From Awareness to Action: Fraud Prevention Webinar by First Financial Bank
Eric Nabozny: Good morning, everyone, and welcome to the 2023 First Financial Bank Fraud Awareness webcast. This is Eric Nabozny. I'll be your moderator for today's event. We're so excited to have you all here. We've prepared a prerecorded webcast here with some of our leading experts in business fraud, cybersecurity, and risk management, who are also here live as panelists in the webinar to answer your questions. Before we launch the webcast, I want to encourage everyone to use the Q&A feature in the bottom right-hand corner of this WebEx session to send questions to our panelists. Once the prerecorded session has concluded, we'll answer as many of those questions as time allows. For whatever we don't get to, we'll make sure we'll follow up directly with a response. I did have two quick items that I wanted to share. Jack Bowden at Evolve MGA unfortunately could not be here today to answer questions, so for any insurance related questions, we'll make sure to get those to Jack and provide a response promptly. Also, as we stated, we prerecorded this webinar and as luck would have it, there was some major construction going on right outside our studio and you'll occasionally hear some background noise, but wanted to inform everyone as not to create distraction for you. With that, I want to thank everybody again for being here and we hope you find this webcast informative. Thank you. Hello, and welcome to the 2023 First Financial Fraud Awareness webcast. My name is Eric Nabozny, managing director of Treasury Management Solutions here at First Financial Bank. I'll be your moderator for today's event. As we all are so acutely aware, business fraud has been and continues to be one of the most pervasive and persistent issues facing businesses of all sizes. Today we'll be discussing some of the common threats facing businesses and how you can prepare your company when such an event occurs. The risks your business faces are very real.
Our panelists here today will share their thoughts and experience on what they are seeing and share how your business can prepare and also mitigate the potential devastating impacts an attack can have on a business. Today I'll be posing some questions to our four panelists with a focus on three common threats: check fraud, business email compromise, and ransomware. If we have time, I'd like to spend a few minutes to ask our panelists to comment on the impacts of artificial intelligence in this space. Our panelists each bring a unique specialization and perspective to these issues. We hope that you take this information back to your management teams and your staff and share the insights that can truly have an impact on your preparedness. We are privileged to have four leading experts in the field of business fraud and cyber crime. We ask that you take full advantage of their expertise and ask questions. To that end, we will have a Q&A feature open in the presentation, so please ask questions of our panelists as we move through this event. We will use the final 15 minutes to answer as many of those questions as time allows, and if we run out of time with Q&A, we'll make sure we respond to your questions directly via email. Now, without further ado, I'd like to introduce our panelists. First, Andrew Sizemore. Andrew's director of Clark Schaefer Consulting. His team at Clark Schaefer provides services including fraud risk assessments, fraud investigations, internal controls development and testing, cybersecurity, documentation, and governance, and third-party risk management, just to name a few of the things that his team does. Nick Ritter, chief information security officer at First Financial Bank. Nick is a leader in the bank's information security program and member of the Enterprise Risk Management Committee and is a key advisor to the executive team. Terri Williams, senior vice president of Treasury Management.
Terri brings over 20 years in treasury management and commercial banking experience specializing in working with companies on their accounts receivable, accounts payable, and fraud dimension processes. Jack Bowden, cyber production underwriter at Evolve MGA. Jack specializes in working with companies on underwriting their cyber risks and providing education to clients and other agents in the complex landscape of cyber cloud. With those introductions, let's get into it. Our first topic is business email compromise. Business email compromise is an attack that targets employee email with the goal of stealing money or critical information. Using various email phishing and spoofing techniques, a criminal can either pose as an employee or gain access to their network. For context on the scope of business email compromise, business email compromise attacks surged by 81% in 2022, and it continues as a persistent and preeminent threat to businesses. The U.S. experienced $2.7 billion in losses just from business email compromise alone. First, I'll pose a question to Nick. Nick, once a business email compromise attack has been successful in penetrating a secure network, what is the extent of the potential damage to a company?
Nick Ritter: Sure, thanks for the question, Eric. As you mentioned, there's really two buckets of compromises that can occur with business email compromise. The first bucket is what you call the spoofing/phishing; this is the impersonation thing we're pretty familiar with. Decades ago there was the Nigerian or African prince who would send you an email and say, "I've got billions and billions of dollars, I just need to be able to get it. I just need your help. Send me $10,000 and your bank account information and I'll give you a share." That was really an early form of business email compromise. It tended to be personal and not so much business, but that kind of spoofing still exists in that first category. This time though, what they're trying to do is spoof the email of somebody that you would know or you would trust within your organization, your CEO, your CFO, a key customer, those kinds of contacts that you're familiar with, and usually there's some level of urgency in the email to take some immediate action. "Hey, Terri, please send a wire or go buy gift cards. I'm with a customer right now and I need some help." Those types of things are the typical spoofing or impersonation business email compromises that you see. The loss there, the consequence of that is obviously it's financial loss, and it is to the extent of however much money the transaction is for. The one that I would consider even worse than that is what you mentioned, the network or email compromise. This is where the attacker actually gains access to your email account, and typically what happens is they gain access through compromised credentials or malware that gets loaded on a machine or something like that.
Once they have access into email, they usually create a silent order, so they will get a copy of every email that hits your inbox into their inbox, and then they're able to see your business processes, your key decisions, your other information beyond financial, so they can extort you by injecting in between suppliers and invoices in different things like that. They can also extort your customers. They can extort suppliers. I've seen situations where especially during the supply chain crisis that occurred early in the pandemic where a business had their email compromised and raw material was shipped to a different place. Raw material was lost, right? You can see that, and then intellectual property or core business process information, those things also are extraordinarily consequential, and so it goes beyond just the, you've wired a hundred thousand dollars to what you thought was a supplier in paying off an invoice, and it turns out it wasn't. It's not just contained in that because that extortion or that information that you lose could pay off for a long time, right? You could be dealing with it for sometimes years.
Eric Nabozny: What should a business do as soon as they've identified that they've acted on something or that their system's been compromised?
Nick Ritter: Well, I used to have an old football coach who told me that "Failure to plan is planning to fail." I think that's really apropos here. In our businesses, we have all kinds of plans in place. We know what happens if there's a fire in the building, we know if there's inclement weather, what we're going to do. We have plans for that. Fraud and cyber attacks are no different. We have to have a plan in place so that we know what to do when it occurs. That plan is... This is pre-event taking place, you need to know what are the roles and responsibilities of actors within your organization? Who's going to make decisions? Who's going, if there's a ransomware issue for example, are you going to pay it? What circumstances were you going to pay it? Who makes that decision? Those things need to be outlined in your plan. You also need to work with your technology provider to understand what the capabilities are for scoping and containment of an incident once it occurs. For the various different types of incidents, you will have multiple types of playbooks for business email compromise, ransomware, data breach, those kinds of things. You'll want to have a playbook for each of those inclusive of your technology provider and what capabilities are, your insurance, if you have cyber insurance, your PR firm, if it's a data breach that has publicity or some type of public relations aspect to it, law enforcement and your bank. You want to contact your bank if you are immediately involved in, "Oh no, I just sent a wire, and I think that was a fraudulent wire." Terri, I think there are things that the bank can do to help customers both before and after the event occurs.
Terri Williams: Absolutely. Thanks, Nick. Specifically within the finance piece of the business and to your critical point, which is you have to have a plan. That plan should include dual controls. Again, to Nick's point, roles and responsibilities, managing the wire limits, managing your ACH limits, all of those things are critical and understanding who has wire authority, who has the ACH authority. Once that compromise has happened and you've contacted the bank, how are you communicating to the bank then? Obviously, if the email has been compromised, who's contacting the bank? How are we contacting the bank? But back up just a minute on the email compromise effort. If you're feeling like you're getting a wire request from a supplier and it looks legitimate, right? It looks like any other wire request, but they've changed an account number, the phone number is different. You need to go back into your system and think through, "Okay, I've got this request from Eric and it definitely looks like a legitimate email, but Eric is saying, 'But my routing number and my account number has changed.' We need to call Eric, the Eric that we know within our system, and utilize the phone number that we have within the system to make that contact."
Eric Nabozny: Jack, this next question is for you, what would a cybercrime policy cover in an instance of email compromise?
Jack Bowden: Business email compromise can be very tricky as Nick and Terri absolutely nailed there, and it all starts with that incident response plan to be coming into place, figuring out the full scope of the events. We're going to get our forensic investigators involved, the data breach attorneys to see what all information was actually lost in this cyber event. Then breaking it down to "Is it as easy as just changing a password or do we need to dive in and make sure that nobody on the team has actually been affected?" Once that has been assessed, we can then see if there was any reputational harm because maybe the clients actually got affected here as well, and they wired money to the wrong location. Once that's been assessed as well, we can make sure that the funds are going to the right location, and they're really going to want to dive into the social engineering place in the document on our form. Get with your agent, touch base on what coverages are actually involved, and then actually set up a client conference call with the carrier.
Eric Nabozny: You bring up a good point about social engineering there, Jack. I think one of the things we talked a lot about the technology aspect of this. A big component of business email compromise is that social engineering, which is actually that criminal reaching out to an individual and trying to convince them, maybe talk about posing as the CEO. These criminals are researching and targeting businesses and they're learning and can find out that the CEO is going on a trip, and then they'll call the company and say, "Hey, I'm in Aruba," where I said I was going to be, but it's not really the CEO, so that's a really good point to bring up that social engineering aspect.
Terri Williams: You're never expecting it. However, if you have your plan in place and you're following your protocols, always follow the protocols. Don't divert from the protocol. The protocol is you get the email, you verify the person with the contact information that you already have on file. You have to do it every single time.
Eric Nabozny: Because that individual's going to say, "This is really important. It needs to happen now."
Terri Williams: Right now.
Nick Ritter: They're going to play all [inaudible]. I think the other thing is so many companies that I talk to on a regular basis, they're under attack all the time and everybody knows that they're under attack. The little companies are under attack, as well. They just don't know it as much and it's not part of the core competency, right? If I have a smaller mid-size construction company, I'm not worried about my IT organization. I probably don't even have an IT organization. I have a tech guy or a provider who I rely on and probably pay a monthly fee to for things like email services and stuff like that. As a business owner, as somebody responsible for the business, if you have something you don't want to lose, you have to actively protect it. Part of that active protection, in addition to the plan, is working with your technology provider to understand what are they doing to help you? What capabilities do they have? What defenses are they putting in place? How are they protecting you from email compromise, from ransomware, from data breaches? How is that? In addition to your own processes and your own protocols, work with those who are helping you run your business and make sure that you're talking about this, too. Don't just bury your head in the sand or ignore the problem.
Jack Bowden: 70% of all of these cyber events that we're seeing take over the last five years have been going after companies with less than a thousand employees. They really are focusing in on those small to mid-size businesses that aren't going to have these huge IT budgets that they can just throw and they're not the Googles or the Equifaxes of the world. That's important to note, because there's still a ton of great resources that are out there and available for everyone to utilize. The number one cause is just human error.
Eric Nabozny: I did have a quick follow up on that. I'm sure there are folks watching here today. They know they have a business policy, but they're thinking, "I have no idea if I have a cyber [inaudible] policy." What should a client do if they're not aware and what steps, if they need to take further action, what should they do?
Jack Bowden: The best way is just to pick up that phone and your guys' agent is going to walk you through the steps and if anything, they will then contact the carrier and you guys can have a good chat on what is actually covered and making sure that your guys' client has the coverage that they truly need.
Eric Nabozny: Great. Andrew, as a risk management auditor in all of this, what area should a company focus on as they're planning and reviewing preparedness for their company? Where do they start?
Andrew Sizemore: Security awareness training is definitely a place to start, and this applies for both companies large and small. We really want to empower employees to be able to look for suspicious behavior. Common training and education topics are going to include things such as common phishing tactics used, interactive exercises with real life examples, and who to contact if suspicious links are clicked on. While we can never truly eliminate the risk of business email compromise, we can dramatically reduce it through effective training. That being said, just how effective is training? Some studies show that employees who receive security awareness training are actually up to five times more likely to apply skepticism when dealing with suspicious behavior. All in all, this really is an effective manner to arm employees with information upfront to look for suspicious activity. Next, I would say that organizations can push for both policy and also system configurations that require strong passwords, and this can also be coupled with multi-factor authentication enablement, which would allow for an additional layer of security to be applied before actually accessing a sensitive account. As previously mentioned, organizations who maybe don't have a strong IT presence internally can always coordinate with a third party service provider to both implement technical solutions but also work to provide security awareness training.
Eric Nabozny: Thank you. That's great. Terri, from a banking perspective, what tools do you talk to clients about to employ in their business? From a financial operations perspective, what things, I know you talked a little bit about managing signers, managing users limits, other things that you want to expound upon as you help clients get ready for this type of activity?
Terri Williams: Back to the roles and responsibilities, we really need to be identifying who does what in every scenario and have those protocols in place. One of those things would be dual control. You really need to have somebody that is setting up the wire and then somebody that is approving the wire. Prior to that wire even being allowed to be input, so to speak, there should be a protocol in place to make sure that nothing's changed, the routing number hasn't changed, the account number hasn't changed, they were using a repetitive wire or repetitive ACH. If those things are changing, then again, go back to your protocols of calling ahead to say, "Is this accurate information?"
Eric Nabozny: If the bank has a security product, whether it be to gain access into a banking system or use it, don't opt out of it, you got to take full advantage of what's available to you. Well, great. I think we can't emphasize enough how important it is to pay attention to business email compromise. As you've heard here today, we see it a lot and we can't emphasize enough, business, big or small, you really need to pay attention and train your staff and prepare your company. Moving on to ransomware. Ransomware is a malicious software that is used to block computers and network access to a company in order to use this to collect payment from the victim. We saw a spike in ransomware attacks from 2019 to 2022 internationally, and now we're seeing a new baseline here in 2023. With that, these attacks are getting more sophisticated and new threat actors are entering into the space. According to a recent article in Forbes, ransom payments have climbed along with recovery times. Average ransom payments are clocking in at approximately $600,000 per attack and recovery times are taking well over seven days for a company to recover. Nick, can you talk a little bit about how ransomware works?
Nick Ritter: Absolutely. First of all, ransomware is devastating to a company that gets it. It is a seminal event in the lifespan of a company, and for many companies, unfortunately, it's a terminal event. There's really two things that occur in a ransomware event. The first event is the encryption or the locking up of important files, all files or devices themselves. The ransomware, the malware that does the encrypting will land on a desktop usually through a phishing email. Sometimes it's done through a drive by, what we call a web drive by, where somebody visits a website, they download something from the website and it turns out to be malicious. That malicious software will land on a desktop, and what it will do is it will start encrypting files. Fundamentally, what they do is they lock up, they encrypt a whole bunch of files and make those files inaccessible or make the device itself inaccessible. This is... Obviously, it's disruptive operationally, but it's acutely disruptive for devices that are part of the operations. Think of manufacturing lines and SCADA systems, medical devices, anything that is controlled by a computer and that computer is on a network is uniquely susceptible to this and it can shut down the operations and that creates that sense of urgency to pay the ransom. That's step one. Step two then is before the file is encrypted, a copy of that file is made and sent off to the attacker and that file is analyzed, is there anything interesting, compromising? Is there customer information associated with it? Is there information in that data that was stolen that would compromise the company, or their position, or their employees, or their leadership? The second wave then, of a ransomware attack is an extortion not to release the data. Let's say you have a really good backup of all of your systems and you say, "Okay, the device is completely locked up. I'll just buy a new device.
I'll restore from a backup and I'm up and running and it's no problem. I don't need to pay the ransom." Then you get a hit from the attacker that says, "We're going to start releasing your data publicly unless you pay us." There's those two components. There's the encryption aspect of it and the extortion aspect of it, and both of them can be extraordinarily painful to an organization.
Eric Nabozny: Are there any proactive measures a business can take to mitigate the devastating impacts of this?
Nick Ritter: Absolutely. First and foremost, Andrew mentioned earlier about awareness and training. Super important, right? You want people to be skeptical about websites that they visit, emails that they open, that kind of stuff. The second thing is make sure your systems are set to update. You get a notification sometimes it feels like every couple of days, but at least every month on systems to update, make sure you're applying the latest updates to things, including your mobile devices, your tablets, your laptops, update as many things as possible. Then the last piece is work with your technology provider. We mentioned that earlier too, but work with your technology provider, either your internal IT people or a third party service provider like Andrew mentioned. Work with them to make sure that you have a conversation about "What are your defenses, what are your capabilities, what updates are being done, and how do you protect yourself?"
Eric Nabozny: Great, thanks, Nick. Jack, can you talk a little bit about in your business, what are you seeing in terms of the impact of ransomware and what recovery rates are we seeing?
Jack Bowden: They can be sitting dormant in your systems for three to six months, making sure that they're encrypting everything. Sometimes unfortunately, even the backups, so we at least from our data have seen that there's only around a 57% recovery rate, which if you're a gambler, not too great. It's really important to have, again, an incident response plan. You want to know, "What are the immediate procedures that we can do to help mitigate this loss as much as possible and get back up and running?" Because there are a lot of different factors that are involved with ransomware, such as if you are completely locked out of your systems come Monday morning, you are not able to do any of your normal business activities. You are then on the hook to try and pay this ransom. It's typically in some form of cryptocurrency. There's a lot of moving pieces there. The last component that a lot of people don't think about is actually the business income loss and reputational harm. I think of a large manufacturer, who comes to mind, if they get completely shut down, they're not able to fulfill the contract, and they're not able to get there by the need by date, given that the typical turnaround time from start to finish is around 25 to 28 days. When you're sitting there thinking, "Do I have this coverage?" It's going to be imperative to have that conversation with your broker, because not many businesses are able to survive with a whole month of being down. They're actually going out of business within six to eight months after these types of attacks.
Eric Nabozny: With regard to ransomware, what specific things should they be talking to? I mentioned about business email compromise, making sure you've got the appropriate coverage. Is there anything particular ransomware that they should be making sure they're either covered for or they need to change their policy?
Jack Bowden: Having the conversations with your agent is going to be imperative again, because at least on a couple forms that come to mind, it could either be listed as ransomware coverage, it could be... Excuse me. It could be listed as extortion coverage and a plethora of other vernaculars. Going in, diving through that policy and making sure that you have a strong ransom limit, whether it's full policy limits, maybe a million dollars, $2 million, covering the large increase in ransom payments that we're seeing, making sure that there is a strong BI component, or business income component, and making sure there is some reputational harm coverage.
Eric Nabozny: Great. Good information. Andrew, your specialty is risk management, again. Talk a little bit about what companies can do here.
Andrew Sizemore: Payment of a ransom demand doesn't actually ensure that a business will become back up and running immediately after or ever. I think another important thing to point out as previously mentioned is starting with security awareness training, again. You want to arm your employees with knowledge on what to look for to identify potentially suspicious behavior. Further preparation also includes things such as partnering with your IT departments and your third party service providers to ensure that appropriate security measures are taken into consideration. These considerations include things such as ensuring the computers are updated and patched accordingly on a regular schedule and also performance of vulnerability scans and penetration tests. Hand in hand with this, it's also critical to not only perform data backups, but to periodically test those data backups.
Nick Ritter: Andrew, to piggyback on that a little bit, working with your IT department or your IT service provider to ensure that you have protections in place around updates, it's easy to update your phone, it's easy to update your tablet, it's easy to update your laptop, the multi-axis lathe that's on the shop floor that's running a 34-year-old version of NT4, that thing's not getting updated tomorrow. You're not going to patch it. There's no way to do it, but you've got to be able to segment it all so that it doesn't have access to the rest of the network. Your service provider, your IT department needs to identify those things that are critical to your company's operations, including manufacturing floors, OT, operational technology type elements, and put appropriate protections and network segmentations and things like that in place so that you don't run into a situation where your laptop is protected, but the critical element on the operational floor is not, and that's what ends up shutting you down.
Eric Nabozny: Sure.
Andrew Sizemore: Nick, to build off that even further, part of analysis and preparation includes putting together formal plans. We always encourage the organizations put together a disaster recovery plan as well as an incident response plan. The disaster recovery plan is a little bit broader in nature. That's going to cover things such as natural disasters and other events that could take place. The incident response plan is going to be a little bit more targeted. That's going to include specific security related incidents such as a ransomware attack. Ultimately, these are formalized plans that bring into effect procedures to be executed if something like ransomware were to occur and the steps that are needing to be taken afterwards. Having these plans in place isn't enough. Ultimately, organizations still need to periodically test these plans and procedures. Testing is often performed through what we call tabletop exercises. These are periodic risk-based simulations that are run, and ultimately we bring the parties who are responsible for execution of procedures into one room. We walk through a scenario and then we perform a lessons learned exercise afterwards to pull from this experience and better prepare us for the next time that something may occur.
Eric Nabozny: Yeah, great points. I was going to say, a lot of the services that Andrew just mentioned will sometimes be accompanied into a very strong cyber policy in their program. Sometimes large carriers will partner with Andrew and get all those things in place for you, so another very touching point. Terri, these are scary, scary scenarios that we're talking about. When you think about it to the accounting professionals and finance folks that are listening in here, they're thinking, "Well, how do I do my job now? I have access to nothing. I can't see my bank accounts, I can't process accounts payable. I can't process accounts receivable." How do banks help businesses that are going through these types of things?
Terri Williams: It is critical that A, I understand the preparedness, I get all those things, but unfortunately at some point, sometimes they still get through. It doesn't mean that the bank has been compromised. It means that the credentials were compromised and utilized by the hacker once they got into their system. Now, to Eric's point, you're completely shut down. The bank has restricted all of your accounts. We have shut down all of your online access, all of your wire access and all of your ACH access. You are very limited in your financial capacity to actually pay bills, get receivables, those kinds of things. Even though it is a very manual process, you should be concerned and understand your banking partner ahead of time. You should have these conversations with your banking partner to understand what protocols do they have in place to aid your business if this does happen. Once we've shut down all these things, we've made human contact, we are very for sure that we are talking to the person, the CFO, the CEO, whomever it is that is running the operations. Again, those decisions and those protocols need to be in place in advance, and the bank needs to understand who these people are ahead of time. The bank can actually still help you operate. What I mean by that is even though you've gone into a very manual state, the bank can make exceptions, meaning as checks are still coming in, if you can provide us with a listing of those checks, we can pay them for you. As receivables are coming in, we can still allow those credits to post to your accounts. You can still function with accounts payable manually. We just need to understand those checks that are being written so we can authorize those on our end internally. There are ways to work with the bank. Again, it's a very manual process, but as long as you have confidence in your banking partner and you've had those conversations ahead of time, there are ways to operate still.
Eric Nabozny: Great. I know you're talking about both scenarios, whether it be a compromise or a ransomware attack and how the bank helps. I think it's important to know the importance of if you've financially been compromised and you've lost money, to quickly contact the bank. There are things that the bank can do in coordination with law enforcement to try and retrieve some of those funds. We've seen success with that. It's really important to your point, meet with your banker regularly so that the client knows exactly the steps they should take with their bank to try and recover some of those funds.
Terri Williams: Yeah, to your point, if you've experienced the loss, so not only have they gotten in, they've compromised your system, they've compromised your banking access, and now they've actually wired out or electronically sent out funds. Those funds, as long as you're in really close communication with the bank, the bank can then deploy the FBI. There's something called a kill chain. We can go through many, many processes to try to recover those funds.
Eric Nabozny: Good point. I think the other thing... Andrew, this is a question to you a little bit. I'm going to put myself in the seat of I've got a metal fabrication company, I've got 10 employees, and all of a sudden you're telling me that I've got to have an IT service provider, I've got to have a pen test, I've got to have network segmentation, which I don't really totally understand what network segmentation is. How do I make this consumable for me and my nine employees that I'm trying to run my metal fabrication company? I get it, the thousand person companies can have IT departments and contracts, to do penetration testing and updates and all of that stuff. What can I do as a 10 person business to make this consumable? I know that for me, the planning is important. It doesn't have to be formal tabletop exercises that we bring a third party in to do. We can all go out to dinner one day and play a game of what ifs, like "What would we do if this happened? What would we do if this happened? What would we do here?" What are your experiences with the smaller companies and how they can make some of this a little bit more consumable?
Andrew Sizemore: Yeah, I think regardless of the size of the organization, let's keep in mind that this is a maturity model that we want to work towards. I think to make it digestible, what we want to start with are the easy things, the education and training like we've talked about. We want to kind of set in place where do we want to get to and in what timeframe. Engagement of third party service providers, such as my company, really allows the organization to stay focused on their operations while shifting some of these tasks, maybe it's monitoring, training, prevention to the provider itself. I think that this ultimately results in a true partnership, which really allows both parties to focus on what they're good at, focus on operations for a smaller company. We can focus on recommendations and how to get there. We do typically break those recommendations up into digestible pieces as we talked about in the maturity model. It can take a couple of years to get to a true state of maturity. But you can do some things, just basic conversations with your IT provider, the person that's delivering for every new employee, the person that's delivering a desktop or a laptop at your site, talk to that person about what they're doing and how they can help and put a little pressure on them to do a little bit more to help. I think that anything that you do is better than nothing. A key piece of the planning and the ability to deal with these kinds of things is developing relationships, a relationship with your banker, a relationship with your insurance agent, a relationship with your third party, relationships with your suppliers, relationships with your customers. Have those... Just like any other successful element of business is based in a good relationship, have good relationships here and keep those lines of communications open.
Eric Nabozny: Last but certainly not least, check fraud. The proverbial saying of "What's old is new again" rings true with check fraud. Still the most consistent fraud threat for decades running, check fraud is in vogue again. FinCEN, which is the government's Financial Crimes Enforcement Network, reported an 84% increase in check fraud in 2022. Terri, would you mind talking a little bit about how a company can work with their bank to protect against check fraud?
Terri Williams: Sure. The most basic form of check fraud protection is something that's called positive pay. The Cadillac version of positive pay is payee line positive pay, so not only does it verify the check number, the dollar amount, but it also verifies the payee. I would say this though, I understand we get a lot of pushback from businesses on not wanting to have the expense of the positive pay. A few suggestions maybe beyond the positive pay, one is you need to reconcile daily, absolutely. If you're waiting for that bank statement at the end of the 30 days and there is check fraud that happens, that money is long gone. You have a very limited time to report check fraud to the bank as a commercial business. Like I said, if you're waiting to reconcile and it's not daily, then you're going to lose the funds. That said, two big suggestions. One is electronic payment, which is ACH. ACH is going to be cheaper in the long run anyway. There's a cheaper settlement, it's a controlled settlement. Your check number and routing number is not unprotected flying through the mail system and you're not paying for check stock and other things. Moving to an electronic payment is the way to go. Truly the best form of payment is a credit card. You are truly protecting yourself with the payment mechanism. Again, in essence, if we're still cutting checks, positive pay, but my ultimate recommendation is to move into the electronic payment world.
Eric Nabozny: If you still do have to write checks, another big piece would be separation of duties, which the person who writes the check shouldn't be the person who reconciles the account. It's just that simple.
Terri Williams: A hundred percent. Yep.
Eric Nabozny: Jack, any comments from an insurance perspective on check fraud?
Jack Bowden: Yeah, so we have seen a huge rise in those kinds of claims, and the easiest way is to just switch that over to go electronic. We have seen a lot more ACH, and honestly, it's easier to track given that there's an electronic component there. You really could dive into, again, the insurance language and make sure that your form is robust enough to pick up paper documents as well as electronic funds. Both of those could get covered in an instance like this. I want to build off what Terri said. We're always going to encourage organizations to leverage electronic payments when possible. When this isn't possible, and we do have to have physical checks on hand, we're always going to encourage our organizations to basically lock those checks up, put them in a locked drawer or a filing cabinet, and then further restrict access to those locked locations only to those who have the authority to write a check in the first place. Then, in terms of the ability to issue account information, whether it be physical voided checks or blank checks or account information or documents, we really want to limit those to trusted sources. Anytime there's a question around whether or not a source is trusted, I would encourage further investigation prior to disbursement of documentation. Then lastly, a simple but effective measure that organizations can take is screening backgrounds prior to hiring employees internally. These screening procedures can check for things like verification of credentials. They can also check for criminal backgrounds and histories, and they can also potentially weed out those who have fraudulent intent in the first place. We certainly encourage background screening procedures prior to onboarding new employees.
Eric Nabozny: Both you and Terri had mentioned leveraging a shift into an electronic form of payment. To tie a point I made when talking about check frauds, we're seeing some new trends and twists where checks are getting stolen and those criminals are actually going and opening a business account in the name of the payee line of the check. If you think about that, that bypasses a positive pay scenario. That check will clear, it will look to you that it went to the right place and went to the right person.
Jack Bowden: Eric, I'm curious, how are the fraudsters getting physical access to the check?
Eric Nabozny: We're seeing criminals that are actually gaining access to PO boxes and actual postal boxes, stealing keys, and basically they're emptying boxes and they're sifting through that mail. They're looking for checks.
Nick Ritter: They're not just taking the physical checks and opening up fraudulent accounts or washing them or stealing the routing number, account number. They're also taking the other pieces of mail and using that to further their database of identity theft.
Eric Nabozny: I had mentioned at the top of the session webcast today that if we had some time, we wanted to spend a little time to talk about artificial intelligence and the impact that that really new technology, new paradigm that we're adding into is the impact it's having on fraud and cyber crime. I just wanted to ask the panel, and I'll open it up to the group here, some initial impressions on the impact of AI.
Nick Ritter: AI's been around for a long time. I've used AI or machine learning techniques for, well, more than a decade. What's new is the speed in which it's evolving, so that's new. Then the access of AI to literally everyone that has an internet connection, that is new, with ChatGPT and Google's Bard, and any number of other tools that are coming up in the marketplace. I think that there's a couple of things that will happen. I think the future holds, with AI, a lot of opportunity and some risks. It is all about the democratization of that technology and making things that were generally reserved for very technical people or very well-resourced people is now going to be available to the masses. That can be used for good, lots of capability to market your company, lots of capability to run your company in efficient ways, in innovative ways, but also the bad guys get it, too. I go back to a comment I made previously, which is if you have something that you don't want to lose, you are really going to have to take a role in actively protecting it going forward.
Eric Nabozny: I think there's a degree of caution that needs to be taken with all of these great tools that we have at our disposal. When I say caution, we really need to be careful about what we're putting into systems, such as ChatGPT. Just because we put in a scenario or specific information from our account, that does not mean that it is private to us or organization. These responses are actually recycled into future responses that are given to others outside of the organization. So we really need to monitor and set a tone at the top about what type of information is allowable to go into AI. That being said, again, these are great tools. I think they should be used as a starting point on many comprehensive and complex problems. On the positive side, there is potential in the future for organizations to leverage AI to potentially perform some analysis type behavior that could look at data logs and other activity and identify abnormal behavior. Jack?
Jack Bowden: Yeah, as technology gets better, so do the hackers. A couple examples that come to mind: phishing attempts are only going to get that much better and look even cleaner. I'm already starting to see it in some of the claims that are populating now, where it will pretty much be a one-to-one mirror of you logging into your Office 365 or Microsoft account, and it will come through saying, "Hey, we are upgrading our securities. We're going to encrypt all of our emails moving forward." You're like, "Great, we're doing a good thing here." You click on that link, it takes you to the homepage to log in. It's actually just getting a key recording of what you're typing in word for word. That's one way. Another way that I'm seeing currently is I pick up the phone and as a salesperson I'm like, "Hey, this is Jack from Evolve," unbeknownst to me, I've now actually heard that is a recording on the other end. They will then use that as a vishing technique, which is voice phishing. They will then try and play that to my bank or whatever to get a little bit of trust going, and then they can only expand upon that. Nick, you made a good point. Earlier you talked about we really need to make a conscious effort to make deeper connections and relationships with our business partners, and I couldn't agree more with you that on many fronts that's really important, but specific to fraud, if you can duplicate somebody's voice, make it look exactly like that individual, you've got to have a way to have a deeper connection to really verify who that person is.
Eric Nabozny: Well, great. This has been a great discussion everyone. Thank you for your insights here. We all hope you found this discussion informative and helpful as you think through how your business can meet these threats head on. We're now going to move on to our Q&A portion. The Q&A chat box is located in the lower right-hand corner of this webinar. You can go ahead and key in any questions, feel free to type in any questions you have, and we'll go ahead and ask our panelists to help me through the answers.
Eric Nabozny: Okay, hope you all enjoyed that video. I'm going to go ahead and post some questions to our panelists here. Again, as you'll see in the bottom right-hand corner, the Q&A box, if you want to type something in there, you can direct those questions directly to our panelists. I'm going to go ahead and start with Nick. Nick, are you out there?
Nick Ritter: I am.
Eric Nabozny: Hey. Hey. All right, first question. "My company uses a cloud-based ERP hosted solution. Should I be worried about ransomware? What should I be talking to my provider about to protect my business?"
Nick Ritter: Yeah, so ransomware can hit you in any area of your business that is impactful to operations or data. Even if you have a majority of your data, your financial systems, your HR systems in a cloud, you still have some level of local data, local operations and local capability that isn't in the cloud. Again, your laptop, the way that you interface with your ERP system in the cloud, any effect that ransomware would have to lock up your computer and then you can't access your cloud-based ERP system. Those are the kinds of things that you have to worry about. Certainly, you change your risk profile by moving to cloud-based systems and some of that change is beneficial and you introduce some other risks as well associated with it. But I think that the thing that you've got to worry about most is protecting those assets that are in your control and within your purview and making sure that you have that full business recovery plan that goes beyond just a cyber attack or something like that, but what happens in case of a fire, a tornado, those kinds of things.
Eric Nabozny: Great, thanks, Nick. Andrew Sizemore?
Andrew Sizemore: Hello.
Eric Nabozny: Hello. I'm going to ask this question probably in the context of what you see and examples out there in the marketplace, but the question is, "What do you think is the greater concern for a business, business email compromise, or ransomware, or both?"
Andrew Sizemore: Yeah, sure. I think ultimately my answer is going to be both. I think on the business email compromise side, we just see a much higher volume. The dollar amounts or loss are essentially lower typically per event, but we just see a much higher volume and it's a little bit easier to implement and execute, in terms of a foreign bad actor into your environment. The ransomware piece though is equally as dangerous and important. It's a much higher transactional cost per event. Ultimately, what I'm trying to say is that both are dangerous. I would ultimately put the business email compromise, though, as a primary focus out of the two.
Eric Nabozny: Agreed. All right. Next question. I'm going to merge a couple of questions together here. Terri Williams, are you out there?
Terri Williams: Morning.
Eric Nabozny: Hello. Great. Got a couple of questions. I'm going to blend them here together, Terri. Really about do we have any best practices in framework for a business to review with their bank? Well, I guess overall, what would you recommend a business do with their bank to review security procedures, things of that nature?
Terri Williams: We sure do, Eric. We have a host of folks within the bank that have put together some great best practices, and we're happy to share those with the attendees here today. But I would say the best practice is to really be sitting down with your banker. I know we've spent a lot of time in talking about what happens after and how do we manage through that, but at the end of the day, the best practice is to be prepared. Your banker can be a great resource for you from an advisor standpoint. Obviously, the folks on this phone, the panelists, the experts that we've brought to you today, but I would say the best preparedness is to sit down with your banker. They can also make connections for you, especially with an Andrew Sizemore, for instance, to help with those conversations.
Eric Nabozny: Absolutely. Great. Thank you Terri. Nick, I'm coming back to you. This next question, probably provide your perspective. The question is around the prevalence of ransomware in mid-size businesses, probably even small size, for that matter. I know we hear about it a lot on the corporate end of this spectrum, but what do you see out there? Is it non-discriminatory as it relates to size of business?
Nick Ritter: Yeah, so statistically speaking, the small and mid-size businesses tend to get hit more frequently than larger mid-size businesses and large businesses. The FBI statistics track everything that's known and has been reported to law enforcement, and the known body of information is that a vast majority of the small businesses end up getting hit and one of two things happen. They go out of business or they pay the ransom, and rarely is that event recorded. We know that the majority of hits are actually in smaller and mid-size businesses, but the data that exists tends to concentrate on the bigger businesses, because those are the ones that get reported, and go through full investigations, and involve law enforcement and stuff like that. The prevalence among small and mid-sized businesses is really quite high, unfortunately. It goes back to a little bit of resources. They're softer targets. It's easier to hit a five person law firm than it is to hit a 10,000 person corporation that has a dedicated CISO, and a security budget and all of that stuff.
Eric Nabozny: Yeah. Thank you, Nick. Thank you for that. I'm going to try and squeeze in one last question here. Terri, I'm coming back to you. The comment here: "Some banks require customers to send a secure message to their bank when setting up an ACH or a wire to verify those instructions. Some banks allow the customers to do that online themselves. Any opinion in terms of a best practice there or what the bank provides to help verify setting up payment transactions and things of that nature?"
Terri Williams: I would suggest that they're absolutely correct, to start with. The banks have different practices as far as the security of the file that's being sent and the messaging that's being sent. A, if the file's being sent securely, which it has to be, then the follow-up email, it's not going to contain account numbers or routing numbers. It's literally going to contain a dollar amount. But my suggestion is yes, anytime there is a secure option to, I would follow that protocol, Eric.
Eric Nabozny: Great, thank you. Yeah, I'll add on the... For banks that are allowing you to set up those ACH and wire payments online, make sure you are using what we refer to in the industry as dual control, meaning have one individual set up the payment and another individual create it, so to speak, and send it out. That way you're protecting yourself from potential crime there. Again, thank you. We've reached the top of the hour here, and we're going to go ahead and conclude the Q&A session. I did want to note you will be receiving a thank you email from the bank. There was a question with regards to getting information on any of the panelists here today. We will be providing the contact information for the panelists that were in this call today. With that, you'll also be getting our 2023 best practices checklist. With that, I sincerely want to thank all of our panelists for being part of this event and for all of you being here today. I really, really appreciate it. With that, have a great rest of your day. Thank you.
October is cybersecurity month and our parent company, First Financial Bank, is hosting an educational webinar to help you protect your business and finances against potential cyber threats.
• Planning and reviewing your company’s preparedness for #business email compromise.
• Best practices to mitigate the impacts of malicious software like #ransomware
• Protecting your business from check fraud.
• Artificial intelligence (AI) and its impact on fraud and cyberattacks