Cybersecurity issues have a broad impact on the delivery of financial services. Our panel of experts discusses how cybersecurity and financial crime intersect and how to identify threats and harden your systems.

Cybersecurity and its Impact on Financial Crime – Transcript
John Byrne: [00:00:00] Welcome to the April edition of AML Voices. I'm your host today, John Byrne. And with me today are two folks that are going to walk us through some of the major challenges that we're all facing in terms of cybersecurity, cyber fraud, those types of issues. As always, we can take your questions; you can put them in the Q&A box and we'll get to those throughout the program.
We'll probably stop about five minutes toward the end to see if we have any questions, but feel free to send them throughout the conversation. As I mentioned, we have two panelists with me today. Billy Gouveia: Billy is the founder and CEO of Surefire Cyber, a company that he formed back in 2022. And also Juan Carlos Benavente, head of fraud prevention at Popular Bank.
Previously, he was head of cyber fraud, the Fusion [00:01:00] Center at Citi. So guys, a couple things. Because it's a cyber-related issue and topic that we're talking about today, stats and reports change daily, and I just noticed that this week the FBI issued their IC3 report, and this is from the 2024 series of complaints to the Internet Complaints Center. Just by some of the numbers here, and I urge folks to read the report, a 50-page report: total complaints, almost 860,000 in 2024; losses have been estimated at 16.6 billion; increase in losses from 2023, 33%; complaints with actual loss, almost 260,000. As we know, cybersecurity is a broad, very broad topic.
We talk about ransomware, denial of service, data breaches, identity [00:02:00] theft, romance scams. Anything can be done online, we put under the category of cybersecurity and cyber fraud. Billy, let me start with you. You've been in this space for a long period of time. In 2025, what are some of the things that you see that have changed maybe in the past five to 10 years?
And then obviously we're going to drill down on some very specific issues that many in the financial industry have had to deal with. So give us a sense of the playing field.
Billy Gouveia: Thanks very much, John. It's terrific to talk with you today. We've been talking, you and I have been talking about some of these issues over our 15 years of collaboration and friendship.
So it's fun to talk with you about this and also an honor to be here with Juan. Just by way of a bit of context, our firm is first responders for cybersecurity incidents. So last year we helped nearly a thousand organizations. Over our three years in business, we've done thousands of response [00:03:00] matters.
And so I think it's fair to say we see a wide swath of cyber incidents, but one of the changes worth commenting on is a couple years ago we were seeing 80% ransomware, 15% business email compromise, which I'll hereafter refer to as BEC. The proportion and the cost of BECs has increased tremendously.
So now it's over a third of our portfolio of cyber incidents, and each BEC is causing far more harm. As to the IC3 report, it's an excellent document and I certainly want to commend law enforcement for their information sharing, but I do want to point out my personal view that those numbers wildly understate the magnitude of the problem.
So I think there's underreporting in terms of how many incidents there are, and I think there's underreporting on a greater scale in terms of the cost of those incidents.
John Byrne: Let me ask you about that. I completely agree, and I think law enforcement would tell you the [00:04:00] same thing.
What do you think the biggest... Besides the obvious, to me, would be a major company doesn't want to report something because they know it could get leaked, it's going to affect reputation, that sort of thing. So we understand that. But besides that being a hindrance to reporting, just from your experience,
why is it so underreported? Is it mainly that, or are there some other factors?
Billy Gouveia: There's a couple considerations. There is some guidance for publicly traded companies to report things that they deem material. So there's a lot of discussions around materiality.
It's important to note that the underreporting has a wide range of possible explanations. On the one scale, if you're a highly visible organization, it invites a class action lawsuit. So if you're beneath the notification thresholds and you can comply regulatorily with everything you have to and not [00:05:00] disclose it, then that might serve your interest well. I certainly don't see any organizations willfully not complying, but there's a choice to be made sometimes of, should we report this or not? And one of the possible factors in that is we don't want to do it. Another is it could open you up for further attack. Much of cybersecurity is not about outrunning the bear.
It's around outrunning other companies, and once you disclose you've had an incident, other threat actor groups can have an eye on you. And then moving downstream to personal things, I think there's some shame involved. And, I never should have clicked on that, or you touched on romance scams, like it's a difficult thing for people to talk about, and they may say it's unlikely that for me losing a few thousand dollars that the FBI is going to give this attention. I just want it to go away. I have no obligation to report it here. Hard to say with anything in terms of this type two error, like what's missing.
But those are some of the [00:06:00] explanations that I put forth.
John Byrne: Juan, just from a process standpoint, tell the folks what are the various ways in which institutions like FIs can report breaches or attacks. What are some of them? We're aware of suspicious activity reports, but what are some of the other vehicles to actually report if there is an attack, a breach, and we'll talk about ransomware and that sort of thing.
What are some of the compliance platforms in which you can report or should report?
Billy Gouveia: Yeah, I
Juan Carlos Benavente: think, I think the main, I think Billy mentioned it as well, I think the main process for this is SARs, where they can have analytics around this data and kind of understand where the attacks are evolving and the kind of things that we're seeing
in terms of the trend, which is something that I wanted to highlight. Even though I agree a hundred percent this is underreported and the numbers are probably very low for the reasons that you mentioned, the victims sometimes don't report the information and [00:07:00] things like that, but at least it gives you a trend of what's happening.
I think this is a 33% increase from last year, which is significant when you look in the underlying numbers. And the vast, this increase year over year, and no expectations that they will change anytime soon.
John Byrne: All right, we have it. We can hear you. I know you're down in Puerto Rico, but there was a little bit of back, whatever the technical term is, so we didn't hear actually everything, so let me go back.
Oh, wait, okay. One more time. You mentioned
Juan Carlos Benavente: SARs and go ahead. SARs mainly, it is really the main mechanism we have and the one we use for this type of reporting. Of course, all the regulatory requirements on the cyber side for different types of issues. But on the fraud side it is mostly the SAR process for the different cases.
John Byrne: Great. Billy, one of the things we talked, about, was it better
Juan Carlos Benavente: by the way, the [00:08:00] sound? Was it better? Yes, Yeah. Sorry. Yeah, we're good. We got you on. Thank you. Yeah,
John Byrne: we gotcha. Billy, as we talked in our prep call, one of the things we wanted to cover was ransomware. Just going back to the IC3 report, again, given the premise that we accept that these are lower numbers, the report from 2024 says that there were top five ransomware variants by complaint, and they list them in there. But they also say that there was, in the financial services industry, excuse me, there were a hundred and 125 reported cases of ransomware. Let's talk about what is ransomware. Give us some examples, and then two things I'm very curious about you from Surefire’s perspective, when you get called in after it's occurred.
Yep. The recommendations, what are some best practices and that sort of thing. So first, describe it, if you will. I think [00:09:00] most of us know what ransomware is, but let's talk a little bit about that, and then again, when you're called in, what are some of the factors you consider when you're giving your advice and counsel to the client?
Billy Gouveia: Yeah. Okay, great. As you pointed out, many people are aware of the term. It tends to work in a couple different ways. So the primary way is threat actor compromises your environment, encrypts your data, and demands payment for a decryption key. Another way that ransomware takes form is by stealing your data
and then demanding payment in exchange for a promise to delete that data. And then many times they commit both instances of ransomware. So that's considered double extortion. And also there are incidences of threat actors contacting executives and issuing personal threats if there's not a payment and things like that.
I don't [00:10:00] want to focus too much on that because it tends to be the edge case, but we certainly see this: as ransomware grows, there are additional techniques brought to bear to increase leverage and try to force payment.
When an organization detects ransomware, either by waking up one day and seeing that their data's locked up and there's a ransom message, or being contacted by a threat actor saying, we stole your data, or being notified by law enforcement or threat intelligence researchers saying, Hey, we saw a notice on the threat actor's dark website about your organization.
Those tend to be the primary ways that an organization finds out. Our first step is to contain that. So step in, figure out where the threat actor is in the environment, isolate them and eradicate them right away. The second step is pulling forensic artifacts so we can do a proper investigation,
figure out [00:11:00] exactly what happened, how that threat actor got in, what data they accessed, if they exfiltrated data, what data did they exfiltrate, and start a data mining process in order to determine if no sensitive customer data or anything that set certain PII triggers or notification requirements around that.
In addition, we have a discussion around negotiation strategy. Oftentimes the decision to negotiate is very different from a decision to pay. There can be four possible objectives in negotiating. One is to get a decryption key. One is to get a promise to have that data suppressed so that it's not published.
Another is to gain intelligence to inform our investigation. So if the threat actor promises to steal, makes a claim rather, that they stole data, you say, okay, prove it. Send us a file tree of what data you stole, and that helps us accelerate the [00:12:00] investigation. And then the fourth would be to buy time.
So a lot of times the decision to pay is informed by things like the quality of backups and figuring out how much damage they may or may not have done. By communicating with the threat actor and extending the negotiation process, we can often buy more time to get answers to those important questions.
And then the final step is restoring the client's environment so that they're more secure than they were before. So rebuilding their systems, bringing their data back, whether that's decrypted or pulled from backups, making sure that all that is available and that their security posture is stronger than it was on day zero.
John Byrne: This is a naive question on my part. I literally don't know the answer, but are there situations where the threat actor, during the negotiations, the client agrees to pay, pays, and then the threat actor does not provide the key? Is that something that occurs [00:13:00] or, and again, you want, we don't have to be too technical, but maybe the way the system works and the way you guys operate, that can happen.
But is that a possibility at all? Yeah, it,
Billy Gouveia: it could happen, but it doesn't. Okay. And here's why. There are more threat actor groups than ever before. Prior to the Ukraine invasion, I like to think of it, we were dealing with dragons. They were very predictable actors. We knew them fairly well.
They were a very limited number. After the Ukraine invasion number, those groups splintered and we were dealing with snakes during that time. There was a lot more erratic behavior on the part of threat actors. And the first time we're dealing with a threat actor, we want to take that risk into account.
The hundredth time we're dealing with that same threat actor, we understand their typology and things like that. But the reason it doesn't happen is that, and I've read stories of it happening, I don't want to say it can happen, but in my many hundreds of times being involved in this we haven't experienced it.
It's simply because these [00:14:00] threat actors understand that there are only so many negotiators or responders like our firms, only so many law firms that deal with this, only so many insurance carriers are involved in this. And if they take money and don't give decryption keys, we'll burn them.
So we'll tell everyone that they're not acting in good faith and there's a payment made and they didn't keep good on their word. We will point out that risk to them if it doesn't happen. There are times when the decryptor doesn't work. And it almost enters a help desk cycle.
Hey, it only worked on these files. Can you help us troubleshoot this? And stuff like that. And there's a difference between whether they give you a key or whether that key is maximally effective. It's important to remember, these are not enterprise grade software engineers. Might only work on 90% of your encrypted files or something like that.
John Byrne: That's very helpful. Juan, all I want to ask you about this is just in terms of education. So since ransomware is obviously something that [00:15:00] does sadly continue to occur, what do you and your peers do in terms of making sure that internally there's proper education, not just about ransomware, but about the process that, if this occurs,
who they need to contact at the bank, whether it's the IT people or what have you. Just in general, how is that training handled? Is it not training as much as it's just awareness? Like you would get, like at our company, we get these notes all the time about phishing. It says if you get this, don't click on the link.
Send it to the phishing barrel or whatever we call it, where we'll know that this came through. What sort of things, in your experience, in terms of education and awareness specifically about ransomware, do financial institutions typically do?
Juan Carlos Benavente: Yeah, I think it all starts with your tools
for the detection. It all comes in through an email or any other type of mechanism. I think you have those tools, but for anything [00:16:00] that gets through, I think the biggest and most effective weapon you have is awareness. Create awareness among all the population and the company. So everybody knows to look for these indicators, and obviously if you find
just send it to the right area, the most important. I think there's a lot of institutions that do internal tests for these things, right? To ensure their employees are able to recognize it when they see it. And you'll be surprised how effective this becomes.
John Byrne: I'm going to go back to Billy in a little bit, but Juan, I want to come back to you on something that we've talked about, and you were kind enough when we were in Puerto Rico a couple months ago to do a panel discussion about that, and that's developing,
enhancing and sometimes creating a cyber fraud fusion center. Tell us what that is, what [00:17:00] you're seeing other institutions high level do, and then I'll ask you some specifics about the process. As we've talked about before, if you've been in the AML space as long as I have, it was certainly
very siloed. Money laundering investigations, compliance, Bank Secrecy Act was totally distinct from fraud prevention, financial crime. And that's changed over time, obviously by necessity. But the cyber fraud space is still an area where the financial sector is improving its internal collaboration.
But you've been involved in some opportunities to try to figure out ways of connecting those. So I'm curious about how you put those together, and let's talk about some of the challenges in getting there.
Juan Carlos Benavente: Yeah, sure. So look, the cyber fraud fusion center idea, it is really about bringing different disciplines [00:18:00] together with the purpose of detecting fraudulent activity earlier in the lifecycle.
And what I mean by that is deploying capabilities at the different stages of an attack, so you give yourself a better chance of detecting those attacks as they happen. When this discipline, this concept appeared several years ago, there's really no framework or anything that you could follow to implement this kind of capability.
So what you start to see is different flavors of the idea, different institutions coming together and bringing functions together to try to develop this kind of function. But then, just from my experience in building functions like this, we came up with three very important areas that add a lot of value in the fraud prevention world that come from the cybersecurity space.
So we have the threat intelligence portion, [00:19:00] which I think is critical in that work. Threat intelligence has been a very well established function within the cybersecurity world for years now. In the fraud prevention world it is a little newer and harder to integrate because the concept just didn't exist.
If you think about cybersecurity and fraud prevention, that have been siloed functions forever, completely different at its core as a function, but there is an overlap and there's a lot of value that can be added, specifically from the cyber side and the threat intelligence side, that can help in the detection of fraud.
Threat intelligence being the first one. This is any type of collaboration with external institutions, peers, and collect any information about attacks, try to disrupt them as early as possible. Then you have the cyber fraud, which is an interesting concept, because if you think about cyber fraud, it is obviously leveraging the tools that you have at the perimeter, at the cyber perimeter, to understand in a little bit more detail that interaction between the bad [00:20:00] guys and the systems.
This is something that is not available in the traditional fraud prevention tool, so you can leverage this information to understand if the client has malware, things like that. And then you have, which is actually a little bit more difficult, the interaction between the bad guys and our customers.
That's an area for which nobody has any tools. So you have to do a lot of innovation in this space to really understand and try to disrupt this interaction that happens by, you can do things like understanding traffic between the bad guys and our customers. When there's malware on a machine, there's a lot of C2 servers are there collecting this information.
So it's entering this world for which nobody has any capabilities to try to understand. There's a lot of things that we do, for example, in the phishing space, we say, we see the industry, in the phishing space, looking for phishing sites that are targeting the corporation, seeding information, trying to understand the cycle
of that information when it comes back. And then of course the [00:21:00] analytics, which is traditionally more of a fraud function. But when you start combining that threat intelligence with the cyber fraud capabilities that you get at the perimeter, in that interaction in the outside, and you run the traditional analytics on it, but you get back, it's a tremendous amount of information that is not available in traditional fraud prevention functions.
And that's the reason a function like this starts to emerge, to get that better understanding.
John Byrne: What was your background before you got involved in this? Because in the past, as I said, with the disparate areas of AML and fraud, the AML space was lawyers and compliance folks and that sort of thing.
Obviously in cyber information security, people with analytic data backgrounds. What was your background in the space, and did it help you in ensuring internally that there was collaboration? Because many moons ago at an [00:22:00] institution that I was at, there definitely was a disconnect between the two.
The fraud, not even the cyber side, the fraud side and the AML side. And so there was gaps in when SARs were filed, there didn't seem to be this team effort. It wasn't just my institution, I heard it, a number of other ones. So I'm real curious when you got involved, your background, your skillset, and then how did that help you or not in connecting everybody.
Juan Carlos Benavente: Yeah, good question. Definitely I spent the majority of my career on the cyber side, so did a lot of engineering work, SOC type of work, operations and that kind of stuff. And then an opportunity came up to build this cyber fraud fusion. I was like, sign me up. Yeah. But I think the interesting question about the background,
because, just from experience, the most difficult part of building something like a fraud fusion center is actually the [00:23:00] language between the cyber function and the fraud function. They're very different. They don't necessarily understand what they're talking about. Fraud prevention is more,
much closer to a business function, the way it is managed, the way it is run in general. Cyber's very different. So coming from the cyber background, and as I started to learn the fraud language, what's important, what matters most, what's recoverability, what are the types of transactions that we go for, and things like that,
I think merging those two is really an important concept for a function like this to succeed. And I think it actually helped, having that background, having the exposure to what the perimeter looks like. When I was part of the cybersecurity function, we had the opportunity to build very good use cases that were helping the fraud function.
And that was like the connection: Hey, look, this is very useful. It's not available over there. Let's just share it, right? [00:24:00]
John Byrne: All right, Juan, you froze a little bit. I'm going to come back to you. So Billy, there's a question in here and I know we haven't talked about that. That's kind made the background.
Billy Gouveia: Oh, you're back. You.
John Byrne: Oh, I'll come back to you. No, no worries, Juan. I'm back. We're back. Yep. You mentioned business email compromise before, and I'm going to ask you to drill down a little bit, but one of the questions from one of the attendees is, could you talk about, this would be obviously your experience, the biggest cyber event that you've been involved in.
How was it solved? High level, of course, what was the payment method used, and was there a way to track that payment method? Again, we're not asking you to give up secret sauce, but just in general, and how was control regained? Can you give us a high level example?
Billy Gouveia: The hardest part of that question is, biggest.
So it's tempting to measure biggest in terms of what's the biggest dollar page or the number of machines locked up and things like that. But [00:25:00] the reality is the biggest might be those that have an existential question posed by a ransomware actor in front of an organization.
There are times when there are big ransom demands at very large institutions and they're going to be okay as they weather the storm. There are times where there's a ransom demand that if not paid, the organization cannot continue.
And there's a real question of whether they have the money to do that. One way of looking at that is in terms of the criticality of the incident to the organization. And one of the things that makes this work so easy to pull one's heart into, and I feel it's such an honor for my team and me to do this, is that we're helping real people through real problems. It's not just the technical team, it's not just the executive team, it's the people that they live with that they're coming home all stressed out about. It's the people [00:26:00] that work at that organization that may or may not have any idea about this incident.
And then it's all their customers or all the people that depend on the goods and services that organization provides. I can think about the biggest in terms of cancer clinics that get hit, and we want to make sure that patients walk in the next morning. I can think of biggest in terms of $20 million ransom demands.
You're like, wow, that's a lot of money that good people worked really hard to earn, that could get sent to evil people to do more evil things. And I'm deeply allergic to paying ransoms, but I also recognize that sometimes it's the best cost benefit analysis. So a bit of a long preamble to the heart of the question.
But so, forgive me for that, or thank you for indulging me in that. Yeah. But the great thing about engaging is, having done this so many times before, firms like ours can look at a client like, we got you. [00:27:00] Like we know how to get you back on your feet.
And part of the question is around the payment mechanism. So if we do negotiate, we want to balance out those different objectives we talked about. Oftentimes it comes down to a straight trade of time for money. If we can drag out the timing, let's say it's a $10 million demand.
If we're going to drag out the timing for several weeks, we might be able to get it to a million dollar demand or less. And in the meantime we'll be constantly interacting with the threat actor and saying hope we restore our critical systems. We have data backups. We don't really need this.
And things like that. But this is also where the cyber intelligence that you spoke of, Juan, becomes very helpful, because each threat actor has a different mindset and a different approach to negotiations. And some will move much more quickly to start leaking [00:28:00] data or start taking other punitive or destructive action.
So at the end of that negotiation cycle, if the organization chooses to make a payment and they feel it's in their best interest to make that difficult decision, it's their decision, not ours. We will engage a crypto broker to effect that transaction. There are a number that have been through very strict diligence regimes.
There's a lot of attention paid to OFAC checks. We provide insights from our forensic investigation to inform that OFAC and sanction check analysis. But I think it's important that whoever's negotiating the ransom and whoever's effecting the payment be separate parties run on the same side of the table, so to speak.
But there's a few players in that space that have proven to be very careful around who they pay and have strong diligence regimes in place, and we'll work with them. [00:29:00] If I may Yeah, go ahead, Juan, John.
Juan Carlos Benavente: Yeah, please. Just to add on that threat intelligence point, you'd be surprised how many times you find information through these channels, even before the compromise
target knows about it. And it gives you a pretty good understanding of your adversary, like who you're dealing with and how are you going to prepare for that. So definitely agree on that point.
John Byrne: Billy, an aside but important issue, and I know you're not in public relations per se, but I'm curious when you're doing your work with the clients after the ransomware.
What is the, how is a decision made to go public, if they do go public? Now, I realize you don't just deal with financial institutions, you deal with the health industry and a bunch of others. But just in general, what are the factors? There's some obvious factors that we could guess at and be right, but what are some of the factors that go into your [00:30:00] recommendations on, after this is closed down,
we have to be public about this and here's how to do that. What are some of the considerations?
Billy Gouveia: Yeah. A large financial institution would have a strong internal communications team with oftentimes external crisis communications experts. And so we work with them to explain our narrative of what happened. It's important also to point out that the stigma of a cyber event, except for the very worst or egregious ones, has really changed over time.
Yeah. If an organization is hit by a ransomware, that no longer has a reputational damage that it did just a few years ago, and when you talk about the numbers from your IC3 report,
you think about how many organizations have been hit, it just doesn't have the same impact.
And that's proven true with stock price analysis and other measures as [00:31:00] well. What does matter is how well you handle it. If you choose to disclose an incident, or you have to disclose an incident because you're publicly traded or there's some right, or guidance, or it's others, security researchers see it on the dark web, or customers are aware of it and you feel it's the right thing to do to address it. Or sometimes you just want to explain that this happened and you handled it really well and everyone should have confidence going about the business.
I think just sending, like anything, a clear and truthful message goes a long way. It's pretty straightforward. I don't think it's always helpful to share the technical details of the incident, because oftentimes that can help threat actors. They read this stuff too.
John Byrne: Yeah, that makes perfect sense. Without me knowing more than just reading about it, I think, a hundred percent agree with you that it doesn't have [00:32:00] the same, it's negative when it occurs. No question. It's totally different than it was several years ago. So I think that's a very fair point.
Anything, Juan, you want to add to that? Just in terms of the financial sector's response? Because we've all seen several of your peer banks when they've been hit have announced that and have fairly soon after it occurred, so that does tend to happen. More so when they're hit. So anything that goes into the decisioning that some of your peers have, in addition to what Billy's already mentioned?
Juan Carlos Benavente: I think the point around the response, I think it is becoming increasingly difficult to detect every little thing. There's a lot of action out there in the face. The resources that you pour into the response are very valuable. When thing happens and they become critical to detect, mitigate, and eliminate the risk from the environment.
So [00:33:00] a lot of what I have seen, a lot of institutions are spending a lot of resources and investments in this space.
John Byrne: Got it. That makes sense. Billy, as I said before, I want to go back to business email compromise again. We talked offline that the attempts to do that are getting much, much more detailed and harder to discern.
Briefly describe what it is, and then some of the, again, do's and don'ts. I will mention that we were part of a forum last month in DC in which the IRS-CI was involved in presenting and talked a great deal about business email compromise as a big issue that they've been grappling with, as I'm sure law enforcement is at the other agencies as well.
Let's talk a bit about that.
Billy Gouveia: Sure. Put simply, it's compromising someone's email. And what can you do with a compromised email? If I compromise a CFO's [00:34:00] email, I could change payment instructions and have money go to an evil person's account instead of payee's account.
Just I think the first ransom I worked on over a decade ago was $4,000. Until a couple years ago, a lot of business email compromise losses were in the low single digit thousands. What's changed is not just the sophistication of the attacks, and I'll unpack what I mean by that in a moment, but the amount of money being lost per attack.
So instead of trying to get away with $5,000 misrouted here, they're looking at the full payment amount. I think about a construction company buying materials and trying to change pay instructions for an entire amount of payment. We're seeing $600,000, which is a vast change from just a couple [00:35:00] years ago.
The other change is it used to be primarily compromised by phishing, by clicking on links, by clicking on attachments, things that's really dropped off. Instead what's really picked up is compromised credentials. And so this is where AI comes to bear. Those credentials could be compromised passwords available on the dark web.
They could also just be brute forcing passwords either at the individual account level or into some network appliance, like a firewall. And you can use automation to just create hundreds and hundreds of attacks and try to penetrate in a user account.
And then once you're in, that will then notify a human to come and do that changing payment accounts. But as I was mentioning earlier, a lot of early phishing emails [00:36:00] were easily detectable
by poor language or just outrageous schemes or things like that. I look at them all the time and I say, I would've clicked on that too.
This is pretty tough. So there's a deeper answer here.
John Byrne: Anything you want to add to that, Juan?
Juan Carlos Benavente: Look, BEC is a significant threat when it comes to fraud, especially in the commercial side of things. You see it a lot. I think one of the most useful things that we have done in general across the industry, take an asymmetric approach.
If I get a business email compromise and it looks exactly like the customer, just call them. Call them to assure it's the customer; use the phone number that's on file. It's not even that high tech, but it's very effective. Especially if you have high amounts being transferred as a result of an email request, changing that interaction model that the FIs have with the customer to ensure that you account for this type of threat, [00:37:00] which is very prevalent.
Billy Gouveia: Yeah, go ahead Billy. Mike. That's a great point. Roughly I have our data here, 26% of losses are actually not because of an organization being compromised, but one of their third parties being compromised. So there's no technical solution to this. There's a set of different controls such as the one you mentioned that would eradicate that risk.
John Byrne: Billy, as you were mentioning before about identity. And another related AI compromise: I'm looking here at Governor Michael Barr, who spoke at the Federal Reserve Bank of New York last week. The headline is Deep Fakes in the AI Arms Race and Bank Cybersecurity. You could see that on their website.
But just wanted to mention that he talks about just basically how simple this has become in terms of [00:38:00] using artificial intelligence to do this. In the thing they talked about audio information, voice recognition, that sort of thing, and that the financial sector needs to step up its game.
So I know you saw that as well, Billy, but it confirms what you were talking about, that's another area of business email compromise that's using artificial intelligence to get access, right? And,
Billy Gouveia: And that example, thank you for sharing that with Juan and me earlier. That example negates the effectiveness of the control that we were just talking about.
If you're going to have a deepfake, and I've talked to people that say I've known this person for years, and they called me and it was them. It wasn't them. It's hard. There's other ways to improve identity verification and you think about just the.
What is multifactor authentication, Something you have, [00:39:00] something , or something that you are, How, do you integrate other things in there so that if I'm changing a payment instruction to Juan and say, Hey Juan it sounds like you, what was the name of the guy that did that webinar with us?
John Byrne. Okay, cool. I'm going to hit pay. It's something else that wouldn't be intuitive if you're being deepfaked, but again, I think that's a pretty terrifying thing that we're seeing a little bit more of. But it's not 99% of the situations, deepfakes. I read these stories about 10 million losses and things like that.
But those are edge cases at this point. Thank goodness.
John Byrne: A great comment from one of our audience members and she says this this is on compromised credentials. She says, I see too many employees wearing their badge, their work badge when commuting attached to their clothing or worn on a lanyard.
That's security risk. Cyber training, or [00:40:00] within FinCrime compliance must address this with its employees. Technology's advanced so much to easily scan these credentials by being within close proximity. Let's not make it easier for bad actors. I assume both you guys agree that's an issue.
Juan, I guess when any institution that you work for the security requirements probably include, if not that specific, don't do this, but awareness. And this is a perfect example that she's mentioned in this comment.
Juan Carlos Benavente: Yeah. Look, I think the main approach for all of this is just don't give anything away.
Not the badge, not anything that says it's you. I think that's a practice that would serve well for everybody. There's enough information out there already about all of us that actually going back to the thought topic, it makes it [00:41:00] very difficult for institutions to differentiate between an actual customer
and an attacker. They come in right through the main door, not breaking the perimeter through a vulnerability moving internally. In most cases, in the case of fraud, you actually see them come through the main door with all the information that they need for authentication, for identity verification.
So it's really, it is a really difficult space. So anything, just don't share anything, that's the approach.
John Byrne: I know Juan, you said again before we get on to not click on links, but somebody asked this question and besides the answer not to click on links, they said, could you explain about links to bank accounts that are connected directly with somebody on the outside and how to identify something as a fraud link?
I, without knowing anything, I would just say, as you guys have said, don't click on it, call the institution. But I don't know the answer, Billy, but I'm assuming there's not an easy way of looking at a link and saying, oh, we [00:42:00] can tell immediately it's fraudulent. You might see misspellings and that sort of thing, but it's safer just simply not to click on it.
Right?
Billy Gouveia: Yeah. I don't want to disagree with my counterpart here. I think the reality is most security awareness training. Don't click on links and attachments in order, just communicate by sending links and attachments. So, John, you bring up something really important, which is you have to understand how to evaluate a link to see if it's highly probable of being suspicious.
And hovering over it, which is hard to do on your phone, however, see the URL I think is a good practice. But I believe there's room for the technology community to do a better job making sure that when bad links are clicked on, they don't lead to bad effects.
And so I think we talk about the human being the weakest link in the chain. I don't know if that's [00:43:00] fair. I think we need to do a better job understanding that as long as we communicate this way, there are going to be nefarious attempts to exploit that, and we need to make sure that the magnitude of that activity is really low and not really high.
John Byrne: Juan, anything you want to add?
Juan Carlos Benavente: Anything that we can do from a technology perspective to make sure these links don't really take you where they want to take you when you back out from the network, I get it. It's more of a personal choice.
I just don't click. If I get something and I know what it is about, just go directly to it. Because I feel like any one day there's going to be one that's going to be that good. So it's just a matter of a personal choice it, it may bear.
Billy Gouveia: Yeah. And John, if I might sure, sure.
I think the easiest things we can do in our professional lives and our personal lives, the kind of advice I give my mom: have a really long [00:44:00] password and use my multifactor authentication every single time you can. And app-based MFA is much better than text-based MFA, but that's much better than nothing.
Again, most of this is not about running the bear. We just have to be a less easy target than others. Those two straightforward, free things go a long way.
John Byrne: That's a great point. I know a lot of us are like, oh, it's got two factor authentication, but that makes so much sense and I just make it harder for folks.
I hate calling them folks, criminals, to commit these things. Going to come back to you Juan. We had talked and lost a little toward the end, but on the cyber fraud Fusion Center, just a couple follow up questions and that is from your perspective. Again, somebody who came from the cyberspace.
So you had that background and you needed to integrate yourself with those that were doing fraud prevention and AML. [00:45:00] So you already knew you wanted to do the data part of this hard job. What are other ways to integrate and then how do you measure success? Not so much the success of a fusion center.
Success that cyber fraud is being, identified, recognized, detected, and reported. What's besides stopping losses and that sort of thing internally, when the board of directors, you come before the board and you're going to do a report on, in 2024, we did X. How do you measure success?
Juan Carlos Benavente: Very interesting question.
So I'll talk a little bit about the challenges first, and then I'll end it up with the measures of success. In the beginning, just like any new thing, very completely, very different from traditional fraud prevention. So you say, okay, we're going to put a cyber fraud fusion center.
The initial reaction is, what is this? What does this do? So it actually [00:46:00] takes a lot of effort in building trust with your counterparts and with the traditional organizations of fraud prevention to really start to show that value that comes from sources that they have never looked at before.
Like tools of the perimeter at the SOC. This is not available on a traditional fraud prevention. And then what we learned very quickly is that if you take this type of information like cyber malware and the client or threat intelligence data, and you just send it over to fraud prevention, they won't know what to do with it.
So that's where the value of the analytics and the reason why we built an entire analytics function within the Fusion Center to translate this information into something actionable and understandable by the traditional fraud. So, they can turn it into a rule, a strategy, a process change to detect and avoid that type of fraud that we're seeing earlier in the lifecycle.
Some of the other challenges that we found, [00:47:00] just in generally for the process was a lot of fraud prevention processes start with, okay, I see the fraud, I tweak the rules, I claim the benefit going forward. When you start building capabilities that detect this type of attack earlier in the process, so you detect a trend that hasn't necessarily turned into fraud yet when you go to the operations, you're like, this is not fraud.
So you have to actually build these processes for operational teams to preemptively mitigate the risk with this account. So those are some of the challenges that we went through. And definitely a lot of lessons, a lot of failures too. There's a lot that happens in the cyberspace that has no use in fraud prevention.
It's really a select few capabilities that really bring a lot of value and become actionable from a fraud prevention perspective. And then going back to [00:48:00] measuring the success. That's actually a very difficult part because we thought about different ideas of, okay, let's use for example, the open to buy, the amount that is available on the account after you detect that it could be fraudulent.
Okay. That's one way. Then you use things like for example, how much fraud do you lose to a particular type of fraud? The average fraud per loss type. The better you get at implementing a function like this, the earlier you're detecting the attacks, the less you can measure the value in terms of avoided losses because it didn't happen.
You detected it through threat intelligence, you fix the vulnerability either in a process or a technology, then it never happens. So it becomes a matter of trust. And it is actually closer to cybersecurity when it comes to measuring the benefit than it is to traditional fraud prevention. So it all becomes a matter of trust and of course, a reduction in the overall losses that really says, Hey, [00:49:00] look, because of what these guys, a little bit of storytelling too.
Look, we lost X two years ago because of this type of attack. We just detected this type of attack very early. We didn't take the losses. So that's the methodology used for it.
John Byrne: Billy, a question came in, how can we verify if our personal and financial data has been exposed on the dark web?
Billy Gouveia: Yeah, thanks. So I'm sure that all of us have received letters in the mail saying hey, your data was entrusted by you to this organization and that organization lost control of the data. And so we're going to provide you credit monitoring with TransUnion or Experian or any number of others.
And all of those services have dark web scanning modules most of the time. I never pay for them. I always figure I'm in 10 data breaches every year, so I just want to [00:50:00] roll them through. And that's a very easy way to check that, and those are good capabilities to have.
And if you haven't been involved in a data breach that you're aware of yet, first of all, I commend you. Second of all, these services are not terribly expensive. But there's a website, Have I Been Pwned. And it's a very straightforward thing to pull that up, type in your name and see where your name has come up, type in your email address or your physical address and see where that's been out there.
I think the bigger question is what do you do about it? And so if I see that my LinkedIn password from 2012 was compromised. I learned that like a year ago. I go, okay, I've changed it five times since then. So that's not a worry. Did I use that anywhere else? I hope [00:51:00] not.
Making sure password reuse is not part of your security hygiene is an important thing. There's some stuff you can't do anything about. I'm not going to move my house because it was wrapped up in a data breach, but that piece of information alone can't do much.
But if I'm looking holistically across everything that's been compromised, what can I do? Do I need to freeze my credit? Do I need to freeze my IRS account? Things like that I think are the bigger questions based on what's out there.
John Byrne: Yeah, and I would add that given the stories the reports, not stories of access by some new newly created US agencies to a ton of our data.
I think it's only a matter of time we're going to see the fallout from that. But we'll see what happens. Juan, I want to come back to you. We have a few minutes here. Obviously you're involved in training and awareness at your institution. What [00:52:00] are some of the best practices that you and some of your peers do in terms of training?
Those of us that have been around a long time, used to be 10 or 15 questions once a year that you're required to do from an information security standpoint. You've given us great advice. Both of you give us great advice about ways to handle protecting yourself in terms of multifactor authentication, not clicking on links, all that sort of thing.
Just give us a sense of some good examples, from your perspective, being a cyber guy initially, of good training and good awareness, what you've seen and what you recommend the FIs on the call to be considering if they're not already doing it.
Juan Carlos Benavente: Yeah, I think an important, that was mentioned earlier,
important part is your traditional cybersecurity training, where you learn how to hover around the link to see if it is all this stuff. [00:53:00] This gamut of training is really important for all organizations. When it comes to the fraud side, of course, we have our entire regulatory set of training, how to handle a claim, how to interact with the customer, what you need to do from a regulatory perspective.
But I think one of the most exciting ones, which is something that I actually think is very useful, is training the front end employees, the ones that deal with the customers, to try to recognize those flags when a fraudster calls in, right, when to invoke a higher level of authentication.
That training is actually very useful because once you show it to the frontline employees, they're like, oh, look, I see this all the time. Now I know what to do. And you'll be avoiding a tremendous amount of losses with that kind of targeted training, with the tools, how to use them, how best practices, how to detect again, the red flags that they see through there.
John Byrne: Billy, you've already said that when you get [00:54:00] called into a client that's been hit, whether it's denial of service, ransomware, business, email compromise, you work with them and then you work with them to improve. So this does not occur again. Yeah. What are some good examples besides what Juan has mentioned in terms of training in the FI industry?
I realize a lot of these industries, probably similar training is required, but in some spaces like the banking industry, more specific might be the way to go, but just general, I call you in. Big bank had the hit, you fixed it, we've done everything else. But what are some of the things you recommend going forward?
Billy Gouveia: Yeah, so on the business email compromise, on the fraud side more broadly, oftentimes it's a question of identity. Things that help you validate the identity of the payer and the payee go a long way. There's a really cool company that I'm aware of. [00:55:00] Not a partner, not a plug, but maybe the Alex was out there named Virtuity.
I think it started to help Fortnite make payments to players to make sure that it was the right person who won whatever the championship. And now they're helping a lot of big banks reduce their fraud by validating the identity on both sides of the transaction.
So I think a lot of cool capabilities like that. I think about Juan's comments about training and then layering in tools and then also just making sure you're aware of intuition. It's amazing how many times, whether it be ransomware or business email compromise, when you sit down with the team and say, Yes, I knew it didn't look right, but I was in a hurry.
And John, you were talking to us about a situation where, in the middle of a due diligence process, is a demand for sensitive forms. And it was a credible question, but it may have gotten a lot more scrutiny if it wasn't coming at such an important time and with such a tight timeline.
[00:56:00] So the threat actors understand human psychology and how we tend to make more mistakes when we're moving too fast or having to just trusting the intuition. Thinking about there are times when slow is smooth and smooth is fast. Let's just make sure we're going about this in a thoughtful way and not letting the bad guys force us into committing own goals, so to speak.
So those would be the stuff on the front side of the ransomware side. I have a bit of a different list, but,
John Byrne: Well, Juan, takeaways from you, and I'll give you the last word.
Juan Carlos Benavente: No important topics. First of all, thank you for the invite. Great time spending with you guys talking about all these topics.
Look, I think it's the amount of data that's out there, it's really the challenge. You’ve got to develop [00:57:00] more advanced tools to really do identity verification as best as you can. And I was mentioned a couple of times, and I know we mentioned AI is also part of the set of capabilities coming in.
Anomaly detects bunch of different things. But I think that's the key. Detecting and differentiating the true customer against the fraudster is the real challenge for all the financial institutions.
John Byrne: Quick follow up to you. Recommendations for other FI staff on how to stay current.
So what are some of the things that you read that you either subscribe to? Just high level, you mentioned specific publications, but in terms of agency information, that sort of thing. There's a lot of free information out there. Obviously all these law enforcement agencies that we've referenced today put out guidance documents and alerts, and that's obviously valuable reports that come out.
What other things would you say [00:58:00] that maybe the audience isn't aware of? You should also consider reading this on a regular basis.
Juan Carlos Benavente: I think the bigger message there, John, will be when you develop a threat intelligence organization. That's where you start obtaining all these sources. Your peer institutions, very valuable.
What the other institution is seeing is sometimes more valuable to us than what we read on the press. And sharing that information in the right forums. Also ensuring that you have interaction with law enforcement that's bidirectional. What we're seeing, what are you seeing? That's a very important portion.
And then what you do when you have a threat intelligence function dedicated to fraud prevention, you actually sift through all the noise, which is, this is a very noisy space, the intelligence space. It's just if you start reading all this states, you'll never end. So built in that process of eliminating the less reliable sources [00:59:00] and bringing in that high value actionable data, which is really the difference between information and actual intelligence.
Something that we learned early on in the process.
John Byrne: Billy Gouveia. Juan Carlos Benavente. Thank you so much for sharing your insight today. Thanks to the audience. Next month's webinar will be on sanctions. You can register for that right after this is over. Thank everybody so much for their time.
Thank you for your questions, everybody. Stay safe, stay smart out there, and we'll see you next month.
Billy Gouveia: Thanks a lot, John. Thank you. Thanks Joe.

