
FRAUD & CYBERCRIME: HOW TO PROTECT YOUR COMPANY?

BNP PARIBAS CASH MANAGEMENT


June 2018
A world of fraud

1. Fraud by impersonation: a growing risk. $3.1+ bn worldwide (Source: FBI 2016 quoted by Bank Info Security)
2. Cyber-fraud: a rising threat. 40% annual growth (Source: Forbes, January 17th, 2016)
3. Data theft: a major risk. $ millions per breach (Source: IBM & Ponemon 2015 Cost of Data Breach)
4. Client risk, still at stake. $ billions worldwide (Various studies incl. 2016 Nilson report)
5. Internal fraud: most frequent cases. 60% of frauds (Source: PwC Economic Crime Survey 2014)
1. Impersonation fraud
The three most frequent impersonation fraud schemes, presented in turn: Fake CEO Scam, Fake Vendor Scam, Fake Technician Scam.

Scheme 1: Fake CEO Scam

Example email exchange (note that the display name in the From line mimics the CEO's real address while the actual sending address is a different domain):
From: john.smith@qwerty-analysis.com <john.smith@presidency.com>
Sent: Wednesday, December 30, 2015 at 3:44 PM
To: Kate 
Subject: Confidential file

Hello Kate,

Did Mr Tim Ryan from our Law Firm contact you?


Best Regards,
John Smith
Chief Executive Officer
"Sent from my iPhone"

From: Kate 
Sent: Wednesday, December 30, 2015 at 3:47 PM
To: ‘john.smith@qwerty-analysis.com’
Subject: RE: Confidential file

Yes, I just hung up with him.


But I did not understand the purpose of his call.

Regards,
Kate

From: john.smith@qwerty-analysis.com <john.smith@presidency.com>
Kate,
For the last months we have been working, in coordination and under the
supervision of the SEC on acquiring a Chinese company... This takeover bid
must remain strictly confidential, no one else needs to know for now. The public
announcement of this takeover will take place Friday, January 8, 2016 in our
office with the presence of the entire board.
I've chosen you for your discretion and great work within the company.
Please contact our law firm immediately (tryan.kpmq@finance.com). He will
give you the bank details to make the credit transfer immediately.
Please send me the balances of the accounts.
This is very sensitive, so please only communicate with me through this email
(john.smith@presidency.com), in order for us not to infringe SEC regulations.
John Smith
Protect against fake CEO scam
• Awareness raising (newcomers!) and message from the CEO
• Segregation of duties
• Avoid validation by fax
• To raise awareness: "credit transfer fraud" training kit

1. Raise your team's awareness about fraud, cyber risks and information dissemination risks. Hold regular sessions (do not forget newcomers and short-term employees) for various staff profiles: accounting, treasury, purchasing, P.A. (personal assistants), etc.
Scheme 2: Fake Vendor Scam

Beware of "Business Email Compromise" (BEC). The typical pattern: both sides of a client/vendor relationship are impersonated from lookalike domains, while the genuine addresses are kim@vendor.com and bob@client.com.

From: bob@cliert.com
Subject: duplicate invoices?
Hello Kim!

From: kim@vendor.net
Subject: our bank account
Dear Bob,

Beware of social engineering: fake clients, fake auditors, fake tax inspectors, fake public administration, fake notary...

Beware of data theft through hacking and malware. Example of an invoice lure:

OVERDUE INVOICE - URGENT

Hello,

Please find the original version of our invoice # 029077112/ 936451

Best Regards,

Shelia Bodo

[Illustration: registered letter]
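The fake CEO and fake vendor exchanges above share three header-level tells: a display name that looks like a trusted address while the real sender sits elsewhere, a Reply-To that moves the conversation to another domain, and a sender domain one or two characters away from a partner's. The following is an added example, not code from the deck or from BNP Paribas; the trusted-domain list and the sample messages are constructed from the deck's screenshots. The From line is split by hand rather than with `email.utils.parseaddr`, because an unquoted display name that itself contains "@" is exactly the malformed case that library parsers handle inconsistently.

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Assumed: domains the company already corresponds with (its own and its partners').
TRUSTED_DOMAINS = ("qwerty-analysis.com", "client.com", "vendor.com")


def split_from(header: str) -> Tuple[str, str]:
    """Return (display name, address) from a From/Reply-To header value.

    The display name is returned as-is so it can be inspected; it is never
    used as the sender's identity.
    """
    m = re.match(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$', header)
    if m:
        return m.group("name").strip(), m.group("addr").strip()
    return "", header.strip()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted domains (cliert.com vs client.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain this one imitates: same label under another TLD
    (vendor.net for vendor.com) or within two edits (cliert.com for client.com)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        if label == trusted.split(".")[0] or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def bec_indicators(raw_message: str) -> List[str]:
    """Return the header-level warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    display, sender = split_from(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. The display name shows an address, but the real sender is another one.
    if "@" in display and display.lower() != sender.lower():
        findings.append(f"display name '{display}' hides real sender {sender}")

    # 2. Reply-To quietly moves the conversation to another domain.
    _, reply_to = split_from(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} redirects replies away from {sender_domain}")

    # 3. The sender's domain imitates one we already deal with.
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates trusted {imitated}")
    return findings


# Constructed samples, modelled on the deck's screenshots.
FAKE_CEO = (
    "From: john.smith@qwerty-analysis.com <john.smith@presidency.com>\n"
    "To: Kate\nSubject: Confidential file\n\nHello Kate,\n"
)
FAKE_VENDOR = "From: kim@vendor.net\nTo: bob@client.com\nSubject: our bank account\n\nDear Bob,\n"
FAKE_CLIENT = "From: bob@cliert.com\nTo: kim@vendor.com\nSubject: duplicate invoices?\n\nHello Kim!\n"
REDIRECTED = (
    "From: Kate <kate@qwerty-analysis.com>\nReply-To: kate@qwerty-analysis-secure.com\n"
    "Subject: account balances\n\nPlease send the balances.\n"
)
GENUINE = (
    "From: Kate <kate@qwerty-analysis.com>\nTo: john.smith@qwerty-analysis.com\n"
    "Subject: RE: Confidential file\n\nYes, I just hung up with him.\n"
)

if __name__ == "__main__":
    samples = [("fake CEO", FAKE_CEO), ("fake vendor", FAKE_VENDOR),
               ("fake client", FAKE_CLIENT), ("redirected reply", REDIRECTED),
               ("genuine", GENUINE)]
    for name, raw in samples:
        print(f"{name}: {bec_indicators(raw) or ['no indicator']}")
```

None of these checks replaces the call-back: a compromised genuine mailbox passes all three, which is why the deck insists on verifying through contact details already on file.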
19
Protect against fake vendor scam
• Call-back procedure in case of bank account change
• Safe management of vendor contact details
• Focus on tier-1 vendors and foreign beneficiaries

Call-back procedure (instructions to check)
• Apply a written call-back procedure in case of vendor detail modification
• Use safe contact details already on file, not those contained in the notification or in the invoice email headers
• Verify the email address of the request and do not check using "Reply to"
• Proceed on receipt of the notification (do not wait until you need to make the payment)
• In case of a foreign beneficiary country or of your largest suppliers, use 2 channels (phone + email)
• Use local account check schemes (e.g. SEPAmail IBAN Check in France; SEDA, SEPA e-Database Alignment)

Safe administration of vendor details
• Authenticate and trace changes to accounts and details (phone numbers, email address...)
• Appoint a small number of people authorised to modify vendor details (e.g. 2 or 3 senior accounting staff)
• Train these people regularly and make them accountable
• If necessary, set up a reference data department (in-house or outsourced)

Against invoice and data theft (protect your clients)
• Apply written call-back procedures in case of an accounting information request
• Regularly raise employees' awareness of invoice theft, BEC and malware
• Build a culture of risk (incoming call, mail, email, social network...)

Scheme 3: Fake Technician Scam
Somewhere abroad, an accountant receives a call (from a number such as 0 825 000..):

Caller: "Mr Martin from BNP Paribas Germany speaking, do you remember me? Your e-banking will be migrating to a new version, and will be unavailable for 72 hours. Could you please go to www.is.gd/migration so that I can proceed with verification?"

The link opens a remote-support tool: "Establish Support Connection. Type your name and the support key received from your technician. Your Name: / Support Key: / Continue".

Caller: "Please enter your session key 281 199 250." Then: "I have the control of your PC. I'm checking the transfers... Go for a coffee if you want!" And finally: "I'm done. Wait 3 days before using your tool: meanwhile, send your payments by paper orders."

Result: - $355,087.11
Protect against technician scam
• Awareness raising
• Call-back procedure
• Option: "RAT" (1) black listing
• List of authorised countries and/or account numbers: "Secure Flows"

1. RAT: Remote Administration Tools
1. Impersonation fraud: the cost
Losses in anonymised cases across the three schemes: €70m, $47m, €42m, $100m+, $100m, €2m, €1.5m, €40m, €23m, $17m, €15m, €1.6m, €1.4m, €1.1m.

Average loss per case: Fake CEO Scam €1.5M on average; Fake Vendor Scam random; Fake Technician Scam €0.5M on average.

Beyond the financial damage, such frauds cause human trauma, layoffs and even bankruptcies.
1. Impersonation fraud: the fraudster's toolkit
• Purchase of public documents, social networks
• Anonymous prepaid card
• Voice over IP platforms
• Voice changer software
• Remote Administration Tools, PC and e-mail hacking, fake website...
• Diversion of phone line
1. Impersonation fraud: main countries of destination of transfers
• SEPA zone countries (intermediary bank accounts)
• China and Hong Kong
• Israel

Destinations observed: China, Poland, Cyprus, Latvia, Bulgaria, Hong Kong, Czech Rep., France, Germany, Greece, United Kingdom, Slovakia, Hungary, Spain, Estonia, Belgium, Turkey, Lithuania, Netherlands, Austria, Norway, Switzerland, Denmark, Singapore, Romania, Macedonia, Italy, Slovenia, San Marino, Portugal, Sweden, Croatia, Monaco, Cambodia
2. Cyber fraud: a rising threat
Frequent phishing attacks...

1. Reception of emails... or SMS. Example:

06/03/2014 07:26
Message from: "BNP Paribas" < @bnpparibas.com>
To:
Subject: BNP Paribas messages

Dear client, Your BNP Paribas account needs verification:
You have (2) new messages.
Check your mailbox, by clicking on the link below:

Your mailbox
2. Cyber fraud: a rising threat
2. Theft of password. 3. Theft of SMS validation code, through a bogus page:

"For security reasons, we need to check your mobile phone. You will receive an SMS code within a few minutes. Please enter your SMS code:"

... or SIM card misappropriation. The operator's alert reads:

"info: a SIM card reissuing request has been asked for your mobile contract. If you are not responsible for this request, please contact immediately the Help Desk at"
2. Cyber fraud: a rising threat
Beware of attachments (MS Office, zip...) and links to documents.
2. Cyber fraud: a rising threat. How a malware-driven credit transfer fraud unfolds:
1. An employee receives an email (e.g. a fake "invoice").
2. A malware installs on the PC silently.
3. The malware creates a beneficiary account or a credit transfer.
4. If needed, it asks for validation via a fake page.
5. Propagation and data theft.
Regular login page versus bogus page (signature request at login):

Regular login page: "Access your accounts", user ID 12345678, OK.
Bogus page: "To proceed with validation: 1. Enter the challenge on your reader. 2. Enter your PIN code. 3. Enter the response and confirm. Challenge: 4702 3476", OK.

The response typed into the bogus page is the signature that validates the transfer created by the malware, not a login step: a genuine login page never asks for a transaction signature.
Ransomware alert (cartoon):
"An email with urgent antivirus update..." / "Let's go, I don't have all day..."
"Look Mark! It says my files are encrypted, and I must pay €300 to decrypt!" / "What's this thing?"
"Look, it's called Cryptolocker. Is it what you got?" / "Didn't you check the email sender?" / "Uh no... I just opened the attachment."
Protect against cyber fraud
• Awareness raising
• Good "IT hygiene"
• Segregation of duties (1)
• Frequent secured backups (2)
• ... and if possible, blocking VBA attachments
• To assess your prevention: "personalized risk assessment"

1. If possible, use offline validation (e.g. one-time password) and raise user awareness of fake validation pages.
2. Regular backups, disconnected from your IT network, regularly tested to make sure they are not encrypted.
3. Data theft: a major risk
Malware can steal:
• Your browsing history
• Your IDs and passwords (web banking, webmail...)
• Your credit card numbers
• Your contact information (address, phone, email...)
• Your lists of customers and suppliers, account numbers...

This data can be sold and allow other scammers to operate:
• Credit card frauds
• Direct debit frauds
• Impersonation frauds...
3. Data theft: a major risk
Massive data theft is a major risk to utilities, telcos, large retailers and online merchants, but also to SMEs, which are often less protected.

[Chart: share of cyber attacks by target size (large business, medium business, small business); "80% of cyber attacks"]

Large retailer case:
• Malware on P.O.S. machines
• Theft of data of 70+ million clients
• Global cost of $170m ($20 to $200 per client)
• CEO fired after 35 years of service
• Multiple lawsuits

What SMEs face:
• Hacking of databases (client files, bank details...)
• Espionage (secret process, pricing, RFPs...)
• Damages (paralysed servers, unusable PCs, e-commerce site defaced...)


3. Data theft: a major risk
By phone, mail, email... and also on social networks: beware of fake customers, auditors, tax inspectors, public administration, surveyors, head hunters, travel agencies...
Protect against information theft
• Awareness raising (1) and culture of risk
• Authentication of correspondents (2)
• Protection of files
• To raise awareness: "Protecting information" training kit

1. Awareness in order to create a culture of risk and identify sensitive information: be cautious when publishing info on social networks, over the phone, by email...
2. Verification procedures in case of sensitive solicitations (e.g. call-back to authenticate tax authorities' requests, etc.)
4. Client risk, still at stake

Example: fake client fraud
1. Order by a fake client (or a prospect)
2. Delivery at a bogus address and receipt of loaded trucks
3. Non-payment of invoices
NB: affects particularly the businesses of the agri-food industry

Example: supplier credit fraud
1. Creation of a business relationship
• Fraudster buys electronic devices from his victim
• Gradual increase in the amounts
2. Non-payment of the last delivery
• Provision of a copy of the credit transfer order
• Cancellation of the transfer order
• Materials sent abroad
• Insolvency

NB: many other client frauds: supplier credit based on false information, fake payment means (counterfeit money, loyalty card scam...)
4. Client risk: collection risks
For each collection means: risk (client frauds...), collection guarantee, recommendation.

CREDIT TRANSFER: risk very low (rare cases of cancellation or dispute); guaranteed at account credit (within 24 hours); to be favoured when possible.
B2B DIRECT DEBIT: risk very low (rare cases of cancellation or dispute); guaranteed at account credit (within 24 hours); to be favoured when possible.
CARD (WITH PIN OR 3D SECURE): risk low (commercial contestation up to 13 months, mostly foreign cards); guaranteed at account credit (within 24 hours); best solution for point of sale and e-commerce.
BILLS OF EXCHANGE: risk medium (risk of unpaid bill and commercial dispute); guaranteed after ~15 days, even in case of bill discount; to be used with trusted clients only.
STANDARD DIRECT DEBIT: risk medium (repudiation within 8 weeks without motive, contestation for mandate nullity within 13 months); guaranteed after 8 weeks; for trusted clients, moderate amounts, service offering...
CASH: risk medium (counterfeit money, theft of cash at point of sale or during transportation); guaranteed after 72 hours following the remittance to the bank; amount < €1,000 (€15,000 for foreigners).
CARD (WITH NO PIN AND NO 3D SECURE): risk high (repudiation within 8 weeks without motive); guaranteed after 13 months; to be used with trusted clients, duly authenticated.
CHEQUE: risk high (rubber cheque, cheque theft and falsification, overpayment scams...); guaranteed after 15 days*; to be used with trusted clients, duly authenticated.

* Loss / theft: 8 days. Fraudulent use: 10 days. Signature not in conformity / falsification / false / irregular or missing endorsement / obligatory mention absent: 60 days. Insufficient provision: the alert for insufficient provision occurs during the presentation for payment to the sending bank, which must inform the issuer of this and invite him to regularize the position of his account. A period of 24 or 48 hours is quite commonly practiced by the banks, but it may last up to 7 days depending on the practices of the bank of the issuer of the cheque.
Protect against client fraud
• Upon order receipt, authenticate your client (1)
• Know and control the risks of collection means
• Tools: SEPAmail IBAN Check, 3DSecure, Mercanet, Ethoca©, Vérifiance, SDD white and black list...

1. Written procedure in case of receipt of an order, request for quotation or request for opening a customer account, for example: call-back upon receipt of the order; in case of a foreign country, check by two channels; use safe contact details, not those contained in the order, and do not reply to the email; verify the email address of the request carefully...
5. Internal fraud: most frequent cases

[Chart: internal fraud schemes plotted by probability (scale 5% to 20%) against average prejudice (scale 50 K€ to 150 K€)]
• Purchasing fraud: fake invoice, fake supplier...
• Theft of receivables: cash, cheques, Ponzi schemes, fake discount...
• Asset theft: supply, tangible and intangible assets
• Expense reimbursements
• Unaccounted sales
• Outgoing cheque tampering
• Payroll fraud: fake employee, fake timesheets...
• Falsified payments
• Receivables transfer

Sources: PwC 2014 Global Economic Crime Survey; Association of Certified Fraud Examiners


5. Internal fraud: most frequent cases

Purchasing misappropriation by the company's Head of IT Operations
1. Subscription of leasing contracts
• Fake delegations of authority
• Purchase of electronic devices (not related to the company's activity)
2. Misappropriation and resale of purchased devices
• Use of bogus companies
• Passive complicity of the leasing company

Theft and forgery of cheques by an employee with access to the mail
1. Misuse of cheque letters
2. Tampering with the cheques' printed items
3. Cashing in on several accounts
Protect against internal fraud
• Procedures and segregation of duties
• Accounting follow-up and bank reconciliation
• Limitation of the means of payment in circulation: Corporate Card, Purchasing Card, Virtual Card, Secured Cheque Letter©, Chèque Confiance©, Forcash©, Smart Lock Boxes...
Protect your business
Fraud is not inevitable: corporates can protect themselves. Find all concrete good practices in our training kits.

1. Train your staff regularly
• Fraud and cyber risks and information dissemination
• Accounting, treasury, purchasing, P.A., etc.
• Regular sessions (newcomers, short term employees)...

2. Authenticate your counterparties
• CEO, vendor, technician, client
• Written procedure
• Not yielding to urgency and confidentiality
• Safe contact details!
• Check email headers!
• SEPAmail IBAN Check (in France)

3. Secure your information system
• Up-to-date OS, browser and antivirus software
• Restriction of installation rights
• Auto-execution of macros deactivated
• Protection of customer and supplier databases
• Regular backups

4. Make good use of your payment application
• Segregation of duty and limit amounts
• Suppression of paper orders and validations
• Authentication means
• Beware of private PCs and smartphones!

5. Use improved controls
• Daily monitoring of issued payments
• Use of paper proofs
• Internal control and audits
• Secure Flows: authorised countries...
• Bank call back

6. Build corporate governance
• Work with HR, IT, Purchasing...
• Culture of risk
• Watch of new fraud schemes
• Whistle Blowing Hotline
• Communication to clients
• Fraud risk assessment...
In case of fraudulent transfer (or suspicion)
1. Notify your management and preserve evidence
2. Contact your bank immediately
3. File a complaint with the police

• Before it happens, train your staff to ensure they react appropriately in case of fraud
• Ask your legal department to be prepared to file a complaint in the beneficiary's country if necessary
• Check issued transfers every day, with special attention to high-risk countries: China, HK, Poland, Cyprus, Latvia, Bulgaria, UK, Hungary, Czech Rep., Greece, Slovakia, Spain, Estonia, Belgium, Turkey, Lithuania, Netherlands, Austria, Norway, Switzerland, Germany, Denmark, Romania, Macedonia, Italy, Slovenia, San Marino, Sweden, Croatia, Singapore, Portugal, Monaco
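The "Secure Flows" control (authorised countries and account numbers), the segregation and limit rules of the payment application, and the daily check of issued transfers fit together as one screening routine run before and after the payment run. The block below is an added example, not code from the deck or from BNP Paribas: the policy values (authorised countries, limit, known beneficiaries) and the three transfers are constructed; the high-risk country set is the deck's own list. The IBAN country prefix is used because it is present on every SEPA payment, which is why the deck notes that fraudulent transfers often route through SEPA intermediary accounts.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Countries the deck lists as frequent destinations of fraudulent transfers.
HIGH_RISK: Set[str] = {
    "CN", "HK", "PL", "CY", "LV", "BG", "GB", "HU", "CZ", "GR", "SK", "ES", "EE", "BE",
    "TR", "LT", "NL", "AT", "NO", "CH", "DE", "DK", "RO", "MK", "IT", "SI", "SM", "SE",
    "HR", "SG", "PT", "MC",
}


@dataclass(frozen=True)
class Transfer:
    reference: str
    beneficiary_iban: str
    amount_eur: float
    initiated_by: str
    validated_by: str


@dataclass
class SecureFlowsPolicy:
    allowed_countries: Set[str]      # assumed: where the company actually has suppliers
    known_ibans: Set[str]            # beneficiaries already confirmed by call-back
    single_transfer_limit: float     # assumed hard limit per transfer, in EUR


def country_of(iban: str) -> str:
    return iban.replace(" ", "").upper()[:2]


def screen(t: Transfer, policy: SecureFlowsPolicy) -> Tuple[str, List[str]]:
    """Pre-release decision for one transfer: BLOCK, HOLD or RELEASE, with reasons.

    Hard rules (country allow-list, four-eyes, amount limit) block outright;
    a first payment to an unknown IBAN is held until someone calls the vendor back.
    """
    reasons: List[str] = []
    country = country_of(t.beneficiary_iban)
    if country not in policy.allowed_countries:
        reasons.append(f"country {country} not in authorised list")
    if t.initiated_by == t.validated_by:
        reasons.append("initiator validated own payment (segregation of duties)")
    if t.amount_eur > policy.single_transfer_limit:
        reasons.append(f"amount {t.amount_eur:.2f} above limit {policy.single_transfer_limit:.2f}")
    if reasons:
        return "BLOCK", reasons
    if t.beneficiary_iban not in policy.known_ibans:
        return "HOLD", ["first payment to this IBAN: confirm by call-back before release"]
    return "RELEASE", reasons


def daily_review(issued: List[Transfer]) -> List[Tuple[str, str]]:
    """End-of-day check of transfers already sent: those to high-risk countries,
    listed so someone looks at them while the bank can still attempt a recall."""
    return [(t.reference, country_of(t.beneficiary_iban))
            for t in issued if country_of(t.beneficiary_iban) in HIGH_RISK]


# Constructed policy and transfers; the IBANs are published test values.
SAMPLE_POLICY = SecureFlowsPolicy(
    allowed_countries={"FR", "DE", "GB", "IT"},
    known_ibans={"FR1420041010050500013M02606"},
    single_transfer_limit=250_000.0,
)
SAMPLE_TRANSFERS = [
    Transfer("T1", "FR1420041010050500013M02606", 48_200.00, "kate", "bruno"),   # routine supplier
    Transfer("T2", "GB82WEST12345698765432", 19_900.00, "kate", "bruno"),        # new beneficiary
    Transfer("T3", "CY17002001280000001200527600", 355_087.11, "kate", "kate"),  # the deck's loss figure
]


def run_sample() -> Dict[str, str]:
    """Screen the constructed batch and return reference -> decision."""
    return {t.reference: screen(t, SAMPLE_POLICY)[0] for t in SAMPLE_TRANSFERS}


if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        decision, why = screen(t, SAMPLE_POLICY)
        print(t.reference, decision, "; ".join(why))
    print("daily review:", daily_review(SAMPLE_TRANSFERS))
```

Note that T2 goes to the UK, which is both on the company's authorised list and on the deck's high-risk list: the allow-list releases it once the call-back is logged, and the daily review still surfaces it. The two controls answer different questions (may this go out? / did something go out that deserves a second look?) and neither replaces the other.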


Questions?

1. Train your staff regularly: regularly raise your team's awareness of risks and limit information dissemination.
2. Authenticate your counterparties: have an identity verification procedure for CEO, vendor, technical officer, client, tax officer...
3. Secure your information system: use up-to-date antivirus, restrict installation rights and protect your databases.
4. Ensure proper duty segregation: ensure duty segregation, make good use of the payment tool, and avoid paper orders.
5. Use improved controls: monitor issued payments every day, or use closed lists of countries / beneficiaries.
6. Keep updated and talk about it: raise your clients' and suppliers' awareness, and work with your banks.

Ask your relationship manager for a diagnosis and personalized advice.