What is cyber fraud Current types of attacks
• What is cyber fraud?
• Current types of attacks on the world and our industry
• Building a defense against those attacks
Cyber fraud refers to any type of deliberate deception for unlawful gain that occurs online or through electronic means.
Old Scam
• Bad grammar and spelling
• Weird syntax
• Outrageous claims
• Quick money
• In your spam folder
Old Scam
GOV GODWIN EMEFELE <postmaster@cooky112.de>
!!!***+++ URGENT NOTICE +++***!!!
inform You Is my pleasure that your deliveryman has arrived at the airport with your cash trunk boxes value $8.3 million dollars US currency being your inheritance /compensation payment? Most importantly you are advised to send your full data to him on this email Full Name, Current Residential Address, Direct Cell Number, and A copy of any identity card with social security Numbericals to verify address reply, which include your that you are the right receiver to avoid mistake and enable him deliver your cash consignment boxes to your house without any further delay.
CONGRATULATION!
MR. GODWIN EMEFELE, EXECUTIVE GOVERNOR,
New Scam
• Highly sophisticated
• Virtually indistinguishable from legitimate email
• Looks to be from trusted source
• Right timing, right tone
• Deadly
New Scam
From: Jack Lawyern <jack@lawyem.com>
To: Brenda Buyer <Brenda@buyer.net>
Cc: Eddie Escrow; Rinda Real Estate
Subject: New Wiring Instructions

Hi folks,
We’re almost to the finish line! Just got the heads up that there’s been a tweak to the wiring instructions – see attached for new info. Let’s get this baby wrapped up today. Congrats again to all. Brenda, you and Roger and little Bobby Sue are going to love your new place on Franklin Road.
Cheers,
Jack-O
Jack Lawyern & Lawyern
Hand in Hand with Georgia Homebuyers for Three Generations
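The sample message above carries the display name Jack Lawyern on an address at lawyem.com, an "rn"/"m" swap that is easy to miss on screen. As an added example (not part of the original slides), this Python sketch flags mail whose sender domain imitates a known party's domain and which mentions a wiring change; KNOWN_DOMAINS, the confusable pairs and the keyword list are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains already verified for this closing. "lawyern.com" is
# inferred from the sender's display name; it is not stated on the slide.
KNOWN_DOMAINS = {"lawyern.com", "buyer.net"}
# Letter sequences that read alike at a glance, folded to a single form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
WIRE_TERMS = ("wiring instructions", "wire instructions", "routing number", "account number")

def skeleton(domain):
    """Fold look-alike sequences so visually similar domains compare equal."""
    folded = domain.lower()
    for seq, repl in CONFUSABLES:
        folded = folded.replace(seq, repl)
    return folded

def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in known:
        return None
    return next((k for k in sorted(known) if skeleton(k) == skeleton(domain)), None)

def review(raw):
    """Return the reasons a message needs phone verification (empty if none)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    flags = []
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain {domain} imitates {imitated}")
    elif domain not in KNOWN_DOMAINS:
        flags.append(f"sender domain {domain} is not a known party")
    if any(term in text for term in WIRE_TERMS):
        flags.append("wiring change: confirm by phone on a known number")
    return flags

# Constructed from the sample message on the slide (body shortened).
SAMPLE = """From: Jack Lawyern <jack@lawyem.com>
To: Brenda Buyer <Brenda@buyer.net>
Subject: New Wiring Instructions

Just got the heads up that there's been a tweak to the wiring instructions.
"""

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

A flag here is a prompt to call the sender on a known number, not a verdict; a message from a genuinely compromised mailbox at the real domain would only trip the wiring-change check.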
On the Frontline…
• Email Hacking:
  – Russian (?) hacking of Democratic National Committee and HRC Election staff
  – Merger & Acquisition law firm hacks
• Malware
  – 9-1-1 Takeover
• Ransomware
  – Seehotel Jaegerwirt, Hollywood Presbyterian Medical Center
On the Frontline…
• System Hacking
  – Bangladesh Bank
  – Sony Pictures
  – Yahoo
Statistics
• Verizon 2016 Data Breach Investigations Report
  – 100,000+ security incidents
  – 3,141 confirmed data breaches (66,459 used in the data set)
  – 92% committed by outsiders
  – 80% driven by financial motives
  – 91% discovered by external parties
  – 50% took months to discover
  – 55% organized crime
  – 21% state affiliated
On the Frontline…
• System Hacking
• DDoS & Botnets
• ID Theft
  – Phishing
  – Social Engineering
  – Tax return fraud
• MITM attacks
• Dumpster diving
Be on Guard
• Email Hacking
  – Our system
  – Customer’s system
• Scams
  – Earnest Money scams
  – Bleaching the payee
• Ransomware
• Malware
  – Keystroke recorder
Everyone is Fair Game – Statistics
• By 2019, annual global cost of cybercrime = $2.1 Trillion USD
• In 2015, three quarters of small to mid-sized businesses reported a cyber breach or attack
• More than half of business spear phishing is on small businesses
Dangerous misperception: “I’m too small for them to bother with”
Cybercriminals know that the small guys are less protected
How to stay on guard
• ALTA Best Practice Pillar 3
  – Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.
• Layered approach to making it more difficult to surmount the defenses.
• Physical security of computers & information
  – Physical access to work areas
  – Physical access to computers, servers, routers
  – Prohibit use of removable media
How to stay on guard
• Network security
  – Robust malware, ransomware, virus protection
  – IT vendor with appropriate experience, vetting and capabilities
  – Restrict use of company systems to company business
  – Require passwords to be changed frequently
How to stay on guard
• Practical Tips
• Passwords
  – Use Upper, Lower cases, numbers & symbols
  – Meaningless phrase
  – Change letters for symbols
How to stay on guard
• Practical Tips
  – Check theft
    • Lock up the stock
    • Positive Pay & Reverse Positive Pay
  – Phishing
    • Tricking someone into providing login information
  – Fake Web Pages, redirection
    • The hover technique
  – Google Security
  – Social Engineering
How to stay on guard
• Password Best Practices
  – Best practices for strong passwords include the following:
    • Passwords should not contain all or part of your name or ID.
    • Passwords should be at least eight characters long, but the longer the better.
  – Passwords should contain characters from the following four categories: upper case letters, lower case letters, numbers and symbols (e.g., &, %, $, #).
  – Use special symbols
    • Use @ for letter a
    • $ for letter S
    • ! for l or 1
  – Change Passwords Every Three to Six Months, giving potential hackers less time
  – Do not maintain a password database
  – If an admin assigns a password, the user should be forced to change it on first login
  – Password protect phones and tablets with Locator Service
How to stay on guard
• Wires
  – Engagement letter
  – Talk to the parties
  – Email signature footer
  – Multi-factor authentication
  – No ACHs
How to stay on guard
• Google Security
  – Add your phone number under Security Checkup
  – Signing into Google, 2 step verification
    • Add Text Message or Phone Call. Yahoo and Facebook have this as well
  – Account/Password recovery completion
    • Use Phone and Non-Google Email
Recommendations
  – Email Protection
    • Use non-public domains
    • Use Complex Passwords
    • Set up secondary authentication
    • Do not click on links or email the person and make sure it's legit
    • Use a paid antivirus program that includes internet security
  – Advise Cash Buyers and all customers you will not provide wiring instructions
    • Email Signature
    • Verbal Warning
  – Consider Insurance Protection
    • Financial Loss
    • Notification Expense
    • Continued Protection
Counterattack
• Contact the police
• FBI Internet Crime Complaint Center (IC3)
  • www.ic3.gov
  • www.complaint.ic3.gov
  – FBI states that even if the FBI doesn’t apprehend the fraudster, the FBI keeps a database on fraud, and if this fraudster/IP Address shows up repeatedly, the FBI knows which fraudsters to focus on.
Stories from the Frontline…
Here are two recent scenarios that we’ve encountered:

Scenario 1 – Cyberfraud attempt unsuccessful…
Title Resources was alerted to the real estate agent commission scheme by a title agent that had a contract pending and had received, by email, a bank routing number and account number to which the real estate commission due at disbursement was to be sent. Shortly before the closing day, the agent received an email directing the title agent to change the bank routing number and account number to a different bank for the commission check to be disbursed. Fortunately, the escrow officer saw the change and recognized the name of the real estate agent as a friend. The escrow officer called the real estate agent to confirm the change of the bank and account number. The agent was told that no change had been made and that the email was an attempt by a criminal hacker to fraudulently divert their funds.
Stories from the Frontline…
Scenario 2 – Cyberfraud attempt successful…
In this instance, a settlement agent received an e-mail requesting a change to the existing wiring instructions. This e-mail was sent by a hacker who gained information about the transaction. The settlement agent relied on the e-mail without independently verifying the change request and a loss was incurred.
Don’t Let it Happen to You!
• Be sure to verify, using known phone numbers and not the ones on the email involved in the change, any change of routing and account numbers for sending any disbursement of proceeds, any real estate commissions, or any other change of wiring done immediately before a closing.
• Review Updated Seller Proceeds Wire Policy – May 2016
Questions?