Fraud Prevention Checklist 2016

Author: Bethanie Miller

The Fraud Problem

• 50% increase in ID Theft in 2015
• 21% rise in Social Engineering Scams
• £160m by a single fraud ring currently in court: 75 solicitors, avg $2.1m
• £18.5m: a single fraud from a healthcare provider
• Doubled! Losses to Social Engineering Fraud rose in 2015 by nearly 100% to over £675m
• £32m to 994 reported Fake Boss Scams, Jul '15 to Jan '16
• 95.5k reported Phishing Scams, Nov '14 to Oct '15
• Only 1 computer hacker per month prosecuted in the UK
• £Priceless: conveyancing fraud loses couple their family home
• Fraudsters claiming to be from ActionFraud

Sources: IT Pro, NFIB & GetSafeOnline, ActionFraud, Intel from STORM, FTC, BBC

The Fraud Prevention Toolkit

• Secure Banking Shopping List
• Fraud Prevention Checklist
• Fraud Prevention Policy Template
• Fraud Prevention Guidance for Solicitors' Clients

The QBE Fraud Prevention Checklist

Levels of Criticality
• Red (L1): Critical Control which considerably reduces fraud risk
• Orange (L2): Important Control which will improve your firm's resistance to fraud
• Blue (L3): Additional Control which will strengthen your overall governance of fraud risk

Critical Controls to Reduce Fraud Risk (Level 1)

Improving Your Firm's Resistance to Fraud (Level 2)

Governance of Fraud Risk (Level 3)

The QBE Fraud Prevention Checklist: 4 Key Areas
1. Fraud Prevention Policy & Awareness Training
2. Security of your Payment Systems & Processes
3. Security Best-Practice with your Bank
4. Compliance with Regulations

1. Fraud Prevention Policy & Awareness Training

A. Policy & procedures
Your firm has a written policy and supporting procedures, to which all staff strictly adhere, that defines the security and process for managing payees and making payments.
Giving staff direction, guidance, support and confidence to detect and prevent fraud

B. Fraud awareness for your payments staff
All staff responsible for managing payees and making payments are regularly made aware of fraud threats and either trained, guided or otherwise made aware of fraud incident trends and current fraud prevention best-practice.
Enabling staff to maintain vigilance against fraud attempts

C. Leadership message
A leadership message on fraud prevention is delivered to all staff at least annually, using the most appropriate method for your firm, e.g. during a staff meeting or via an internal communique.
Showing that a key management ethic is to protect the assets of both clients and the firm

D. Review of policy & procedures
Your firm's policy on fraud risk and security, along with any observed failings or incidents, is subject to ongoing review by the executive committee or a similar senior team.
Keeping ahead of the constantly developing methods used by fraudsters

E. Senior management responsibility
Your practice assigns responsibility to senior management to keep abreast of fraud reports and methods used by fraudsters and cyber criminals, to regularly update staff with all relevant intelligence bulletins and to require any adjustment in fraud prevention safeguards.
Supporting fraud prevention at an appropriately high level within the firm

TIP: Formulate a Clear Policy & Make Staff Aware
Your Fraud Prevention Policy should include the following sections:
• Simple, jargon-free wording, with examples and support from workflow
• Fraud & Cyber definitions: hacking, malware, denial of service, theft, forgery, false accounting, deception, bribery and corruption
• Run at least annual staff awareness (choose Cyber or Fraud events in Oct/Nov)
• Measures to detect and minimise fraud and cyber risk: you might refer this to procedures such as those for making payments or managing networks
• Require users to sign an Acceptable Use Agreement

Use the Fraud Prevention Policy Template in the QBE FP Toolkit

2. Security of your Payment Systems & Processes

A. Confidentiality of account credentials
Your policy forbids all those assigned accounts capable of making payments from ever divulging account credentials (usernames, PINs, passwords and/or token codes) to anyone.
Making it very hard for fraudsters to break into and hijack accounts used for payments

B. Background checks on staff responsible for payments
Your policy mandates that all staff responsible for payee management and payments are only assigned to this function once they pass suitable background checks.
Reducing the likelihood of fraud committed by criminal insiders

C. Payment time delay for new payees
Your policy requires that there is always a minimum one hour period separating the definition of a new payee (on any payment system) and making the first payment to them. This might be a manual process or automatic via online banking.
Preventing immediate payments to fraudsters' beneficiary accounts (take the money & run!)

D. Housekeeping of payee account details
Your policy requires that payee reviews be regularly conducted and that redundant payee details be immediately removed from all relevant payment systems.
Reducing the chance that fraudsters can request payments to hijacked beneficiary accounts

TIP: Securing Your Payment Process

DO:
• Introduce a time-block process of one hour between creation or amendment of payees and making of payments to them.
• Check any change requests to payee details through separate background verification.
• Regularly review and remove redundant/old payees from your online banking list.
• Support staff to be confident in being assertive but polite to anyone who calls who may be a fraudster.
• Use verifiable methods of communication with your clients.
• Segregate your payment systems from other office IT:
  • Use separate computers
  • Ideally use a separate broadband connection with an air gap between payment systems and the company network
  • Use a virtual PC just for payments

DO NOT:
• Act, or allow your staff to act, on a payment request (payee details or transaction) which is not validated and authorised by at least one other member of your authorised payments staff.
• Continue, or allow your staff to continue, communications (inc. discussions) with any internal or external party who has not passed your validation checks.

ADVICE: Ensure that all communications with your Bank relating to your online banking are done:
• Face to face with a branch rep
• In writing by letter (make sure you don't provide credentials in the post)
• Using secure messaging within your online banking system
NOT by phone. NOT by public email/webmail.

2. Security of your Payment Systems & Processes

E. Control over changes to payee account details
Your policy requires that all payee management activities must be verified by separate staff using rigorous authentication methods such as pre-agreed payment detail formats, authorisation limits and shared secrets which are established in person once official ID checks (passport, driving licence, references) are completed.
Reducing the opportunity for fraudsters to change payee details for subsequent diversion

F. Segregation of payment duties (Raise vs Release)
Your policy requires that all payment systems, inc. online banking, are set up so that one user is authorised to raise payments and a different user is needed to release each payment or payment batch.
Preventing fraudsters from scamming a single member of staff into making a payment

G. Separating account reconciliation from payment duties
Your policy requires that all payment reconciliation is performed by a suitably qualified person who ideally does not have access to any payee management or payment functions, or at the least does not have the ability to raise payments.
Reducing the likelihood that a criminal insider is able to cover up payment fraud

H. Using only 'Strong' passwords
Your policy requires that all staff maintain strong* passwords on their payment systems accounts and never share accounts.
*Strong passwords are a minimum of 8 characters, including one or two numbers and special characters.
Reducing the chances that hackers and fraudsters can hijack staff accounts used for payments
Supporting accountability for the use of payment accounts

TIP: Good Password Management
1. Passwords should never be shared with anyone, regardless of hierarchy.
2. Secure passwords should start with an appreciation of preferences.

Password Psychology: What is your genre?
• Family-oriented: names of people or events with emotional value
• Fans: names of athletes, singers, movie stars, fictional characters or sports teams
• Fantasists: sex is evident in passwords such as "sexy", "stud" and "goddess"
• Cryptics: unintelligible passwords or a random string of letters, numerals and symbols

Choose a phrase and select the first or last letter from each word:
I Like To Go Shopping At Harrods In The Spring (ILTGSAHITS)
Mix it up! Exchange letters for numbers and symbols: 1LtgS@Hit5

2. Security of your Payment Systems & Processes

I. Separate telephone lines for payments staff
Your firm has a separate telephone line, number or extension specifically for payment queries. It is not possible to transfer calls to this phone, and you have arranged with your telecoms provider to block all calls to this phone where the caller's number is withheld.
Making it hard for fraudsters to achieve trust by internal call transfer

J. Isolated computers and broadband for making payments
Your firm uses a separate computer dedicated to raising online payments which is not connected to your company network, has a separate internet connection, the latest fully patched operating system, an enabled firewall and fully updated anti-malware.
Reducing the risk of a network compromise adversely affecting payment systems

K. Minimising the number of Authorised Payments Staff
Your firm maintains a small but adequate number of specifically authorised staff who manage payments and who ensure that all payment security policies and procedures, including those mentioned above, are always practised.
Reducing the opportunity for scamming and insider fraud

L. Housekeeping of Accounts used for Payments
Your policy requires that all staff no longer responsible for payee management and payments have the accounts they use for these functions immediately disabled and/or removed.
Reducing the opportunity for fraudsters to hijack and misuse redundant payment accounts

TIP: Splitting Up Responsibilities... Responsibly
Appreciating that payments staff (inc. authorisers) may not be numerous:
• Give some thought to how duties can best be divided
• Key is segregating the roles and online banking account functions:
  • Those who maintain payees
  • Those who raise payments
  • Those who authorise and release payments
  • Those who reconcile payments

[Three diagrams in the original deck show example allocations of these four roles across a small team, captioned "Ideal Segregation", "Still good segregation" and "NOT good segregation".]
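The controls in section 2 (the one-hour cooling period after a payee is created or amended, raise/release by different people, removed payees and disabled leavers' accounts) and the role split in the tip above are simple enough to express as code. The following is a constructed Python model added to this page, not QBE's checklist software or any bank's online banking: the user names, role names, account number and timestamps are assumptions made for the illustration. The `segregation_findings` check reproduces the tip's test of whether a role allocation is "good segregation"; the `PaymentLedger` refuses any action that would breach a control.

```python
"""Constructed model of the section 2 payment controls and the role split in the tip
(added illustration, not QBE's or any bank's code; users and account number are made up)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

COOLING_PERIOD = timedelta(hours=1)  # control C: at least one hour after a payee is created/amended

class ControlViolation(Exception):
    """Raised whenever an action would breach one of the checklist controls."""

@dataclass
class User:
    name: str
    roles: FrozenSet[str]  # any of: maintain_payees, raise, release, reconcile
    enabled: bool = True   # control L: leavers are disabled, not left active

@dataclass
class Payment:
    account: str
    raised_by: str
    released_by: Optional[str] = None

def segregation_findings(users: Dict[str, User]) -> List[str]:
    """Role split from the tip: raise and release must be different people, and the
    reconciler should not be able to raise payments or maintain payees."""
    findings = []
    for u in users.values():
        if {"raise", "release"} <= u.roles:
            findings.append(f"{u.name}: raises and releases payments (control F)")
        if "reconcile" in u.roles and u.roles & {"raise", "maintain_payees"}:
            findings.append(f"{u.name}: reconciles and can raise payments or edit payees (control G)")
    return findings

class PaymentLedger:
    def __init__(self, users: Dict[str, User]):
        self.users = users
        self.payees: Dict[str, datetime] = {}   # account -> time of creation / last amendment
        self.payments: Dict[str, Payment] = {}  # payment ref -> payment

    def _require(self, actor: str, role: str) -> None:
        u = self.users.get(actor)
        if u is None or not u.enabled:
            raise ControlViolation(f"{actor}: not an enabled payments user (controls K/L)")
        if role not in u.roles:
            raise ControlViolation(f"{actor}: not authorised to {role} (controls F/G)")

    def set_payee(self, actor: str, account: str, now: datetime) -> None:
        """Create or amend a payee; either (re)starts the one-hour cooling period."""
        self._require(actor, "maintain_payees")
        self.payees[account] = now

    def _check_payee(self, account: str, now: datetime) -> None:
        if account not in self.payees:
            raise ControlViolation(f"{account}: unknown or removed payee (control D)")
        if now - self.payees[account] < COOLING_PERIOD:
            raise ControlViolation(f"{account}: changed less than one hour ago (control C)")

    def raise_payment(self, actor: str, ref: str, account: str, now: datetime) -> None:
        self._require(actor, "raise")
        self._check_payee(account, now)
        self.payments[ref] = Payment(account, raised_by=actor)

    def release_payment(self, actor: str, ref: str, now: datetime) -> Payment:
        self._require(actor, "release")
        p = self.payments.get(ref)
        if p is None or p.released_by is not None:
            raise ControlViolation(f"{ref}: no such pending payment")
        if actor == p.raised_by:
            raise ControlViolation(f"{ref}: the raiser cannot also release (control F)")
        self._check_payee(p.account, now)  # payee amended after raising? block it (control E)
        p.released_by = actor
        return p

def demo() -> Dict[str, object]:
    """Walks the controls with constructed users; returns what was allowed or blocked."""
    users = {"alice": User("alice", frozenset({"maintain_payees"})),
             "bob": User("bob", frozenset({"raise"})),
             "carol": User("carol", frozenset({"release"})),
             "dave": User("dave", frozenset({"reconcile"}))}
    ledger, t0, acct = PaymentLedger(users), datetime(2016, 3, 1, 9, 0), "12-34-56 12345678"
    out: Dict[str, object] = {"ideal_split_ok": segregation_findings(users) == []}

    def attempt(key, fn, *args):
        try:
            fn(*args)
            out[key] = "allowed"
        except ControlViolation:
            out[key] = "blocked"

    ledger.set_payee("alice", acct, t0)
    attempt("raise_within_hour", ledger.raise_payment, "bob", "P1", acct, t0 + timedelta(minutes=30))
    attempt("raise_after_hour", ledger.raise_payment, "bob", "P1", acct, t0 + timedelta(hours=1))
    attempt("self_release", ledger.release_payment, "bob", "P1", t0 + timedelta(hours=1, minutes=5))
    attempt("second_person_release", ledger.release_payment, "carol", "P1", t0 + timedelta(hours=1, minutes=5))
    attempt("raise_to_unknown_payee", ledger.raise_payment, "bob", "P2", "99-99-99 99999999", t0 + timedelta(hours=2))
    users["bob"].enabled = False  # bob leaves the payments team (control L)
    attempt("disabled_user_raise", ledger.raise_payment, "bob", "P3", acct, t0 + timedelta(hours=2))
    out["bad_split"] = segregation_findings({"eve": User("eve", frozenset({"raise", "release"}))})
    return out
```

Running `demo()` shows the payment raised 30 minutes after the payee was set up being refused, the same payment accepted at the one-hour mark, the raiser unable to release his own payment while a second authorised person can, and a disabled account rejected outright. Re-checking the payee's last-changed time at release as well as at raise is what stops an amendment slipped in between the two steps.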

3. Security Best-Practice with your Bank

A. Firm adherence to online banking terms & conditions of use
Your policy fully supports adherence to the terms & conditions to which your firm is bound for the provision of online or other payment services by providers such as your Bank(s). You also bring to providers' attention any breaches of these agreements by their own staff.
Reducing the risk of breach of agreement and resulting liability for losses

B. Ensuring bank staff also adhere to your firm's security procedures
Your policy requires that any failure to adhere to agreed or best-practice security by Bank staff interacting with you will result in immediate discontinuation of communications with them and reporting of such failures both within your firm and to the Bank in question.
Preventing fraud by criminals who claim to be bank personnel

C. Adequately authenticating bank personnel
Your policy requires that enquiries made with or by your Bank(s) are protected both by security checks made by the Bank staff AND an additional security check made by you to validate them. An example might be that they advise you of your account creation date.
Preventing fraud by criminals who claim to be bank personnel

D. Tailoring the maximum single payment limits on client accounts
Where their services are capable of supporting customised limits, your Bank has reduced the payment limits for your firm to those that remain practical but reduce the impact of loss should your firm be the target of fraudsters.
Preventing fraudsters using their knowledge of default payment limits

TIP: Verifying a Bank Website

Don't rely on or trust the site! Try other site features.
If you ever suspect your online bank is fake, try entering a password or code which you know to be false JUST ONCE. If it is accepted then you know the online bank website is a scam.

3. Security Best-Practice with your Bank

E. Tailoring the maximum aggregate payment limits on client accounts
Where their services are capable of supporting customised limits, your Bank has restricted the aggregate amount of high value payments that can be made at any one time, which would reduce the impact of loss from fraud.
Preventing fraudsters using their knowledge of default payment limits

F. Ensuring your bank helps you by detecting fraud
Your firm has requested that your Bank(s) independently verify, prior to authorisation, the creation of all new payees located outside the UK, especially where these would be considered unusual to your firm's general pattern.
Preventing fraudsters from transferring stolen funds to beneficiaries in less vigilant jurisdictions, where the chances of timely recall are reduced

G. Maximising the chances to recall fraudulent payments
You have arranged with your Bank to disable the Faster Payments service on Client Account(s), thus removing the preferred method of payment by fraudsters. Using CHAPS or BACS has time benefits for cancellation, hold or recall.
Preventing fraudsters using FP to quickly transfer and transfer-on (take the money & run!)

H. Preventing unauthorised changes to payment details
Your policy requires that, where relevant, clients are alerted to the risk of fraud, and that controls are explained for early and structured exchange of payment details and for restricting future changes to those details by any party.
Reducing the chances that client accounts can be misused or funds diverted

3. Security Best-Practice with your Bank

I. Secure control over changes to payment details
Your policy mandates that any subsequent advices about payment/payee details will not be sent or accepted by your firm (nor should they be accepted by the client) without personal verification by the lawyer or their delegate, and independent validation by another authorised person in the firm.
Considerably reducing fraudsters' ability to divert stolen funds to their illicit accounts

J. Ensuring your bank helps you by preventing fraud
You have arranged with your Bank that payments must only be allowed by their systems if they are made from agreed fixed IP addresses or defined, authorised computers or mobile devices.
Reducing the chances of hackers and fraudsters being able to hijack payment accounts

How does a security token work?

Generates a set of one-time codes
• Intercepting one code is only good for one operation or transaction
• Tokens need a bank card to enable them
• Each operation (Identify, Respond, Sign) requires a PIN to be entered
• Once the PIN entry is successful a one-time code is generated
• Only your online banking system is able to verify the one-time code
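The token properties listed above can be seen in a small model: a PIN-gated, counter-based one-time code on the card side and a verifier that holds the same card secret on the bank side. The code below is a constructed Python illustration added to this page, not any bank's real token scheme (which the page does not describe); the card secret, PIN, 8-digit code length and the verifier's look-ahead window are assumptions made for the example. It shows why an intercepted code is good for one operation only, why a "Sign" code for one transaction is useless for another, and why nothing without the card secret can check a code.

```python
"""Constructed model of a PIN-gated, counter-based one-time-code token and the bank-side
verifier (added illustration, not any bank's real scheme; secret, PIN and window are made up)."""
import hashlib
import hmac
from typing import Dict, Optional

CODE_DIGITS = 8
LOOKAHEAD = 5  # unused counter values the bank will still accept, e.g. after a code was generated but never entered

def one_time_code(card_secret: bytes, operation: str, challenge: str, counter: int) -> str:
    """HMAC over the operation, a challenge (for 'Sign': the payee account and amount)
    and a counter, truncated to a short numeric code the user can type in."""
    msg = f"{operation}|{challenge}|{counter}".encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

class Token:
    """Reader plus bank card: releases a code only after the correct PIN is entered."""
    def __init__(self, card_secret: bytes, pin: str):
        self._secret, self._pin, self._counter = card_secret, pin, 0

    def generate(self, pin: str, operation: str, challenge: str = "") -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None  # wrong PIN: nothing is released
        self._counter += 1  # every code is bound to a fresh counter value
        return one_time_code(self._secret, operation, challenge, self._counter)

class BankVerifier:
    """Holds the same card secret; nobody without it can check (or forge) a code."""
    def __init__(self, card_secret: bytes):
        self._secret, self._last_counter = card_secret, 0

    def verify(self, code: str, operation: str, challenge: str = "") -> bool:
        for c in range(self._last_counter + 1, self._last_counter + 1 + LOOKAHEAD):
            if hmac.compare_digest(one_time_code(self._secret, operation, challenge, c), code):
                self._last_counter = c  # consumed: this code can never be accepted again
                return True
        return False

def demo() -> Dict[str, bool]:
    """Exercises the token/verifier pair with a constructed card secret and PIN."""
    secret = b"constructed-card-secret-not-a-real-key"
    token, bank = Token(secret, "1234"), BankVerifier(secret)
    payee, other_payee = "12-34-56 12345678|250000", "99-99-99 99999999|250000"
    out: Dict[str, bool] = {}
    out["wrong_pin_releases_code"] = token.generate("9999", "Identify") is not None
    login = token.generate("1234", "Identify")
    out["login_accepted"] = bank.verify(login, "Identify")
    out["login_replayed"] = bank.verify(login, "Identify")  # intercepted and reused: refused
    sign = token.generate("1234", "Sign", payee)
    out["sign_code_for_other_payee"] = bank.verify(sign, "Sign", other_payee)  # bound to the original details
    out["sign_accepted"] = bank.verify(sign, "Sign", payee)
    out["verifier_without_secret"] = BankVerifier(b"some-other-secret").verify(sign, "Sign", payee)
    return out
```

The look-ahead window is the design decision to watch: it lets the bank tolerate a few wasted codes, but every accepted code moves the verifier's counter forward, so a code captured during a phone call or by a keylogger is dead the moment the legitimate user has used it.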

Security Token & Online Banking Card Assignment

DO:
• Keep the security token in a safe place and report any loss to your bank immediately
• Keep the online banking card (used with a token) in a physically secure and separate location from the token
• Cards should be only for use with online banking and not dual payment (debit) cards
• Ensure that each online banking user has their own security token and their own online banking card & PIN, and that your policy allows them to use only these
• Mark token and card pairs with single alphabet letters assigned specifically to each authorised user
• Destroy all PIN advice notes. Assigned users must change and memorise their new PINs
• Only bring the security token and online banking card together when needed to use online banking

DO NOT:
• Use security tokens and online banking cards during phone conversations for any reason. They are only for online use.
• Keep old security tokens or online banking cards. Securely destroy them or return them to the bank (& get a receipt).
• Tolerate authorised users sharing security tokens or cards. The psychology of ownership matters!
• Allow authorised users to divulge any codes or passwords (usernames, PINs, passwords, numbers on cards or one-time codes generated by their security token) either between each other or to other colleagues or external people, including your bank, regulators or law enforcement.
• Identify staff responsible for finance and payments by their job title: choose "Office Manager" or "Operations Assistant"

4. Compliance with Regulations

A. Securing sensitive data
Your firm has identified all information which it stores, processes and transmits which is financial or personal, and confirms that this 'sensitive data' is always encrypted in transmission, on mobile devices, and on backup or mobile storage media, e.g. CD/DVD, USBs.
Reducing the risk that sensitive financial details and transactions can be stolen or misused

B. Destroying sensitive data
You confirm that when sensitive data, or the media on which it is stored, is no longer required by your firm, it is securely and irretrievably deleted and/or destroyed.
Preventing sensitive data from falling into the hands of criminals

C. Reporting attempted fraud
Your policy defines a process for reporting suspected fraud attempts both within your organisation and to trusted government reporting services (such as ActionFraud) and/or the Police.
Helping the fight against fraud by sharing intelligence

D. Reporting actual fraud and personal data breaches
You confirm that all incidents which may result in breaches of confidentiality of sensitive data are recorded and reported within the firm and to regulators and/or the Police and insurers as required.
Ensuring regulatory compliance and best efforts to recover stolen funds

The QBE Fraud Prevention Advice Improvement Actions List (on QRisk)

Summary

1. Review your firm's Governance of Fraud and Cyber risk
You don't have to be a large firm to give your staff the guidance and confidence they need to prevent fraud

2. Implement strict yet effective payment processes
Remember, small and mid-sized firms are those most targeted by fraudsters

3. Work more closely with your Bank
Don't expect banks to be secure; many of them do not currently have the fraud detection systems you might think they have!

4. Look for ways to improve your systems' security
Segregating systems is a good way to reduce fraud risk

5. Know who to call when you have a question or concern
Use the QBE Fraud Prevention Toolkit and speak with your broker.