportation
   •  Food service
   •  Banks!
•  Tend to have higher transactional volumes
•  Businesses victimized multiple times
   •  Multiple payments as part of one scheme
   •  “Vendor” asking for multiple invoices
   •  Multiple “vendors” (one business hit 7 times)

Page 13

BEC Transaction Trends

•  Amounts
   •  Consistent with normal company amounts
   •  Largest - $5MM
   •  Average - $250K
   •  Escalating amounts
      •  Case 1: $3K, $19K, $30K, $50K
      •  Case 2: $8K to $80K
•  Beneficiary FI and location
   •  Mix of international and domestic
   •  US - small CUs to largest banks
   •  International – mostly Asia or Eastern Europe
•  Beneficiary
   •  Individual - 1/3
   •  Businesses - 2/3
      •  Trading and export
      •  Products
      •  Logistics
      •  Services
      •  Catering

Page 14

Global Distribution of Wire Destinations (attempted wires – volume of transactions)

Country          % of incidents
US               51.72%
China            12.64%
Hungary           8.05%
Malaysia          5.75%
Thailand          4.60%
Hong Kong         3.45%
Nigeria           3.45%
Bulgaria          1.15%
UK                1.15%
UAE               1.15%
Seychelles        1.15%
Ukraine           1.15%
Taiwan            1.15%
United Kingdom    1.15%
AU                1.15%
Poland            1.15%

Page 15

Domestic Distribution of Wire Destinations (attempted wires – volume of transactions)

State    % of incidents
FL       18.75%
NY        9.38%
IN        9.38%
CA        9.38%
TX        9.38%
NC        6.25%
AZ        6.25%
GA        6.25%
MI        6.25%
SC        3.13%
WI        3.13%
MS        3.13%
ID        3.13%
CT        3.13%
OH        3.13%

Page 16

Impact of BEC Fraud On Financial Institutions

•  Increased alerts to try to detect
•  Increased callbacks
•  Increased volume & cost of recovery
•  Degradation in trust/experience
•  Reputation risk
•  Cost of education

Net effect: increase in bank cost, poor customer experience. Better fraud prevention can reduce the negative impact.

Page 17

Why Detecting BEC is Hard

The wire path: a spoofed CEO email or spoofed supplier email reaches a legitimate user (CFO or controller), who submits the wire online, by fax or at a branch, to a criminal beneficiary or mule.

•  Criminals do their homework on their targets and prey on urgency, sense of duty and importance
•  Legitimate user logs into online banking or requests the wire (legacy ATO detection methods don’t work)
•  BEC amounts within typical range of client wires
•  New beneficiaries common (40% of wires to new beneficiaries)
•  BEC beneficiary FIs vary (domestic, international, banks, credit unions)

Page 18

Typical Fraud Detection Not Working

The chart plots detection rates against alert volumes for fixed-threshold rules:

•  Trust too much: a rule such as “over $100K AND international AND new recipient” keeps alert volumes low, but detection rates are low as well.
•  Trust too little: a rule such as “over $100K OR international OR new recipient” gets detection rates up, but alert volumes go up with them.

Know when to trust; know when NOT to trust.

Page 19

Knowing When To Trust, When to Raise Risk

•  Learn each individual originator’s behavior over time to determine risk
•  Learn new recipient ratio and typical beneficiary patterns (i.e. keeps false positives for title companies down)
•  Look to see if we can raise or lower trust of a beneficiary
   •  If multiple wires to the same “bene” are spread out, can raise trust
   •  If many in rapid succession, less trustworthy
•  Use what we’ve learned from other fraud
   •  Mule: match in mule db?

Page 20

100+ Wire Attributes Analyzed

Addenda, AddendaInformation, AddendaLength, Amount, AmountCurrencyCode, BBI,
BeneAddress1, BeneAddress2, BeneAddress3, BeneCountryCode, BeneFIAddress1, BeneFIAddress2, BeneFIAddress3,
BeneficiaryAdviceInfoAdditionalInfo, BeneficiaryAdviceInfoAdviceCode, BeneficiaryFIAdviceInfoAdditionalInfo, BeneficiaryFIAdviceInfoAdviceCode,
BeneFICountryCode, BeneFIID, BeneFIIDCode, BeneFIName, BeneFIStateProvince, BeneIDCode, BeneIdentifier, BeneName, BeneReference, BeneStateProvince,
BusinessFunctionCode, DestinationType, Direction, DisplayFields, DrawdownCreditAccount, DrawdownDebitAccount,
DrawdownDebitAccountAdviceInfoAdditionalInfo, DrawdownDebitAccountAdviceInfoAdviceCode, ExchangeRate,
IMADInputCycleDate, IMADInputSequenceNumber, IMADInputSource, ImmutableCompanyID, ImmutableUserID, InstructedAmount, InstructedCurrencyCode,
InstructingFIAddress1, InstructingFIAddress2, InstructingFIAddress3, InstructingFICountryCode, InstructingFIID, InstructingFIIDCode, InstructingFIName, InstructingFIStateProvince,
IntermediateFIAddress1, IntermediateFIAddress2, IntermediateFIAddress3, IntermediateFIAdviceInfoAdditionalInfo, IntermediateFIAdviceInfoAdviceCode,
IntermediateFICountryCode, IntermediateFIID, IntermediateFIIDCode, IntermediateFIName, IntermediateFIStateProvince,
OBI, OMADOutputCycleDate, OMADOutputDate, OMADOutputDestinationID, OMADOutputSequenceNumber, OMADOutputTime,
OrigAddress1, OrigAddress2, OrigAddress3, OrigCountryCode, OrigFIAddress1, OrigFIAddress2, OrigFIAddress3, OrigFICountryCode, OrigFIID, OrigFIIDCode, OrigFIName, OrigFIStateProvince, OrigIDCode, OrigName, OrigStateProvince,
PaymentNotificationContactFaxNumber, PaymentNotificationContactMobileNumber, PaymentNotificationContactName, PaymentNotificationContactNotificationElectronicAddress, PaymentNotificationContactPhoneNumber, PaymentNotificationEndToEndIdentification, PaymentNotificationIndicator,
ReceiverFIAddress1, ReceiverFIAddress2, ReceiverFIAddress3, ReceiverFICountryCode, ReceiverFIID, ReceiverFIIDCode, ReceiverFIName, ReceiverFIStateProvince,
Recurrence, RepeatRequest, RequestID,
SenderFI, SenderFIAddress1, SenderFIAddress2, SenderFIAddress3, SenderFICountryCode, SenderFIID, SenderFIIDCode, SenderFIName, SenderFIStateProvince, SenderReference,
SettlementMethod, Source, Status, SubType, TemplateName, TransferDate, Type, Type_Subtype, WireID

Page 21

Guardian Analytics Wire Finds Unusual Wires

Wire Behavioral Analytics draws on:

•  Originator Model
   •  Would beneficiary be expected? (new beneficiary ratio, beneficiary and FI location/region)
   •  Are the originator’s wire actions normal? (timing, velocity, type, accounts, direction, use of instructions, content of instructions)
   •  Are the wires typical? (type, amount)
•  Beneficiary Model
   •  Is this a high or low risk beneficiary? (beneficiary history with other originators, name/account number match, suspected mule)
•  Cross-institution risk data (network effect)
•  100+ attributes from wire system

Self learning: no rules to write, not threat specific, adapts to new threats, automatic updates to analytics.

Page 22

Real-time Risk Scoring and Intervention

Channels: Mobile, Branch, Contact Center, Online, File upload

1. Initiate wire (any channel)
2. Wire comes in; payment fields immediately sent to FraudMAP for analysis (analyze 30+ fields and nearly 75 attributes from PAYPlus)
3. Guardian Analytics Wire returns a risk score and hold/release instructions immediately to the wire system (e.g. 9.2: Hold; 2.2: Release)
4. Wire system: Send to Fed, or Review Alerts and then release/cancel
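The contrast the deck draws on pages 18, 19, 21 and 22 (fixed AND/OR thresholds versus a baseline learned per originator, weighing a new beneficiary by that originator's own new-recipient ratio, raising trust for spread-out repeat beneficiaries, consulting a mule list, and returning a hold/release decision in line with the wire) can be sketched as code. The block below is an added illustration written for this transcript, not Guardian Analytics or FraudMAP code: the two originators, their wire history, the score weights, the mule list and the hold threshold of 6.0 are constructed assumptions, while `rule_and` and `rule_or` are the deck's own $100K / international / new-recipient conditions.

```python
"""Wire risk scoring against a per-originator baseline, beside the deck's fixed rules.

Added example for this transcript, not Guardian Analytics code. The rules, weights,
HOLD_THRESHOLD and every wire below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Set


@dataclass(frozen=True)
class Wire:
    originator: str
    beneficiary: str   # beneficiary account identifier (constructed)
    bene_type: str     # "business" or "individual"
    country: str       # beneficiary FI country
    amount: float      # USD
    sent: date


# Constructed history for two originators at one bank.
HISTORY: List[Wire] = [
    # A title company: large wires, mostly to first-time beneficiaries, US only.
    Wire("TitleCo", "b-101", "business", "US", 320_000, date(2016, 1, 5)),
    Wire("TitleCo", "b-102", "business", "US", 275_000, date(2016, 1, 12)),
    Wire("TitleCo", "b-103", "individual", "US", 410_000, date(2016, 1, 20)),
    Wire("TitleCo", "b-101", "business", "US", 180_000, date(2016, 2, 3)),
    Wire("TitleCo", "b-104", "individual", "US", 295_000, date(2016, 2, 17)),
    Wire("TitleCo", "b-105", "business", "US", 350_000, date(2016, 3, 1)),
    # A small IT services firm: small, repetitive wires to two suppliers.
    Wire("ItSvc", "payroll-vendor", "business", "US", 800, date(2015, 10, 6)),
    Wire("ItSvc", "payroll-vendor", "business", "US", 650, date(2015, 10, 20)),
    Wire("ItSvc", "payroll-vendor", "business", "US", 900, date(2015, 11, 3)),
    Wire("ItSvc", "hosting-co", "business", "US", 450, date(2015, 11, 17)),
    Wire("ItSvc", "payroll-vendor", "business", "US", 750, date(2015, 12, 1)),
    Wire("ItSvc", "hosting-co", "business", "US", 500, date(2015, 12, 15)),
]

MULE_LIST: Set[str] = {"b-mule-9"}   # constructed stand-in for a cross-institution mule db
HOLD_THRESHOLD = 6.0                  # assumed cut-off on a 0-10 score


@dataclass
class Profile:
    wires: List[Wire]          # this originator's history, oldest first
    known: Set[str]            # beneficiaries paid before
    new_bene_ratio: float      # share of past wires that went to a first-time beneficiary
    median_amount: float
    countries: Set[str]
    bene_types: Set[str]


def build_profile(originator: str, history: List[Wire]) -> Profile:
    wires = sorted((w for w in history if w.originator == originator), key=lambda w: w.sent)
    seen: Set[str] = set()
    first_time = 0
    for w in wires:
        if w.beneficiary not in seen:
            first_time += 1
            seen.add(w.beneficiary)
    return Profile(wires, seen, first_time / len(wires), median(w.amount for w in wires),
                   {w.country for w in wires}, {w.bene_type for w in wires})


def rule_and(w: Wire, p: Profile) -> bool:
    """Deck's 'trust too much' rule: alert only when ALL three conditions hold."""
    return w.amount > 100_000 and w.country != "US" and w.beneficiary not in p.known


def rule_or(w: Wire, p: Profile) -> bool:
    """Deck's 'trust too little' rule: alert when ANY one condition holds."""
    return w.amount > 100_000 or w.country != "US" or w.beneficiary not in p.known


def behavioral_score(w: Wire, p: Profile, mules: Set[str] = MULE_LIST) -> float:
    """Additive 0-10 score from deviations against the originator's own baseline."""
    score = 0.0
    if w.beneficiary not in p.known:
        score += 3.0 * (1.0 - p.new_bene_ratio)   # new bene weighted by how rare that is here
    else:
        dates = [h.sent for h in p.wires if h.beneficiary == w.beneficiary]
        if (max(dates) - min(dates)).days >= 45:
            score -= 1.0                           # repeat bene, spread over time: raise trust
    ratio = w.amount / p.median_amount
    score += 4.0 if ratio > 5 else 3.0 if ratio > 3 else 1.5 if ratio > 1.5 else 0.0
    if w.country not in p.countries:
        score += 2.0                               # first wire to this country
    if w.bene_type not in p.bene_types:
        score += 1.0                               # e.g. first-ever wire to an individual
    if (w.sent - p.wires[-1].sent).days > 90:
        score += 1.0                               # dormant originator suddenly wiring
    if w.beneficiary in mules:
        score += 4.5                               # network effect: known mule account
    return max(0.0, min(score, 10.0))


def decide(w: Wire, history: List[Wire] = HISTORY) -> dict:
    p = build_profile(w.originator, history)
    s = behavioral_score(w, p)
    return {"rule_and": rule_and(w, p), "rule_or": rule_or(w, p),
            "score": round(s, 1), "action": "hold" if s >= HOLD_THRESHOLD else "release"}


# Constructed candidate wires, loosely echoing the deck's attack table.
CANDIDATES = [
    ("small-firm-new-individual", Wire("ItSvc", "b-new-az", "individual", "US", 39_000, date(2016, 4, 12))),
    ("title-co-routine", Wire("TitleCo", "b-106", "business", "US", 330_000, date(2016, 3, 15))),
    ("title-co-international", Wire("TitleCo", "b-hk-1", "business", "HK", 2_871_000, date(2016, 3, 15))),
    ("known-mule", Wire("ItSvc", "b-mule-9", "business", "US", 900, date(2015, 12, 22))),
    ("repeat-supplier", Wire("ItSvc", "payroll-vendor", "business", "US", 700, date(2015, 12, 22))),
]


def run_examples() -> List[dict]:
    return [dict(label=label, **decide(w)) for label, w in CANDIDATES]


if __name__ == "__main__":
    for r in run_examples():
        print(r)
```

Running it makes the slide's point concrete: the AND rule misses the small firm's $39K domestic wire to a first-time individual, the OR rule alerts on the title company's routine $330K domestic wire, while the baseline holds the first (8.0) and releases the second (0.5), holds the Hong Kong wire (6.5) and the in-range wire to a listed mule account (6.5), and clears the repeat supplier payment at 0.0.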

Page 23

Guardian Analytics Wire Successfully Detects BEC

Fraud attacks over a series of recent weeks at a bank in TX (examples of documented BEC attacks):

Attack 1
•  Beneficiary FI: AZ-based CU
•  Beneficiary location: AZ (previously sent wires to many different states, and other countries)
•  Beneficiary: Individual
•  Originator amount: $39K
•  Originator characteristics: frequent wire sender – IT Services Company

Attack 2
•  Beneficiary FI: Large national bank
•  Beneficiary location: NY (previously sent wires to TX, WI)
•  Beneficiary: Individual
•  Originator amount: $20K (most wires 0-$1000)
•  Originator characteristics: frequent wire sender – Title Company

Attack 3
•  Beneficiary FI: Large national bank
•  Beneficiary: Individual
•  Originator amount: $73K
•  Originator characteristics: sporadic wire sender – Legal Services

Attack 4
•  Beneficiary FI: Large international bank
•  Beneficiary location: Hong Kong (had done US and UK wires in the past)
•  Beneficiary: Business
•  Originator amount: $125K
•  Originator characteristics: frequent wire sender – Transportation Services

Attack 5 (four separate wires)
•  Beneficiary FI: Chinese bank
•  Beneficiary location: China (history of US wires only)
•  Beneficiary: Business
•  Originator amounts: $2,871,000; $4,950,000; $4,850,000; $4,969,000
•  Originator characteristics: frequent wire sender – Title Company

Further signals in the table, not tied to a single attack in the slide: originator velocity (first wire in almost four months); OBI frequency (new or infrequent use of OBI).

Takeaways:
•  No one bank pattern – US/international, large/small, bank/CU
•  No one location pattern
•  Combination of business and individual
•  Mixed use of instructions
•  Amount often within range of typical behavior
•  Could be single or multiple hits

Page 24

Accurate Detection, Low Alert Volume

The combination of specific attributes of this wire was unusual and untrusted, and yielded a red alert.

Guardian Analytics provides a complete and consolidated view of account history.

Page 25

Accurate Detection, Low Alert Volume (continued)

The combination of specific attributes of this wire was unusual and untrusted, and yielded a red alert. Note that behavioral deviations are expected and do not yield red alerts (top row).

Note the variation in wire amount did not trigger a false positive, as FraudMAP recognized the combined behavior as normal.

Page 26

You’ve Detected It – Now On To the Client…

•  Be prepared with details; be prepared to spend time with the business
•  Start like a normal verification call; get the customer talking
•  Help them to see why you’re suspicious
•  Explain the scams
•  Probe into the situation – ask if they received the request via email, ask for key words
•  Push for non-email based confirmation
•  Remind them you’re there to help
•  Redirect the emotion – focus on the pain of the business losing money

Page 27

Impact of BEC Fraud On Financial Institutions (repeat of page 16)

Page 28

Impact of BEC Fraud On Financial Institutions

Before:
•  Increased alerts to try to detect
•  Increased callbacks
•  Increased volume & cost of recovery
•  Degradation in trust/experience
•  Reputation risk
•  Cost of education

After:
•  Reduced alerts
•  Reduced callbacks
•  Increased detection, less recovery
•  Increase in trust, enhanced experience

Net effect: decrease in costs, increase in trust.

Page 29

Guardian Analytics Successes with BEC

Bank with ~4,000 wires per day
•  Fraud prevented: $19M in two months
•  Efficiency gains: reduced reviews to only wires flagged by FraudMAP, all else automatically processed (50-100 wires/day)
•  Client experience: reduced callbacks; reduction in alerts freed time for deeper client discussion of likely BEC attacks

Bank with ~1,500 wires per day
•  Fraud prevented: $500K in six months
•  Efficiency gains: previously held all online wires (250/day); FM Wire scores all 1500 wires/day, but holds only 75 from any channel, reducing bank effort by 70%
•  Client experience: faster processing; fewer callbacks (1-5/day)

Page 30

Guardian Analytics Wire Benefits

•  Accurate detection with low alert rates
•  Reduction in false positives reduces overall workload and creates time for banks to spend with customers
•  Better client experience
•  Reduction of time spent on paperwork and funds retrieval
•  Reduced risk of lawsuits, reputation issues
•  Build deep client satisfaction and loyalty

Page 31

Guardian Analytics Solutions: Solutions to Detect Fraud Across Channels and Transactions

•  Guardian Risk Engine
•  Guardian Enterprise API
•  Guardian Visual Analytics

Page 32

For More Information

•  Email [email protected]
•  Request a one-on-one briefing
•  Visit www.GuardianAnalytics.com
•  Sign up for a demo
•  Download BEC Best Practices: www.GuardianAnalytics.com/BEC-FI

Page 33

Business Email Compromise