Cyberfraud & Cybercrime
Alexandre Pluvinage – Head of the Cybersecurity Awareness
Understand them and Protect yourself
May 2017
[Figure: Number of Internet users buying online, 2007–2015. Series: Total, 16-24 years, 25-54 years, 55-74 years; share of internet users from 35% to 70%.]
Internet users who bought or ordered goods or services for private use over the internet in the previous 12 months, by age group, EU-28, 2015 (% of internet users)
Source: Eurostat, EU-28 average (10/2015)
French companies facing cybercrime and cyberfraud in 2016
[Chart; the percentages are not preserved in the text. Categories shown:]
• Companies that had (at least) one fraud attempt last year
• Companies that were too late to detect the fraud
• Companies that had more than 10 fraud attempts last year
Source: Euler Hermes – DFCG study, March 2016

Top 4 cyberfraud and cybercrime modus operandi
• CEO fraud
• Cybercrime (hacking IT systems)
• Identity theft (impersonating banks, lawyers, etc.)
• Invoice fraud
Source: Euler Hermes – DFCG study, March 2016

CEO Fraud
Money at risk (29/05/2015)

Region   | Total at risk | Recovered    | Stolen
Brussels | 41,668,967 €  | 26,921,772 € | 14,747,195 €
Wallonia | 28,867,353 €  | 24,411,817 € | 4,455,536 €
Flanders | 5,445,309 €   | 3,526,594 €  | 1,918,715 €

Total at risk in Belgium: 75,981,629 € (of which 54,860,183 € recovered and 21,121,446 € stolen)
Social engineering: psychological manipulation

Audio
• Evidence in a real criminal case (anonymized)
• Recording of a call between a fake CEO (the criminal) and an accountant (the victim)
• The "CEO" is calling from Paris to one of the group's companies in Belgium
C-Level Fraud – Real example (anonymized)

Victim: corporate client. Total debited: 4,500,000; loss to client: 1,540,000; shown under "Via account 1": 2,960,000.

Onward transfers (amount, date, beneficiary, account, country, bank):
• -250,000 | 19-12-2013 | Beneficiary 1: NIKM LTD | BG00BUIB98881402900 | Bulgaria | Bank 1
• -250,000 | 19-12-2013 | Beneficiary 1: NIKM LTD | BG00BUIB98881402900 | Bulgaria | Bank 1
• -250,000 | 23-12-2013 | Beneficiary 1: NIKM LTD | BG00BUIB98881402900 | Bulgaria | Bank 1
• -250,000 | 2-1-2014 | Beneficiary 2: LINK LTD | CY22 0050 0140 0001 65 5301 | Cyprus | Bank 2
• -250,000 | 7-1-2014 | Beneficiary 3: ASIA LTD | AB12 1923123040003 | China | Bank 3 / account number 1
• -145,000 | 13-1-2014 | Beneficiary 4: ULTRA LTD | AB12 1923113800237 | China | Bank 3 / account number 2
• -145,000 | 13-1-2014 | Beneficiary 4: ULTRA LTD | AB12 1923113800237 | China | Bank 3 / account number 2

The seven onward transfers add up to 1,540,000, the figure in the "loss to client" column: within four weeks the money was split into round amounts and moved through accounts in three countries, which is why the slide that follows insists on contacting the bank immediately.
Invoice fraud
An invoice is intercepted and modified:
• the account number is changed
• a new invoice is produced and sent

Variance 02
The company receives a message, a faked email or letter from a legitimate supplier, saying that the supplier has changed bank and that all new invoices should be paid into the new account.

Variance 03
Same as variance 02, but using a fake factoring company.

Invoice fraud and sticker fraud

Variance 01
An invoice is intercepted during the mailing process and a sticker with a new account number is added.
Invoice Fraud – Real example (anonymized)
[Figure: the original invoice next to the fake.]
Phishing

Examples of lures:
• "Security tests"
• "SEPA – new bank interface"
• "Click here to read the Google document"
• Fake new bank card
How to protect myself?
Protect your organization
• GET them INVOLVED: management, and every person with access to the company accounts
• EDUCATE them: "secret" and "urgent" are suspicious when they concern a payment to an unusual account; "Don't believe your CEO!!!"
• Create SECRET procedures: set up internal double-check procedures, known only inside the company, for secret or urgent matters
• PROTECT your own and your customers' data: do not make all information available online; destroy sensitive and financial information
• PROTECT your payments: every change in a supplier's static data (account number, email, telephone, etc.) must be double-checked by phone, on a number already on file and not one given in the change request (call-back procedure)
• PROTECT your invoices: anonymous envelopes; double sending (e.g. email + mail)
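The two payment controls above (hold every change to a supplier's static data until a call-back on a number already on file confirms it, and treat "urgent" requests to an unusual account as suspicious) can be enforced mechanically before a payment run. The Python script below is an added example, not code from this presentation or from any bank. The supplier master record, the three invoices, the amounts and the phone numbers are constructed for illustration; the IBANs are the publicly documented sample IBANs for Belgium, the United Kingdom and Bulgaria, the Bulgarian one standing in for the "new bank in another country" pattern of the anonymized case above. The check-digit test is the ISO 13616 / ISO 7064 mod 97-10 algorithm that any IBAN must pass.

```python
"""Supplier bank-detail change control: hold-and-call-back before paying.

Added example (not from the slides). Master data, invoices and phone
numbers are constructed; the IBANs are published sample IBANs.
"""
import re
from dataclasses import dataclass

# ISO 13616 shape: 2-letter country, 2 check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def normalize_iban(iban: str) -> str:
    """Strip spaces and upper-case, so 'be68 5390 ...' and 'BE685390...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 7064 mod 97-10: move the first four characters to the end, replace
    each letter by its value (A=10 ... Z=35); the resulting integer must leave
    remainder 1 when divided by 97."""
    s = normalize_iban(iban)
    if not IBAN_RE.match(s):
        return False
    rearranged = s[4:] + s[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


@dataclass(frozen=True)
class Supplier:
    """Vetted master record. Its phone number is the one to call back on."""
    name: str
    iban: str
    phone: str


@dataclass(frozen=True)
class Invoice:
    """What arrives by mail or e-mail. Everything in it may be attacker-controlled."""
    supplier: str
    iban: str
    amount: float
    contact_phone: str
    marked_urgent: bool = False


def assess_invoice(inv: Invoice, master: dict) -> dict:
    """Decide PAY / HOLD / REJECT and list the reasons. HOLD and REJECT always
    name the master-record phone number to call back on, never the invoice's."""
    sup = master.get(inv.supplier)
    if sup is None:
        return {"action": "HOLD", "reasons": ["supplier not in master data"],
                "callback_to": None}
    new, old = normalize_iban(inv.iban), normalize_iban(sup.iban)
    reasons = []
    if inv.marked_urgent:
        reasons.append("request marked urgent/confidential")
    if new == old:
        # Known account: pay, unless the 'urgent' flag alone warrants a look.
        return {"action": "HOLD" if reasons else "PAY", "reasons": reasons,
                "callback_to": sup.phone if reasons else None}
    reasons.append("IBAN differs from master record")
    if not iban_is_valid(new):
        # A failed check digit cannot be paid at all; return the invoice via
        # the vetted contact, not the one printed on it.
        reasons.append("new IBAN fails the mod-97 check")
        return {"action": "REJECT", "reasons": reasons, "callback_to": sup.phone}
    if new[:2] != old[:2]:
        reasons.append(f"bank country changed {old[:2]} -> {new[:2]}")
    if inv.contact_phone != sup.phone:
        reasons.append("phone on invoice differs from master record; do not use it")
    return {"action": "HOLD", "reasons": reasons, "callback_to": sup.phone}


# --- constructed sample data ------------------------------------------------
MASTER = {
    "ACME Parts": Supplier("ACME Parts", "BE68 5390 0754 7034", "+32 2 000 00 01"),
}

INVOICES = [
    # 1. usual account, nothing unusual
    Invoice("ACME Parts", "BE68 5390 0754 7034", 12_400.00, "+32 2 000 00 01"),
    # 2. "we changed bank": valid IBAN, but now in Bulgaria, new phone, urgent
    Invoice("ACME Parts", "BG80 BNBG 9661 1020 3456 78", 250_000.00,
            "+359 2 000 00 02", marked_urgent=True),
    # 3. doctored invoice: check digits no longer match the account
    Invoice("ACME Parts", "BE00 5390 0754 7034", 9_900.00, "+32 2 000 00 01"),
]


def run_example() -> list:
    """Assess every constructed invoice against the master data."""
    return [assess_invoice(inv, MASTER) for inv in INVOICES]


if __name__ == "__main__":
    for inv, decision in zip(INVOICES, run_example()):
        print(f"{decision['action']:6} {inv.iban:32} {'; '.join(decision['reasons'])}")
```

Running the script prints one line per invoice: the first is paid, the second is held with four independent signals (urgent, changed IBAN, country BE to BG, unknown phone), each of which on its own should already trigger the call-back, and the third is rejected because a check-digit failure means the account cannot exist. The decision record deliberately carries only the master-record phone number, so whoever performs the call-back cannot accidentally dial the number the attacker put on the invoice.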
It has just happened…
• Contact your bank immediately: in some cases the bank can still get the money back
• Contact the police to file a complaint (yourself or through a lawyer)
• Preserve the evidence (emails, telephone logs, conversations)
• Prefer a no-blame culture: targets of social engineering are also victims
Phishing
▪ Never share your codes
▪ Never go to a site from a link in an email when you then have to log in to access the information
▪ Always cut through the chip of a card you no longer use
Cybersecurity Kit (free awareness kit for companies): social engineering, e-mails (phishing), passwords
http://www.cybersecuritycoalition.be
Train your employees