Managing Cybersecurity and Fraud Risk

– [Steve] Hello everyone. My name is Steve Calehere. I’m the team leader for CIBC’s public sector and not-for-profit group, and on behalf of my colleagues at CIBC, I’d like to welcome you to our webinar today. We’re delighted that you’re able to join us for this session, which is going to address a topic that continues to be a major challenge for public sector and not-for-profit organisations in Canada: cybersecurity and cyber fraud. It’s very unfortunate, but the frequency and severity of cyber attacks in the sector is increasing, and whether those attacks are in the form of electronic transaction fraud, the hacking of patients’ medical records or ransomware, these types of incidents can significantly impact your organisations. So today my colleagues from CIBC, Susan Welstead and Jack Nunno, will discuss cyber fraud trends and examples of attack scenarios, as well as some best practices you can implement to mitigate your risk. By way of introductions, Susan Welstead is Director of Education and Awareness with CIBC’s enterprise security team, and part of her role involves giving presentations such as this one, both to clients and to employees, to create greater awareness around cyber and fraud security issues. Our second speaker, Jack Nunno, is Market Vice President with CIBC Commercial Banking. Jack has responsibility for the bank’s mid-market cash management group in Eastern Canada, and Jack’s team provides cash management and treasury solutions to a broad range of clients, including many public sector and not-for-profit organisations. Susan and Jack are going to take us through a PowerPoint presentation on screen, which we’ll make available to you afterwards through your CIBC relationship manager. After they conclude their prepared remarks, we’d encourage you to ask questions by clicking the icon at the top of your screen. On that note, Susan, I’ll turn things over to you.

– [Susan] Great, thanks very much Steve.
So yeah, I do host a lot of these calls for various client bases at CIBC and our internal groups as well, and what we’ve been seeing over the past several years is just an increase in cybercrime and cyber fraud. So we do find it to be really beneficial to try to get ahead of it by making people aware. So I’ll jump right in, if I can progress my slide (Susan chuckles). Some of the first things I want to talk about, and I know there might be a little bit of a lag on the screen, are some of the threat actors and the tactics that we’re seeing in the landscape. By threat actors we basically mean cybercriminals, and apologies if there’s a tech support gentleman on the line, I can’t actually see anything. But yes, our threat actors include things like hacktivists and nation state actors. I’m going to take control back. Get back to my first slide here. Apologies everyone. Nation state actors, as well as some of our hacktivist groups. So nation state actors are some of the players we’ve heard about in the news, like China and Ukraine, but also Canada and the U.S. We also have skin in the game there. There are internal fraudsters and internal cyber threats. Some are malicious and some of them are unknowing. Here we go. My apologies. Organised crime is a big one as well. The days of horse and carriage and holdups have pretty much passed, and we see that attacks are happening much more in an online space, and these attacks can be quite simple, although the technology behind them is very sophisticated. So some of the kinds of tactics we see are social engineering, which I’ll go into in a little bit more detail later, but that includes things like phishing, which most people have heard of. Those are fraudulent emails that purport to be from real sources.
There’s also vishing and smishing, which are voice phishing or phone fraud, as well as text message phishing, and we’ve seen quite a bit of that in the text message space recently. Spear-phishing, of course, is a more targeted type of attack where these cybercriminals look up a lot of information about particular targets. So maybe it’s a board of directors member, or maybe a CEO of an organisation or a president, and they target them specifically with things that will make them respond. Some of the items that you would see as a result of these phishing attacks are things like malware and viruses. Those can infect your systems. They can take down servers. Insider threats are a bit of an interesting one, where we talk about both malicious and non-malicious insider threats. So of course our malicious insider threats are people who actively and intentionally plan to do harm, whereas our non-malicious insider threats are actually every one of us, because we want to do good and we want to be timely and we click on things that perhaps we shouldn’t click on. There’s some more detail there about exploits and denial of service, but that’s sort of the more technical side of things. Suffice it to say, exploits are vulnerabilities that are known in the wild, and sometimes not known. When you get those software update requests on your computer, everybody likes to delay those because nobody wants to be offline for any period of time, but a lot of times if you see there’s a security update, it means that there was a vulnerability found, and by not patching or not updating your computer, or not allowing your OS, your operating system, to be updated, you leave yourself vulnerable to attack. So, some of the background from a cyber risk perspective. This is a major, major profit-driven industry. We’ll get into some of the numbers later, but this is a billions-of-dollars industry.
So we’re seeing the frequency of attacks continue to rise, and these are profit-motivated criminals who are really looking to upset the business and operations of any kind of organisation, including all of our not-for-profit group, including large organisations and small organisations. They’re looking to steal your data. So healthcare records are incredibly valuable on the dark web, which is sort of the nefarious end of the internet. System availability: that’s shutting down access to sites. For CIBC, for example, that would be blocking access to our online banking, and knowing that kind of impact and what that can do to our client base and our reputation. And then of course, fraud. Theft and manipulation of information, market manipulation, and these are all threats that can then impact your reputation. Regulatory bodies can come after you, and of course there’s loss of confidence in your organisation. So as I mentioned, the sophistication of attacks is definitely increasing, and we’re seeing a lot of collaboration in the space. When I talk about the dark web, this is a part of the web that’s not indexed. So it’s not an area you get to by Googling. This is something sort of below the layers, and cybercrime as a service is a trend we’re seeing as well. So this means, for example, that in the past you’d have to have a real tech-savvy mind to be able to write code and cause problems, and we’re seeing now that people can actually buy packages of code, malicious packages of code, and have it deployed by service providers who are cybercrime service providers. It’s a peculiar setup, but they even have support lines and things like that. So for example, ransomware, which we’ll talk about in a minute as well.
Ransomware is a means by which the cybercriminal gets into your system and then locks down all of your files, and they ask for a ransom, usually with payment through Bitcoin, in order to unlock your files. In the past this would have been something, again, where you’d have to have a sophisticated coder in the background running this through, but now you can buy that package, and it costs about $20,000, but the average ransomware payout at the end is around $180,000. So you can see, when you have a return on investment like that, we’re up against groups of people who are just eager to really make a lot of money off the backs of everyone else. I wanted to take a look at some recent examples, and you’ll see some come up on the screen with some bigger companies that we’ve heard about in the news as well, but we’ve been seeing data breaches and cybercrime targeting municipality groups a lot more in the past few years, as Steve mentioned as well. For example, Wasaga Beach is a small municipality north of Toronto, quite small, and in 2018 they were victims of a ransomware attack. So all of their city records, payroll for various services like fire service and so on, everything was locked down, and it meant that everybody’s computer in the city administration offices was locked down with the same message on the screen saying, “If you don’t pay this ransom, we will destroy all of your records.” They were asking for about 110 or $130,000 worth of Bitcoin, and Bitcoin is used often because it’s not traceable. Any kind of cryptocurrency tends to be untraceable. And the Wasaga Beach folks managed to actually negotiate with this crime body, and they got the payout down to $34,000 in Bitcoin. However, there are all these other costs that are associated with this as well. So it’s not just paying out that $34,000, here are your files back. Now they have to look through the hardware setups that they have.
Do they have the right security for their hardware? Do they have the right software? Do they need to have a security consultant group come in to do an assessment? And they did. And the bills started racking up, and by the end of 2018 I think they had spent just shy of $300,000, and then in the next year, in 2019, another about $100,000. So shy of half a million dollars for that one incident. Midland, they were subject to a cyber attack as well. City of Burlington, they had a half a million dollar phishing cyber attack where they lost half a million dollars. Stratford city hall had some shutdown attempts last year as well, and we’re just seeing this become more prolific, more common. These external actors, again, are looking to exploit vulnerabilities that existed on the system. So a lot of ransomware takes advantage of maybe not even phishing, maybe not just sending an email to someone, but actually leveraging gaps in the system that they have, and also taking advantage of people inside the organisation who maybe have access to data that they can take, that they can steal from the company. So one of the very frustrating tactics right now is actually around COVID-19, and it preys on the sensitivity around this particular topic, of course, and we’re seeing a lot of scams around this. I imagine a lot of the people on the phone have probably experienced some of these as well. I’ve been getting threatening calls from groups purporting to be the CRA and the RCMP, telling me that there are police outside my house, which is really easy to validate by just opening my curtain, and also that’s really not how the CRA or RCMP function. But you can imagine that there are groups of people who just don’t know that, or they get nervous.
Sometimes it’s older people, sometimes it’s just people who aren’t familiar with how a municipality or a hospital or a bank gets in touch with them normally. So these COVID-19 attacks look quite legitimate. Often they’re emails with links to, “Oh, here’s the latest data science on this.” And you click on the link, and what’s actually happening is some malware is downloading on your machine in the background, and unfortunately there are often no flags, no alerts that say this is happening, and you don’t know what’s happening. Then they get access to your computer, your personal computer or even at work, and try to find information. Maybe it’s your banking information, or perhaps again it’s medical records or city records or things like that. They’re kind of bringing up these old scams that we hadn’t seen as much recently until COVID, which is these phone attacks, and they’re not just going after large corporations or banks. We’ve been watching this and making sure that we’re alert. We actually collaborate with other banks when we talk about this kind of threat landscape. This isn’t a space where we compete; this is a space where we collaborate, so that if we are seeing a particular kind of attack we’re going to be sharing that with our financial institution peers. But we’re seeing the cybercriminals pretending to be banking officials or financial advisors and trying to get people to disclose their financial information over the phone. Health and government agencies are being impersonated, and the local hospitals are being impersonated, and again, this is coming up with the CRA and the RCMP. Unless they have an outpost right by my house, I don’t know why I get calls every day saying that they’re right there. So I’m just trying to get access to, there we go.
So I want to talk about some of the other types of fraud, and while cheque fraud is not what we’d call a cybercrime, it actually very much links into it, because a lot of the mentality behind it is the same, or they’ll leverage something like a phishing attempt to get you to disclose certain information in order to perpetrate cheque fraud. We know we’re moving away from cheques, but with things like remote deposit capture on our phones, and even at certain kinds of businesses, we do see that cheque fraud is continuing, and the cybercriminals are taking advantage of a couple of things. Sometimes it has to do with the delay in processing or clearing of a cheque, and sometimes it’s just the ease of being able to alter something. So, just to run through them quickly, because I know it’s not a big use, but I have friends and relatives who have small businesses and they end up using cheques with vendors and things for services rendered. Worthless deposits and cheque kiting: these are cheques with no value, and the fraud just takes advantage of the funds on hold. So the cheque is deposited but it has no value, or it’s not even a valid cheque, but they withdraw the money right away. Altered cheques, of course, are ones where the payee name and amounts are altered. You can scratch this off. If anyone ever saw that film “Catch Me If You Can” or heard of Frank Abagnale, these are the same tactics that were deployed 20, 30, 40, 50 years ago, where they use chemicals to lift or adjust the lettering on cheques. Counterfeit cheques, of course, are ones that hold the same serial number and just repeat it over and over again, and then forged endorsements, of course, which is the signature. Just forging signatures. And then moving into wire fraud. So these schemes are becoming more common.
There’s wire fraud, electronic fraud, or even kind of the Western Union kind of fraud, and just as a personal aside, the reason I joined CIBC’s security team, I actually came from a technology background, is that my parents were victims of two cybercrimes in a single year, and one of them was a wire fraud where they were victims of what they call the grandparents scam. A relative calls you and the phone is cut off, and they were told that in order to secure bail or get a bail hearing they had to wire money immediately, and it created a big panic. A lot of times what these wire frauds start from is a sense of urgency or a sense of panic, so that you’re responding not how you normally would, not taking the care you would normally take in order to actually check who the person requesting is. So sometimes these are a long kind of game where trust is set up over a matter of months and then they have you wire money. We’ve heard about things like romance scams, but these can happen in organisations or to personal accounts as well, and we’ll talk more about business email compromise, because that one in particular we’ve seen has had an impact, and I can give you a bit of an example of one of the healthcare providers in Ontario who ran into this just recently. So in some cases, again, these are perpetrated by people gaining access to someone’s work email account, and sometimes it’s about just slightly altering it, right?
So it would be Susan.Welstead from C1BC.com instead of CIBC, but maybe you didn’t see that it was a one and not an I, taking advantage of some of the differences in font. As I mentioned before, in terms of how prolific this is and how profitable it is, $12 billion between October 2013 and 2018 in wire fraud, and we’re still trying to get the numbers now, because that $12 billion between those dates I don’t even think scratches the surface of what’s happened since May 2018 to date. So let’s take a bit of a deeper look at what I mentioned earlier, business email compromise or BEC. These are coming up in the news a lot more frequently as well, and we’re seeing how groups can be victimised by this. So, as for how this really works, there are actually three types. One is CEO fraud, which we’ll walk through an example of, one is vendor fraud, and then one is basically an impersonation of an employee, so an impersonation fraud. The healthcare facility that I was mentioning ran into a situation where an employee’s email account had been hacked, and the cybercriminal was intervening in the middle of conversations about where a paycheck should be routed or if an account should be changed, and there was a request that came from the cybercriminal sitting in the middle of the communication. So if you think of the employee on one end and payroll on the other end, this particular threat actor sat in the middle of that, and it’s kind of like a man-in-the-middle attack, which is actually a turn of phrase that we use. They were actually rerouting emails that were coming back from payroll trying to clarify, are you sure? Is that the transit? Is that the right place to go? So the employee was never actually seeing that side of the communication, and payroll was never seeing the side of the communication that actually came from the employee, and it happened repeatedly, and money was moved to an account that wasn’t the employee’s account.
So they basically ended up paying out for a period of time to a couple of accounts that weren’t actually owned by the employees, and the part that’s the hardest to get your head around is how many checks and balances you can put in place, but when the email looks like it’s coming from the employee, it’s the right email that you can check in their directory and that’s the right person, the person on the other end on the payroll side feels like this is valid. We’ll talk through a couple of tips on how to make sure that doesn’t happen, but know that the cybercriminals, when we’re talking in the billions of dollars of profit, they definitely (Susan chuckles) try to stay one step ahead. So, business email compromise. The first step really is just identifying the target. As I mentioned before, this can be done in a number of different ways, but one of the easiest things to do is look online. We tend to post information on different platforms, and different amounts of information, and it doesn’t take a lot to start aggregating that information: your LinkedIn profile and your Facebook and Instagram and whatever other chatbot-type things that you use, and build a profile of who you are. It’s very easy to go on LinkedIn and see, “Oh, Susan Welstead works for enterprise security, and well, what might I have access to?” I’d feel bad if they hacked my account; they’d just get a bunch of PDFs trying to educate people, but maybe that would make them learn something. But someone like a CEO might have access to major client lists, or someone in a healthcare facility who has access to those healthcare records that are super valuable online, or maybe it’s about account numbers where a particular municipality is sending large dollar transactions to. So the second step is that grooming.
So using that spear phishing, also some phone calls, to try to target someone in a company. Payroll is often hit up, finance is definitely hit up, anybody who has the ability to enact transactions. And then of course in step three, exchanging the information. “Here’s the new transit. Here’s the account I need you to send that to,” and kind of creating a bit of a story behind it, and then the wire transfer occurs. The trouble with wire transfers, as much as they are super convenient, is that they’re very hard to roll back. When you complete a wire transfer, it’s a very complete, very closed-loop kind of transaction. We would say that if you run into that and you feel like you’ve been a victim of something like that, the sooner you can notify your financial institution and the proper policing bodies, do it. The faster you react and respond, even if maybe you’re only suspicious and you’re not really sure, the faster a bank or a financial institution can respond, or a vendor can respond. So, an example of this CEO fraud, which is a very common one, and it can be any high-ranking official. We’ve seen this with a number of clients as well, where someone at the high end of the organisation is basically impersonated. So in this example, accounts payable receives an email from a fraudster pretending to be the CEO, requesting an urgent wire transfer. There’s this sense of urgency, and as I mentioned, we all want to do good. We all want to do well, and so often these emails don’t come at 10 o’clock on a Tuesday when you have time to validate something; they almost always come with a sense of urgency. So there should be an example of it that’ll come up on your screen, and this is actually a real example, and we have a number of them.
We did change the names of the companies that were listed just to make it a little bit less pointed, but you’ll see that they’re asking for an immediate wire, and that the person that you would normally validate with is on vacation and not reachable, and sometimes it’ll be that they don’t have a phone or their phone was stolen or something like that. The red flags are really about the urgency, and the fact that it’s creating an emotional type response or an urgency type response that you normally wouldn’t have for a transaction that was transferring money, and that it’s just not normal; it’s not something that an executive would necessarily do, to reach out for a wire transfer like that to another employee. We did have that occur with some clients as well, where there was a VP who had sent an email to payroll saying, “Look, I just got off the phone with HR and they told me to contact you specifically. I’m travelling, I can’t get to a computer again today. I found out my account’s been hacked, my bank account’s been hacked, I need you to send my paycheck, payroll cutoff is in like three hours, I need you to send my paycheck to this new account.” And the payroll associate felt uncomfortable with it, and the transit number seemed strange, it seemed to be missing a digit, so they did what we want you to do, which is they picked up the phone and tried to call that particular VP, and the VP’s response was very much in line with, “What are you talking about? I’m away, but there’s no problem with my account as far as I know.” Had that associate not made that phone call, the money could have been rerouted, similar to what happened in that other healthcare facility. So they’re intentionally tricky, very intentionally tricky, and picture this the same with something like a supplier scam, right? So a vendor scam. And there’s, what was her name?
Barbara Corcoran from “Shark Tank”, who does the investor type stuff. She came out a little while ago too, where they admitted that her accounts payable group was hit up by what appeared to be a phishing attempt, and they were asked to pay a particular vendor a particular amount of money in an account. “Here’s the account, and Jeff is off work now but I’m taking over this council. Please send this money to this account.” It was $400,000, and to accounts payable it seemed valid. It was the right company name. They knew who the previous person they were supposed to be dealing with was, and they completed the transaction. There is nobody this targets in particular; this targets everyone, and the idea of validating the transaction through a trusted alternative method is really key for us here. So never accept those kinds of instructions, and Jack will go through some of this as well, but never accept those kinds of instructions on an email alone. Even with what happened with my parents, had they made one phone call to the relative who was supposedly incarcerated, they would’ve known that, well, yes, he was in Montreal at the time and that’s where the call came from. He was fine and he was out with coworkers having a grand old time. But just making that one phone call to validate, and maybe it’s more than one phone call. Maybe it’s also a matter of going to Google and checking out, does this person even work for that company? And just knowing to trust your gut a little bit when you feel like something might be suspicious. And with that I’ll hand it over to Jack Nunno, who will take you through what to do if you happen to suspect something has gone sideways on you, and also some preventative and protective actions.

– [Jack] Thanks very much Susan. I’m assuming, Susan, can you hear me okay?

– [Susan] I can.

– [Jack] Okay, perfect, and I believe I have taken over the presentation too.
So once again, my name is Jack Nunno, and I’m in CIBC’s cash management sales group. Thanks again to Susan, and there really is so much to talk about here that, as everyone I think knows, we could spend hours on these topics, but I will take a few minutes now to touch on some preventative measures and best practices that almost all organisations can implement. Susan did touch on a couple of things already, but I will start with, first and foremost, let’s get right to what to do if unfortunately you do in fact become a victim. That is, as Susan mentioned, the first thing to do if you do become a victim of a wire fraud or electronic funds transfer fraud is, as soon as possible, to contact your financial institution, and when I say that I mean your relationship manager, your cash management representative, the fraud department. The sooner that you’re able to contact us, the better. Now, although wires, for example, as Susan had mentioned, are considered final and irrevocable once the receiving financial institution has received them, our fraud department, in conjunction with fraud departments at other banks worldwide, will together, on a best-effort basis, do everything possible to retrieve the funds before the fraudsters are able to get away with your money. Time is of the essence obviously in these situations, so that needs to happen quickly, and this will touch into some of the best practices that we talk about too. So depending on several factors, there is a chance that we may be able to get back your money, and again I put lots of “may” and “chance” around that, but the sooner you let us or your financial institution know, the better. Okay. I’ll get right into some preventative measures. I always start this discussion regarding preventative measures by stating a phrase that people around me are surely tired of hearing, and that is: old world solutions to new world problems.
It is a very high-tech world that we live in today, as we all know and we’ve just been talking about, and although there are definitely a lot of very sophisticated hackers out there who, like in the movies, plant themselves at a computer with multiple screens, there’s data flying around like in the “Matrix” movies, and they punch away at their keyboards for a few minutes and figure out how to break through some major firewall and breach cyber security systems, the reality is that the majority of breaches in fact occur from fraudsters taking advantage of the weakest link in our workplace and at home, and that is us, human beings. We are the weakest link, and that is the easiest way for these fraudsters to get in and then wreak havoc. So many of the preventative measures that we discuss with our clients, and that experts in cybersecurity preach, are ultimately common sense, low cost and simple. I’m not saying that the high-tech firewall solutions and everything that the experts talk about aren’t real and valid and don’t need to be in place if possible, but there’s a lot we can all do to protect ourselves. They don’t require huge investments, but they do require attention and focus from senior levels of your organisation. So looking at some of the measures, I’m going to go right to what I consider, in my opinion, to be the top three non-high-tech measures, as I call them, and Susan alluded to this already. I would say first and foremost, verbally confirm any financial transactions, including changes to payment structures, et cetera, et cetera. It’s so simple, and I can’t over-emphasise how important that is.
The various types of business email compromise that Susan touched upon, I don’t want to say without question or without exception can be prevented by a simple phone call, but I’ll say it’s pretty darn close. That phone call to a person that you know, that you recognise, at a phone number that you have on record, not a phone number that someone else has given you, a phone number to get through to the CEO who told you via email to complete a fraud, a wire transaction, whatever it might be. I know it sounds so, so simple, but a phone call, a live phone call and a conversation, can resolve so many of the problems that we are running into. Secondly, have a dual approval process for financial transactions, and again, very, very important. I hate to make a statement, but I’ll say that I would say that the majority of internal and external frauds could be avoided, or at least significantly mitigated, by having strong dual approval processes in place. When I say dual approval processes in this regard, I’m speaking of electronic dual approver processes. Not only is that the situation, let’s say the more common situation, where a person who creates a wire payment on an online banking system or an electronic funds transfer is not the person who is allowed to approve it. It must be a second, different person who approves that payment. But it could also, and should also, be that the person who, for example, creates a wire template that is used to pay a vendor, if a person changes a wire template or creates a new wire template, then that very transaction, although in itself not a transaction where funds are leaving the organisation, at least on CIBC’s cash management online can and should be set up to have a creator and an approver.
(Jack clears throat) We recently, in the last two weeks, had yet another client who was a victim of a business email compromise fraud. The very common one that Susan mentioned, or one of the very common ones, where they received an email with a very difficult to discover email address that was very, very slightly different than the real one, (Jack clears throat) and preying on the COVID situation, used some excuses around COVID to tell the accounts payable person that they had changed their banking information and that, please forward payments for the upcoming shipments of medical devices and such to this new email address, oh sorry, to this new bank and bank account. Unfortunately, the accounts payable person did not verify by live phone call that this was the proper and real supplier, and as Susan mentioned, (mumbles) everything looked fantastic and correct, but she did not verify via phone call. So the person went ahead and made, over a period of two weeks, not only one but four separate wire payments, and in the end the organisation lost over $360,000 out of that, and a simple phone call could have avoided that. Furthermore, and I’m not saying they were or not, but in the case of something that sometimes we don’t think about, had that company had a dual approver process in place for changing of the wire template, then when the accounts payable person changed the wire template, someone else would’ve had to approve that. So let’s say it was a manager, and at least that would give the manager an opportunity to consult with the accounts payable person to ensure the proper double-check had taken place. So dual approver processes are extremely important, and at CIBC we are, I’ll say, very insistent on this and require our clients, except in very exceptional circumstances, to have dual approval processes in place on their online platform. The third one, I’ll say, is to implement an employee cybersecurity and fraud training and testing programme.
That is again very, very low cost and very important and it touches into something on the best practices also but if employees are trained properly then it helps avoid and mitigate the top two items on this list, which are, you know, think before you click and be suspicious of unfamiliar screens or requests. The training is very, very important because the other part it does is that and I’ll touch on this on the next screen is that it demonstrates to the employees of an organisation that cybersecurity and fraud awareness is top of mind and is part of the culture and there have been many studies that show that the more prevalent and this applies for general security and theft measures too, that the more prevalent there is a culture of controlled processes, of awareness of cybersecurity of regular fraud, of everything, the studies show that those organisations correlate very strongly to having overall fewer incidences of fraud. So it’s very important and the testing programme part is also something that can be implemented at I’ll say relatively low cost, where the organisation itself whether or not you have an IT department but let’s say you do have an IT department or an IT person, that person is responsible for occasionally sending test fraudulent emails within the organisation to see what people will in fact click on things that they’re not supposed to click on and it’s a very, very effective tool. We do that at CIBC all the time for our employees and again, studies show that organisations that have training and also implement testing programmes show great improvements in the, well improvements or the other way around as far as people not clicking and acting smartly and intelligently when it comes to phishing exercises and business email compromise situations. So the other items on here again are, I won’t get into detail on them but they’re all strong and I say, common sense preventative measures. The next slide I’ll look at is best practices.
I already touched on it and so I won’t go into it but in detail again but it’s very important to have a culture of strict controls and cybersecurity practices and that starts with senior management and people inside the organisation knowing that this is important to senior management. It does result in a, shown lower rate of both internal and external fraud. I would say also to be diligent, to take advantage of many available and often free of charge resources to help mitigate your risk of fraud. Similar to the preventative measures on the previous slide, I’m sure you already know about many of these best practices that are listed here. Antivirus and anti-malware software up-to-date. It’s amazing how many organisations are breached by viruses and malware that have already been identified by the various protection softwares but the organisation has failed to update their protection software on a timely basis and then become victim to that fraud. Reconciling bank accounts daily. Again, I know that in certain organisations and staffing issues and such that you may say, “Oh, you know what we just do not have the resources to be reconciling accounts on a daily basis.” But I want to say again that it is so, so important. Often an organisation and a person who takes a look at the accounts doesn’t in fact need to do a very detailed cross track strike and match on the account reconciliation. I think many of us, like when we look at our visa statement, you know may not to oversimplify this but a glance down on a daily basis at transactions that went through your account, someone who knows the accounts can often very quickly identify something that doesn’t look like it should be there.
So daily reconciliation is very important and again it ties into that ability to let us or your financial institution know of issues. I think the last thing I just want to point out on this slide and what we’re going to be leaving you with all this information or you’re able to get it through your relationship management team but let’s not forget as Susan mentioned, let’s not overlook that cheque fraud is still extremely popular amongst fraudsters and remains a leading fraud mechanism. Like it’s right up there. It doesn’t make the newspapers and the headlines but it is still something that is very, very important and you cannot ignore. Okay. Just start to the next slide here. I guess the next few slides I’m not going to go into detail. I’m going to leave it with you and I will at the end also point you to a link that is on the cibc.com that has some very, very good information for you but what I will reiterate that Susan already mentioned is to be aware of and train your employees to be aware of any emotional reaction to an email or a phone call and I mean any emotional reaction. A reaction to fear, of excitement, of happiness or sadness should be an immediate warning signal to take a step back because the fraudsters want you to get into that other part of your brain where you’re not thinking logically and rationally and you’re thinking on emotion and doing things that you would never do. So that is again another very simple one but it is so, so true. The only thing I would point out here is that again make sure to regularly back up your data. Again another very, very simple one but secure backups, as it says here, are insurance against ransomware. Again I will leave you with the other couple of slides here, how to stay safe online and also how to stay safe on the go with mobile. Again, all of this information in more detail can be found via the link that is shown on slide 19 that I have right up, I have up now.
So I encourage you to please go to that website and there’s a lot of excellent information on there, of tips and guidelines and preventative measures and so on and so forth. So with that, Steve, I’m done. I will open it up now to folks. If you have any questions, please, please go ahead. Actually Steve, I don’t recall now. I know you can do the questions online. Are people also able to ask questions via audio?
– [Steve] No Jack. I think the best way to ask a question, there’s a little icon with a person with their hand up in the top right corner of people’s screens. If you click on that, you’ll be able to type in a question.
– [Jack] Thanks Steve.
– [Steve] Maybe while we’re waiting for people to ask questions, I have one for Susan and Susan you were mentioning that CIBC collaborates with the other banks, like are there any major trends in terms of how corporate Canada is responding to the increase in cyber fraud?
– [Susan] Yeah that’s a great question. We’ve seen quite a few sort of new organisations and government organisations trying to step in here as well and creating these cyber safe sort of education tools for corporate Canada. In terms of actual organisations collaborating, I haven’t heard as much of that but again as we see these, like for example there’s the Canadian Bankers Association, I’m a member of cyber citizens awareness group there and we have a number of organisations across, you know banking as well as insurance and things who all actively collaborate.
So I think there’s probably some starting to crop up as well as these government sites get up and running and the cyber safe programme is actually pretty phenomenal and that’s trying to pull some of the groups together and then with the, some of the other team members in our enterprise security and risk services work alongside some of the universities as well as RCMP to try to pull some of that material and try to have a uniform message and again that usually comes from intelligence that’s fed in through whether it’s the Canadian fraud group or these different sort of cyber platforms.
– [Steve] Okay. Well it doesn’t look like we have any questions registered at this time so maybe you’ve covered everything. So maybe-
– [Susan] Either that or we’ve scared everyone. (all laugh)
– [Steve] Well, yeah, that’s true. Oh actually we have one.
– [Jack] Oh we do have a…
– [Susan] Great.
– [Jack] So we do have a, let’s see a question and I guess it’s more of a comment too. The comment coming in says, “In case of…” (Jack exclaims) and now it just disappeared on me. “In case of a phone call, I usually ask the person for their phone number to call back so it gives me time to check or sometimes they hang up the call.” So there’s another little tip too and you know, again, you know Susan mentioned, something too that I forgot to mention is that if you’re, if you have any whiff of something doesn’t smell right, Google it.
– [Susan] Yeah.
– [Jack] Because by the time it hits you and I don’t want to say in all likelihood, there’s a good likelihood that it’s already made it onto the web
– [Susan] Yeah.
– [Jack] and this has happened to me several times where something didn’t sound right or whatever, I Google it and (exclaims) it pops up all over the place as being a scam.
– [Susan] Yeah and the government actually has a it’s called the Little Black Book of Scams and it’s on the Canadian government of Canada website but if you just Googled Little Black Book of Scams and open those up you’ll see the ones I mentioned about the romance scam and the grandparents scam and the business email compromise. Those are all in there and detailed in there as well. So you’re right. Most of the time you’re not the first victim.
– [Jack] Steve I see we’ve had a couple of questions about the copy of the presentation. Do you want to just address that again?
– [Steve] For sure and I guess (mumbles) looking at the time it’s 11:53. There are a couple of questions about the availability of the presentation which I’ll address in a minute. Here’s an interesting question, Susan you might be able to answer this one, “Is your organisation”, so I assume CIBC, “taking any special precautions with so much of our workforce working remotely.”
– [Susan] Oh goodness yes. We’ve actually internally launched a special site for all of CIBC. It’s our COVID-19 support site and we’ve been, you know, looking at our policies and procedures, the good thing is that a lot of our policies in terms of working securely and a lot of our kind of cyber hygiene elements that were in place before carry over very easily into kind of a remote workplace. There are because we’ve also had a lot of people, I don’t know if people realise that over the years CIBC did get into a more flexible working style which was to do like hoteling, so you didn’t have a desk and people working remote. So we’d had some experience with this but yeah, there are some extra documents and sort of extra reviews on things like which collaboration tools we use for example and Microsoft Teams is our number one collaboration tool.
I’m sure a lot of people heard about Zoom and in the early days of this crisis there were some pretty scathing articles online about Zoom and their privacy policies and I believe they’ve made significant changes now but we have been assessing at a very rapid though still thorough pace to make sure we have the right tools in place, the right data loss prevention setups in place and there’s no silver bullet, right? So our security has always been about multiple layers, right? Like layers of an onion and those layers are still intact and now we’re just reaching out to the actual CIBC base to make sure they, you know, they understand and continue to behave in secure ways but also we provide the tech in the background to make sure that all of that remains stringent and in place. So there are some definite new considerations when it’s such a much, many more people working remote but we had the benefit as did many of the FIs that we had some of those setups in place already.
– [Steve] Right.
– [Jack] Thanks Susan.
– [Steve] Okay. We’ve had a few more questions come in and again whether this is for Susan or Jack not sure but, “Are there any end user training resources that you recommend to help educate employees on the signs of a fraudulent communication?”
– [Susan] So within the bank we have a lot of policy and procedures as well as courses that we have for all of the employees and they have mandatory courses they have to take every year that really do go in depth on that and we have a number of communications about that and we run different kinds of simulations as well. For external folks, I definitely suggest, you know, going to the anti-fraud sites, the Canadian anti-fraud site, as well as the, as well as that cyber safe programme with the government because there’s a number of free resources that anyone can leverage from there as well as stuff that you can get into if you want to get into the programme.
So we try to do this and as well as that, the link that’s actually on the screen now that Jack mentioned, there are a number of tips and articles you can pull from that. If you navigate around a little there are how to identify phishing, how to, well, try to identify phishing, how to prevent against fraud, COVID scams and things like that. It’s actually a pretty, I think, pretty elaborate site that has quite a few things and there’s even some videos as you navigate around as well. So I definitely encourage people and also you don’t have to log in to cibc.com to get access to them. That’s just from the outside. You don’t put in any credentials or anything. That’ll take you, the link will take you right there but even if you went to cibc.com just underneath the panel where you would normally enter your credentials, there’s actually a couple of links there. One is about our digital client guarantee as well as security, privacy and security information and if you click there it’ll take you right into all of this as well.
– [Jack] And just one comment, I’ll say not directly related to the question perhaps but if anyone on the line, we, if you’re interested, if you have an organisation where you’d like, I’d like to say something in person but with Susan’s group and in my group in cash management and Steve’s group in commercial banking, if you reach out to us, we can make arrangements to try to do something at your site when things get back to normal to, whether it’s a lunch and learn, a one hour meeting where you gather your people and we can do something similar to what we just did today or a little bit more tailored to your specific questions.
– [Steve] Yeah I think that’s a great suggestion Jack and I don’t think we have to wait till we get back to in-office arrangements. I think we could probably use Microsoft Teams or other virtual sessions.
– [Jack] Yeah.
– [Steve] So yeah.
– [Jack] Yeah.
– [Steve] It’s a priority. It’s a, it is a priority and we do want to help our clients.
– [Susan] We (mumbles)
– [Steve] I think we’ve got maybe a couple of minutes. So maybe one more question Susan and somebody asked a question about the topic of passwords. So, you know, could you maybe talk about strong passwords, password change rules, not reusing passwords and perhaps using third-party password storage facilities.
– [Susan] Definitely. Yeah passwords are one of my definitely most sensitive topics. First and foremost is please don’t write them down. We, we’re kind of moving, we follow the NIST framework. So it’s the National Institute of Standards and Technology and they used to be big proponents of highly complex passwords which everybody will recognise where you, you know, you log into a site and you know all you’re trying to do is fill a grocery basket and it’s asking you for a password that’s 16 characters with three special characters, capitals, little ones, just kind of gone a little bit bananas and now NIST is moving more towards something that we’re trying to look at as well which is both having long passwords that don’t necessarily have to go crazy on complexity that it takes them a (mumbles) of time to migrate to that but long passphrases. So for example, had a peer in a previous job who wanted a new car so their password was new Honda for me but then a couple of the letters in there were swapped out with characters or numbers in order to make it a little bit more complex and adding to that as the multi-factor authentication which you’re going to start seeing a lot more of. Which is the adding of, so not just having a password which is something you know but also maybe a biometric like a fingerprint scan or something like that or a voice authentication in order to also doubly authenticate into your accounts. You’ll see something like that. It’s kind of like a step-up authentication on like cibc.com.
If you log into your account and you want to add a new payee that you’re going to send an email transfer to you have to do a one-time verification code on your cell phone or in your email you’ll get a text with a code. So those kinds of multifactor authentication. Long strong passwords that are easy to remember. In terms of frequency of changing them, it’s, that one is always a tricky one. On most systems they’re going to drive you to change in a particular timeframe but also realising how many passwords we all have to remember these days. Some of those third party password managers are pretty darn good and we don’t particularly support one or the other because it’s, you never know how those, you know, what could happen with those companies and we tend to try to evaluate those offerings and see if we can bring that in house as well. We haven’t settled on one as an organisation but they are quite common and people who use them are very pleased with them. I use them for, I have a password vault for some of my what I would consider really inconsequential passwords to, you know, various periodicals or silly things that wouldn’t ever have access to my bank accounts or anything and that’s just a personal preference. Everyone has to kind of evaluate their own risk and decide sort of where they feel most comfortable but yeah they are definitely growing in popularity and, you know, you just have to make sure you don’t forget the password to the password manager. That’s, hopefully goes without saying ’cause that becomes a problem but yeah it’s definitely, you know, don’t write them down, don’t put them on post-it notes and do not save them on your computer in a text file. It is the number one in terms of a hack that happens more frequently than anyone cares to admit.
If a criminal or cybercriminal threat actor gets into your network or into any kind of file system the first thing they look for is text files called passwords and it’s unbelievable how many people store them in a text file called passwords on their computers in plain text, which just means it’s just typed out exactly how it would be. So doesn’t mean rename the file to, you know something else like grandma’s bread recipe, it’s literally about don’t keep your passwords written down or typed out in plain text and yeah password managers are definitely an option there as well.
– [Steve] Okay. Well listen Susan and Jack, thank you very much for your presentation and the Q and A. Obviously cyber fraud is an uncomfortable topic but given that it’s a reality public sector and not-for-profit organisations need to deal with we certainly appreciate your thoughts. Previously we will send all of today’s participants a copy of the presentation through your CIBC relationship manager. We’re also recording the webcast and you’ll be able to access the recording for up to 90 days, likely starting by the end of the day today using the same link that we included in the invitation. So if you think any of your colleagues or friends would be interested in watching the webcast please feel free to share the invitation and the link with them. Also our cash management team is in the process of developing a general fraud prevention tip sheet that will also circulate to you within the next few weeks. So in closing, our CIBC team would like to thank you for participating today and we’d also like to extend our appreciation to all of you who are with public sector charitable or not-for-profit organisations for the fantastic work you’re doing to help us get through this pandemic. Although the country and the economy are starting to cautiously open up we recognise that we’re not out of the woods yet and that this continues to be a challenging time for many of you.
So thank you very much for the treasure contributions you’re making to help our communities manage through the COVID-19 crisis. We certainly hope that you’re able to get back to a more normal state of operations and revenues as quickly as possible and if there’s anything that CIBC can do to help your organisation, please contact your commercial banking relationship manager and we’ll do whatever we can to provide assistance and on that note, we’ll conclude this webcast. So thank you very much everyone.