Transcript

Operator:                          

Hello, and welcome to today's webcast titled, "Protecting Your Business from Online Banking Scams: Be Informed and Take Action."

Today's web seminar is being recorded, and you're currently in a listen-only mode.  Before we get started, I'd like to acquaint you with some of the ways you can participate today.  The On24 room you are in allows you to adjust and resize all panels that appear on your screen.  To resize any of these panels, al you have to do is click on the lower-right corner and drag to adjust.  To move a panel, click the top title bar and drag it anywhere within the console.

We will have a question-and-answer session at the end of today's presentation.  The Q&A panel is available to you on the left-hand side of your screen; just type your question into that window and hit Submit, and your question will be logged in the queue.  And we'll take as many questions as we have time for.

Please note, a PDF version of today's slides is available for you in the Related Content panel in the console.  That's on the right-hand side of your screen.  Just click on it and you'll be redirected accordingly.

And finally, if you experience any technical difficulties during today's event, first try refreshing your browser by hitting F5 on your keyboard or clicking the reload button on the top-left corner of your browser.  And if it doesn't work, you can enter a question into the Q&A panel stating your technical issue, and we'll be more than happy to assist you.

Now, without further delay, let's begin today's event, once again titled, "Protecting Your Business from Online Banking Scams:  Be Informed and Take Action."

I'd like to introduce you to Howard Forman, Head of Digital Channels, Corporate and Institutional Banking, PNC Bank.  Howard, the floor is yours.

Howard Forman:

Thank you, Ian.  Hello, everyone.  Welcome, and thank you for joining today's webinar.  As Ian mentioned, my name is Howard Forman, and I lead the Digital Channels team for PNC's Corporate and Institutional Banking business.  In that role, I have responsibility for the product management and product development functions for PINACLE®, our online and mobile banking platform; as well as PNC's file transfer platform and PNC's embedded finance program.

A significant part of my role is to drive the strategies for our user authentication, security features and controls for our channels, and to do that I spend a lot of time with our PNC cyber security and enterprise fraud teams, monitoring the fraud environment and working to keep our customers' online access safe and secure.

Joining me today from PNC is Chris Byers.  Chris is a Senior Product Manager at PNC, primarily focusing on solutions that can help protect organizations from the risk of improper payments, including but not limited to, those brought by imposter fraud scams the likes of which we will explore during this session.  Also joining me is Peggy Franklin.  Peggy is the assistant controller of Ross Industries, Incorporated, which engineers, manufactures, and markets food processing and packaging solutions.

While we at PNC are committed to having our subject matter experts deliver timely and relevant information and insights, we also believe that our clients' experiences can provide you with invaluable first-hand information.  Peggy has graciously agreed to share her knowledge and insights with us today.   Thank you both, Chris and Peggy.

Now, before we dive into what we believe to be both important and valuable information, I would like to take a moment to frame the scope of today's discussion, You are all likely very well aware, in recent years the threat and occurrence of cyber crime, and payments fraud specifically, has soared, and it remains elevated.  It continues to be a major challenge for all of us, banks as well as businesses, regardless of your size, your geography, industry, or your sophistication.

According to the 2022 Association for Financial Professionals Fraud and Control Report, 71% of respondents to that survey reported their organizations were victims of payments fraud attacks in 2021.  In fact, it has been said that within the next few years, cyber crime of all kinds stands to become the world's third largest economy, trailing only the United States and China, respectively.

While cyber crime and payments fraud are incredibly broad topics, in this session we're going to narrow the discussion a bit to cover two primary threat vectors pertaining specifically to online banking scams.  The first is email imposter fraud scams, of which there are two common variations that, as the name implies, use some sort of very deceptive email tactics to con potential victims.  That's business email compromise and email account compromise.  The other is account takeover, under which we will also explore two prominent means by which criminals are able to steal online banking access credentials to gain access to a potential victim's accounts. 

Along the way, we'll share insight regarding red flags to help spot and hopefully avoid falling victim to these scams, as well as tangible actions you can take to help you protect yourself from these dangerous threats.

In closing, we'll round out today's session by reinforcing and sharing additional ideas and solutions that can help your company protect itself from online banking scams.

Okay.  Let's get started with our first topic:  email impostor fraud.  Under this scheme, a criminal uses email to communicate payment requests or request updates to payment instructions to their intended target.  In doing so, the criminal uses a legitimate-appearing, but bogus, email account, or truly legitimate account that they have commandeered.  With that, let me turn the mic over to Chris to walk us through this first topic.  Chris?

Chris Byers:

Thank you, Howard.  Under email impostor fraud, we're going to talk about two primary threat vectors, the first being business email compromise, or BEC for short; and the second being email account compromise, or EAC for short.

Now, at first glance, they're going to look very similar to each other, and in fact, they are related.  But there are some differences that we want to highlight here on this slide.  We'll start with BEC.

This is where a criminal is using identity deception tactics to try and trick their target into taking action.  And those identity deception tactics center around the email address or the email domain itself, so they're creating a bogus, but legitimate-appearing, email account or email domain, creating the impression that they are a legitimate source of that request to take action.  So, to the target, the attacker is pretending to be somebody that they actually are not, and they're using, again, a spoofed domain to do that.

Now, under email account compromise, or EAC, while it's rarer compared to BEC, it's actually a little bit more scary.  Because here, the criminal bad actor has made their way into a legitimate email account.  They're not using a spoofed account; they're using a real one.  And once in there, they're able to search through all of the treasure trove information that's available within that email:  the inbox, the outbox, the contacts.  They're able to do some real research, get in there, and figure out what that individual typically does, or who they interact with.  And to the actual target, to the recipient of an email from that attacker, they really, legitimately are who they believe them to be.  This is an actual, legitimate account that's been commandeered and is one that the bad actor can use to send legitimate-appearing requests to their targets, whatever they may be.

Now, a few stats here to sort of get us going.  These first two come from the Association for Financial Professionals Fraud and Control Survey that Howard referenced before.  In 2021, 68% of organizations that responded to the survey found, reported, that they were the target of BEC, meaning they received at least one BEC email.  Of that subset, 35% of organizations, so more than a third, actually suffered a financial loss due to business email compromise.  All-told, per the FBI Internet Crime Complaint Center report, or IC3 for short, in 2021 there were $2.4 billion in reported fraud losses due to business email compromise and email account compromise.

Looking back the last handful of years, between 2015 and 2021, the total number of reported BEC and EAC fraud losses is in excess of $8.6 billion.  Now, the really scary and sobering fact of that is the word, "reported."  This represents losses that were reported to the FBI.  It has no view whatsoever into losses that were undetected, or were detected but were unreported for one reason or another.  So while we'll never know the actual amount that was lost due to these fraud scams, it's certainly in excess of this.  These numbers represent the floor, and not the ceiling.

So how did this happen?  How did these criminals create these scams to be able to walk away with billions of dollars each year?  Let's take a look at the anatomy of a typical BEC or EAC attack.  Well, you have the Who -- the Who is a criminal bad actor who's pretending to be someone that they're not, trying to trick their target into taking some action, and they're using a spoofed or actual hacked email account to do that.  And the request might be in the nature of, releasing information, divulging payment details, or changing payment instructions.  How are they able to do this?  How are they able to find their target?

Well, they do their research.  They do their homework.  They scour the internet.  They look for people that work together within organizations.  They even send out spam messages, not just for the purpose of aggravating all of us -- which they certainly do -- but they're very valuable to the fraudster because they're able to receive in return out-of-office messages if that setting is applied to the email account they're sending to.  Those out-of-office messages are a gold mine for fraudsters, because now they know who they can target.  Now they know who's not in the office.  They can pretend to be that person and hone in and do their research and see, who does that person know?  Who does that person work with, within that organization, to create what they hope would be a compelling request for that target to take action?

Now, let's look at a couple of examples of what this may look like.  Here's a spoofed domain example.  And to set the stage here, this is an interaction between John Smith -- or someone purporting to be John Smith -- who is the President and CEO of ABC Steelworks.  John is engaging, in this case, Susan Hoyle, who is the controller and CFO of that same organization.

Now, a couple of red flags that we might find here in this example.  One is the interaction model itself.  So, for example, if Susan is not accustomed to receiving emails from John Smith, that in and of itself may be a red flag.  Now, in this fact pattern, John being the CEO of the organization and Susan being the CFO, chances are pretty good they know each other.  So, Susan, I'm sure, is accustomed to receiving messages from John, and maybe even messages similar in tone to the one that she's received here.  So, let's look at a couple other potential red flags.

Perhaps in real life, the actual John Smith refers to Susan not as Susan, but as Sue, or by another name, or has a certain tone to his email that this either does or does not have.  That could be another red flag for the actual Susan to look a little bit more closely into this and determine whether this request is, in fact, legitimate.  Now, the big red flag in this particular use case, is the email itself, the email that John Smith has used to send this request.

If you look at it very carefully, the lower-case W in ABC Steelworks is, in fact, the product of two successive lower-case Vs.  So, this is a common tactic that fraudsters use -- again, visual trickery -- hoping you'll gloss right over that detail and assume that this is a legitimate email from, in fact, John Smith, the President and CEO of the organization.

So what are some other red flags associated with email imposter fraud?  One is that the requester -- again, this is a criminal we're talking about -- is going to insist on secrecy and confidentiality around whatever he or she may be requesting, whether that's payment for an acquisition or some other high-profile, perhaps top-secret type of activity that the firm may be undertaking.

The requester, again, a criminal, is often going to request or suggest generic accounting with respect to the purpose of this particular transaction.  What they're trying to do is, basically water down the transaction, have it blend in with the rest, not have anything that's drawing attention to its potential purpose because again, that could be problematic for the fraudster in trying to perpetuate their scam.

The requester, again, the criminal, may warn of some negative consequence if you don't make this wire payment today, or if we don't make it by 3:00 p.m. we're going to lose a giant deal.  You know, the acquisition that we're trying to complete won't be able to be completed.  So, trying to create that fear factor in the mind of the recipient.  They're going to insist on communication via email only.  The last thing they want you to do is pick up the phone and call the actual requester.  But really, in actuality, that's the first thing you should be doing.  That's the last thing the fraudster wants, because it then can blow the lid off of their entire scheme.

And then last, at least on this slide, they want instant communication when the payment is executed.  The reason for that is, they want to move those funds from the depository account to another account as quickly as possible to sort of make the paper trail of that transaction more opaque and difficult to track down.

Here's a real-life example, and this is one of hundreds, if not thousands, that we could have pulled from.  This one goes back a few years, 2016.  And it involves an unnamed European aeronautics company.  So this company, their criminal basically impersonated, using business email compromise, the CEO of that organization.  And they sent a phishing email to a finance employee within the organization requesting and directing that employee to release a EUR 50 million wire for a "acquisition project."

The wire was sent, and while the company was able to recoup some of the funds, the majority of them were lost, to the tune of EUR 42 million. 

Now, the sad postscript of this is the actual CEO -- because keep in mind, the criminal is pretending to be the CEO -- the actual CEO was fired over this event, as was the actual CFO.  And you may think, that's a really, really rough deal for those individuals, but I think it really speaks to the fact that owning controls around fraud and risk is something that needs to have executive sponsorship and buy-in from the top, and an organization that was willing to allow a EUR 50 million wire to go out the door with very little questions if any at all, being asked around it, that certainly speaks to the need to change personnel at the top and to certainly harden the risk and control environment for that organization.

Again, one of hundreds, if not thousands, of high-profile instances and events of this nature that we've seen in the last handful of years.  So how can you protect yourself?  Howard promised some tips along the way, and here's our first stop to do that.  So you need to establish procedures to verify and validate requests for payment and requests to change payment instructions.  Verification should always be made via direct call to the individual at a known phone number.  Do not use email to confirm the request.  Do not call the phone number that appears in the email requesting payment or the modification of payment instructions, if in fact you believe you may be talking to the fraudster and playing right into their scam.

You can also make use of commercially-reasonable means of trying to prevent fraud and confirm account ownership through account verification services, which are available on the market.  These can allow you to confirm the existence of your beneficiary's account your counterparty's account, and along with that gain insight regarding its status, its standing, maturity, and even its ownership.  This is a very -- another powerful tool in your toolkit to help prevent against fraud, especially that -- in the nature of impostor fraud and improper payments.

Howard Forman:

Hey, Chris.  I'm going to jump in here for a minute, just for a couple reasons.  Number one, I think you know, obviously a ton of great information as I talk about this topic.  This is one of my favorite slides to really emphasize.  Because that verification and validation is so important in making sure that anybody associated with processing payments for your organization understands the importance of verifying and validating all payment requests with a known contact at a previously-known telephone number.  So I just really wanted to emphasize that.

I also think this is a good spot to hear from our other speaker, Peggy Franklin, from Ross Industries, who I introduced earlier.

Peggy, a question, if I may?  From the perspective of a treasury practitioner in your role as an assistant controller, what can you tell us and our audience today about the real life threat of email and posture fraud, and how your organization has gone about confronting and combatting the risks here?

Peggy Franklin:

Well, yes.  Payment fraud is a concern for us, as it is for most, if not all organizations.  And we employ Federal controls to help mitigate the threat, a lot of which are on this slide right here.  Late last year, we received a request to update payment instructions from an email account belonging to one of our vendors.  After we had wired the funds, we learned that the account had been hacked, and that the person making the request was not who they claimed or appeared to be.  And this event highlighted the very real dangers of payment fraud and made us realize that we needed to enhance our fraud protection processes and to educate our staff to better detect suspicious email requests.

Howard Forman:

Yeah.  So certainly, you're not alone in that regard.  We've heard the story repeatedly from customers that have fallen victim.  But can you, as a result of that event, can you talk about some of the enhancements specifically that your company made to process and procedures, or services, anything that you want to share there?

Peggy Franklin:

Oh, yes.  Well, we worked with the bank to implement an account verification service, which we now use to confirm that the account belongs to the business or person that we intend to pay.  And the office heightened our standard processes for accepting and reviewing payment requests or updates to payment instructions, including limiting the means by which we will honor those requests, and calling the requester back to a known phone number, as Chris had said before, just to confirm that the account is legitimate.

Howard Forman: 

Great.  Thank you for sharing that information.  I think that's very helpful, consistent with what we're talking about here.  But again, I think hearing directly from you and as a company that has first-hand experiences, is valuable information for our customers today.

I want to keep the discussion moving, though, so let's turn our attention to the other threat topic we were going to cover today.  And that is account takeover.  And under this scheme, a criminal uses stolen online banking credentials to log in to an online banking service under the guise of the entity whose credentials they have just stolen.  Once logged into the bank's platform, the criminal then typically has the ability to view information or, depending on the entitlements of the ID that have been compromised, take action allowed by those credentials.  And that action may include initiating and/or approving payments transactions.  So, very, very dangerous, problematic fraud scam. 

And with that, let me ask Chris to walk us through just how this scam unfolds, like you did with business email compromise, and how the criminals are stealing credentials from our unsuspecting victims here.

Chris Byers:

Absolutely.  Yeah.  So we have two primary threat vectors here for account takeover, just as we did for email imposter fraud.  Here we have malware and pharming, and then we have sort of a newer variation of it, which is search engine fraud.  But let's start with malware and pharming.

So, with malware, most people are familiar with the term.  It's a shortened -- shortcut, short nickname for malicious software.  So this is where the criminal is infecting a device, a computer, a mobile device, tablet, you name it, with that malware.  We'll talk about how they do that in just a moment.  But they're planting malware on that individual device such that when that person uses that device with the malware implanted, when they go to log into their online banking portal, whatever that may be, the nature of the malware is such that it identified that attempt to make its way to that banking portal, but to divert that traffic away from the legitimate site to a bogus version of that site.  We'll give some examples of that as well.

What happens then is once the unknowing target, once the target is on the spoofed site, and they start to log in using their credentials and everything that they normally would do on the legitimate site, the bad actor is harvesting those credentials, and behind the scenes, just using them to log into the actual site as if they were that individual.  So, individual is typing away.  Unbeknownst to them they are putting their credentials and information into a spoofed site that's being used just to steal those credentials and to log in legitimately.  So that's farm -- that's malware and pharming.  The malware is the malicious software; the pharming is harvesting the information.

Search engine fraud is somewhat similar to malware and pharming, but a little bit more unique.  This is where the criminal is actually planting ads on the web made to look like legitimate ads that would be bought by a legitimate company, so try and draw traffic to that online banking portal.  Rather, instead of going to a legitimate site, it's going again to that spoofed site.  So instead of using malware, and depending upon the malware that's planted on the device of the individual to redirect them, they're using these ads and web links available somewhere on the internet to force that traffic across all the users of the internet.

So, here's a stat around malware.  And this, again, comes from the Internet Crime Complaints Center, the FBI's IC3.  And in 2021, there were 323,972 reported malware and pharming attacks.  Again, everything I said before about the word, "reporting," before, applies here.  This is the floor, not the ceiling.  We actually don't know the real number, but it is at least this much, if not much, much more.

So this is just a quick view of what we like to call the [Cyber Crime Insectarium].  We're not going to go into these in any detail, but malware is a very broad term.  Again, it covers malicious software of all different kinds.  And each of those types of software may work a little bit differently.  This is just a way for you to kind of associate the different types of malware.  And by no means is this an exhaustive list, but some of these terms might be familiar to you.  Take a look at this at your leisure following today's webinar when you download the presentation materials.

Now, how does malware get from the criminal to the target device?  Well, there are three primary ways that they would do that.  One is phishing.  This is sending malware across the internet, via email.  And that may be in the form of a web link contained in the email, or a malicious attachment that's accompanying that email.  And then once the individual opens the email, clicks the link, opens the attachment, the executable file, the malware, it automatically installs itself on that device, unknowingly to the target.  So, that's one means.

The other means, other two means, are smishing and vishing.  These are very similar to phishing, the difference being that the malware is being sent, via smishing, via links over text messaging, SMS messaging.  We'll show some examples of that in a moment.  And then vishing, this is where the criminal is using -- is making unsolicited telephone calls, purportedly from a legitimate company or source, asking for information that they then use to log into, again, the online banking portal or whatever access site they plan to commandeer.

So, in the anatomy of an attack, who, again -- this is a criminal.  This is a criminal that's phishing their target, they're smishing or vishing their target, trying to get access to legitimate credentials that they can steal and use as if that individual was using them themselves.  So the target receives an unsolicited email, a text message, a phone number, and they take the action.  They open the email, they open the attachment, they answer the call, whatever action is taken is taken.  And once the information changes hands, once it leaves the target's hands and goes into the criminal bad actor's hands, again, they are now acting as that individual.  They have all the rights and privileges and entitlement that duly authorized individual has to take whatever action or view whatever information may be available within that site they have commandeered.

Now, a couple of examples.  Here's a phishing example.  This is a legitimate, real-life example.  This is an example of an email that was brought to our attention some years ago from -- purportedly from PNC.  And there are some red flags here we want to hone in on.

One is that this -- these messages tend to elicit an emotional response.  We saw that with the email, the email compromise.  This is telling you that the PINACLE is changing, or that something's changing.  You need to take action.  There's a sense of urgency around this.  You'll also notice that the sender name is somewhat vague.  It's coming from an external source.  You can see the red banner there at the top of the screen is identifying emails coming from an external source.  So, that in and of itself should be a red flag.

There's improper branding.  You can see that there was an attempt to mimic the PNC logo and our brand name at the time that didn't quite make it all the way.  It was not a legitimate logo, the appearance that it's a legitimate email from PNC.

Then we see grammatical errors.  There may be formatting anomalies.  The list goes on and on.  So there's no shortage of red flags associated with phishing attempts.  And again, that is a means to try and steal information, try and harvest information, over the internet via email.

Here's a smishing example.  Phishing is sending the malware through email.  Smishing is doing so via SMS text messaging.  Here's some red flags associated with this one.  One is the improper branding; they haven't adhered to our brand standards of how we position ourselves and our PINACLE platform.  Then they give you an unrecognized SMS short code or link within the SMS message itself.  And the description may be somewhat generic, or odd, relative to the service that is purported to be offered.

We talked about search engine fraud as one of those other primary threat vectors, and here's an example of that.  So a client may be on the web, maybe on a search browser, and they type in PNC PINACLE, and lo and behold, a couple of ads may come up that appear to be from the bank.  If you look very closely, they are, in fact, not from the bank.  And so some red flags associated with the ads here, one is an unrecognized URL.  Again, the improper branding, doesn't adhere to the brand that you're accustomed to see of that company-- in this case for PNC.  It did not.  Grammatical and punctuation errors, and a confusing, illogical, nonsensical site description such as some of the ones you see here.  So, this is moving away from malware per se, delivering malware to the target individual and their device.  Rather, it's planting these links on the web so that when individuals click on those links, they're redirected to the bogus sites or the frauds, just to harvest those credentials and information.

Here's an example of a spoofed website, okay.  We recently, as you -- well, as you likely have seen, we recently have updated the PINACLE login page, but this is our former PINACLE login page.  And if you look at it in a side-by-side, compared to the actual, legitimate, legacy login page, the one prior to the one making the change recently, you really wouldn't see much of a difference between these two.  This is how realistic these bogus sites can be.  The big red flag here, the unrecognized URL, which you see at the bottom of the screen there.  They've created a spoofed URL, made to look like a legitimate PNC URL.  If you're moving quickly, if you're not honing into that, if you're not paying attention, if you're not accustomed to looking at the URL line, you might gloss right over that fact and start entering your credentials like you would on the legitimate PINACLE site, for the criminal bad actor to then steal and log in as you.

So, what are some more red flags?  Well, the malware/criminal -- because again, it's a criminal behind the malware, working in tandem here -- need to put the malware on the device to then harvest the credentials.  But this combination of the malware and criminals may prompt the user for credentials or other security information outside of the normal work flow, such as a token passcode or maybe a security question answer, forcing information or forcing questions that does not adhere to the normal sequence of authenticating into that site, whatever that may be.

They may request that a second user authenticate into the site from that same PC -- again, the malware-infested PC or device.  The reason for that is, many online banking sites, corporate sites such as PINACLE, require two operators to take some sort of action.  So when it's a payment, one to create the payment, the other to release the payment.  So perhaps the fraudsters were able to successfully commandeer the first individual's credentials.  They need a second individual's credentials to then release the transaction or to complete that action, whatever it may be.  So they will ask for a second operator to log in.

It may ask for some other information along the way, trying to keep a line of communication open through that web experience to be able to quickly ask for whatever additional information they may need to take that next step, assuming that step is a gated one, meaning that they need more information.  Maybe they need an answer to a security question or something of that nature -- they're going to ask for that information along the way to try and clear that track as much as they can to give to the information or get to the transaction.

Now, signs of a malware infection or spoofed site, unable to log in due to screens that delay or redirect the typical login experience.  We're all accustomed to certain sequences, and work flows.  And when things are sort of outside of that work flow, we should be suspicious.  Not to say that's always fraud.  As I mentioned a moment ago, we recently reorchestrated our entire PINACLE login page.  But before we did that, we gave ample notice to our clients, telling them they would do that.  So you know, the changes are made to these processes, these sequences, so pay attention if something is different than what you're used to.

The sites or the malware-infected device may prompt the individual to provide their token, passport, or security question repeatedly, presenting a "system unavailable" message.  This is kind of that sort of "hold, please" sort of moment where, again, the bad actor is trying to get as far as they can in that workflow.  If they run into a wall, and they need information they don't know or don't have, they're going to try and message through that experience, through that spoofed site, to ask for that information, whatever it may be.  And they may instruct another operator to log in from the same computer as part of the security process to reactivate or unblock another ID.  Again, in many of these cases, for many of these sites, certain actions may require a part taken by two different individuals, having two sets or multiple sets of credentials, allow the criminal -- allows the malware -- to continue perpetuating the fraud in a manner that they would or they planned to do.

Howard Forman:

Thanks, Chris.  I think this is another good stopping point.  Again, some really, really great and invaluable information.  So, let's let this sit for a minute, and we'll pull Peggy back into the discussion.  And I'd like to ask Peggy for some perspectives here, again, as a treasury practitioner, what are some of the ways that your organization helps protect itself from these really dangerous account takeover fraud scams that Chris just walked us through?

Peggy Franklin:

Well, as Chris mentioned, phishing is one of the primary ways by which fraudsters are able to plant their malware on the target device.  So, knowing that, our company routinely checks employees by sending fake phishing emails.  In other words, emails that look like they're phishing emails, but they're actually sent from within so that we can engage how our employees react when they receive these emails.

And many of the employees, when they receive these, do report them as suspicious, which is what we want them to do.  But some employees click the link or open an attachment that's found in the email, which if it had actually been a phishing attack, would have been really dangerous.

So, seeing how the employees respond has enabled us to focus on additional training needs, to help ensure that all of our employees can identify phishing and see those red flags so that none of us fall victim to a phishing scam.

Howard Forman:

That's great, perfect.  Yeah.  We do the same thing at PNC, and I've talked to many of our other clients.  And they've told me about similar training.  So I think it's important that really every company should be doing either in-house, if you've got the resources to do it in-house, or through the use of a third party that offer these types of services.  Because it really does raise awareness for employees, and then again, lets you focus on where do you still need to do some education to help your employees see what's real and what's phishing.

So maybe to further that a little bit, what are some other ways that your company helps your employees maintain awareness around these ever-changing, ever-evolving payment fraud threats that we're talking about today?

Peggy Franklin:

Actually, one of the most effective has been the communications that we get from PNC.  We get alerts and messages that are really good at informing us of new or emergent threats and it goes out to all of our PINACLE users, and also to our email.  So we really rely on the bank's expertise in this space, and they've reinforced for us what is going on out there in the threat world.  And our employees take notice of those alerts, and we make sure that they see them and we talk about them and heed them.

Peggy Franklin:

Actually, one of the most effective has been the communications that we get from PNC.  We get alerts and messages that are really good at informing us of new or emergent threats and it goes out to all of our PINACLE users, and also to our email.  So we really rely on the bank's expertise in this space, and they've reinforced for us what is going on out there in the threat world.  And our employees take notice of those alerts, and we make sure that they see them and we talk about them and heed them.

Howard Forman:

Well, great.  Thank you.  That's really great to hear.  We're very passionate, as you can tell by today's webinar, and I think the messaging that you see coming from us, we're very passionate about fraud prevention and doing what we can to stop these criminals from succeeding.

I think you also raise an important point that's good for our listeners today that are also PINACLE clients to remember, if you ever get a communication, an email from PINACLE -- purporting to be from PINACLE -- and you have any questions on the legitimacy of that communication, you can always log into the PINACLE platform and go to the message center, and you should see that same message in the message center.  So, anytime we send you an email, we always put those messages in the message center as well.  So that's another way of double-checking that a message you're receiving from something purporting to be from PINACLE is actually from us.

Okay.  Well, I know we're getting close to the end here, but I know Chris, before we wrap up and grab a few questions, you've got a bunch of tips for our attendees on staying safe.  So a lot of great information so far, but I know you've got a little bit more to come.  So let me turn the floor back over to you.

Chris Byers:

Yeah.  Thanks, Howard.  So, you know, it's been sort of a scary conversation, as it should be.  Fraud is a very scary topic and a real topic.  As promised, we shared some tips along the way.  We want to round this out by reiterating some of those tips that we've already shared, and adding some additional ideas for you to think about and take back to your organization and to act upon it if deemed necessary.

One is, first and foremost, PINACLE credentials.  As Howard mentioned before, if you have any concern or doubt that we -- a message that you've received purported to be from PNC, from PINACLE, is legitimate, you can always log in and sort of double-check to see if it's in the message center.  Much in the same way, we're talking about PINACLE credential theft -- don't reply to any text message, email or phone call asking for your PINACLE credentials, PINACLE security codes, or any personal information, even if the text message, email or callers claim to be from PNC or is a PNC employee.  We will never ask you for this information, nor will we ever call you to ask you to download or install software for PNC to gain access to your device for any reason.  A huge, huge don't.  If you see it, if you hear it, let us know about it.  Don't answer it, don't respond to it, don't take the action.  But certainly immediately contact Treasury Management Client Care at the number you see on the screen if you believe your credentials have been compromised or to report any fraudulent activity.

Now, staying safe around email imposter fraud, a few don'ts.  Don't reply to an email or use contact information provided in the email to validate a payment initiation or a payment change request.  We covered that before.  Do not confirm or provide personal information in response to an email or a text message.  And don't send out-of-office messages externally, or if you do, at least limit it to known contacts.  Again, fraudsters thrive on those out-of-office messages, because now they know who's not available and they can pretend to be that person.  They'll do their research to try and figure out, again, who that person knows and who that person would work with.  So, those are our don'ts.

Under our dos, do verify email payment instructions via an independent phone call, a call made to a known number.  Not one that's in the email itself requesting that payment or requesting that change.  Call that individual at a known number.  Establish formal policies and procedures and controls around your AP processes.  Create a change management process and allow for some flexibility, albeit within the bounds of the process or the procedure itself, but do not deviate from that to any degree if you can help it.  Stay the course, create the process, and stick to it as much as possible.

And then, last but not least, aesthetically identify emails received from external sources.  We saw that on one of our examples, that big external banner there.  Now you know right off the bat, this is not coming from within the organization.  If it's some -- if it's an email purporting to be from someone within your organization, you now have that giant red flag that in fact it is not.

So, those are our staying safe tips for email imposter fraud.  What about account takeover fraud?

Under don'ts, don't open attachments or click on links in any emails that are unexpected or from an unrecognized sender.  Again, that's how malware makes its way from the fraudster to the criminal to you.  Don't use a search engine to navigate to the online banking site.  As we saw a few minutes ago, fraudsters are not opposed to putting web links out there in the wild for people to stumble upon, click on, and then go unknowingly to a bogus version of the site that we're trying to get to.  Don't allow unrestricted internet access from company devices.  And don't recycle IDs, passwords, security questions, etc.  I know it's hard to manage however many different passwords we need to have for all of our different logins and all of our different experiences, but try not to recycle them as much as possible.

On do, do install software patches as they're available to ensure that antivirus software is routinely updated.  These patches are released for a reason.  There are backdoor vulnerabilities and gaps that are identified in various software packages, so the patches are intended to shore that up so that the fraudsters can't get into those applications as they would through those vulnerabilities.

Do access online banking sites with bookmarks or shortcuts.  This is kind of going back to the search engine fraud scam.  You shouldn't have to type in PINACLE in a web browser.  You should have it bookmarked within your browser, so you know you're going and hitting the right URL every time.

Install anti-malware software.  One such example is software called IBM Trusteer Rapport.  And it's one that's available for download for free from PNC.com, just search for it on our webpage and you can download it.  This will [harden] your online banking sessions, and should help reduce the effect of, and the ability to, implant malware on a device.

And then, as we just talked about a moment ago, conduct fake email campaigns, as Peggy's organization does, as PNC does, to help our -- help your employees understand what phishing looks like.  And this allows you to see who is clicking on those links, because you can educate in a very targeted fashion those individuals or those groups that are more susceptible to this type of fraud.

One other staying safe tip, you know -- payments, this comes back to the AFP Fraud and Control Survey, this is payment method subject to attempted or actual payments fraud.  We've been talking a lot about digital experiences, and you can see, check fraud and ACH fraud is still very, very prevalent in this environment.  And just something that we want to hone in on, our big do here is to use positive pay services.  There are different types of positive pay services that are variations of positive pay services.  You have it available for check positive pay; you have it available for ACH positive pay, to control what debits are leaving your account.  Tried and true services and ones that I think are pretty -- pretty effective in the fight against fraud.

One other staying safe tip, you know -- payments, this comes back to the AFP Fraud and Control Survey, this is payment method subject to attempted or actual payments fraud.  We've been talking a lot about digital experiences, and you can see, check fraud and ACH fraud is still very, very prevalent in this environment.  And just something that we want to hone in on, our big do here is to use positive pay services.  There are different types of positive pay services that are variations of positive pay services.  You have it available for check positive pay; you have it available for ACH positive pay, to control what debits are leaving your account.  Tried and true services and ones that I think are pretty -- pretty effective in the fight against fraud.

Peggy, not to put you on the spot, but I believe if I'm not mistaken, you all make use of positive pay services; is that right?

Peggy Franklin:

Yes.  That's correct, Chris.  And it's been an incredibly powerful tool for us in check disbursements by identifying payments for further inspection and decision if they don't match on four key points.  We also use it for ACH transactions.  Using check positive pay, Ross Industries has avoided $35,000 in fraudulent payments.  The positive pay has given us great peace of mind in knowing that only legitimate check payments will be honored.

Chris Byers:

That's great.  Thank you, Peggy.

Well, all right.  Cyber liability insurance.  Not going to go into this to a lot of detail, but you want to explore cyber liability insurance.  Here's a breakdown.  You can see that different types of insurance policies have certain coverage for certain types of cyber crime and payments fraud, but if you want to protect yourself holistically or as much as possible, you'll want to explore specific cyber liability policies that cover the whole gamut of issues associated with the likes that we're talking about here today, cyber crime and payments fraud.  To be able to cover that specifically and not rely on traditional policies that may have some gaps or don't offer as much coverage as a truly dedicated cyber policy, certainly go in the favor of exploring that and implementing that within your organization.

We're going to round this out by sharing what we like to call the Five E's of Cyber Hygiene.  Each of these five points begins with the letter E.  And this is really going to summarize and encapsulate everything we've talked about today.

The first E is "Establish."  Establish policies and procedures for payment and debit management policies.  You want to create a repeatable process so that your employees can understand what that is and can follow that each and every time.

The second E is "Enforce."  You want to enforce those standards.  You want to enforce those policies and procedures that you just created under the first -- if you don't, if you create them but don't enforce them, you really haven't done much to help your cyber hygiene, and you've actually wasted time along the way, and maybe some resources and money doing so.  So, it's as important to enforce that which you have established.

"Educate."  Educate, educate, educate.  Your employees need to know what these scams look like, need to understand email imposter fraud scams, and understand account takeover.  You don't have to be experts in it, but have to think and be at least conversant enough to identify something that doesn't seem right, to understand the warning signs of a BEC email, or malware infection.  So, can't emphasize enough the need to educate your workforce.

"Empower."  This is really important.  You need to give your employees the power to question suspicious emails.  So maybe you've educated them so well that they're now spotting things that you wouldn't have caught yourself.  They need to be able to raise their hand and say, something doesn't seem right about this, without any sort of fear of repercussion or you name it.  So, empower your employees to see something, say something, is really critical.

And last but not least, of our five Es, you actually get a bonus E.  You have "Evolve and Enhance."  You need to evolve and enhance your risk control to scale with the ever-changing threat landscape.  Fraud is a moving target, and it continues to evolve.  And the fraudsters are always going to be a step ahead.  That's why it's important to keep pace and understand the emerging threats and trends, and what's different and what's new, so that you can keep pace with that and protect yourself in this fight against fraud.

We have available for you to download from the console today, some valuable resources that will help continue this conversation, including our cyber security resource guide, along with some other information regarding the threat landscape and certain threat factors.  So please, feel free to take a look at those.  Share them within your organization.  If you have any questions about any of them, we're always happy to engage in dialogue with you.

With that, Howard, I think we might have the time for maybe a question or two, if we had any that came in.

Howard Forman:

Yeah, thanks, Chris.  Yeah, we've got a bunch of questions here in the console.  I think we'll only have a few minutes left to go through some of these, and again, we'll follow up directly with any questions that we're not able to get to.  But I'm going to pick a couple of these out that I think are important, one of which we've touched on a little bit, but it's worth repeating.  And the question is, what should we do if we receive a suspicious call or email from an entity purporting to be our vendor or supplier, or even purporting to be from PNC?

Chris Byers: 

That's a great, great question.  As we said before, you want to call the entity at a known telephone number.  You don't want to call them at a number that was in the email that you received.  And you want to confirm their request, its legitimacy, its details and accuracy.  Just again, as we mentioned a couple of times in this hour, but it's worth repeating:  if we're talking about someone pretending to be PNC or from PINACLE, we -- PNC -- will never call you to -- will never call you and send you an email or text message asking for your login credentials, asking for security codes, for token passcodes, for contact information.  Do not reply to this request, even if it appears to be from us.  We will not communicate with you on those terms.  We will never ask for this type of information, so notify Treasury Management Client Care, TMCC, if you receive such a request.

Howard Forman:

That's right.  Yeah, I think it's worth noting that caller ID can even be spoofed now, right.  So that's how these criminals are impersonating financial institutions, and you think your bank is calling you and trying to help you resolve fraud on your account when in fact they're actually trying to commit fraud on your account.  So, hang up, if you have any suspicions, and call us at a known telephone number and yeah, we can confirm for you whether the call was legitimate or not.

Okay.  One more question here, also important.  If the inevitable happens, somebody's asking, how and where should our company report fraud after it does happen?  So we hope it doesn't happen, but if it does, what do they do?

Chris Byers: 

I think we've seen, it does happen, right.  Everyone's a target, no one's immune.  So if it does happen, certainly as we said a moment ago, call Treasury Management Client Care, TMCC, to report it especially if it's involving your company's PINACLE credentials or your company's PNC account.  In addition to that, we really recommend notifying law enforcement.  This may seem like a no-brainer, but you'd be surprised.  There's some hesitation out there to notify law enforcement.  There's some thought that if they -- if law enforcement is involved, then it'll become somewhat public, that law enforcement will be on the -- boots on the ground, within the organization, doing some sort of work.  But even, you know, if -- if the event leads to criminal proceedings, that you, as the reporter, would have to testify in court.  Really, those are largely myths.  Law enforcement is there to help.  Law enforcement is -- it knows so much about these fraud scams, they have experts deployed across the country at FBI field offices that focus on different types of fraud, email account -- email impostor fraud, account takeover fraud, ransomware, you name it.  So, chances are very good that you're reporting something they've seen before, and they can offer some really valuable tips and help you to get back online and get back in business, and help to, again, strengthen your organization's cyber hygiene.

Howard Forman:

Yeah, and related back to your insurance comment earlier, depending on the insurance coverage that you have, the insurance company may actually require that you've made a formal report to law enforcement.  So, that's really another important reason why you should engage law enforcement, in addition to engaging the bank.

All right.  Well, I think we're out of time for questions, but Chris, Peggy, let me thank you both for your time.  We really appreciate the information and insights that you shared with us today.  And to all of our attendees, I hope -- we hope -- that you found this webinar to be enlightening and valuable, and you will take the information we shared with you back to your organization for greater awareness as to some of the online banking scams that exist today, and then take those actions we've talked about to help protect your company from these harmful effects of these payment fraud scams.

PNC's Treasury Management platform offers innovative end-to-end technologies and experienced teams that understand your industry and your business.  We can help you architect a cohesive treasury management system, giving you the means to help optimize your working capital, realize faster and more secure transactions, and drive your business forward.  To learn more about PNC's Treasury Management platform, please contact your Treasury Management Officer or your Relationship Manager, or you can visit us at PNC.com/treasury.

With that, we wish you all a safe online journey and hope the information we shared with you today will help your organization maintain or improve its risk hygiene with respect to the threat of these online banking scams.

Thanks, everyone.