Select Language

Search

Insights

No match found

Services

No match found

Industries

No match found

People

No match found

Insights

No match found

Services

No match found

People

No match found

Industries

No match found

Minimizing Your Exposure to Fraud: A Conversation with Larry Zelvin

Treasury Services November 02, 2021
Treasury Services November 02, 2021
  •  Minute Read Clock/
  • ListenListen/ StopStop/
  • Text Bigger | Text Smaller Text

 

A client recently said, “When we build tall walls, villains build taller ladders.” That helps explain why there’s been an exponential surge in fraud attempts and successful breaches since the pandemic struck a year and a half ago.

This is the world we live in, and it’s our job as financial professionals to make it hard for bad actors to do bad things. 

Susan Witteveen, who heads the Treasury & Payment Solutions group at BMO Canadian Commercial Bank, recently spoke with Larry Zelvin, Head of BMO’s Global Financial Crimes Unit, to discuss how fraud proliferates in the current environment, and what you can do to help protect yourself and your business.

A summary of the discussion follows.

Who are the bad actors?

“There are hundreds of thousands of people who wake up every single morning with one purpose in mind: to break into somebody's computer,” Zelvin said. It’s a stark picture, but that’s the threat companies of all sizes face. As Zelvin explained, fraudsters common break into five categories. 

Some work for national intelligence services in Russia, China, North Korea and, yes, even Canada and the U.S. Thanks to the internet and mobile device networks, it’s much easier for intelligence services to gather information without having to embed themselves in a foreign country and cultivate sources. The threat comes from nations that use their military and intelligence services for financial gain. 

The second group consists of those who work for terrorist organizations. So far, this category has used the internet largely to inspire the faithful and attract new recruits. But Zelvin noted it’s only a matter of time before terrorists start using the internet for more financially or politically motivated purposes. 

The next three groups currently constitute the greatest threat businesses and financial institutions. First are the financially motivated individuals or criminal organizations. “These are folks who are earning money the old-fashioned way—they're stealing it,” Zelvin said. “Thanks to being online, you can now rob hundreds if not thousands of banks in a given day. It has advanced and progressed robberies and fraud in a way that was unimaginable 50 or 60 years ago.”

Next are hacker groups. Unlike purely financially motivated fraudsters, hackers seek to embarrass or disrupt organizations in the name of a cause, such as social or environmental issues. 

The final group represents what Zelvin deems the most complex to combat: insider threats. “These are people in your organization who are trusted with certain responsibilities, and then they betray that trust,” he said. “These insiders could be technologists; they could be dealing with your finances; they could be you in your HR systems. They are very, very hard to detect because in many cases they will look like they're doing their jobs, and only the smallest mistakes or the strangest of behaviors will sometimes show that activity to be inappropriate and potentially fraudulent or criminal.” 

The human element 

So, how are these fraudsters conducting their attacks? And why are they so successful? An IBM study found that human error is a contributing factor in 95% of cybersecurity breaches,1 and the easiest method is through email. According to the FBI’s 2020 Internet Crime Report, business email compromise, or BEC, was a $1.8 billion crime in the U.S., accounting for about 44% of all internet-related crime.2

“You send somebody an email and you say, ‘Hey, I need you to click on a link or open an attachment.’ And they do,” Zelvin said. “And when that occurs, something called malware or malicious software downloads to a computer or device, which then allows an actor to go back in at a time and place of their choosing and do whatever it is they wish to do.” 

System vulnerabilities are another common method, though the human factor plays into that as well. “Computers, mobile devices, anything electronic were designed and are maintained by flawed machines, and these flawed machines are human beings,” Zelvin said. “Being flawed machines, our devices are constantly found with bugs, errors and security issues that need to be resolved.” 

That’s why installing system updates is a critical element in protecting yourself at the device level. “If you don't, then these vulnerabilities can be exploited by bad actors and can be as effective—if not more effective—than sending an email with a link or an attachment.”

Mitigating your risk

The pace of business is constantly accelerating. While that can be beneficial for the bottom line, for Zelvin it creates one of the biggest security challenges. “It gives us little to no time to react,” he said. “I think the biggest thing folks need to do is slow down. If it doesn't look right, if it doesn't sound right, if it doesn't seem right, it's probably not right. Folks need to question, they need to engage with their management, they need to engage with their security team, they need to have conversations with their financial institutions.”

Zelvin also recommends using biometric authentication on your devices whenever possible. “A lot of the frauds and scams we see are by people using passwords that are too easy to guess. Using biometrics creates a far more complicated problem for the people trying to use fraud against you than using passwords. But if you are using passwords, make sure they're really complex, and use two-factor authentication on anything that requires money movement.”

It’s also crucial to understand that fighting fraud is an organization-wide effort that requires the active participation of every individual, from the CEO on down. “The first conversation I typically have with folks is emphasizing how important every single individual in an organization is to the security and the soundness of that organization at any point at any time,” Zelvin said. “Making sure that everybody understands their responsibility as a person within an organization that if something doesn't seem right, who do they call and how do they make sure the appropriate review and action was taken?”

Just as you regularly review your finances, Zelvin said organizations should prioritize conducting regular reviews of their cybersecurity and fraud mitigation policies, through both internal and external audits. “If you do not test, if you do not assess, you may wake up one day and find that your capabilities were not nearly as resilient as you had hoped they would be,” he said. "There are a number of organizations that will provide those services. They can be really helpful in figuring out where your weaknesses are and how to rebalance and reprioritize.”

The threats businesses face are constantly evolving. That’s why even though there are strategies, tools and tactics you can employ to mitigate your risk significantly, Zelvin stressed that there’s no such thing as perfect security. It’s an ongoing effort that requires constant vigilance.

“If anybody tells you that they have these problems solved, you should walk away immediately,” he said. “It takes the best of technology and the best of people to solve the problems that we're seeing today, which are growing faster and more complicated than any other security environment that I've ever worked in. At the end of the day, they only have to be good once, and we have to be good every single time.” 

Zelvin shared many more insights during the event, including ransomware and its impact on cybersecurity insurance, some real-world examples of cyberfraud, and the importance of being prepared to respond to a fraudulent event. 
IBM
FBI

Read more

Speaker 1: Welcome, and thank you for joining us for today's live webcast and discussion. We invite you to be a part of the conversation. You'll see a chatbox located near the video window. Click chat as a guest and enter your name. Feel free to enter your questions, and our moderators will forward them to the panel. We'll repeat these instructions later in the show as a reminder. It is now time to begin, and I will invite your host to take the stage.

Susan Witteveen: Welcome everyone. I am Susan Witteveen, a senior leader in BMO's North American Commercial Bank. I proudly had our Canadian Treasury and Payment Solution sales team, which includes our cross-border team that uniquely specializes in advising our US-headquartered customers on their Canadian banking needs, and our Canadian headquartered customers on their US banking needs. I just wanted to point that out. We take a North American lens or approach with our advice, including fraud, risk management, and mitigation.

It is our mission to ensure that our customers have timely access to the best advice and experts, leading solutions, responsive servicing, and education to optimize and protect your cash flow, and overall, your day-to-day financial operations. Many years ago, I had a job in our risk management organization, specifically focused on protecting the bank from money launders and terrorists. As such, I work closely with our Canadian bank regulators, and admittedly, I was frustrated sometimes with the increasing levels of controls, the processes, the documentation, the training, and the mounting rules on KYC or Know Your Customer.

I recall one of the senior regulators coaching me at one point by saying that, "Badly behaving people will do bad things. That is the world we live in. Our job as financial professionals is to make it very, very hard for them to do the bad things." That was a helpful perspective for me, and it is basically why we are gathered here today. Together, we can make it very, very hard for criminals to do bad things.

We will spend this time together listening to a leading expert in the fight against financial crime, and by the end of it, we will all be refreshed and reminded, and maybe even further enlightened on the actions we should be taking consistently to minimize exposure to fraud. Particularly cyber, but we will and should go old school too. Check and, particularly right now, bank draft scams are going strong, as has become, unfortunately, apparent the last few weeks.

I guess the overarching message today is that we can never let our guard down. A client said to me a few weeks ago, "Do you know what happens when we build tall walls? The villains build taller ladders." Whether it is digital or paper, there has been an exponential surge in fraud attempts and successful breaches over the pandemic years. Likely because we have been working differently in response to COVID, which has created new risks combined with the fact that there is lots of excess liquidity in the system. The good news is that anyone and any size and type of company can leverage the strategies, advice, and maybe a few morals to the stories to be shared today.

I wanted this webinar to be called From the Cockpit to the White House to Bay Street for the Canadians or Wall Street for the Americans, fighting financial crime with Larry Zelvin, ut marketing said the invites had already gone out, so we had to stick with the very little, Minimizing Your Exposure to Fraud with Larry Zelvin. Larry is our Head of BMO's Global Financial Crimes Unit. It's an industry-leading and innovative model which is a holistic responsibility for cyber and physical security, fraud, and crisis management. He was also a US Naval Officer, and yes, an aviator for 26 years, Cockpit.

He has worked for the US government in many key roles, all including in their titles, cybersecurity, Homeland Security Defense, the Pentagon, White House. His expertise and experience drew the attention of top-tier North American banks, including BMO. He has been with us since 2019, Bay Street or Wall Street. Welcome, Larry. Thank you for always making time for our North American Commercial Banking customers and colleagues.

On a personal note, I respect that Larry has a huge job protecting BMO and our clients every day, all over the world from, untold number of attacks, but he never shies away from rolling up his sleeves to be part of the commercial banking team when we need him. Time is of the essence when a client has been the victim of a fraud, and I really appreciate the tone from the top Larry has set across his organization, which has resulted in the best possible outcomes in many clients' circumstances.

Audience, I plan to ask Larry, the questions submitted when you registered for the event. If you do have any other questions throughout the webinar, as the little video said at the outset, we do have this live chatbox. Please type them in, I will do my best as moderator to get to them. I know it looks like it's just me in my dining room and my pumpkins, and Larry and his very professional-looking workspace, but we do have a village of support behind the scenes, monitoring the chat line. Either way, we'll do our best. If your questions are not answered, email me or your BMO banker, and we will respond. Larry, the floor is yours for a few opening remarks and stories to get the juices flowing. Then cue me to ask the questions from our customers.

 

Larry Zelvin:Great. Thank you, Sue. I really appreciate the introduction. Everyone, thank you so much for spending time with us today. Believe it or not, this is not a Zoom or a Microsoft Teams background, but this is one of BMO's cybersecurity and fraud security fusion centers. I happen to be the one in New York. As we talk about this North American approach, I'm in the one in the United States. We have one that is much bigger and has a greater capability in Toronto at our corporate offices at First Canadian Place. Then we also have capabilities in London and also in Singapore. We have a follow the sun methodology to protect our bank, our clients, our customers, and our partners against such a huge global threat that's just facing everyone.

With that in mind, what I thought we would do this afternoon is the following. I will spend some time walking you through who are these bad actors? What are they doing? Why are they doing it? How are they doing it? I then thought I would use some interesting, hopefully, interesting stories that are all true, about actual attacks that have occurred. I think it's important. I'm going to start talking about some cyber incidents, some notable cyber incidents, and then transition to more fraud, but I think the journey is important for you to understand how cyber and fraud have become more integrated and how that physical aspect is also coming together. When I'm done working through a variety of different stories to give you a sense of what's happened and some of the things you need to be thinking about, I want to talk about why I came to BMO and the organization that I have the privilege of leading and being a member of called the Financial Crimes Unit.

Then Sue said, I'll go back to her. We'll be happy to answer questions, either the ones you've already submitted or the ones you intend to submit. Hopefully with that all in all mind. What's going on out there? Who are these people? Well, look, I hate to tell you, but there are hundreds of thousands of people who wake up every single morning with one purpose in mind, and that's the break into somebody's computer. That's what they do for a living. In some cases, they work for nations. They work for Russia. They work for China. They work for Iran. They work for North Korea and they even work for the United States and Canada. These are people who are in intelligence services. They are people in military services as well.

Most countries, not all, use their military and intelligence folks to do what they've always done, and that is collect information that will protect the national security or the national security interests of that nation or its partners. It has gotten so much easier for the intelligence services to not have to go to a country, turn somebody into a spy and make them betray their country when all you have to do is get on their computer or their mobile device, and you can get far more information than you could potentially get from somebody trying to sneak information out on a micro phish or using paper. Showing my age they're clearly saying micro phish.

However, there are a number of nations that are using their military and intelligence services for financial gain. I'll go into that a little bit more when we get into our stories. Part of the hundreds of thousands of people who wake up in the morning represent nations, are on national payrolls. The other group are people who are financially motivated. These are folks who are earning money the old-fashioned way, they're stealing it and it has gotten so much easier with the advent of the internet.

Just think about how hard it was to rob a bank in particular. You used to have to get a horse or a car. You had to drive to a branch or to an office. You had to go in, you had to scare people. You have a weapon, in most cases. You had to have the folks put the money in a bag. You had to carry it out. The whole time, you had a security person who may stop you or potentially shoot you. You had to get back in the car or the horse. It was really inefficient, it was dangerous. The internet has changed all that. Thanks to being online, you can now rob hundreds if not thousands of banks in a given day, you can face no danger whatsoever. The really great news is in some cases, you can do it from countries where it isn't illegal to do so unless you are robbing people or institutions within that country.

You can do it without risk of being shot or arrested, and you have the beauty of you can do hundreds if not thousands of banks in a day using automation. It really has advanced and progressed robberies and fraud in a way that was unimaginable, let's say even 50, 60 years ago. You have nation-states, you have criminal actors. Then you have hacktivists. These are people who have causes, things that are very dear to them. It could be environmental, it could be social, it could be a number of things, and they are hacking into systems to either embarrass or potentially disrupt or, in some cases, completely take offline institutions or organizations that they have issue with.

The fourth group I want to talk about are terrorists. Terrorists, thankfully, for the most part so far have not used the internet for great harm. It's been to inspire the faithful. It has been an avenue to recruit new folks into the cause. I think over time, we will see an expansion of terrorist activities as much as I've talked about nation-states and criminal groups and hacktivists, I think terrorists only a matter of time will start using the internet and computers in ways that may more financially motivated or more politically motivated.

The last group I want to talk about is actually some of the most complex folks for people like me and my teams to combat, and those are insider threats. These are people who are in your organization, that are trusted with certain responsibilities, and then they betray that trust. These insiders could be technologists, they could be dealing with your finances. They could be in your HR systems. They are very, very hard to detect because in many cases, they will look like they're doing their jobs and only the smallest mistakes or the strangest of behaviors will sometimes show that activity to be inappropriate and potentially fraudulent and or criminal.

Nation-states, hacktivists, terrorists, insiders, and finally the terrorist groups. How are they conducting their attacks? How are they becoming so successful? Ironically, the easiest method is through email. You send somebody an email, you send them something and you say, "Hey, I need you to click on a link," or open an attachment, and they do. When that occurs, something called malware or malicious software downloads to a computer or device, which then allows an actor to go back in at a time and place that they're choosing and do whatever it is they wish to be doing. Emails are typically the way most of these hundreds of thousands of people are able to break into computer systems and computer networks and do the activities they wish to do.

Another way is using what we call vulnerabilities. Vulnerabilities, you have to understand that computers, mobile devices, anything electronic were designed and are maintained by flawed machines. These flawed machines are human beings. Being flawed machines, our devices are constantly found with bugs, errors, security issues that need to be resolved. For those of you who use mobile devices, and I'm going to show my Apple phone, that if you go to settings and you go into software updates, if you see a number up there, hopefully, it says one, or hopefully, it says zero, but you actually have to install these updates. If you don't, then these vulnerabilities can be exploited by bad actors and can be as effective, if not more effective than sending an email with a link or an attachment. That is yet another very effective way to break into a computer system or to get into a company's network.

Lastly, there are certain websites that are used quite frequently, so if you go to a site and you will potentially think you're looking at news or some other appropriate, let's say business requirement on a website, they can actually download malware. A few years ago, there was a regulatory website in Poland that for many months had been compromised and that when discovered, it was interesting that financial institutions that we're doing business in Poland and required to use this website, every time they did it, there was a downloader for malware. The bad actor had really understood the regulator and how much they engaged with financial institutions. That was used as a vector to get in and then drop the malware so the bad actor could manipulate the computers and the systems they wish to go after.

There's a variety of ways to do this, but let me start the stories and give you a sense of what are the impacts of these hundreds of thousands of people that are using emails and phone liabilities and potentially websites. What are the real, tangible outcomes of these things? While I can go back further, I'm going to start in 2012. In 2012, I was working at the US Department of Homeland Security. It was September. I was leading one of the US government's three cyber centers, the one at US Department of Homeland Security. It was called the NCCIC, the National Cybersecurity and Communications Integration Center.

My counterparts were at the Federal Bureau of Investigation or the FBI, and then the National Security Agency and NSA, but the three of us constituted how the US government was fighting cyber at that time. Homeland Security had their responsibility for defending the US.gov domain and working with critical infrastructures. FBI did law enforcement and counter-intelligence. NSA, obviously, was doing intelligence collections. With all of that as a background, I was in Washington DC. I was at a meeting in DC and I got a call to come back to our center, which isn't Arlington, Virginia, and I needed to come back straight away. There was some huge activity going on.

AT&T and Verizon, internet service providers were reporting massive traffic, the highest that had ever been seen at the time, so there was a cyber storm brewing. When I got back to my center, my team quickly started going through what they were seeing and it was apparent that while AT&T and Verizon first brought the attention to us, that banks were now reporting that their websites, their externally facing websites were having slowdowns and outages. The traffic was traversing AT&T and Verizon, but hitting JPMorgan Chase, hitting Bank of America, hitting Citigroup, among others.

This was the start of about seven to eight months of cyber activity against financial institutions, predominantly in the United States, but not exclusively. This was an interesting attack in that on Sunday or Monday, the threat actor, which was known as Kasam fighters, Their cause is there was a video on YouTube that was insulting to the Prophet Muhammad and they were demanding that this YouTube video be taken down. The way they wanted to do it was to put pressure on financial institutions to put pressure on YouTube.

The way this would go is on Sunday or Monday, these Kasam fighters would post that on Tuesday, they were to hit, let's say, JPMorgan Chase, on Wednesday they would hit Bank of America, and let's say on Thursday, they would hit Wells Fargo. On Tuesday we would get into work as the markets opened in New York around 9:30, we'd start seeing traffic increasing. By traffic, what I mean is that there were folks who had taken over computers and were using them to go and access that bank's website.
Now, let's say on any given day, the bank website can handle 300,000 requests without a problem. Imagine what happens when it's 600,000 requests or 900,000 requests. That's what was happening. Computers all over the world were taken over bombarding these websites with traffic to overload them so they would tip over and start failing, and they would fail between, let's say 9:30 in the morning until about 3:00, 3:30, 4:00 in the afternoon when the market's close.

Now, from a defender's perspective, that was pretty polite because we could come in in the morning, we could have our meetings, we could have our coffee, we would see the traffic go up, we'd see a peak around lunch, and then around four o'clock, it would drop off so we could all go home and have dinner. As I said, this went on for seven or eight months. There were several phases of this and they became far more sophisticated as the banks became much better at defending. Towards the end, I will tell you that the bad actors, these Kasam fighters, they would change tactics two or three or four times a day. They would use one tactic, banks would counter, another tactic, counter, change, counter, and this would go on several times over days, then all of a sudden it stopped, which was very much a relief.

Several years ago, the United States government declared that Iran was behind these attacks. They may have been used as a means to come after the United States, in particular, for using cyber to disable their nuclear program just a few years back. That was really the start of the financial sector and their desire to look for people like me who had come from government and worked in the military and worked in security to come over and let them see, how do you defend against the nation that is coming against your bank or your institution.

The next one I want to talk about is Sony Motion Pictures. This happened in November of 2014. Sony was putting out a movie, a comedy, not a very good one, in which a fictional country that looked very much like North Korea, in which the leader that looked very much like the North Korean leader, was being made fun of. It was meant to be jovial. It was meant to be slapstick, but in North Korea, it was seen as of extraordinary offense. The North Koreans for several weeks told Sony, "Do not release the movie, do not release the movie, do not release the movie."

Well then, finally, in November 2014, employees at Sony Motion Pictures in California go into the office and all their computers are locked up. There's a large dragon on their screens, they have no access to anything, and they're being told that their computers have been locked up and they will have no more access. Folks at Sony, the only way they could communicate was using personal devices and using their own personal emails because all of Sony Motion Pictures computers and data centers had completely been wiped using something called destructive malware.

While that was bad enough, over the next few weeks and months, the North Koreans started releasing sensitive Sony information, everything from scripts to health records from their employees, to financial data, to movies that hadn't been released. Ultimately, the CEO of Sony Motion Pictures was fired, and she was fired not because there was a cyber attack at her company, but rather, emails that she never meant to be public became public and her credibility as a leader, as a leader in the industry was completely corrupted in a way that she could no longer serve as the leader of Sony Motion Pictures.

I tell you that part of the story in that you need to be very careful about what you send in an email or a text because there's a possibility during a really bad cyber day that it could be used against you in being released in ways that you never would have imagined. The same thing goes with photographs which is, again, another area that people are used to be manipulated by showing pictures of them in potential views that they would not want to be public.

One other story about nation-states, Ukraine. There is probably no nation on earth that has been more attacked than Ukraine and that's because of their continuing tension with Russia. In December of 2015, three of the power generation sites in Ukraine, all of a sudden on the screens, very much like what you see behind me, there was a mouse coming across, and all of a sudden, their distribution nodes had been being turned off. As the power employees went to see what was going on and grabbed their mouse, they realized they did not actually have control, but someone else did.

230,000 of their customers in Ukraine were without power for over six hours. I've been to Ukraine. I was there in the summer. I will tell you it's quite cold. In December, it's downright freezing. Do you know if you lose power, it is not just a cyber problem and not a business problem, but it is a humanitarian problem because people may not be able to heat if they're using electrical heat sources. Do you know that elevators don't work, so you were starting to see cyber having physical impacts upon society that can be quite dangerous.

I will also share that in Florida, there was recently a water power station, sorry, a water purification plant that had the chemicals that purified water adjusted, where if not caught could have made people sick or even worse potentially die. The current Secretary of Homeland Security had a news conference yesterday where he talked about something called killware, and that's using cyber as a means to potentially hurt or worst case, cost someone their life using cyber means.

Let me get a little bit more into fraud. How bad is the story in fraud similar to what I talked about with the denial of services from Iran, the swift, I'm sorry, the attacks on Sony, and then also the power in Ukraine. Is there a fraud story? Well, there is. Back in February of 2016, the Bank of Bangladesh suffered one of the largest frauds ever recorded. It was an attempt at $1 billion US, $1 billion. The means for the fraud was using the SWIFT messaging system. The bad actors in this case sent 35 messages wiring money from Bank of Bangladesh to the New York Federal Reserve to other institutions in Asia.

The only reason this was caught was because the bad actors had used the word, Jupiter, in one of the wiring instructions, and it set off an electronic signal within the Federal Reserve of a potential sanctions group that was in Iran. It caused a flag for security people to go investigate. The challenge was is that it was over a weekend but thankfully, due to the diligence of those folks even on a weekend, they started investigating it a little bit more. As they did, they started seeing the Bank of Bangladesh had never moved a billion dollars flown over a weekend. They started seeing other suspicious flags. They were able to thankfully stop most of that money from leaving the Bank of Bangladesh through the bad actors. Unfortunately, about $180 million was lost but it was a $1 billion attempt.

How could this have happened? Well, the bad actors, again, which has now been publicly disclosed as North Korea, use malicious software to get into the bank of Bangladesh and it is estimated for months, they were watching bank employees do their transactions. They understood how the bank moved money. They understood what security controls were in place. I will tell you, they actually disabled a number of the controls that were in place in the Bank of Bangladesh to include, every time there was a SWIFT message, it would print out, they disabled that printer. When the folks came to work on Monday at Bank of Bangladesh, got these messages from the New York Fed saying, hey, there's something suspicious here, their initial reaction was, well, that's impossible. Our controls work, we see no indications, but as they got more details, they got even more concerned.

There were similar attempts with SWIFT, not nearly at a billion dollars but in the hundreds of millions of dollars range throughout Eastern Europe and Latin America over the next few years. SWIFT, thankfully, has spent time and energy to correct flaws and challenges in their system and is doing a tremendous job of alerting financial institutions to anomalous or potentially suspicious behavior and there have been no other great frauds, but that doesn't mean it couldn't happen again. It doesn't mean that there aren't incredible challenges still that lay ahead of us, particularly in payment systems.

When you look at most institutions, you're seeing frauds that are occurring around wires similar to the SWIFT messaging, you're seeing it around check fraud, deposit fraud, credit card fraud, but a lot of it is happening around identity theft. We'll talk a little bit more about business email compromise. I know that is in your questions and I want to save that and get to that once we get to that portion of our presentation.

Let me talk a little bit about what is BMO doing around these security threats. You've talked about cyber, you've talked about fraud, but what is BMO doing to protect its customers and the bank itself? Well, as Sue mentioned, in 2019, BMO really took a huge leap and is a leader in the industry in creating the Financial Crimes Unit. The Financial Crimes Unit encompasses all the security teams at BMO. It's cybersecurity, it's fraud, it's physical security, and it's crisis management to include continuity and disaster recovery. Why this is unique is because most organizations, each of those security pillars are siloed. They're verticals. At BMO, we do have that vertical segmentation, but more importantly, there was a horizontal. There's an integration.

Most of the cyber-attacks we are seeing, particularly in the financial sector, are financially motivated. They're fraud-related. The ability of the cyber team to work in an integrated way with the fraud team has made us faster and better. The same thing goes with our physical security team. When it comes to our branches, in many cases, they may be telling the physical security team before they're able to tell the fraud team, the ability of the physical security team to work with the fraud team in the cyber team, again, the way we have designed this at BMO makes us faster and more capable, and I will tell you in a number of cases, has led to positive outcomes when malicious activity has been detected, and, I think just as importantly, perhaps, even more, enabled us to prevent frauds from occurring in the first place.

We've been at this for about three years. We are very proud of what we are building and have built but I will also want to share with you this, that there is no such thing as perfect security. If anybody tells you that they have this problem solved, you should walk away immediately and not listen to them anymore. It really does take, when you look at security, and I know we'll get into this in the questions as well here and I'll turn it back over to Sue in a moment, but it really in my view and having worked in security many decades now, it really takes the best of technology and the best of people to solve the problems that we're seeing today, which are growing faster and more complicated than any other security environment that I've ever worked in.

When you have good people and good technology, you have the best ability to confront these threats and protect yourselves, but at the end of the day, do know they only have to be good once and we have to be good every single time and we try and do that every single day. Sue, back over to you for the questions and I look forward to engaging with you all more.

 

Susan: Larry, you are terrifying, and I mean that in the best possible way. I mean it a compliment, but those are wild stories and case studies, so lots to be reflected on there. One of the first questions that came in from a customer is, what is the most common fraud risk that corporate treasuries face today that could also be a challenge to control? I think I know, based on listening to your remarks, that you're going to say email compromise. I would just say that given all the extra measures BMO takes to train employees, educate us, and keep us knowledgeable on email compromise, on the weekend, an email did come into my in-tray.

It looked totally legit from Apple saying that I had just made a purchase and that I should click here to view my receipt. Immediately, I start asking my children if they've just made a purchase of a game or an app, and they all sweetly said no. My husband then walking by said, whatever you do, don't click on that link. Of course, rather than trust my children, I clicked on the link. Sure enough, I think it was from your department, like a test of you've been a victim of phishing, this was a test. Now I fear that my face is up on a poster in one of your control rooms of what not to do.

I do think that I'd like to hear a little bit more from you and as what our clients on phishing, and just some good best practices not do what I did. Control yourself, do not click on links, but any other advice you can give us around email compromise?

 

Larry:Yes. Thanks, Sue. How bad is business email compromise? I did a little research just prior to the event and look, the US Federal Bureau of Investigation last year alone said it was a $1.8 billion with a B, billion-dollar crime in the United States alone. Do know that the FBI also reported that when you look at all internet-based crime that the number was $4 billion. $1.8 of the 4 billion was just business email compromise. Now, that's extraordinary by any measure and I will tell you that as you go back the last few years and look at the FBI's reporting on business email compromise, the number has been in the billions, and it is increasing.

Do know for bad actors as I talked about those hundreds of thousands of people, that's good money, and they're doing it as I said in countries, in most cases that it is not illegal and actually they're being well funded and they're also syndicating. If anything, these bad actors have had problems wandering the money, how do you not trigger international alarms when you're trying to spend this money because there are folks like the New York Fed and where I talked about the SWIFT case that are trying to flag these bad transactions.

Business Email Compromise. I think the biggest thing folks need to do in my opinion is slow down, okay. Slow down. It's the old adage. If it doesn't look right, if it doesn't sound right, if it doesn't seem right, it's probably not right. Folks need to question, they need to engage with their management, they need to engage with their security team, they need to have conversations with their financial institutions. They need to say, "Hey, we need to look at this a little bit longer and harder."

One of the biggest challenges we're having in security is that right now, businesses are pushing to go faster and as close to real-time as possible. While that's good, it also creates risk because when there's a security problem, it gives us little to no time to react. That being said, if you can find a business email compromise usually within the first 24 hours, it has been my experience that in most, not all, but in most cases, we can recall that money. As you start getting beyond 24 hours and into 48, 72 hours, the probability of recall becomes far less.

Do know that if you told your financial institution to do something and it was a legitimate direction, or if we warned you not to do it, as happens more cases than I wish to count, and you say, "No, no, it's fine. No, no, it's fine. No, no, it's fine," and then we eventually do send the money, and then you find out days later it was fraudulent and say, "No, no, I messed up. You need to recall it," we can't. My biggest and most important advice is really if it doesn't look right, it doesn't seem right, it doesn't smell right, stop, take a few minutes, get the right people in, validate, verify, and then if you have a problem, report it.

 

Susan: Thanks for that. I would just add too that what we try to remind clients is put on the Trusteer Rapport anti-malware software. It's free and it's specifically designed to protect your financial systems and financial transactions. Invest in other malware and antivirus software as well, but I think that's just a good added protection. Moving on, another question that just came in that I really like is, due to major corporations being hacked, including NASA, the CRA, the Canadian Revenue Agency, and the US Pipeline hack, how do we rest assured we are safe and protected while using our devices at home and in public areas? What is required to maintain safety, Larry?

 

Larry: You shouldn't be rest assured. Matter of fact, you should be on the other side of the equation. As I mentioned earlier, there is no such thing as perfect security, but I don't want you to overly panic either. You have to live your lives. I have my banking on my mobile device. I send texts, emails to my family and my friends. I am very comfortable banking online, but there is a responsibility of the financial institutions or the businesses in which you engage to provide proper security. I think you need to do your due diligence when you select who you're working with financially and make sure that their standards are at or above your expectations.

When you look at a commercial standpoint, you should see our folks investing in the right technologies and the right capabilities and capabilities are also about people. Are they innovative? Are they actually doing things that you think are above and beyond peer that will make you sleep better at night, that your money and your information is better protected at one institution over the other? Because in so many cases, and let me give you another example if I may.

A few months back, there was a company called SolarWinds. Nobody ever heard of SolarWinds and now, all of a sudden, the entire world had heard of SolarWinds and the reason is that SolarWinds was a rather small technology company in Texas that was used as a vector to infect thousands of other companies. SolarWinds, respectfully, did not have much of a cybersecurity program, nor did they have a chief information security officer. There were a number of things that SolarWinds could have and should have done better, but companies should have also asked and done their due diligence around that vendor, and hopefully, in some cases, that would've made the difference between being compromised and not. You've got to go out and you've got to ask some tough questions and if you don't like the answers, then you need to either hold them accountable or maybe look for others to do business with.

On a personal perspective, I think a couple of things. First, I talked about making sure that your devices are updated, that is utterly critical. Another thing, use biometric authentication. A lot of the frauds we see, a lot of the scams we see are by people using passwords that are too easy to guess and I know how many times you've heard change your password, change your password by people like me. I'm telling you wherever you can, don't use a password, use biometrics. Is biometrics perfect? No, nothing is, however, using biometrics creates a far more complicated problem for the people trying to use fraud against you and your family than using passwords.

If you're using passwords, make sure they're really, really complex. Use two-factor authentication on anything that requires money movement, so you're going to have biometrics hopefully, and then you will have a second factor of authorization, potentially a code or a password, or potentially even working with a human being on certain values to say, look without my authorization personally, unless you can hear from me, that you're not allowed to move that money and you've got to be safe.

Then the other thing I would say that you really need to be really aware of this is keep your eyes and ears to the ground. I will tell you that on BMO's security website, we offer a lot of advice on how to secure your home, how to secure your device, how to talk to your children about cybersecurity and fraud, how to talk to your elderly parents, grandparents, other friends, and relatives. Because, unfortunately, the two largest groups that are exploited when it comes to fraud are the elderly and the young, and we need to all as a society do a better job of educating them on the threat and how they need to be vigilant, and we try to offer that advice on our website at BMO and when you could go to BMO security.

One last thing, when you're talking to the kids, or when you're talking to elderly folks, don't shame them. Because one of the biggest challenges we're having is getting people to report this and often, they feel like, "My gosh, that was my fault. I can't believe I did that." We need to get over that. We need to work on fixing the problem and preventing it from happening again, not shaming the people who got duped.

 

Susan: Thanks, Larry. Yes, I don't shame my kids but I obviously don't trust them, which is why I click the links. These are very, very good lessons for me personally and I appreciate it. I think what's on everyone's mind here because I'm seeing some questions come in is, what advice can you give commercial businesses who are shopping for cybersecurity insurance policies?

 

Larry:Yes. The cybersecurity insurance industry has fundamentally changed and that's because of a thing called ransomware. Ransomware, you may have seen, I imagine you've seen the Colonial Pipeline incident which impacted the United States a few months ago, but they were taken over by a bad actor. They lost control of their ability to move petroleum, I believe, and I think it was just, anyway, I think it was petroleum, and four US states were running out of gas at gas stations. This was a huge, huge event. It was a ransomware event.

What that means, is that a bad actor got into their systems, put on this malware that prohibited the use of those computer systems, and said unless you give us money, these systems are going to be locked up. The FBI was brought in, DHS, NSA to help, but unfortunately, the time in which it was taking to fix this problem was greater than the United States in these states could put up with any longer, so eventually, Colonial Pipeline actually paid the ransom. There was another company called JBS, a meatpacking company who had a similar problem that impacted their ability to conduct their business and tribute meat across the world. I tell you these two stories, but there are thousands, if not tens of thousands of more that have occurred and continue to occur to this day.

The interesting thing, at least if you're a security person, the interesting thing about some of these ransomwares is that the ransomware actors have gotten into a company's computer, have looked at their cybersecurity policies, their insurance policies, and then make their ransom exactly for the amount in which the company is covered for. Their theory, which has proven quite well, is that many executives will go, "Well, why don't I just pay the ransom? That's what I have insurance for. They're asking for X, I'm covered for X, simple business decision. Let's go ahead and just pay the ransom."

The problem becomes in some countries, particularly the United States, if you pay the ransom and it is later found out that it went to a sanctioned individual or a sanctioned country, you could be potentially prosecuted criminally for allowing that payment to go through. What that means is if ultimately it is found out that the payment you made to get rid of that ransom went to Iran, went to North Korea in the case of the United States, or went to a terrorist group like Hezbollah or ISIS, you could be held potentially criminally liable in some countries, and potentially even subject to extradition depending on how everything came together.

The insurance industry has had some problems in that a number of companies have been paying these ransoms despite the risks, the business gain is really decreasing and the business risk is really increasing. Cyber security insurance programs are going to be harder and harder to come by, but even if they are available, you really need to get into the details of what is covered and what is not because there have been, and I'm not an attorney but I do work in the security business, there have been a number of lawsuits where companies and their insurers have fought over, "Wait a minute, this should have been covered," and the insurance company goes, "Not so sure." You don't want to be in that situation.

Another challenge is a lot of insurance products require you to use cyber security responders of their choosing, and in some cases, they work fine, and in other cases, they may not have the capabilities you need to recover in a time and in a method in which you need to recover. All of this is a way of saying is be careful of what you do, make sure you understand what you are doing, understand the limits of it and then make the right decision for your organization as to whether or not it is valuable for you.

 

Susan:Thanks, Larry. That's great. We could do a whole other session just on this topic. Other questions are coming in though, so let's try to squeeze in a few more in our last few minutes. What is best practice from your perspective on verifying vendor ACH or wire information? What are your thoughts there?

 

Larry: I think, again, it comes back to your risk tolerance. If there are certain transactions that are rather routine and you and your financial institution understand what normal looks like, that's great. There probably isn't going to be a whole lot of problems in what is normal for you and your business and your financial institution. I do think you need to have some conversations human to human and potentially not over email or other electronic devices, but rather in person or potentially over video conference or telephonically, as to what are those parameters when they're anomalous, what is it that you expect your financial institution to do? Do you want them to hold the payment? Do you want to contact somebody? If they contact somebody, how do you validate that you're actually talking to the right people?

One of the biggest frauds that's occurring and, again, it's highly successful, is something called SIM swapping where the fraudster is able to get a new SIM card and they can replicate your call. Your banker or your financial professional calls a number, they are actually talking to a fraudster and say, hey, I'm sorry, but the client's a little busy or they're injured. They asked me to take the call and yes they are okay but reality, you're actually talking to the fraudster, so it's called SIM swapping fraud, sorry for that. You've got to be careful.

You really do need to work at the interpersonal level, set parameters. Set up a standard operating procedure as to how you need to operate when challenges or things come up that are anomalous, and really work together. Sue, what have you seen?

 

Susan: I agree with all of that and something you said earlier just a philosophy on like slow down, the devil is in the details on this. Ensure information is complete and accurate, like address for the wires, check for spelling, that can be a red flag is incorrect spelling, even the slightest change. The policy is important, establishing tiered approvals. Larger the amount, more approvals required, and I understand that thresholds will vary depending on risk tolerance and even resourcing in your department, I get it. Establish trigger amounts. Any payment over $10,000 gets flagged or reported.

Other things to consider that my colleagues raise as best practices, absolutely regularly reviewing your financial reports to ensure no anomalies. That's really important in Canada because we don't have the benefit of in the US, you can leverage an ACH debit block to ensure only authorized payments are collected. It is really important to be checking your reports. Then maybe consider a different payment type for some of your payments, card-based payments for greater fraud protection, that's my two cents.

Other questions that have come in, let me just check here. Maybe this is more of a recap but it can't get said too much, but Larry, training our staff on cybersecurity is clearly important. What would you say are the top three things that our customers need to be aware of when educating or communicating to their staff?

 

Larry: Look as I mentioned earlier, I used to work at the US Department of Homeland Security, so every time I say this I get a nickel. If you see something, say something, and I'm kidding. I don't get any money from the US Department of Homeland Security, but DHS when I was there also had a saying that went stop, think, connect. I think the most important thing is look, we spend a lot of money protecting our bank and our customers and our partners. Many of you spend a lot of money on your security procedures and your security technologies and your security teams. Ultimately, as I come back to the Bank of Bangladesh, there was one word that was reviewed by a human being who took the time and did the right thing.

I think the very first conversation I typically have with folks is really emphasizing how important every single individual in an organization is to the security and the soundness of that organization. At any point, at any time, the one person that can prevent a really bad day, if they don't know who to call and they don't know what to do, it can make the difference between success and failure. I think really making sure that everybody understands their responsibility as a person within an organization. Even that organization could be your family. If something doesn't look right, doesn't seem right, who do they call and how do they make sure the appropriate review and action is taken? I think that's thing one.

The second thing I would offer is, hopefully, you all go to the doctor every year. Hopefully, you go to the dentist every year. You may review your finances quarterly or semi-annually or annually, whatever your rhythm is, but I guess when was the last time you asked an outside organization to evaluate your cyber security and fraud readiness? I will tell you at BMO, it was about six months ago. I think it's very important to both run internal and external evaluations of your organization's security capabilities across cyber, fraud, physical, and then again, into continuity and disaster recovery. If you do not test, if you do not assess, you may wake up one day and find that your capabilities were not nearly as strong, nearly as resilient as you had hoped they would be.

There are a number of organizations out there that will do these testings and that will provide those services. I will tell you that they can be really helpful in figuring out where your weaknesses are, and how to really rebalance and reprioritize. I would also say that these exercises should not be punitive but rather instructive. Because look, there's a lot of things to do on any given day, so being able to understand where the greatest risks are and be able to address them, I think is the next important thing.

Lastly, I would say that if you are a business owner or a senior executive within a business, the wrong time to figure out how you're going to respond to a security event, especially a large cyber event or a large fraud event, is during the event. When you look at these challenges and when they come into being, I usually say there are three things you need to consider.

First, is the technology problem. You have a bad actor, someone's on your network or systems and you need to get them out. Believe it or not, of the three problems, that's probably the easiest. The second problem which is a challenge is risk. You've got a lot of risk that you're going to have to manage, and that's not something normal your security people do. Because you need to look at things like counterparty risk, credit risk, market risk, liquidity risk, counterparty risk if I haven't said it, but there's a whole bunch of business decisions that will need to be understood and potentially made, the longer these attacks are impacting your business.

You need to have a sense of, how do you anticipate, how do you get ahead of decisions that will likely be coming your way? Who will be making them? How will they be making them? Because do realize that your computer systems may not be as available as they are prior to the attack. You have to work with technology ware. You have to work with technology problem. You have to work the risk problem. Finally, the communications problem. The communications problem is probably the hardest of the three.

What are you going to tell your internal staff? What are you going to tell your clients and customers externally? Are you going to notify law enforcement, and if so, who in law enforcement? Are you going to make regulatory notifications if you're a regulated entity? So on and look, if you have call centers, how are you going to deal with the extra volume? What do you do in the press, social media? There are more challenges in communications probably than any other area, and if you spend time on it, you can manage it well. If you don't, you will find it to be overwhelming, and all of a sudden, everybody and everything is making a bad day into a really horrific problem and bad and an even worse challenge than ever before.

 

Susan: I really like one theme throughout your words of wisdom, Larry, which is, at the end of the day, it is humans on either end of the exchange of value or the interaction, and it's so important that we do take the time to know who we're authentically communicating with. Another type of fraud that we've seen more of in the last months or years is supplier fraud. A trusted supplier has been compromised and our customers get notified by their supplier to change the banking or the payment arrangements and they do it. The next thing you know, our supplier is calling and wondering where their payment is. Those are just another example of just taking the time to know you're communicating with an authentic person.

I think we're just about at time and I know we have more questions in the queue, but we will get to them all one way or in another means. I really thank the audience for joining today. For those of you who didn't put your full name in when you registered, well, we may have to ask you to connect with your BMO banker to get your question answered, but for the most part, we'll try to figure out a way how to lay all these questions out and get answers or tip sheets to everybody.

Thank you, Larry, for your valuable insights as always. You are a great colleague in every way. I will just conclude with this stat that I found on our BMO cybersecurity page when I was flipping through, that 95% of cyberattacks are caused by human error. Events like this keep us informed and educated and they're absolutely key. According to the research, most of us will be phished, and that's what the PH, not the F. There are many ways that Larry has shared with us today to protect ourselves and protect our companies. We have lots of tip sheets and best practices that your banker can get to you very quickly and easily.

We hope you found this session valuable and we really appreciate your time and attention. We are also always striving to get better at these events and figuring out what our customers would most like to hear about or hear from, so your feedback on today's session really matters. I know everyone always asks this, but please fill out our short survey. I'm going to say this and regret it, by clicking on the link below the video window. It's not a trick, it is safe.

For those looking for CTP or FP&A recertification credits, please click on the link below the video window to save the confirmation of attendance documents for your records. We will send around a replay of this session so you can rewatch and share it with your colleagues, family, friends. I, on behalf of BMO, thank you for your time today. Stay safe. Bye-bye
[music]
[00:59:12] [END OF AUDIO]

Marc-Andre Bergeron Managing Director & Head, Global Corporate Transaction Banking

You might also be interested in