Menu Close
Section 2

Building Your Foundation

MoreHide

Implement what you know with confidence

Discover action-based tools that provide simple steps for program improvement or robust plans for new ways of doing business. 

MoreHide

Your ethics and compliance program is an ecosystem of moving parts. New laws and regulations, new lines of business, new geographies, mergers and acquisitions become part of a growing enterprise that your compliance ecosystem must support. 

Effective compliance programs are able to deftly navigate these complexities because they have built strong foundations that were developed with the nature of the compliance industry in mind.

This section will give you the expert advice and programmatic best practices to ensure the first steps you take to develop your program are in the right direction. Or if you program is more mature, these resources and insights will give you the necessary guidance to course correct and improve your program’s foundation at whichever stage it is in. 

 

How to Survive a Friday Afternoon Cyber Threat

Chapter 1 of The Worst-Case Scenario Survival Guide for Compliance Professionals

Seventy-five percent of cyber crime is reported as fraud on Friday afternoons.* Let’s let that sink in a bit – a single day of the week – a favorite for many – is host to three-quarters of cyber crime reports. Who would have thought? No one … except for wrongdoers.

 

Tom Fox 06/01/2017

Chapter 1 of The Worst-Case Scenario Survival Guide for Compliance Professionals

Seventy-five percent of cyber crime is reported as fraud on Friday afternoons.* Let’s let that sink in a bit – a single day of the week – a favorite for many – is host to three-quarters of cyber crime reports. Who would have thought? No one … except for wrongdoers.

 

How to Survive

Let’s recall a story that took place a time long, long ago – 2016 – and in places of which few have heard – the U.S., Bangladesh and the Philippines. The story tells the tale of $101 million of Bangladeshi money that was wired out the Federal Reserve Bank of New York (aka the Fed) through the Philippines central bank**. Given the various time zones and locations in play, this fraud took place during the work week and the weekend, which made it even more effective.

 

1. Consider What Day It Is

Is it Friday afternoon? And you’re getting an unusual request? This is the first warning sign that danger may be near. Cyber attacks often happen on Friday afternoons because no one’s watching the shop on the weekends. If someone is sending you an urgent request late in the week, put up your antennas and perform some additional due diligence for verification.

For example, in Bangladesh the weekend is Friday and Saturday. At the time of the cyber attack, “the computer terminal that connected Bangladesh’s central-bank computers to the secure interbank messaging system was ‘unresponsive’ the morning after the theft” and wasn’t able to stop the money transfer.

 

2. Determine Where the Money Is Going

Were you asked to send funds to a location not specified on the contract, such as a location other than where the services were delivered or where the payee is domiciled? This should raise a red flag.

Of the $101 million, “$20 million [went] to Sri Lanka … to the account of a newly formed nongovernmental organization, according to the officials in Dhaka. The Sri Lankan bank handling the account reported the unusual transaction to the country’s central bank and authorities reversed the transfer.” Unfortunately the remaining $81 million was wired to a bank in the Philippines.

 

3. Get to Know Your Vendors and Their Customers

In the banking world “Know Your Customer” (KYC) is a ubiquitous phrase. Yet in the non-banking commercial corporate world, how well do businesses know their third party vendors, their agents and their customers? As criminals and terrorists become more sophisticated, they are laundering money through commercial organizations and many of these same organizations do not have the internal controls that banks have around anti-money laundering (AML).

The Fed made 35 separate attempts to confirm that the money transfer was legitimate. The Bangladesh Central Bank reconfirm the initial requests to transfer the money before taking off for the weekend. It was not until the work week began on Sunday that Bangladesh Central Bank employees hooked up a backup server and printed out the 35 messages from the Fed. They were able to stop the fraudulent transfers at that point – totally another $950 million -- but $101 million was already gone.

Comments

Artboard 1Type your comment here

It never occurred to me to question the day and time a message came in. I think at this point any request to click a link (unsolicited) or to send money (for any reason) should be viewed with scrutiny. There are many ways to conduct business. Go specifically to the requester's business online presence and determine if the request was authentic.

0 Responses
2 Jun, 2017 10:23AM AndreaHIhara

Excellent article!

0 Responses
2 Jun, 2017 7:51AM Aludovic