
Bank of America Merrill Lynch podcast
Evolve or become susceptible: How to keep pace with emerging and future fraud and cybersecurity scams
Mary Rosendahl, Global eChannel Solutions Executive, Bank of America Merrill Lynch
Jim Scopis, Global Information Security Executive, Bank of America
© 2017 Bank of America Corporation. All Rights Reserved.
Cyber Threat Trends
Malware
$1 Billion – Paid by ransomware victims in 2016
Attackers will increasingly develop new and enhanced malware variants in 2017.
Mobile/Internet of Things (IoT)
96% – Increase in smartphones infected by malware
The growth of mobile and IoT device usage most likely will lead threat actors to increasingly target these devices.
Social Engineering
67% – Of individuals report having received a spear phishing email
Threat actors will continue to leverage social engineering techniques to compromise individuals and organizations.
Distributed Denial of Service (DDoS)
138% – Increase in 100+ Gbps DDoS attacks since 2015
The increased availability of DDoS-for-hire services and the public release of the Mirai code have lowered the technological barriers for threat actors to conduct attacks against vulnerable organizations.
GIS Cyber Threat Intelligence March, 2017
Hacktivist threat
• Vast majority of hacktivists will continue to primarily use basic tactics such as DDoS attacks, defacements, and data leaks
• Hacktivists will increasingly become capable of launching more powerful DDoS attacks via IoT-based botnets or DDoS-for-hire services
• Nation-state actors will increasingly use hacktivist groups as fronts for state-sponsored activity over the next year
• Hacktivist groups will continue to regularly target financial institutions in 2017
• Hacktivism will continue to be driven by current events, with events related to financial sector regulation having the highest likelihood of resulting in anti-banking hacktivism
Bank of America GIS Cyber Threat Intelligence March, 2017
Nation State Threats Continue To Increase In 2017
Recent media reports indicate:
• Nation states conduct disruptive and destructive attacks
• Growing number of nation states will incorporate cyber operations into their security strategies
• Aggressive cyber espionage efforts will occur against a wide range of entities, including corporations, think tanks, and governmental organizations
• Higher level of technology and ability to infiltrate networks to increase cyber economic influence and change economic outlook
• Increased use of cyber attacks to impact the nuclear energy sector, to take down power grids, and to disrupt services through DDoS (Distributed Denial of Service)
Bank of America GIS Cyber Threat Intelligence March, 2017
Criminal threat
The volume and sophistication of criminal campaigns, most notably business email compromise schemes and ransomware, will continue to increase in 2017.
Cyber criminals will increasingly target online shoppers. These criminals are leveraging the insecurity of ‘card-not-present’ (CNP) transactions and combatting the use of EMV chip-enabled cards, which provide extra security to ‘card present’ transactions.
The move towards EMV in the US will lead to an eventual decrease in skimming, which most likely will be supplanted by other types of ATM crime.
Cyber criminals will increasingly develop novel and enhanced capabilities in an attempt to bypass improvements in detection and mitigation and continue conducting effective campaigns.
Bank of America GIS Cyber Threat Intelligence March, 2017
Business Email Compromise (BEC)
• Continues to be the most prevalent fraud scheme targeting businesses for a second year
• Sophisticated phishing scam targeting businesses that
– Usually work with foreign suppliers
– Regularly perform wire transfer payments
• According to the FBI, there have been over 22,000 victims of Business Email Compromise with a business impact of $3.1 Billion
• Increased broadening of victims outside the U.S. sending funds
• Funds have been traced to 108 countries
• The victim is usually induced into making a wire to a foreign bank
• Industry is seeing shifts into ACH payments
• 3 predominant types of Business Email Compromise
– CEO Scam – email coming from an Executive Officer
– Invoice from a Supplier whose email address is being spoofed
– Business acquisition email coming from an attorney
https://www.ic3.gov/media/2016/160614.aspx (June, 2016)
Best Practices for Business Email Compromise
Do not "reply" to the email
• You may inadvertently be communicating with the fraudster instead of the intended party
• Report the email to IT or information security
• If you have to communicate via email, have another associate create a new email from another PC to validate the instruction
Validate Using Other Communication Channels
• Pick up the phone and call the individual – using the company directory or vendor information
• Ask the sender to send the new payment instructions on company letterhead and validate the letterhead
Be Alert to Sudden Changes in Business Practices
• Pick up the phone and call the individual – using the company directory or vendor information to verify the request
Develop Procedures for Non-standard Requests
• Confirmation procedures for non-traditional requests
• Approval process for implementing a new account number
Never reply to an email message requesting a change to a beneficiary
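As an added example that is not part of the original deck, the following Python script turns the three BEC variants above (CEO scam, spoofed supplier invoice, attorney/acquisition request) and the "never reply, verify out of band" rule into mechanical checks on an inbound message. The organization domain, executive names, supplier domains and the three sample messages are all constructed; the red-flag list is one reasonable set, not an exhaustive one.

```python
"""Added example: flag common Business Email Compromise red flags in an
inbound email.  Constructed sample data, not Bank of America code.
Assumed inputs: our own domain, executive display names, known supplier
domains."""
import re
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.test"                              # constructed
EXECUTIVES = {"jane doe", "john roe"}                         # constructed CEO/CFO
KNOWN_SUPPLIER_DOMAINS = {"acme-supply.test", "globex.test"}  # constructed

# Language typical of the three BEC variants: urgent/confidential executive
# requests, supplier "new bank account" notices, beneficiary changes.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(?:(?:new|updated|changed?) (?:bank(?:ing)? )?(?:account|wire|payment|beneficiary)"
    r"|beneficiary|wire transfer|urgent|confidential)\b",
    re.IGNORECASE,
)

def domain_of(addr_header: str) -> str:
    """Lower-cased domain part of a From:/Reply-To: header value ('' if none)."""
    _, addr = parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def display_name_of(addr_header: str) -> str:
    name, _ = parseaddr(addr_header)
    return name.strip().lower()

def edit_distance_leq1(a: str, b: str) -> bool:
    """True when a and b differ by at most one insert, delete or substitution
    (catches lookalike domains such as a capital I in place of an l)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    # any trailing unmatched character is one more edit
    return edits + (len(a) - i) + (len(b) - j) <= 1

def bec_flags(headers: dict, body: str) -> list:
    """Return the red flags found; an empty list means nothing was flagged."""
    flags = []
    from_domain = domain_of(headers.get("From", ""))
    reply_domain = domain_of(headers.get("Reply-To", ""))
    name = display_name_of(headers.get("From", ""))

    # CEO scam: an executive's name on a message from outside our domain.
    if name in EXECUTIVES and from_domain != OUR_DOMAIN:
        flags.append("executive display name from external domain")
    # Replies silently redirected to another domain.
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    # Supplier invoice from a lookalike of a known vendor domain.
    for known in KNOWN_SUPPLIER_DOMAINS:
        if from_domain != known and edit_distance_leq1(from_domain, known):
            flags.append(f"lookalike of supplier domain {known}")
    if PAYMENT_CHANGE_RE.search(body):
        flags.append("payment/beneficiary change language")
    return flags

def requires_out_of_band_verification(headers: dict, body: str) -> bool:
    """Slide policy: any payment or beneficiary change is confirmed by phone
    using the company directory or vendor file, never by replying."""
    return "payment/beneficiary change language" in bec_flags(headers, body)

# Constructed sample messages.
CEO_SCAM = ({"From": "Jane Doe <jane.doe@gmail-mail.test>",
             "Reply-To": "jane.doe@gmail-mail.test"},
            "I need an urgent wire transfer handled today, keep it confidential.")
SUPPLIER_SCAM = ({"From": "Accounts <ar@acme-suppIy.test>"},   # capital I for l
                 "Please note our new bank account details for invoice 4471.")
CLEAN = ({"From": "Pat Lee <pat.lee@example-corp.test>"},
         "Agenda for Thursday's team meeting attached.")

if __name__ == "__main__":
    for label, msg in (("CEO", CEO_SCAM), ("SUPPLIER", SUPPLIER_SCAM), ("CLEAN", CLEAN)):
        print(label, bec_flags(*msg), "verify by phone:",
              requires_out_of_band_verification(*msg))
```

The checks are deliberately independent of each other: a message with no header anomaly at all still triggers the phone-verification rule when it asks for new payment details, which is the point of the slide's last line.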
Business Process Compromise
Changes to your business system or processes
What is a Business Process Compromise?
• Targets the discrete processes, or machines facilitating these processes, to quietly manipulate them for the attacker’s benefit.
How is it Perpetrated?
• Attackers infiltrate the target organization
• Move laterally from the point of compromise
• Gain a clear view of the structure of the organization from reconnaissance and monitoring communications
• Become familiar with enterprise processes and vulnerabilities
• Pinpoint specific processes that can be changed or manipulated
• Covertly alter the targeted business process
– Approval process
– Payables / vendor account update
– Payroll input or employee account change
• Benefit financially from that change, and leave the victim unaware of the situation
[Diagram: the company network, with customers on one side and suppliers on the other, linking front-office and back-office systems: corporate reporting, financial applications, sales & distribution, manufacturing applications, service applications, inventory management, and human resources management]
What practices will help to protect your organization?
• Establish a comprehensive view of your network
• Perform risk assessments and include third party vendors in their evaluation
• Maintain awareness within the organization and educate employees on identifying normal and abnormal behavior
• Adopt security technologies which can detect malicious lateral movement
• Employ the latest cybersecurity measures
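The slide's recommendation to detect malicious lateral movement can be made concrete with a small detection routine. The following Python is an added example, not Bank of America code: it runs two checks over constructed logon events, one for a single source host fanning out to many destinations in a short window (the "move laterally from the point of compromise" step above) and one for an account appearing from a host outside its known baseline. The event format, the baseline, the window and the threshold are assumptions for illustration.

```python
"""Added example: spot lateral-movement-like authentication patterns in
logon events.  Constructed sample data, not Bank of America code; event
format, baseline and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (time, account, source host, destination host)
EVENTS = [
    ("2017-03-01 09:00:00", "alice",      "WS-ALICE", "FILESRV01"),
    ("2017-03-01 09:05:00", "alice",      "WS-ALICE", "MAIL01"),
    ("2017-03-01 22:10:00", "svc-backup", "WS-ALICE", "FILESRV01"),
    ("2017-03-01 22:11:00", "svc-backup", "WS-ALICE", "HR-APP01"),
    ("2017-03-01 22:12:00", "svc-backup", "WS-ALICE", "PAYROLL01"),
    ("2017-03-01 22:13:00", "svc-backup", "WS-ALICE", "AP-VENDOR01"),
    ("2017-03-01 22:14:00", "svc-backup", "WS-ALICE", "DC01"),
    ("2017-03-02 09:00:00", "bob",        "WS-BOB",   "FILESRV01"),
]
# Constructed baseline: hosts each account normally logs on from.
BASELINE = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}, "svc-backup": {"BACKUP01"}}

def parse(ev):
    t, user, src, dst = ev
    return datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), user, src, dst

def fanout_alerts(events, window=timedelta(minutes=10), max_targets=3):
    """Return (account, source, n_targets) for each account/source pair that
    reaches more than max_targets distinct destinations inside any window."""
    by_pair = defaultdict(list)
    for t, user, src, dst in map(parse, events):
        by_pair[(user, src)].append((t, dst))
    alerts = []
    for (user, src), rows in by_pair.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            # sliding window starting at each event
            targets = {d for t, d in rows[i:] if t - t0 <= window}
            if len(targets) > max_targets:
                alerts.append((user, src, len(targets)))
                break
    return alerts

def new_source_alerts(events, baseline):
    """Accounts seen logging on from a host that is not in their baseline."""
    seen = set()
    for _, user, src, _ in map(parse, events):
        if src not in baseline.get(user, set()):
            seen.add((user, src))
    return sorted(seen)

if __name__ == "__main__":
    print("fan-out:", fanout_alerts(EVENTS))
    print("new source host:", new_source_alerts(EVENTS, BASELINE))
```

In the constructed data the backup service account, which should only ever appear from BACKUP01, logs on from a workstation and touches five servers in four minutes, including the payroll and vendor-payables hosts named on the slide; both checks raise it, while the ordinary user activity produces nothing.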
Ransomware
Evolving to multiple platforms
Ransomware is a type of malware that restricts access to the infected computer system.
• Demands ransom to remove the restrictions
• Some forms systematically encrypt files on the system's hard drive
• Difficult or impossible to decrypt without paying the ransom for the decryption key; some may simply lock the system and display messages to coax the user into paying
• Most ransomware enters the system through attachments to an email message
Evolving to mobile environment
• Mobile devices also being targeted for ransom demands
• Mobile ransomware projected to increase by 50% on some platforms [1]
• Will continue to see increases as more business information is accessed and stored in the mobile arena
Areas of focus [2]
• Protection parity – Up-to-date anti-virus software on all access devices
• Email gateway security products
• Employee education
1. https://www.infosecurity-magazine.com/news/mobile-ransomware-jumps-50-in-a/
2. Bank of America Research
Treasury Best Practices
• Use strongest authentication tools available
• Dual administration
• Set user limits
• Review all details before release
• Reconcile account activities daily
• Vigorous review of beneficiary change instructions
• Keep audit logs for more than a year
• Set notifications & review promptly
For the highest level of security, conduct all online banking activities from a standalone, hardened and completely locked-down computer.
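Several of the treasury practices above (dual administration, user limits, review of beneficiary changes, audit logs) are controls a payment-release system can enforce rather than leave to habit. The following Python is an added illustration, not Bank of America code or any banking platform's API: it models a release check that rejects a payment approved by its own initiator, applies per-user limits, holds payments to a beneficiary whose instructions changed recently, and logs every decision. User names, limits and the seven-day review window are constructed assumptions.

```python
"""Added example: payment-release check enforcing dual administration,
user limits, review of recent beneficiary changes and an audit log.
Constructed illustration, not Bank of America code; limits and the
review window are assumptions."""
from dataclasses import dataclass, field
from datetime import date

USER_LIMITS = {"initiator1": 50_000, "approver1": 250_000}  # constructed, per user
BENEFICIARY_CHANGE_REVIEW_DAYS = 7                             # assumption

@dataclass
class Payment:
    amount: int
    beneficiary: str
    initiated_by: str
    approved_by: str
    value_date: date

@dataclass
class TreasuryControls:
    beneficiary_changed_on: dict = field(default_factory=dict)  # name -> date
    audit_log: list = field(default_factory=list)

    def record_beneficiary_change(self, name: str, on: date, by: str) -> None:
        """Beneficiary instruction changes are themselves audited events."""
        self.beneficiary_changed_on[name] = on
        self.audit_log.append(("beneficiary_change", name, on.isoformat(), by))

    def release_check(self, p: Payment):
        """Return (approved, reasons).  Every decision is appended to the log."""
        reasons = []
        # Dual administration: the person who keyed the payment cannot release it.
        if p.initiated_by == p.approved_by:
            reasons.append("dual administration: initiator cannot approve")
        # User limits apply to both roles; unknown users have a limit of zero.
        for who in (p.initiated_by, p.approved_by):
            if p.amount > USER_LIMITS.get(who, 0):
                reasons.append(f"user limit exceeded for {who}")
        # Recent beneficiary change: hold until verified out of band.
        changed = self.beneficiary_changed_on.get(p.beneficiary)
        if changed and (p.value_date - changed).days < BENEFICIARY_CHANGE_REVIEW_DAYS:
            reasons.append("beneficiary changed recently: hold for verification")
        ok = not reasons
        self.audit_log.append(("release", p.beneficiary, p.amount, p.initiated_by,
                               p.approved_by, ok, tuple(reasons)))
        return ok, reasons

def run_scenario():
    """Constructed walk-through; returns the reasons list for each payment."""
    c = TreasuryControls()
    c.record_beneficiary_change("Acme Supply", date(2017, 3, 1), "initiator1")
    payments = [
        Payment(20_000, "Acme Supply", "initiator1", "approver1", date(2017, 3, 3)),
        Payment(20_000, "Acme Supply", "initiator1", "approver1", date(2017, 3, 20)),
        Payment(20_000, "Other Co", "initiator1", "initiator1", date(2017, 3, 20)),
        Payment(80_000, "Other Co", "initiator1", "approver1", date(2017, 3, 20)),
    ]
    results = [c.release_check(p)[1] for p in payments]
    return results, len(c.audit_log)

if __name__ == "__main__":
    for reasons in run_scenario()[0]:
        print("released" if not reasons else "; ".join(reasons))
```

The hold on a recently changed beneficiary is the system-side counterpart of the BEC rule earlier in the deck: a fraudulent "new account number" only pays out if it survives both the review window and a second person's approval, and the audit log records who changed what and who released it.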
Notice to Recipient
"Bank of America Merrill Lynch" is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives,
and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member
FDIC. Securities, capital markets, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of
Bank of America Corporation ("Investment Banking Affiliates"), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill
Lynch Professional Clearing Corp., both of which are registered broker-dealers and Members of SIPC, and, in other jurisdictions, locally registered entities. Merrill
Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are
members of the NFA.
This document is intended for information purposes only and does not constitute a binding commitment to enter into any type of transaction or business
relationship as a consequence of any information contained herein.
These materials have been prepared by one or more subsidiaries of Bank of America Corporation solely for the client or potential client to whom such materials
are directly addressed and delivered (the "Company") in connection with an actual or potential business relationship and may not be used or relied upon for any
purpose other than as specifically contemplated by a written agreement with us. We assume no obligation to update or otherwise revise these materials, which
speak as of the date of this presentation (or another date, if so noted) and are subject to change without notice. Under no circumstances may a copy of this
presentation be shown, copied, transmitted or otherwise given to any person other than your authorized representatives. Products and services that may be
referenced in the accompanying materials may be provided through one or more affiliates of Bank of America, N.A.
We do not provide legal, compliance, tax or accounting advice.
For more information, including terms and conditions that apply to the service(s), please contact your Bank of America Merrill Lynch representative.
This document is intended for information purposes only and does not constitute investment advice or a recommendation or an offer or solicitation, and is not the basis for any contract to purchase or sell any security or other instrument, or for Investment Banking Affiliates or banking affiliates to enter into or arrange any type of transaction as a consequence of any information contained herein.
Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor. No information contained herein alters any existing contractual obligations between Bank of America and its clients.
Disclaimer for Brazil
Disclaimer for Latin America
Copyright 2017 Bank of America Corporation. Bank of America N.A., Member FDIC, Equal Housing Lender. ARWML336