Business Viewpoints

(music)

>>Anil Khilnani:
Hello and welcome to Wells Fargo's Commercial Banking Business Viewpoints podcast. On today's episode, we're going to be focusing on two main areas payments, fraud and cybercrime and the vulnerable points of entry that cybercriminals exploit for their schemes. We'll be covering the current fraud threat landscape. We'll talk about the impact of artificial intelligence and specifically generative AI on cybercrime. And we share best practices for protecting your people and your systems. I'm Anil Khilnani. I lead the Fraud Education and Awareness Program for Wells Fargo's Global Treasury Management Fraud Prevention Team. Matt?

>> Matthew Simmons:
Hi, Anil. I'm Matthew Simmons and I am the head of our Cybersecurity Vulnerability and Patch Management team here at Wells Fargo. Looking forward to the conversation today. We want to talk through two things people and systems. Anil, we’ll hand back over to you to talk through the people topic.

>>Anil Khilnani:
Sure. Thank you. So when it comes to people, did you know that according to a recent Gartner report, human errors account for approximately 74% of all security breaches. And in line with that, while most organizations do consider their employees to be their greatest asset, they can also be the biggest cybersecurity liability. Cybercriminals have realized that often the easiest way to breach security is to exploit the human factor. You know, employees are human. They make mistakes. They fall for scams, or they can just plain ignore security best practices for the sake of convenience or to save time.

>> Matthew Simmons:
That’s interesting, Anil, and when you say people, we mean more than just employees. When we're talking about people, we mean anyone who has access to your systems. So your employees, your suppliers, your business partners, contractors, anyone who would be able to access any of your information systems.

>> Anil Khilnani:
Yes, truly. That's a great point, Matt. Threat actors certainly do target a variety of channels and entities to execute their scams.

>> Matthew Simmons:
Do you have any specific examples?

>>Anil Khilnani:
Sure. On the people front, I’ll share three common examples of how people and employees become victims of cybercrime. Number one, they may click on a link that's been included in either a deceptive email, a phishing email, or text message. Specifically, or especially, I should say, if that message appears to be coming from a known entity or a trusted brand. And then they may, for example, either enter their banking portal login credentials or they may give out other sensitive information, or they may open an attachment that's been included in that deceptive email or text message, which could then install malware on their device. You know, I just heard a report from Know Before that talked about how one third of users will fail a phishing test prior to receiving training. My number two example is that employees will use a work device for their personal tasks, which could potentially expose their device to malware. You know, they may, for example, download personal information such as their health data, or they may inadvertently visit a malicious website, or they may allow family members or friends to use their work devices. So, for example, if an employee's child is using their corporate device for surfing the Internet and the child unknowingly clicks on a link or visits a bad Web site that could potentially Install malware on their device. Number three, that relates to connectivity. You know, users will take shortcuts and they will ignore the standard guidance to avoid using free non password protected public wi-Fi for accessing their corporate networks or their accounts without going through a VPN. And as I understand it, it's actually relatively easy for cybercriminals to hack into non password protected Wi-Fi networks. And then once they've access that network, they can then very easily access any devices that are connected to it.

>> Matthew Simmons:
Back to phishing for a second. Is that still a primary venue for the cyber criminals to target.

>>Anil Khilnani:
It certainly is, Matt. I would say that the vast majority of cyber attacks start as phishing messages. And this could be business email, compromise schemes, account takeovers, even ransomware. 90%, according to Proofpoint, of these attacks, start as phishing messages. One additional point I want to make in terms of the risky actions that employees take is, you know, Proofpoint does an annual state of the Phish survey where they survey working adults and I.T. professionals worldwide, and according their latest survey, seven out of ten respondents admitted to taking a risky action, and nearly all of them, 96%, knew they were taking a risk and they did it anyway. And not surprisingly, the number one reason they gave for taking the risky action was convenience. 

>> Matthew Simmons:
And some of these risky actions include things like reusing your password across different applications sites, and potentially sharing your credentials with an untrustworthy source or even writing down your password where someone could gain access to it.

>>Anil Khilnani:
Yep. And even Matt, in some cases sharing their passwords with other employees, you know, which is a big no no. We always, you know, advise our clients that your password is unique to you. Do not share it with anyone. But yes, absolutely. Those are all great examples of the risky actions that employees take at work. 

>> Matthew Simmons:
We also understand employees and our suppliers or anyone that we that has access aren't necessarily taking these actions intentionally. They're not out to do malicious activity, but they're busy and they're moving fast. And these actions do lead to open doorways and open pathways for cyber threat criminals. And so this is just an opportunity have employees take an extra second, take an extra minute review the email, confirm sender, you know, change that company culture to look for those red flags and take that extra time to validate those actions are necessary on the behalf of the employee.

>>Anil Khilnani:
Absolutely, Matt. Security over immediacy should always be the mindset for all employees. So, Matt, let's maybe change gears a little bit now and let's talk about how generative A.I. is transforming the fraud threat landscape. You know, it seems to me that with this new technology, it's now more important than ever to have good protections in place for your people and your systems. Can you please tell us more about this new threat?

>> Matthew Simmons:
Yeah let's do so. Generative A.I. or artificial intelligence is something that's built off of a model that is learning and providing responses to prompts such as chatGPT. It's taking a model, it's learning off of that data and providing you a response based on that, that model and generating new data with similar characteristics to it. And so from a cyber threat perspective, what this is, this is creating a situation where threat actors are able to build more realistic emails for their phishing campaigns or develop code in a much faster and robust manner. And so the things that we would have looked for in the past, whether it was the misplacement of words in an email, maybe English would have been a second language. those types of things going away with the emergence of some of this generative A.I. that's out there.

>>Anil Khilnani:
So any examples to share, Matt, of, you know, recent incidents involving the use of generative AI, perhaps even the use of a DEEPFAKE. Anything you can share with us?

>> Matthew Simmons:
it's definitely easier and faster now, as I was mentioning, to create those fraud scams. And so these the ability not only to generate emails but also to to take videos off of social media too, and taking all of this data about a person being able to put that into one of these A.I. models, they can then generate audio and video that looks and sounds exactly like you. And so if you think about an employee receiving a phone call from somebody claiming to be the CEO of the company or the CFO of a company and asking them to take action, we have seen this being used and targeted against some of the financial institutions in the United States, and it just becomes a much higher quality and harder to spot type of attack. They are able to automate these things, these attacks and these processes. And so it just continues to again, make it much more difficult to determine is, is what you're facing an attack or is it real?

>>Anil Khilnani:
So, yes, absolutely. You know, given this new fraud threat landscape involving the use of generative AI, it becomes all that much more important for organizations to make sure they're protecting their people and their systems. So far, we've talked about people as vulnerable points of entry. Let's talk now about system vulnerabilities. Matt, how are threat actors targeting systems and networks?

>> Matthew Simmons:
Thanks Anil, so your systems are vulnerable and cyber criminals are targeting and I think you can see that the media in the news today specifically if you look at the Identity Theft Resource Center 2023 set the record for most publicly disclosed security compromises ever. There were over almost a 43% increase in the number of incidents being reported as far as targeting systems by cyber criminals.

>>Anil Khilnani:
 So are there any specific systems or devices that are likely to be targeted by the cybercriminals? You know, just so organizations can be proactive in protecting or updating them?

>> Matthew Simmons:
Yes. So there's three things I’ll cover here. So first is your network footprint. It's really the cyber criminals are looking at your your network from outside. And so understanding your footprint and where your critical systems and devices are and we're not just talking about servers or desktops or laptops, but you've really got to narrow in on what are your critical systems to make your business work on a day to day basis and finding where those sit in your network, how they're protected. then the second piece is really outdated software and antivirus and operating systems. It’s critical to have what we would call a cyber hygiene program, something where you're updating and regularly patching to make sure that you're staying at the latest version of those software, because what we've seen is a large increase in these vulnerable systems being attacked by cyber criminals. Once they're in, they're able to start to move laterally through your network. And so making sure you've updated those and patched those critical software for your company is important. And then the third thing I would say is really understanding the full ecosystem of your network. This includes now where do you send your data? Does it go to a third party or to a customer, another company that leverages the data or has network connections to you? And so really understanding where your data is at, where your how your network is set up and establishing standards for the security footprint, the security architecture that should be around those systems. Let’s close with a few proactive steps to protect these vulnerable points of entry. Anil, do you want to share your top three for people?

>> Anil Khilnani:
Sure. So my number one recommendation is having a regular and ongoing employee education program. I would say that this is probably the most important aspect of any effective fraud prevention program. And really, the training should be provided to all employees at all levels and in every department, especially the employees who are involved with money movement or vendor management. Now, the training should cover how to recognize and report suspicious activity. And again, it really has to be a very regular program to this topic. Always stays top of mind for all your employees. And they never forget that they are the first line of defense against fraud. My number two recommendation would be to institute strong security requirements for accessing your networks and accounts. And some examples of how to do this can include requiring the use of strong passwords. And that may be up to 16 characters long with uppercase and lowercase letters, numbers, special characters. And also they need to be changed. The passwords should be changed on a regular basis. And perhaps also utilizing two factor authentication, including biometrics, as an additional layer of security. Number three recommendation would be to utilize a dual custody or dual approval set up for managing your outgoing payments, vendor payment instruction changes and your user entitlements administration. You know, dual custody requires two users on two different devices to separately initiate and approve all payments new set up for any changes. And it can really serve as a very effective second chance to spot a fraudulent payment before it goes out the door.

>> Matthew Simmons:
Those are great examples I would Add on the employee training to include some level of phishing recognition, some kind of phishing awareness program as well. But those are great. Thank you.

>>Anil Khilnani:
Yeah, definitely. So, Matt, how about how about your recommendation for protecting systems? What are your top three?

>> Matthew Simmons:
Yeah. So I would say the first one is stay current. first you want to understand the threat environment that you're operating in. So I would look at monitor for new and emerging threats keep your software and antivirus is updated, assign dedicated resources to doing this and so that really stay current. The second piece is manage service providers. So if the in-house capabilities are not there or the resources, you know, there are experts out there who can help and who can build programs to support your cybersecurity program. And so I would I would encourage you to use that. And then third is really establish your business continuity plans, establish procedures around that, create those, update them, keep them updated and test them continuously. The more you test them, the better you're going to be. If and when a real event takes place.

>>Anil Khilnani:
Yes, absolutely. Those are great recommendations.

>> Matthew Simmons:
Well, thank you, Anil, this has been great. Thank you for joining me today and thank you for all that are listening. We hope you have a great day.

>>Anil Khilnani:
Thank you, Matt, and thanks everyone for listening.

Disclosures:

Wells Fargo provides best practice information related to cyber risk and/or topics for educational and information purposes only.  This podcast is not intended to and should not be relied on to address every aspect of the risks discussed herein.  The information provided in this podcast is for the purpose of helping customers and clients better protect themselves from cyber risk and highlight industry best practices for operating in a more secure manner.  This podcast does not provide a complete list of all cyber threats or risk mitigation activities, nor does it document all types of best practices.  Wells Fargo is not providing cyber-related advice or consulting services and customers and clients should decide whether to engage a cybersecurity firm for specific questions or advice. It is the responsibility of our customers and clients to determine their best approach for mitigating cybersecurity risk through implementation of best practice aligned to the level of risk.

Commercial Banking products and services are provided by Wells Fargo Bank, N.A. and its subsidiaries and affiliates. Wells Fargo Bank, N.A., a bank affiliate of Wells Fargo & Company, is not liable or responsible for obligations of its affiliates. Deposits held in non-U.S. branches are not FDIC insured. Products and services require credit approval. 

Global Treasury Management products and services are provided by Wells Fargo Bank, N.A. Wells Fargo Bank, N.A. is a bank affiliate of Wells Fargo & Company. Wells Fargo Bank, N.A. is not liable or responsible for obligations of its affiliates. Deposits held in non-U.S. branches, subsidiaries or affiliates are not FDIC or CDIC insured. Deposit products offered by Wells Fargo Bank, N.A. Member FDIC.

© 2024 Wells Fargo Bank, N.A. Member FDIC.