Transcript Slide 1

Who is Phishing in Your Company Hole?
Michael Loox, CFI
Head of Loss Prevention
The Coffee Bean & Tea Leaf
The Road To The Coffee Bean
The Coffee Bean & Tea Leaf
• 2nd largest US retail specialty coffee & tea brand
• 933 stores in 28 countries, 15 states & Washington D.C. – largest footprint in emerging markets
• $518 M system-wide sales
• Serving over 150 million customers annually
• 12,000+ global team members
• Successful Omni-channel strategy
• 58 franchise relationships
• Regional Offices in Singapore and Malaysia
• 50 Years Old- Born and Brewed in So. Cal since 1963
1. United States
2. Singapore
3. Malaysia
4. Israel
5. Korea
6. Brunei
7. Indonesia
8. UAE
9. China
10. Philippines
11. Kuwait
12. Saudi Arabia
13. Sri Lanka
14. Bahrain
Current United States Markets
• Seattle Tacoma Airport (1 location)
• New Jersey, Garden State Mall (2 locations)
Current Worldwide Markets (Worldwide Store Count: 933; Company Owned, and Company & Franchised)
• United States: 311 locations (Company & Franchised)
• Iraqi Kurdistan: 1 location
• Qatar: 3 locations
• Bahrain: 7 locations
• Mongolia: 1 location
• Germany: 1 location
• South Korea: 221 locations
• Turkey: 1 location
• Shanghai, China: 30 locations
• Lebanon: 3 locations
• Cambodia: 2 locations
• Israel: 2 locations
• Mexico: 8 locations
• Vietnam: 12 locations
• Egypt: 17 locations
• Kuwait: 15 locations
• Jordan: 1 location
• Saudi Arabia: 11 locations
• Oman: 2 locations
• India: 26 locations
• Philippines: 53 locations
• UAE: 0 locations
• Thailand: 10 locations
• Sri Lanka: 3 locations
• Indonesia: 68 locations
• Singapore: 51 locations
• Brunei: 8 locations
• Malaysia: 59 locations
What is Phishing?
“A kind of social engineering attack in which criminals use spoofed emails to trick people into disclosing sensitive information (business or personal) or installing malware on their personal or employer’s computers or servers.”
• Attacks target users, not systems
• Attacks circumvent your organization’s security measures
• It does not matter how many firewalls, encryption products, and two factor authentication mechanisms you have if the person behind the keyboard falls for a phish
In a 2003 IT security survey, 90% of office workers gave researchers their password in answer to a survey question in exchange for a cheap pen. Similar surveys obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.
Spam is unsolicited junk email which may contain a “phish”.
Origins & Evolution of Phishing
• Derivative of “Phreaks”- 1990’s term for Hackers
• First mention -January 2, 1996 in Usenet newsgroup
• Response to AOL preventing use of algorithmically created credit card numbers to open accounts
• Phisher posed as AOL staff member via email or IM
requesting passwords and other personal info
• Hijacked accounts used for spamming and fraud
• Response- “No one working for AOL will ask for your password or billing information”
Types and Variants of The Phish
• Spear Phishing- a targeted communication to employees or members of an organization. Emails are customized for appeal using public information available on web sites and ask the recipient to click on a link or open a zip file
• Whaling- a spear phish used against high level targets such as a CEO, politician, officers in the armed forces or other “Big Phish”
• Vishing- callers claim to be from “tech support” or your bank, or have you call a number, in order to obtain business and credit information
• Smishing- the same scam delivered through text messages and IM
Phishing Season 2012
• Within the last year over 37 million unique users were subjected to phishing attacks – up 87%
• Over 102,100 internet users are attacked each day
• 12% of all phishing attacks were launched via spam mailings; 88% came from links to web pages
• Over 20% of all phishing attacks mimicked a bank or other financial institution
• Phishing losses estimated at $1.5 billion in 2012
• Major cyber-threat to businesses
Anatomy of a Phish
Every phishing email is built on emotional and visual triggers, commonly combined with the following human motivators:
1. Rightful Rewards: tax refunds and prizes
2. Greed: Unwarranted lottery winnings and 419-type scams
3. False Accusations: Tax Fraud, Customer complaint, FCC, etc.
4. Curiosity: “Look who searched for you on Google”
5. Right the Wrong: Fake order confirmation from known online
merchants or shopping sites citing alleged purchases made
6. Trust: Fake emails from banks, service providers, or
business associates/professional networks
Phish Tells
• Spelling and bad grammar- spellcheck????
• Embedded links: https://www.scamuez.exe (.exe files are known to launch malware)
• Threats: “Your account will be closed”
• Spoofing popular websites/companies
• You did not initiate contact
• Any request for confidential or sensitive information, or for names
Identifying the Phish
What might a phishing email look like?
Species of Phish
Memo from: Ms Clare Brady
Ref: WB/MM/UNL.Vol2.8/2013
The World Bank Audit report showed you have an unclaimed fund which the banks have been trading
on, you can verify this on http://www.missingmoney.com/type your name at the search column for
confirmation.(you will see your FUND)
We have directed the I M F to start the release process which further details will be given to when we
have ascertained your identity. Therefore, you are required to forward to us copy of your ID, upon
verification; we will release full information to you.
Regards,
World Bank 1818 H Street, NW
Washington, DC 20433 USA
www.worldbank.org
From: IRS.gov [mailto:[email protected]]
Sent: Monday, July 22, 2013 8:16 AM
To: [email protected]; Melissa Lippert; Michael Loox; [email protected];
[email protected]; [email protected]; [email protected];
[email protected]; Michelle Stene; Mitzi Sutton
Subject: Complaint Case #267732192270
[Slide callouts: appears to be from a Coffee Bean email account; malicious zip file attached to launch malicious software]
You have received a complaint in regards to your business services. The complaint was filled by Mr./Mrs.
Ahmed FRIGOLA on 07/22/2013/ Case Number: 267732192270 Instructions on how to resolve this
complaint as well as a copy of the original complaint are attached to this email. Disputes involving
consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the
basis of this dispute, the following claims will be considered for arbitration only if all parties agree in
writing that the arbitrator may consider them: Claims based on product liability; Claims for personal
injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement
between the parties. The decision as to whether your dispute or any part of it can be arbitrated rests solely
with the IRS. The IRS offers a binding arbitration service for disputes involving marketplace transactions.
Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated
with other legal options. 2013 Council of IRS, Inc. All Rights Reserved.
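The tells listed above can be checked mechanically against a message before anyone clicks. The following is an added example, not part of the presentation: it scores three constructed messages modelled loosely on the two exhibits (sender addresses, domains and bodies are placeholders) against the slide's tells: a display name spoofing a domain, a link or attachment ending in an executable or archive extension, threat language, and a request for confidential information.

```python
import re

# Constructed sample messages modelled on the slide's exhibits (not the
# originals); sender addresses and domains are placeholders.
SAMPLES = {
    "irs_complaint": {
        "from": "IRS.gov <noreply@bulk-mailer.example>",
        "body": "You have received a complaint in regards to your business services. Instructions to resolve it are attached.",
        "attachments": ["Complaint_267732192270.zip"],
    },
    "world_bank": {
        "from": "Ms Clare Brady <audit@worldbank-release.example>",
        "body": "Verify your FUND at https://www.scamuez.exe and forward to us a copy of your ID. Your account will be closed otherwise.",
        "attachments": [],
    },
    "internal_memo": {
        "from": "Michael Loox <mloox@coffeebean.example>",
        "body": "Reminder: loss prevention training is Thursday at 10am in room B.",
        "attachments": ["agenda.pdf"],
    },
}

RISKY_EXT = (".exe", ".zip", ".scr", ".js")
THREAT = re.compile(r"account will be (closed|suspended)|immediately|within the next \d+ days", re.I)
SENSITIVE = re.compile(r"password|copy of your id|credit card|account number|social security", re.I)
BRAND = re.compile(r"[\w-]+\.(?:gov|com|org|net)", re.I)   # a domain written in the display name

def sender_mismatch(from_header):
    """True when the display name carries a domain (e.g. 'IRS.gov') that the real sending address is not under."""
    m = re.match(r'\s*"?(.*?)"?\s*<([^>]+)>', from_header)
    if not m:
        return False
    brand = BRAND.search(m.group(1))
    domain = m.group(2).rsplit("@", 1)[-1].lower()
    return bool(brand) and not domain.endswith(brand.group(0).lower())

def phish_tells(msg):
    """Return the slide's tells that apply to one message (empty list = no tell found)."""
    body, atts = msg["body"], msg["attachments"]
    exe_links = [u for u in re.findall(r"https?://\S+", body)
                 if u.rstrip(".,;)").lower().endswith(RISKY_EXT)]
    checks = [
        (sender_mismatch(msg["from"]), "display name spoofs a domain the sender does not use"),
        (bool(exe_links), "embedded link points at an executable"),
        (any(a.lower().endswith(RISKY_EXT) for a in atts), "executable or archive attachment"),
        (bool(THREAT.search(body)), "threat or urgency language"),
        (bool(SENSITIVE.search(body)), "asks for confidential information"),
    ]
    return [label for hit, label in checks if hit]
```

A message with no tells is not proof of legitimacy; the checks only automate the first look the slide asks every employee to take.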
Put an End to Phishing Season
Phishing may be used as one step in a targeted attack against your company or its employees.
• Corporate Espionage from competitors; foreign
and domestic
• Theft of money from the company accounts
• Theft of money from employee accounts
• Theft of customer information
• Identity theft
• Theft of national security secrets
10 Tips for Phishing Prevention
1. Never give out personal, financial or other sensitive information to anyone who requests it
2. Be suspicious of email requesting sensitive information
3. Don’t click on links embedded in an email
4. Enter a fake password when prompted; a legitimate website will not accept a fake one
5. Don’t fill out forms asking for sensitive information. Use secure websites only.
The other 5……..
6. Keep your browser and operating systems up to
date
7. Regularly verify all charges on credit card and
bank statements
8. Always use updated antivirus and firewall
software
9. When in doubt, check authenticity
10. Notify www.ftc.org and the Internet Crime Complaint Center www.ic3.gov if you think you are the victim of an attack
Phishing Forecast for 2013
• Phishing Via Mobile- directly attacking
smartphone users
• Phishing Via Apps- attacking through
installation of malicious apps
• Phishing Via Social Media- in 2010 social media attacks made up 8.3% of the total; by the end of 2011 it was 84.5%
Have strong IT and Computer Usage Policy!
False Billing & Phone Scams
False Billing- targets businesses by telephone, mail,
email and fax. The scammer will supply you with an
invoice for products or services you have not ordered
or received hoping it will be paid on receipt with no
investigation.
• Mid to large businesses are targeted in the hope that smaller invoices are processed for payment without review
• Many false billing scams begin with a telephone call to obtain key names, contacts and details about the company
• This information helps the scammer create an invoice that includes names and account numbers for services ordinarily used
Variations of Billing & Phone Scams
Advertising & Directory Listing (Yellow Pages renewal)
• Billing for unauthorized listing or ad (print or web)
• Proposal disguised as agreement or invoice
• You think you are responding to a free offer or renewal
• Use of existing company names & logo to look real
Fax Back Scams
• Unsolicited fax offering great deals and discounts
on products, services, trips
• High cost of fax reply buried in print or not listed.
• Premium fax rates can cost up to $10 / minute.
Scams continued……..
Office Supplies or Mystery Supplies Scam
• Invoice for supplies never ordered, never received, or not what you thought they were
• Recent scammer cleared $700K sending invoices to companies for fluorescent light bulbs never received
• Sends unordered supplies at inflated rates, or low quality supplies. This is usually preceded by a fax to confirm the order; an employee signs and sends it back
• The signed fax is then used as proof of order to collect payment
Demand for Payment
• Receive letter demanding payment for products or
services never received or an unverifiable debt
• Official letterhead (agency, attorney, debt collector)
• A case number is assigned to alleged debt
• Written as if it were a court case
• Request comes from a 3rd party who has taken over the debt or claims to be pursuing it on behalf of the creditor
• Threats of further interest and penalties
• Pay by this date or else……..
Demand for Payment (sample letters dated October 5, 2012 and April 18, 2013)
Richard T Avis, Attorney & Associates, LLC
Richard T Avis
Barry Serota (1948-2009)
P.O. Box 1008
Arlington Heights, IL 60006
Phone (847) 259-4700
Fax (847) 259-9434
[received stamp: OCT 17 2012]
INTERNATL COFFEE & TEA
1945 S LA CIENEGA BLVD
LOS ANGELES CA 90034
CASE NO. 972923
RE: Tyco Integrated Security fdba ADT Security Services Inc VS. INTERNATL COFFEE & TEA
Account # 01300-145000314
AMOUNT DUE - $1185.43
Our firm has been engaged to collect the obligation that is due to Tyco Integrated Security.
The total balance of $1185.43 must be paid to our office within the next 5 days. This total excludes interest, late charges and attorney fees which can be added in accordance with the underlying contract.
IT IS IMPERATIVE THAT YOU FORWARD PAYMENT OF THE BALANCE DUE IMMEDIATELY.
Your payment in full should be made payable to Tyco fdba ADT and sent to our office at the above address. Be sure to include our case number 972923 on your remittance.
Payment should be in the form of check or money order made payable to Tyco fdba ADT and include your case number 972923.
If we do not receive your payment, we will have no alternative but to pursue the TOTAL balance due to our client. This could include additional charges being added to your account such as interest, late charges and attorney fees, as per the terms of the underlying contract.
Send your payment via Federal Express or USPS Express Mail to:
Tyco Integrated Security fdba ADT Security Services Inc c/o Richard T Avis, Attorney & Associates, LLC
3715 Ventura Drive
Arlington Heights, IL 60004
Sincerely,
Richard T Avis, Attorney & Associates, LLC
CONTACT: N.Minnick, Administrator - Ext.230
The Health Dept. is Calling.....
• Receive a call from the “State Health Dept.” or DOA
• Informs the restaurant of a complaint and a visit today
• Will attempt to persuade the employee to provide personal and/or credit information for ID theft and fraud
• Variation- will ask the employee to enter a five digit verification code to confirm the appointment in a subsequent call. This allows the scammer to set up a fraudulent Craigslist or online auction house account verified to your restaurant phone number.
• Variation- other scammers claim to be IT techs or from the bank, requesting credit card info because the system is “down”
Point of Sale Scams
• Confuses cashier during transaction
• Use of social engineering like a Phish
• Asks for change of $20 and leaves with $30
• Have policy on making change; double count, don’t be rushed
Counterfeit Money
• Best line of protection- UV machine or cash verification tower
• $5.00 bills are washed and reprinted as $100’s
• Review security features on all bills $20 and above.
Credit Card / Gift Card Fraud
• Never hand key any credit card transaction, especially for sale
of gift cards.
• Get swipe and signature for any transaction over your
designated threshold ($25.00?)
• Remove remaining balances from all gift cards linked to a
charge back transaction
• Establish credit card acceptance policy including a loss
prevention training element
• Identify areas or groups of stores with highest % of fraud
to develop a targeted response.
• Do not transfer balances from one gift card to another
No Scams Here……
• Employee Training
– Create eTraining platform (embedded)
– Micro-games
– Provide Internet access resources
– New hire awareness module
– Specific cash and credit card procedures
• Establish Company Hotlines for verification
– Documented procedures and protocols with real time
access to assist in decision making process
– Ops / LP / IT / Acct. contact during business hours
– When in doubt- Just say “No” and call supervisor
Integrate For Success
• Develop and lead a multi-departmental partnership to combat
fraud and scams across all levels of your company or
organization
• Provide awareness and response directives for each
department or “impact” area
• Work directly with A/P to ensure:
– Invoices are verified by department
– Purchasing guidelines were followed
– There is a new vendor approval process
– Suspicious invoices are reviewed, create checklist
– Systems in place to prevent duplicate invoices
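The A/P checks above, together with the false billing patterns described earlier (unapproved vendors, lookalike company names, duplicate invoices, invoices nobody ordered), can be encoded as a hold-for-review screen. This is an added example, not the presenter's or the company's process; the vendor list, invoice numbers and invoices are constructed, and the 0.85 name-similarity threshold is an assumption.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

@dataclass
class Invoice:
    vendor: str
    number: str
    amount: float
    po_number: Optional[str]     # purchase order reference, None if none exists
    confirmed_by: Optional[str]  # department confirming the order, None if nobody does

# Constructed A/P state: the approved vendor list and invoices already paid.
APPROVED_VENDORS = {"Metro Paper Supply", "Citywide Lighting Co"}
PAID = {("Metro Paper Supply", "MP-1001")}

def lookalike_vendor(name, approved, threshold=0.85):
    """Return an approved vendor whose name the unknown vendor closely imitates, if any."""
    for known in approved:
        if SequenceMatcher(None, name.lower(), known.lower()).ratio() >= threshold:
            return known
    return None

def screen_invoice(inv, approved=APPROVED_VENDORS, paid=PAID):
    """Return the reasons an invoice is held for review under the A/P checklist.
    Amount is deliberately not a factor: small invoices get the same checks."""
    holds = []
    if inv.vendor not in approved:
        holds.append("vendor not on approved list; route to new vendor approval")
        twin = lookalike_vendor(inv.vendor, approved)
        if twin:
            holds.append(f"vendor name imitates approved vendor '{twin}'")
    if (inv.vendor, inv.number) in paid:
        holds.append("duplicate: invoice number already paid")
    if inv.po_number is None:
        holds.append("no purchase order; purchasing guidelines not followed")
    if inv.confirmed_by is None:
        holds.append("no department confirms ordering or receiving")
    return holds

# Constructed invoices: a legitimate one, a resubmitted duplicate, and a false-billing
# attempt modelled on the slide's light-bulb scam (small amount, lookalike vendor name).
LEGIT = Invoice("Metro Paper Supply", "MP-1002", 412.50, "PO-7781", "Store Ops")
DUPLICATE = Invoice("Metro Paper Supply", "MP-1001", 412.50, "PO-7710", "Store Ops")
FALSE_BILL = Invoice("Citywide Lighting Company", "INV-88213", 189.00, None, None)
```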
If you have been scammed…
• Notify appropriate law enforcement agencies
• Send alert to other departments or
restaurants to prevent/minimize other losses
• Alert your Loss Prevention/Security peers if
applicable and/or approved by your company
• Review scam to determine areas in need of
retraining or possible internal dishonesty
Thank You!