
Phishing: Stop Fraud Before It Starts

Tom Cronkright, Published on February 20, 2019

This month’s fraud briefing dives into Phishing. Watch to learn more about this fraud tactic and how you can better prepare your company and customers to reduce your threat.

Full webinar transcript:

Good morning, everyone. Thank you for attending this month’s fraud briefing. I know we have several hundred of you that either dialed in or are dialing in. I’m going to make it my goal to start promptly each and every month here, so we’re going to dive in. A few housekeeping matters. There is a question panel on part of the go-to, so if you have questions as we walk through the topic today of phishing, please just throw those in, because at the end, I’m going to reserve at least 10 minutes to basically answer the questions and walk through the thoughts and ideas that you have that may warrant further consideration. With that, I’m going to dive right in. This month’s topic is on phishing. Phishing is an area where basically all frauds start. This conversation is going to tilt more towards real estate transactions, just because most everyone that’s dialing in is facing the real estate industry in some way, but just know that these principles apply across so many different industry categories.

By way of introduction, I’m Tom Cronkright. I’m one of the co-founders and CEO of CertifID, a fraud prevention solution preventing wire fraud in the US. I’m also a co-founder of a title company in Michigan, and through our title company experience, we actually went through a wire fraud back in 2015, and over the months and years to follow, like everyone has seen, the landscape changed so significantly in the area of wire fraud and ultimate loss, as money continues to be diverted from trusted bank accounts to fraudulently controlled bank accounts.

Today’s topic is phishing. We spoke last month, in the January session, about this idea that the fraudsters are running a well-defined playbook. That starts with profiling, runs through a series of activities, and ends with the transfer of funds, typically, to a fraudulent account, or access to credentials that they then sell on the dark web or whatever it happens to be. Today, we’re going to start with phishing. I’m going to get sidetracked several times during this. Here’s my first sidetrack. This is a layered series that we’re intending to provide you every single month. Make sure that you come back in March because we’re going to start to work our way through how the frauds actually take place. Think of it as a clinical dissection of what they’re doing, and how they’re doing it. I promise to do everything we can to bring you the tip of the spear as far as information, and live examples of how these frauds are hatched. Today’s no exception.

What is phishing? Think of phishing as trying to obtain personal information or user credentials through fraudulent e-mails that are made to look trusted or authentic. This could be credit card numbers, it could be social security numbers, birth dates. For our industry, for real estate, it seems to be e-mail account credentials. The types of phishing that I’m going to show examples of in a second are these two types: spear phishing and whaling. Spear phishing is where they know who the target is and they need to get to that target by sending specific e-mails that are unique or personal to the person that they’re trying to gain account access from. Like we talked about last week, starting fraud is easy because all the real estate transactions that are taking place, at least on the purchase side, are publicly available. They all syndicate, and so is the ownership record of the current home owner.

It’s pretty easy to identify who is in an active transaction, especially the representatives that are representing those as well. That’s spear phishing. Whaling, we’re seeing more whaling. Whaling is a variation where they go after a higher level target, typically within an organization. Think of it as the owner or the C-suite, and they either obtain the credentials of that individual or they spoof their credentials so well that they are able to influence somebody more junior in the company to do something, typically to transfer funds. I’m going to show you a live whaling example in just a couple of minutes. By the numbers, I wanted to share a few statistics that recently came out. 91% of all cyber crimes start with some well-crafted phishing lure, they call it, these e-mails that somebody clicks on and then a bad series of events starts to happen, but they’re not aware of it.

What are the attack vectors? It’s just shocking how many people are falling for this each day, but not … I’ll show you how sophisticated they are. It’s just a matter of training and being more aware. But 30,000 Americans, 80,000 Canadians, and then 7,500 fake invoices that are actually disguised as phishing attacks are clicked on every single day. You notice here, we provide an example of the types of things that are embedded in phishing scams and their strategies. Look to the right of this grid: half of them, roughly, are fake e-mail attachments, or e-mails with attachments or fraudulent links. Just know that half of all this activity where you have a link or some type of attachment is likely to have some sort of a phishing scam involved.

There are many other different vectors. What they do is they’ve gotten smarter over time. They’re saying, “Look, I don’t need to recreate the wheel here. I just need to impersonate a brand that already has a level of trust with the person that I’m trying to compromise or I’m trying to defraud. Why not go after the most trusted, call it digital, brands in the United States, and lay on that bedrock of trust, if you will, by impersonating them, because they’ve spent hundreds of millions, if not billions, of dollars curating these relationships with these people?” Frankly, it’s a really effective strategy. Just last year, here are the top 10 brands that were impersonated in various different attacks. You can see they’re widespread. What’s interesting is we’re starting to get more and more data around the level of phishing last year, so we had 76% of businesses that actually reported that they were victims, not just attempts; guaranteed it’s 100%, whether or not they know it, they’ve been involved in some type of phishing attempt or scam.

Here, 76% are saying, “Look, we were actually victims of some type of a phishing attack.” Business e-mail compromise, we’re going to get into that next month, but phishing leads to account takeover, which leads to loss. The FBI reported through the end of ’17 that that was a 12 billion dollar problem. I’m sitting on statistics that we’re about ready to release. It’s going to dwarf the 12 billion dollar number, because last year was just an insane year for wire fraud and e-mail compromise. Then, just make a mental note, one thing that is really trending is this idea of spam phone calls. There are people predicting that nearly half of all calls that are coming in to cell phones, and direct dials, are going to be spam related. You probably had it, where it looks like it’s coming from a local number, and you pick it up and you get that two-second delay. Here’s a clue for me: if you’re calling me and trying to reach me, and there’s a two-second delay, I’m ending the call. Just be wary that they’re getting more kinetic and they’re using the phone more and more.

Let’s start to dive in. Like I said, these sessions are made to be intense training around topics, so we’re going to start the training on what to look for in some of the top phishing scams that took place last year. It ranges everything from personal, to professional, to just general. What I mean by that is phishing is not just a nine to five exercise for fraudsters. It’s a 24-7 exercise. If you have an employee or you have a referral partner, you have a customer that is compromised while they’re online in the evening or the morning before work hours, chances are that compromised state is going to carry over into the work life. That’s the challenge we have right now. It all started with these guys right here. This is the, remember that the Nigerian prince had a relative that died, and the relative left him 20 million dollars, and if you would just open an account or send account credentials, I’ll park the 20 million over the weekend and then I’ll move it out of your account, and I will leave you two, because I’m a nice guy. I’m that kind of fraudster.

What’s interesting is we have come so far from where these started. Although these are still effective today. It’s amazing. I was recently with the FBI, and they said people are still falling for these. Now, we’re getting into the next level. I’m going to start to dissect. What I’m trying to do here from a themed perspective is to say, “Okay, what’s the target? What’s the objective on our sophistication scale? What are we seeing?” I’m going to start to dissect some things to look out for. If you’re taking notes, you might want to take down the following, okay? There are three main attributes to every phishing scheme, and ultimately business e-mail compromise messaging. Three. One, there’s new or a change to information. Something new just happened, or something changed and you need to be aware of it. The second is, there’s some temporal aspect or time or time-bound issue wrapped up in this communication. Then the third, so new or changed information, time-bound, the third is if you don’t do something right away, bad things happen to you or the person that you’re representing. Keep those three in mind. New, temporal in nature, and there’s some consequence for not acting.

Here’s a situation. It looks like it’s coming from a help desk, and it’s saying, “Look, all these servers are maintained by, or going through routine maintenance and you need to complete your updates, so simply click here.” Embedded in this click link is a redirection to obtain what, username and password. This is where they’re trying to obtain user credentials. This is a company setting. Sophistication is, on our scale, medium, and here’s what we’re picking apart on this one. Okay. The IT department would never ask for your participation in maintenance. I don’t know if you have an IT department. I do, and they just maintain and update stuff without you knowing it, which is why you can’t log on. I’m kidding. But they just do it. The help desk team, this should come from an individual, so you can see the from, help desk, service account. I’m going to pick these things apart and you say, “Hey, I never noticed that.” Well exactly. That’s what this training is meant to be, because it’s the nuance. It’s the margin of the things that are just a little bit out of place that they’re not aware of, that we have to be able to spot now.

Then, scaring you there with access restrictions, right. Access to the server will be intermittent or completely unavailable for non-updated accounts. That’s not good. Can’t do my work. Next one is a web page [boot 00:13:01]. Here’s an online document platform. Well-known. You guys can see the icon. They’re trying to say, “Hey, we want to place an urgent order this month.” Interesting, all right, new business. Click on the attachments so we can provide you with the order details. You can click on that and they’re going to ask for your username and password. This one’s pretty sophisticated, because typically they target an employee within the organization that might be working on a file or known to work on files. Addressed by their e-mail address. This is what’s interesting. “Dear, T Cronkright at CertifID.com,” that’s really impersonal. Here’s the other thing you have to realize about salutations and how people are addressed: these brands spend hundreds of millions of dollars on a customer experience. Any canned message or alert probably goes through multiple layers of approval before they’re sent out.

They would not send me a “Dear, TCronkright42@gmail.com, how are you doing?” It’s just not going to happen. It’d say, “Hey, dear, Thomas or dear, Tom.” Okay. Use of the word, “urgent,” in the request. This is urgent. You got to do something right away. I might have to, but that’s typically not how we’d start out on the first notice. The use of the word “kindly.” Kindly check the attached file. We talked about this last week during the payoff fraud. Please kindly see the updated wiring instructions. Please kindly let me know when you’ve sent the wire. Please kindly confirm that … Guys, we don’t use the word kindly. We really don’t. We use, please, or sometimes, based on the state you’re in, you don’t use please at all. You just say, hey, I need this done. Let’s go. Flag the word, kindly, because that is one of the common denominators we’re seeing. They’re trying to be nice, they’re just using the wrong word. This is a big one you didn’t know, HTTPS access to the actual web page. We’ll get into that further, but if you’re going in and responding to an e-mail, especially a link, it should, on a header there where you’re communicating with, it should be an HTTPS, a secure site behind a secure wall. Not just an HTTP. Big thing to spot.

Online banking scams. Guarantee, people fall for this one a lot. This is individual in nature, and basically what it’s saying is we have a problem with your account, and the limits will be lifted after confirming your information. They got the wording a little bit wrong, but the idea is hey, something’s wrong with DOA here, and I need to do something to confirm. It’s medium sophistication. We can take this one apart real quick. Dear user, again, not a real person. There’s no way they would address me like that if I’m a banking customer. There are several grammatical errors in the text that you can see. The bank is simply not going to send you a link to click on to confirm. If you think it’s Bank of America, go to Bank of America, log into your account, go to messages, or communication, or notices, and see if there’s something, because it will be.

Another one, this one is a fake invoice but it’s doing one or two things. This is the challenge with PDFs right now. A PDF could be used to insert a packet of malware, or malicious software, they call it malware, where all bad things happen once you download. I’ll show you a more sophisticated example, the number one lure for malware last year, or I could click on this and they’re asking me for user credentials to get into the document. But here’s the challenge, if you’re working on a real estate transaction, you’re processing invoices all the time. This could be a survey, it could be [inaudible 00:16:59], it could be HOA, it could be whatever it is, doesn’t matter. You’re passing this back and forth all the time, but we need to make sure that we know where they’re coming from. This one was embedded with a Google sign-in. You could sign in, and you could also be hit with malware, because this could be a double dip where they get the user credentials, and they insert a packet of malware on your server.

A couple of red flags here when you’re looking at these. Make sure the e-mail is coming from the company you’re actually doing business with in this subject line. We master privacy here. Double check that e-mail address, and usually fake e-mails or invoices come with some type of urgency. Please add this to the CD, or here’s the updated invoice, or like we talked about, one of those three things. Here’s another one, and these are challenging because people typically respond, and you’re going to read this because it says, look, I’m about ready to click the switch on something and you’re not going to like it. Deactivation notice. We received a request to delete your account. Yikes, that’s not good. Your account will be removed from the site shortly and permanently deleted within 24 hours. That goes on, and click verify now. They’re after, again, user credentials. The sophistication here is low. I kind of feel bad for this fraudster, because he must be new to the game and maybe in an apprenticeship or something overseas, because this one’s super bad.

Mail administrator, but it’s actually going to some aerospace domain. That’s easy to find. The urgent request, and then they’re going to delete my account if I don’t act shortly, and then permanently delete within 24 hours. We wouldn’t use 24. You have to pick these things apart. It’s just not good English to use the numbers 24. But note, this is what’s interesting about this one, is they give a little bit of a trusting sentence in these parentheses. Note, please ignore this message if the request was from you. If you wish to cancel this request, do so immediately by viewing your details. Saying, look, if you already responded to this, don’t worry about it. We got you. I thought that was interesting on this one. When I saw this, I was really concerned. This is, again, to somebody personally obtaining user credentials, high sophistication. Let’s say for the sake of argument that they went down on the dark web, the fraudster, and they actually obtained the Comcast number, and they obtained the actual Visa card number, because you can do that for about 25 bucks right now. Full profile on somebody on the dark web.

If that’s the case, their click through rate on this is going to be very high, because they’re layering, they’re credentialing the e-mail with user-level information. We’re starting to see this more. I don’t think that’s the case with this one, and here’s why. Let me pick this one apart. There’s a direct link rather than sending the user to their account. Go to your account, log in, and we’ll communicate that way. You cannot, guys, click on direct links to view anything when you receive this type of a solicitation. It’s just the odds are too great that it’s malicious. You’re going to end up somewhere bad. Take one business day, with the number one, again, it’s a nuance, but it’s important. If we’re talking about days, we write out days, we don’t put numbers in there. Same thing typically with hours. Hello, instead of hey. Hey, Tom. Hey, Mr. Cronkright. Whoever it is. They would spend so much time making this personal, especially after personalizing all this. The name on the account is sales, well this would be the account name connected to the number.

Then this one, the payment doesn’t even match. This guy either fat fingered something or he got distracted, or he’s just not smart. But either way, that doesn’t jibe. Those are some of the nuances that you have to pick up. The other challenge, guys, is when you’re talking about this [inaudible 00:21:18] blown up on what appears to be a desktop monitor, on mobile it becomes even more challenging to detect these things. Okay, response request, this looks like it’s coming from PayPal. This is again, user credentials. What I want to show here is what I call second level domain masking. What’s that? What that means is you hover over it and it looks like it’s coming from international intl.paypal.com. Looks like a legitimate address. But you go one layer deep and it’s actually coming from service@epaypal.outlook.com. That’s a challenge, especially on mobile, when it’s hard to see that second layer. You may hover over it and say, “Oh, it looks like it’s coming from PayPal,” but in fact, it’s coming from a completely different account because they’re masking where it’s coming from.

Then, what I love about this is, hey, just the language. There’s a response required. That’s really strong in your faith in a sense of like, hey, we e-mailed you a little while ago to ask for your help. Really? We’d just say, “Hey, we have some odd account activity, please log into your account and go to your messages.” That’s how it would happen. LinkedIn, it’s not just e-mail, it’s on our social, it’s Facebook, it’s LinkedIn, it’s Instagram. You start to see messages that clearly are out of the ordinary. Here’s basically an e-mail message that looks like it’s coming from Wells Fargo to someone who has a corporate account with LinkedIn, asking them to go in, click this link and make sure that your keys to your account access are up to date. They will never embed, one, Wells Fargo is never going to send you a LinkedIn message. That is simply not going to happen. If they do send you a LinkedIn message, it’s sure not going to include something like this that says, “hey, your security in Wells Fargo is compromised or needs to be updated, so you need to take action.”

The number one malware delivery attack vector was this. This involves a macro. Macros are a massive security concern, because macros actually run code in the background. A macro, you may have some on the software where you type #3 in the macro, pulls up a form to fill out, or you have a macro for creating a title commitment where you type in #F and you get whatever happens to be that shows up in the software. Those are macros. What this e-mail is suggesting is to say, “Look, you need to enable your macros in Office.” That’s why Microsoft Office was the number one spoofed company for phishing. You cannot respond to any proactively messaged request to enable macros, or enable macro content. Okay? It’s simply too risky. You have to make sure the e-mail came from the original source, and what’s interesting about this e-mail is that the fraudster is actually giving you the three steps to enable the macros so they can infiltrate your system, so that it is successful, that their code that’s embedded in whatever document is behind this successfully implants into your server.

What is that? It could be key loggers, where they’re logging the key strokes or your user keys. It could be screen scraping, where they’re actually taking screenshots of what you’re doing and how you’re doing it. It could be live video recordings where they’re just scraping data. It could be literally thousands of different strategies for what they’re doing with that. It could be, I’m going to lock you out of your program, and now we’re going to get into a ransom situation to get access to your programs again. What are the takeaways here? Then I want to show you how to spot whaling. The takeaways are three. Just think of phishing as targeted, very timely, and coming from a trusted source.

How to spot whaling? Here’s a whaling example that actually came in to our title company last year. About this time, almost to the day. I want to walk you through what it looks like as it unfolds in real time. This is the fraudster impersonating me to our COO. I’m the whaling target as the CEO, and then this is to our COO. You can see, if you unlock it, it’s coming from some whatever@comsast. But she didn’t see that because she was on her mobile device. She just saw that it was coming from me initially. Right about lunch, which I think is interesting, and I think is coincidental, right, because I’m probably out with a customer or having a strategic meeting, or a talk, or whatever. Are you at your desk? She responds, “No, I’m sitting with Sarah in exam. Do you need something?” Just a few minutes later. Fraudster, impersonating me, yes, I, lower case I, write that down. We picked that up last month. Kindly, I, lower case I, you got to flag those. I need you to process a payment to a new vendor, let me know when you can get it done. I’ll head over now. Are you in your office?

We’re just a few minutes into this fraud. No, I’m in a meeting. I had to catch up. Let me know once you’re ready for the vendor account details. This is 12:36. I actually got back from lunch and she’s standing in my office. I’m like, “What’s up, Sarah?” She’s like, “Well, I’m here about the payment details. Why would you ask me for that? Why wouldn’t you go to the controller?” I said, “What are you talking about?” We decided, I grabbed our IT manager, and I decided to phish this guy back. “You know what, let’s screw with them for the next couple hours and see how much he knows.” Because I actually was curious. How much do you know about me and the organization, and what we do, to see how targeted this whaling attempt was. The rest of these e-mails are me standing over our IT manager’s shoulder typing things back to the fraudster, to try to see how much information we can pull out. Okay?

From her account, we say back to the fraudster, “Sorry for the delay. I’m ready for the vendor info. Go ahead and send me the payment details.” At the same time, our forensics team is running and back channeling all the information we can find on this guy to see if we can report it to the authorities in real time. Fraudster comes back and says, “Yeah, I just need 34,800 sent to [Surama 00:28:14] Tech Trade down in Miami. Please send me the confirmation uploaded as soon as you’re done processing the payment.” Why? We’re going to get into this. Money muling. They want to know when you’re sending the wire. We talked about that last month. Somebody is asking me to provide proof or what time you’re going to send a wire, you got to slam on the brakes. Let me know if you get the vendor details, so he responds another minute later, got them, we’ll start working on it. We’re still back channeling and data feeds. Then I lobbed this one over the wall: “One more question. I don’t recognize this as an existing vendor. Can you tell me what this is for, so I can correctly book it in the system?” I wanted to know what he thought he was asking us to pay for.

The fraudster says, “The new vendor and the payment is for our new inventory.” What inventory? We have no inventory, right, we’re a service company. “Sorry for all the questions,” I come back and say. “What inventory specifically? Want to make sure our team has a heads up before it arrives.” “Our new goods in stock,” he says. He must have Googled, like, what’s another way to say inventory. Well, if you’re back in the 80s and you’re taking an accounting class, they call it new goods in stock. I’ll brief you later. I’m busy at the moment. Two lower case I’s there. “What’s going on with the payment to the vendor?” He steps up the rhetoric. I’m the CEO. I’m the owner. Why are you questioning me? Just get this done. Then he comes back. “Are you done processing the payment?” Then, I said to him, “The computers are giving me trouble. Must be Friday. I’ll confirm as soon as it’s sent.” Then I get an okay.

Here’s what we were able to glean out of this. This is Surama Tech Trade. It was a Florida corporation. We knew all this by the time we sent that last e-mail. This appears to be the corporate headquarters, but he was actually sitting on the second floor of a sweatbox somewhere in Indiana, or Miami. I mean to say that these are live people in real time that are conducting these frauds. He didn’t know anything about the industry or the company, or whatever, but he was smart enough at least to know that there was a possibility based on the profiles or the personas. Quickly, strategies to prevent fraud. Here are several, and I hope all of you will get a recorded session, a recorded link to this session. I know many of you passed along the session from January. That’s exactly what we mean to do.

Here’s some content to train your staff, train your referral partners, train your customers; use these as monthly topics to go over. We do. Because I don’t think you can get enough of these refreshes. But here’s the bullet point list. They’re not exhaustive, but they start to, at least, thematically, start to unpack some of the big things to think about. I think it’s just think before you click. Take a beat, take a second. Slower is faster in this area. Implement internal or external e-mail notices. This is a feature that you can turn on in web e-mail filtering, that if the e-mail is coming from an external source, it would identify that. That would identify to Sarah that this was coming from an external source. She would have said, “Wait a second, it looks like it’s coming internally from his account.” Verify site security, that you’re dealing with an HTTPS account, and that all your software, browsers and software platforms are up to date. Your operating system, your virus, your malware, I mean every detection system that you have. Even your phone. If you have an update that needed to run on the phone, run the update. Log into your wifi, plug the thing in at home and run it tonight.

Because those patches are meant to cover all things that they know were vulnerabilities in the software. Firewalls, pop ups are really challenging, especially if they’re taking you to a login page. Enroll in e-mail monitoring. I think the biggest one, guys, is just stay curious around this issue. Continue to be a student of what’s taking place. I recommend Google Alerts. You can go into Google Alerts, it’s free. You can type in a bunch of keywords that every morning will feed you articles on that topic. Wire fraud should be in there, phishing should be in there, business e-mail compromise. Those three alerts should be set up; I recommend everyone to set those up. Then you’ll see a lot of them relate to real estate right now, the trends that people and some of the think tanks and others are blogging and writing about on a regular basis.

E-mail monitoring, quickly, here’s an example of e-mail monitoring. The effectiveness. This is [Sun 00:33:13] title’s e-mail traffic. We had 267,000 e-mails that went through the organization just last month for the month of January. You notice though that there are trend lines, right? The trends are Tuesdays and Thursdays. Trend Tuesday and I call it Funding Thursday are the highest instances of phishing attacks. You’re setting up the file to close on Tuesday for a Friday close, and what do you do on Thursday, you’re figuring out where the money’s coming from and likely where it’s going to go during disbursing. What’s interesting is that our mail server, our monitoring service such as Mimecast, they’re absolutely fantastic. They’re not paying me to say this. They just are. They flag roughly 10% of all the e-mails that were coming into the organization or internally as fraud. Here’s the graph of what vectors that month included. Roughly 60% of e-mails that otherwise would hit the organization were unknown blacklist.

That’s the benefit of an e-mail monitoring system, is you get the consortium level intelligence that says, “Look, we’ve seen this before. Someone’s already rejected it as fraud.” Then a ping goes out to the rest of the group that says, “Hey, we’re not even going to let that go through.” 60% of that traffic was actually unknown blacklist. Takeaways, then I’m going to get into the action item for the month. Be very, very vigilant on Tuesdays and Thursdays. You’re actually two and a half times more likely on those days to become a victim of a phishing attack. Because not only the velocity, but in the industry, those are pretty busy days for us. Invoices are key, slowing down. Just slowing down. That for every 33 employees, one phishing attack per quarter is what a recent report showed. This last one, as you approach this idea of cyber security and awareness, there’s no single one thing. That’s why that list had a multitude of things. We call it the silver bullet. There’s no one silver bullet that can say, “You know what, if I implement this or I do this, or I train around that, then we’re good.” This is an evolving landscape. It’s a level of investment that you’re going to continue to have to make to keep your company and your customers secure, but know that it’s also a layered approach.

It’s secure environments from a data perspective. It’s secure networks. It’s securing and hardening data. It’s making sure our people are trained. Identifying phishing. We’ll get into CertifID in a second, right, it’s this idea of how do you protect wires at the end state, but it’s a layered approach to things. Action item for the month. We’ll always leave you with an action item. Let’s phish ourselves and our people to see what the state of the union is right now on our awareness of phishing. In the box, in the chat box, right, I’ll get my IT team on right here. In the chat box, we’re posting this link and it’s a secure link, HTTPS, for you to take the Google phishing test. I have done this, and it’s really good. It’s actually hard. They did a nice job not only curating the examples, but then showing you, if you didn’t identify it as a phish, why. What was wrong with this e-mail?

This is where you’ll start. You’ll click on Take The Quiz, and then you put in your name and your e-mail, you get started, and you’ll be asked a series of roughly 10. You’ll be presented with a series of roughly eight to 10 examples, and then you have to click, hey, is it phishing or legitimate? But it says, hey, be sure to check out the URLs and hover over as long, using long presses and explore the e-mail address. Look at the attachment. It’s asking you. Be curious here and let us know if you think this is phishing or it’s legitimate. It’s going to surprise you. I can’t recommend enough that you have to get an understanding of how susceptible you personally are, and how susceptible the organization may be to phishing attacks. Then, like I said, many different examples.

Upcoming webinars. We have a bunch of content that we’re ready to share this year. Next month is going to be on e-mail account takeover, or otherwise known as business e-mail compromise. Now that you can see how they’re gaining credentials, we are going to share some absolutely mind blowing examples of fraudsters that are in the accounts of somebody in a transaction to see the lengths that they will go to manipulate somebody into sending funds to a fraudulent account. I’m talking agent accounts, title company accounts. We have mortgage processors and loan origination account examples. It’s going to be difficult to watch next week, but you have to know it’s taking place. The level of sophistication.

Now, we’re going to get into some of the wire fraud loss stats that will put us into April where we should receive recent FBI, another stats on the industry impact, and then we’re going to roll in later in the spring to how we recover from a wire fraud if one takes place. 30 seconds on CertifID, we have the ability to provide a layer of security that will protect against the actual transfer of funds to a fraudulent account. We do that by confirming identity in real time, and then being able to securely send and receive wiring information and credentials outside of the normal e-mail channel and all that. What I invite you to do when we’re putting this link in the chat, I invite you to just schedule 15 minutes where you and I can have our conversation directly to talk about current practices and see if CertifID is something that could help you, that last mile of defense, so that even if a fraudster was involved in the transaction, was in the communications all along, we’re that last mile of defense that says, “You know what, we’re going to snuff this thing out and they’re not going to get paid. They’re not going to re-divert the wire on this transaction.”

I welcome you to do that, and I look forward to connecting with many of you. I want to reemphasize that for all these, this is a month over month, we’re going to continue to build on these principles and these layers. Invite your staff, invite your referral partners, invite your vendor partners, anyone you’d like. This is a free webinar and it will continue to be that way. Our hearts, really, and our goal is just to educate the community around what are the things that are taking place right now. Because 2019 is already shaping up. You’re going to see this next month. To be different than 2018, and the strategies that they’re using early on this year. We’re only about a month and a half in, to divert wires.

I’m going to take questions, and while I do that, make sure you connect with me on LinkedIn. We’re dropping many useful videos that are 60 to 90 seconds long, that you can repurpose and share with your group, or for training exercises, or whatever happens to be. But I’d love to connect with you there. The questions are rolling in. If you do have a question, could you please put them in the questions or the comment box. We can see both the questions are better, and then I’m going to start to riffle through this, and we’ll wrap up in just about four or five minutes. I want to get you guys out right on time. Why were so many more Canadians victims of frauds than the US? I can’t speak to our neighbors to the north so much, but I would say that there’s likely more awareness and just education around the issue that we’re having in the US. But I don’t have the authority to necessarily say that. That’s my presumption.

I mentioned we were involved in a wire fraud, and then the main ringleaders that were actually operating out of Canada and responsible for about three and a half billion dollars worth of fraud attempts, and a lot of that was in Canada. Just know that while I say it’s not only a real estate issue, it’s also not just a US issue. It’s Canada and the rest of North America was challenged as well. Question came in. One of our employees was spoofed and our clients are receiving fake e-mails from her. We have told them that it was fake. But is there anything else we can do to ease their fears? Well, if you’re spoofed, they have to understand, you’re either hacked or spoofed. If you’re spoofed, it’s a great indication that you haven’t been hacked. I’ve had to do this. The first thing you do is to say, “Look, let’s look at where the e-mail is coming from. It’s not coming from my domain. They registered a domain that was close to our main domain, like the international.paypal.com.”

It’s not paypal.com. I’m being spoofed. If I was hacked and my e-mail was compromised, it would have come directly from that e-mail. That typically puts them at ease. But if you’re ever concerned about this, and I don’t think you could do it quickly enough, get your IT team involved, or if you have a third party that can do just a forensics and make sure that you haven’t been compromised and no one is in the network right now controlling sessions. That’s a really good question, but that’s how I typically tease that out. Spoof means not hacked. Can’t control if somebody’s spoofing you, and a lot of times, you don’t know it’s taking place when it is.
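The check described in the answer above, looking at where the e-mail actually came from and comparing it with the organization’s own domain, can be automated for triage. The following is an added example and not code from the webinar or from CertifID; the trusted domain `example-title.com`, the helper names and the sample From: headers are all constructed for illustration. It splits a From: header into display name and address, then reports whether the sending domain is the organization’s own (in which case a fraudulent message points to a compromised account rather than spoofing), a lookalike (the real name buried inside a longer domain, a domain within a couple of character edits of it, or the real address planted in the display name), or unrelated.

```python
import re

# Domains this organisation genuinely sends mail from (constructed sample value).
TRUSTED_DOMAINS = {"example-title.com"}

# "Display Name <user@domain>" form; display name may be empty or quoted.
ADDR_IN_BRACKETS = re.compile(r"^(?P<name>.*?)<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$")
# Bare "user@domain" form with no display name.
BARE_ADDR = re.compile(r"^\s*(?P<addr>[^<>\s]+@[^<>\s]+)\s*$")


def split_from_header(from_header):
    """Return (display_name, address) for a From: header value.

    Handles 'Name <user@domain>' and bare 'user@domain'; returns (None, None)
    for anything that does not contain a recognisable address.
    """
    m = ADDR_IN_BRACKETS.match(from_header)
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").lower()
    m = BARE_ADDR.match(from_header)
    if m:
        return "", m.group("addr").lower()
    return None, None


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Classify a From: header as 'own-domain', 'lookalike', 'unrelated' or 'unparsable'.

    'own-domain' means the mail claims our real domain: if it is fraudulent,
    the account is compromised, not spoofed. 'lookalike' covers the spoofing
    case the webinar describes: a registered domain close to ours, or our
    address shown only in the display name.
    """
    name, addr = split_from_header(from_header)
    if addr is None:
        return "unparsable"
    domain = addr.rsplit("@", 1)[1]
    if domain in trusted:
        return "own-domain"
    for t in trusted:
        # Our domain embedded in a longer one (e.g. as a leading label) or a few edits away.
        if t in domain or edit_distance(domain, t) <= max_edits:
            return "lookalike"
        # Our address placed in the display name while the real sender is elsewhere.
        if t in name.lower():
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    for header in [
        "Jane Doe <jane@example-title.com>",
        "Jane Doe <jane@example-tit1e.com>",
        "Jane Doe <jane@example-title.com.mail-secure.net>",
        "jane@example-title.com <random@webmail-example.org>",
        "Bob <bob@unrelated-bank.com>",
    ]:
        print(f"{classify_sender(header):10s} {header}")
```

This is a triage aid for the conversation with a worried client, not a substitute for the mail gateway: the authentication results your filtering provider records on inbound mail remain the authoritative signal, and an "own-domain" result is exactly the case where, as the answer says, IT or a third party should check whether the account itself has been compromised.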

Next question, are there potential issues with answering spam phone calls? Not in the sense that they can embed something into your device, and then take it over or malware or anything like that, because that’s a voice call. I’ve heard of situations where they would record your voice and maybe try to use algorithms to then get past some other biometric measure because they translate the tone of your voice. That’s really sophisticated. What they’re trying to do is trick you into … What they do with a phone call is they disarm you. If I’m a fraudster and I’m trying to impersonate Brent here that you can’t see, but is in the room, and I say, “Hey, Brent. This is Tom from ABC Title, we got the upcoming closing and I just wanted to let you know that I’m about to send you the wiring information, and I just want to know if you’re by your computer or your phone where you can confirm that you received this e-mail. Oh by the way, there’s a lot of fraud going on, so you need to make sure that these are the ones. You can’t trust anything else no matter where they come from. Does that make sense?” “Yeah, that makes sense.” “Okay, here they come.”

They’re meant to disarm, or they’re meant to get user credentials. “Hey, I’m calling from PayPal, or I’m calling from your bank, the fraud desk. We have a problem. Can you just confirm some information for me?” Here’s an example, I was at the dinner table and my wife said, “Hey, do we owe the IRS money?” I’m like, “No.” She said, “Well, I got this message on the voicemail that we need to call back and suggest that if we don’t call back, then bad things are going to happen with penalties and criminal fines, and this and that.” I said, “Sure.” I listened to the message and it was one of those where it sounded like the IRS, and there was a bolt, and that was actually put out by the FBI and the IRS on this, about two years ago, where to confirm, we have the right information, I just need your social security number, and then I can look up the data to make sure that this was a legitimate request or an error. That’s really what they’re typically looking for as account credentials.

What was the e-mail filtering company that you used? Mimecast. They’re one of the leading ones. It’s highly configurable, and for us, it has worked fantastic. There are others out there, but I would suggest that them or one of their competitors, something that you can really hone in on. That has a consortium effect that you’re able to benefit from others that pour in and say, “Hey, this is fraudulent, or let’s flag this, or don’t accept it,” then it likely won’t hit the servers of other companies that are subscribers. Just a couple more and then we’ll break. Are there other strategies for training employees on phishing? I think it’s important to use live examples that are coming into the company, that really personalizes it with staff. You can actually hire third parties that will conduct periodic but unannounced other than the IT and typically the owners, phishing exercises so you can get a broader sampling of what they’re falling for, and the information that they’re giving on these phishing scams.

You can proactively phish your people, use it as an example to train around some things. Corporate e-mails, attachments, personal stuff. You’re going to go into various different vectors. Then the last one, will a link to today’s presentation be distributed, and can I share it with the rest of my staff? Absolutely. Once we wrap up here, everyone will receive a link to the presentation today. Feel free to use that however you like, and I hope that you’ll find it useful in further conversations or trainings.

With that, we’re out of time. I thank you for attending this month’s fraud briefing. Be sure to register for the March fraud event. Like I said, invite your friends and colleagues, and referral partners, and until next month, thanks again. Thanks for the time, and take care.

AUTHOR

Tom Cronkright

CEO and Co-Founder @ CertifID