CIBC’s Commercial Banking podcast series, Conversations in Commercial Banking, understands that your business is a living, breathing entity in need of nurturing to continue to grow. Whether you’re looking to navigate a tough economy, tap into current industry trends or identify key tools to take you to the next level, our team of experts is here to equip you with the information you need to make your vision a reality.
Announcer:
Welcome to Conversations in Commercial Banking, a podcast series dedicated to the pressing financial topics facing middle market business leaders today. We bring in experts from all facets of our North American institution to provide actionable insights that help you navigate today's environment. Our discussions include industry trends, strategies to identify and manage risk, and unlocking opportunities for growth, all with the purpose of helping you realize your ambitions. And now for this week's episode.
Brad Fedosoff (00:32):
Hello and welcome to Conversations in Commercial Banking. My name is Brad Fedosoff and I'm the Senior Vice President of Technology, Infrastructure and Innovation here at CIBC US, and I'm pleased to be your host today. Bad actors capitalizing on business vulnerabilities is a tale as old as time, but luckily it usually comes in the form of predictable and preventable methods that are used year over year. On this episode of Conversations in Commercial Banking, we explore the blind spots that can leave your business vulnerable, and we'll discuss countermeasures that you can take to stay on top of, or at least one step ahead of, security risks. Joining me today to further discuss are three members of the CIBC Fraud and Information Security team. First off, I have David Griffin, who's our Chief Information Security Officer for our US region; Philip Fisher, who's the Senior Director of US Fraud Management; and Tom Schultz, who's the Managing Director of US Fraud Risk Management. Thanks for joining me today, gentlemen.
David Griffin:
Thank you.
Brad Fedosoff:
David, let's kick it off with you. What blind spots do people have that make them particularly vulnerable to cyber risks these days?
David Griffin:
Yeah, I think first, people generally just want to help, and that good nature can be exploited. You see that in the physical security world with people holding doors open for others and not making them swipe in. And in the online world, you get kind of that similar nature. You may get an email from your CIO saying, "Hey, we need money transferred immediately or we're going to miss out on this deal," and people just want to help and they don't check that it's legit. They just want to make it happen. And you see that a lot in the industry. Second, I think people always think that's security's responsibility, and the reality is security controls can only do so much. There are constantly new ways bad actors are getting in and new ways to compromise unsuspecting users. I mean, for example, a bad actor can spin up a new domain in seconds, and you just can't rely on your proxy or your email filter to know that it's malicious and block it. And then last, when you think of businesses and the increased reliance on third parties, I think businesses feel like they've shifted the risk over to that third party. And while that may be true in some cases, it's still your name on the line, and it's going to be your name in the headlines, with the potential detrimental impact of that.
Brad Fedosoff:
Yeah, those are all great points, and I completely agree. What are some of the common countermeasures you're seeing deployed to prevent infiltration these days?
David Griffin:
Yeah, I mean, obviously there are the traditional security controls such as network security devices, firewalls, proxies, intrusion detection on everybody's laptops and endpoints. You've got antivirus, you've got encryption, data loss prevention, but a lot of these things are just table stakes, right? You have to go beyond that, and I think the first thing you can do is just assume your users' passwords have been compromised. And so you need to make sure they don't have administrative privileges on everything and that they have the least amount of privileges that they need. But more importantly, I think multi-factor authentication needs to be enforced. So this is where you have two or three factors to achieve authentication: something you know, something you have or something you are. And it used to be that people thought, "No, we can't have our users do that, it's not user-friendly," but we're seeing this so much more commonly in the marketplace, and people are very used to these sorts of second prompts. So people are adopting them more and more, and it's extremely important, because if a password gets compromised, they still need one more factor to get in. And then last, I talked about the third parties and the increased reliance on them. I mean, you just have to make sure that you have a strong third-party risk management capability and you're ensuring that those third parties have a sound security program.
Brad Fedosoff:
Thanks, all great insights, David. Philip, over to you. What type of fraud are we seeing these days resulting from email compromises and email spoofing?
Philip Fisher:
Well, Brad, there are really two kinds of fraud that we're seeing across the industry. The first one is, once the fraudster gets into your email, it's easy for them to go through your inbox and all of your saved items to see who you interact with from a bank perspective: who your bank is, who your relationship manager is. And they can actually jump in on old conversations with the bank and start to ask for new things, start to ask for payments, start to ask for new users to be added to systems that allow you to do wire and ACH transactions. And of course it'll look reasonably legitimate to the bank, because it will be coming from the client's legitimate email address. It will have a previous conversation on there, and that can make it appear more authentic to the bank. And so you have a risk of loss associated with that.
You also have the risk that the fraudster with access to your inbox will start identifying who all of your business partners are and start sending messages out to them saying, "Hey, my banking information has changed. When you want to pay me next time, instead of using this account, I'd like you to use this new account." And then what happens when all of your business partners start to send you money? All of a sudden that money is redirected to an account belonging to the fraudster, and you're not getting the money, right? And you may never know it, because for the emails that are going out, the fraudster may have actually set up email filtering rules to prevent the real user of the email account from seeing the responses that are coming from the business partner. So you may never know that there's correspondence going on from your email account to others unless somebody phones you up to verify instructions. And that's why we always encourage our clients that if they do get changes in payment instructions, they pick up that phone, they call the originator of the request and say, "Hey, just want to confirm you're changing your bank account, and with this information I can make my future payments here." And that way it's safe.
Brad Fedosoff:
Yeah, that's super important. Some great insights there, Philip, and it really does highlight the importance of having two-factor authentication on email, which our clients should be using. Tom, over to you. What are some of the leading practices from a control environment perspective, and what are some of the known red flags you're seeing in the risk space?
Tom Schultz:
Thanks, Brad, for the question. So I'll first tackle sharing some of the business email compromise red flags. Now, before I dive into those red flags, it is first important to point out that some bad actors can be quite clever and do a really good job at minimizing or eliminating red flags from their communication. The existence of one red flag may not mean that the communication came from a fraudster, but I always stress to err on the side of caution and perform some of the controls I'll touch on in a bit. So the red flags we see quite often include a sense of urgency, the timing of email delivery, grammar, including an alternative telephone number for callback purposes, discreet differences in the sender's email address, and communicating a change in payment details. So I'll break each of these down just a bit. Regarding urgency, what bad actors are really trying to do here is convince their targets that they should bypass their payment controls, which could otherwise detect fraud.
Fraudsters may also look to leverage the idea that people have an inherent desire to help others in challenging times. I know David touched on this a little while ago. That results in a rushed payment that helps the receiver or beneficiary ensure a business transaction goes smoothly, or so the scammer says in their email. Around timing of delivery, this could be considered a red flag if all prior payment requests were received at quarter or month end and all of a sudden there is an email that was sent mid-month or mid-quarter. It's also not uncommon to see a bad actor send an urgent email late in the day on a Friday, when individuals may be distracted while focusing on wrapping up certain deliverables before departing for the weekend. From a grammar perspective, pay close attention to writing styles and greetings. A bad actor could use a greeting such as "Dear" or "Customer" when the legitimate individual may have avoided greetings altogether.
And another tactic that's used is that fraudsters will include alternative telephone numbers in the email narratives. So that's a tactic deployed to really ensure that individuals don't speak to legitimate parties when validating the authenticity of payment instructions. There's often a story that's conveyed about how they're out of the office, so they can't be reached at their desk phone, or their cell phone is lost or damaged, and they are instead available at a different number. And then discreet differences in sender email addresses. So this is where a scammer attempts to replicate as closely as possible the legitimate sender's email address domain with one they have created. For example, they may replace a lowercase i with a lowercase l, or include two lowercase l's instead of one. And certainly last but not least is the red flag that focuses on a change in payment instructions. Fraudsters obviously need funds, and Philip picked up on this earlier; they need funds directed to bank accounts that they control, either through direct ownership or through access gained by an account takeover, an account that was maliciously taken over.
So any change in payment-related beneficiary account information should be suspicious until payment legitimacy is confirmed. So now the other part, Brad, of your question, it's really around the control factors, right? So in speaking of confirming legitimacy, I'm a firm believer that organizations must prioritize fraud awareness and are absolutely doing the right thing when they do that. An employee that is authorized to initiate payments or has the ability to influence others to initiate a payment, that could be C-suite staff, that could be accounts payable personnel, that could be client relationship teams. They should all receive fraud training. It can be difficult to detect a red flag if one doesn't even know that business email compromise exists and the tactics that are deployed by scammers. So laying that foundation is really important. Next, confirming payment instructions and changes in bank account details associated with payment requests.
That's pivotal in avoiding business email compromise victimization. Procedures should require completing callbacks to trusted telephone numbers and, if possible, having someone place the call who would recognize the payment requester's voice. Related to email addresses, again, thoroughly inspect sender email addresses in an attempt to identify any sort of discreet differences. And unfortunately, we've seen clients victimized in this space, and so I suggest developing a business email compromise response plan; that matters. Hours and minutes also matter when it comes to minimizing financial losses. So organizations should know who they should engage internally, such as senior management or their information security team, and those they should engage externally, such as the FBI's Internet Crime Complaint Center or their financial institution. These external partners can assist with recovery efforts. But again, time is of the essence, and expedient reporting is absolutely critical in the pursuit of recovering funds. So Brad, I think I've covered that question. I'll now go ahead and turn it back over to you.
Brad Fedosoff:
Yeah, that's great, Tom. Thanks for such a comprehensive answer. It was a big question and you really highlighted some key red flags. I know my spouse was showing me a request that she got through Facebook Messenger the other day, from "Facebook", asking her to update her account security settings, and she showed it to me, and the first thing that my eyes went to was that there were three O's in the word Facebook. And so they truly are getting smarter, and it is amazing what the human eye can be tricked by as it relates to people clicking on things. So gentlemen, thank you. This was a very enlightening conversation, hearing all your perspectives, and thank you all for joining us on this podcast with a focus on protecting your business from cyber risks and fraud. If you have any additional questions, please reach out to me or your relationship manager at CIBC to assist. In the meantime, check us out at cibc.com/us or across our several social media platform presences by searching at CIBC US. Thanks for listening. Look forward to catching up with you all soon. Have a nice day.
Announcer:
CIBC is a Member FDIC and Equal Housing Lender. Loans are subject to credit approval. To the extent that information contained herein is derived from third-party sources, although we believe the sources to be reliable, we cannot guarantee their accuracy. The CIBC logo is a registered trademark of CIBC, used under license. Investment products offered are not FDIC insured, may lose value and are not bank guaranteed.