Project Description

Video length: 29:29

OPERATOR: It is now my pleasure to turn today’s program over to Danny Peltz, who’s Head of Treasury Management and Payment Solution. Danny, please go ahead.

Danny Peltz: Well, thanks, Arrow, and good afternoon everyone and welcome to “Protecting Your Organization from COVID-19 Fraud Threats”. My name is Danny Peltz and I’m the group head and business leader of Wells Fargo’s Treasury Management and Payment Solutions. I’ve been sheltering in place for well over a month like many of you and I’m talking to you today from my home office just outside of San Francisco.

Hopefully the dogs will be quiet and as long as we don’t get a delivery from UPS, I think we should be fine. First and foremost, I hope you and your families are all staying safe and healthy. At Wells Fargo, our priority has been to keep our employees safe and at the same time ensuring our customers are well informed while we continue to provide the financial services you rely upon.

Like many of your businesses, Wells Fargo has executed resiliency plans to protect our employees and support our customers. We understand our responsibility and are making appropriate adjustments to our operating model to continue to deliver to you.

Beyond immediate health and safety concerns, we know that maintaining your business operations is essential and that this new normal many of you are facing is presenting some unique challenges. First, staffing changes and work from home situations make it difficult to consistently adhere to established protocols.

Second, business operating models often need to be reshaped on the fly and third, remote workers may introduce more cyber security risks as company devices, VPNs and collaboration tools leverage home networks.

Unfortunately, changes in business operations during times of crisis can attract opportunistic fraudsters. Criminals have been quick to take advantage of COVID-19, upping their game with more sophisticated, well crafted attacks that exploit these operational circumstances.

The FBI recently announced the rise in fraud schemes related to COVID-19 and Barracuda Network researchers have reported an increase of 667 percent in COVID-19 related phishing attacks since the end of February. It’s critically important that you have the tools and information you need to help protect yourself and your organization. As the largest domestic treasury management bank, Wells Fargo’s a leader in identifying and working to mitigate various types of fraud.

Today’s speaker will share insight and examples of some of the new COVID-19 twists on established fraud schemes. They’ll also outline steps you can take to help protect yourself and your business against the recent rise in fraud threats. Wells Fargo is here to support you. Your relationship team including your banker, treasury consultant and service officers are available to provide the advice and service you expect from us. Please continue reaching out to talk to any specific challenges or rethink existing strategies as needed.

Also, please be sure to visit our commercial COVID-19 update site which features information and resources related to fraud, market updates, economic reports and treasury operations. The site is accessible from several pages on including the commercial and treasury management home page and the commercial electronic office also known as the CEO.

Thank you for placing your continued trust in our teams and our institution. We hope you, your business and your loved ones continue to stay safe through this pandemic. I’m now going to turn the discussion over to Seth Marlowe with our Strategic Advisory Team. He’ll be joined in today’s discussion with Jeannie Ellis, financial crimes manager for treasury management and payment solutions. Seth?

Seth Marlowe: Thank you so much, Danny. We’re going to go cross country here with both Danny and Jeannie located in the San Francisco Bay area on the West Coast and I’m in my home office in Stanford, Connecticut on the East Coast. Today, we’ll be discussing four types of fraud and specifically how cyber criminals are taking advantage of COVID-19 and using the pandemic to perpetrate fraud. Before we get started, I’m going to ask you to pause for a moment and looking at the four fraud types listed on this slide.

Phishing, Business Email Compromise, ransomware and Account Takeover. Has your organization experienced one or more of these types of fraud in the last three years? If your answer is yes, let me tell you, you are not alone. According to recent reports, the majority of organizations have been affected by fraud.

Phishing, 76 percent, business email compromise, 75 percent, ransomware, 81 percent and account takeover, “just” 21 percent. Let’s begin by talking about phishing scams and malware. Even before recent events, companies and organizations have been at increased risk of fraud. Cyber fraud rates continue to increase.

In 2019, the FBI reported scams totaling $3.5 billion in losses. Malware and phishing continues to play a prominent role. Phishing is the cybercrime reported to the FBI’s internet crime complaint center with the largest number of victims. Email and text message scams known as phishing have become more and more sophisticated.

These messages may look legitimate at first glance but are used to lure targets to click on a malicious link. This enables cyber criminals to gain access to your computer to monitor and record keystrokes, capture sensitive information or block access to your computer until you may have to pay a ransom.

Jeannie Ellis: Thanks, Seth. I absolutely agree with you that phishing attacks have become more sophisticated. Now with so much information about COVID-19 in the news, cyber criminals are using this information to increase their phishing and malware attempts to try to steal your credentials or gain access to your information, operating system or network. Some of these emails might even target remote workers who are especially vulnerable with messages that notify them of a positive COVID-19 test within their organization.

IBM researchers recently uncovered phishing emails claiming to originate from the World Health Organization and links in the email, download and execute malware, giving fraudsters the ability to capture data and screenshots. There have also been similar emails claiming to be from the Centers for Disease and Control Prevention otherwise known as the CDC.

The FBI also recently issued notices about increased fraud attempts connected to COVID-19. Phishing emails may claim to offer medical supplies, testing kits or vaccines or information about the pay check protection program, the economic impact program and other stimulus payments. You should keep in mind that government agencies and financial institutions don’t send unsolicited emails asking for your private information.

It is essentially important during these times to avoid clicking on links or opening attachments from suspicious or unknown senders and use caution when visiting new or untrusted websites which may be contaminated with malware. Mobile phones can also be vulnerable as cyber criminals have developed malwares that attack through text messages as well as email.

Seth Marlowe: And they’re tapping into other messaging apps too, Jeannie. We mentioned that phishing and malware are very much on the rise. This means there’s also an increased risk of a type of malware called ransomware. In a ransomware attack, cyber criminals essentially hold your computer hostage, blocking access to your operating system by locking your screen or encrypting important files until you pay a sum of money.

The primary mode of ransom where penetration is through phishing emails containing malicious links or attachments as well as compromised websites embedded with malware that allow fraudsters to exploit vulnerabilities in your system, gather information and execute the ransomware. And organizations are definitely at risk.

Semantics 2019 Internet Security Threat Report found that 81 percent of all ransomware infections in 2018 targeted enterprises. Ransomware is becoming increasing popular with cyber criminals due to its very lucrative nature and the difficulty with tracking down the perpetrators. The FBI estimates over $8.9 million in losses for 2019.

But keep in mind, some post attack expenses are less easy to quantify. They include brand reputation and related lost sales and revenue, impacts to contractual obligations, data breach processes and notifications, operational costs and attack mitigation, recovery and future prevention. Remember, your organization can also be impacted by ransomware attacks directed to third party providers, particularly third-party tech providers.

Make sure you have plans and contingencies in place to address the different scenarios associated with this threat. Jeannie, never before have organizations, information, security or info sect teams been so incredibly popular.

Jeannie Ellis: So true, Seth. I think it’s really sad but worth noting that during the Coronavirus pandemic, criminals are deliberately targeting government entities, hospitals and health organizations through ransomware attacks, even starting with States that have the highest number of COVID-19 cases.

Attacks have been directed at local health districts and hospitals around the globe and the latest trends of ransomware is now the criminals are not only locking up company systems but they’re also stealing sensitive and confidential information. A ransomware incident should also be treated as a data breach incident.

Cyber criminals are gaining access to company networks and taking the time to scan through the network to identify value and confidential information. Not only are companies having to pay to unlock their networks but also for fraudsters to not post their company secrets online.

Seth Marlowe: Yes, or on the dark web.

Jeannie Ellis: Even worse, Seth. These criminals have realized they can monetize on the incident in multiple ways, even shorting a company’s stocks just before posting their sensitive data publicly. And it’s not just organizations on the frontline. In mid-March, a medical facility offering to assist in vaccine testing discovered an attempted ransomware attack.

Fortunately, they were able to detect and prevent the attempt from being successful. But with 71 percent of small and medium size businesses targeted in 2018, it’s important to note that ransomware is used against groups across all market segments. Since the primary point of entry for ransomware is phishing emails, employees need to be extra vigilant for phishing attacks.

Organizations should regularly back up their data, store companies offline and segment networks so that it’s even more difficult for ransomware to spread across systems. Additional measures include implementing firewalls and strong spam filters as well as measures to keep your software and operating systems updated.

And finally, remember to practice your resiliency plans so you can act quickly and limit operational impacts should your organization or your third-party providers become infected with ransomware.

Seth Marlowe: You know, Jeannie, prior to joining Wells Fargo, one of the treasury groups I was part of religiously practiced disaster recovery and BCP drills including back up people drills and we did this on all live production systems. I was blown away when I got there but it was soon in my DNA too. All I can say is, practice, practice, practice. Well, we’ll now move on to business email compromise, also called BEC or impostor fraud which also poses a significant threat.

According to the AFP’s most recent team and fraud and control survey, business email compromise affected 75 percent of organizations. These scams pose a significant threat to your business and occur when a fraudster impersonates someone you trust, such as a vendor, executive, the IRS and they try to trick you into making a payment or transferring sensitive data to them. The FBI found that BEC had an estimated loss total of $1.7 billion last year, making it the number one fraud type for total losses.

Fraudulent emails may ask for a rushed payment or last-minute changes in payment instructions or deposit account information and this kind of fraud is very hard to detect because you have been deceived in actually being the one making the payment.

Another example is payroll impersonation. This is where fake emails direct employees to update or confirm their payroll information on a totally fake platform. BEC attempts often create a sense of urgency to encourage individuals to react in the moment, to not think and without regard to standard protocols. Hey, Jeannie, I had this urgent wiring I need you to send right now.

Jeannie Ellis: Nice try, Seth. You can’t get me with that trick.

Seth Marlowe: Darn.

Jeannie Ellis: But it is that sense of urgency that cyber criminals are trying to take advantage of now. As Danny mentioned earlier, in today’s environment, operating models are being reshaped on the fly and standard defenses are harder to maintain. You could also have six staff members or staff members caring for their family members which can create staffing shortages. All these factors can increase risk.

Given that most businesses and organizations are also communicating updates about the virus and procedural changes by email, fraudsters have new opportunities to use COVID-19 related messaging to try to compromise your information using BEC. As we mentioned before, the email may claim to be from a government agency. It could also claim to have industry upgrades, HR updates or claimed to be from a charitable organization.

Now with the need for supplies mentioned in the news, government entities and health care organizations are being targeted with emails claiming to offer or request payment for personal protective equipment, also known as PPE supplies. The FBI recently issued an alert warning government and health care industry buyers of a rapid rise in scams related to the procurement of PPE such as masks, protective clothing, ventilators and other necessary medical equipment.

They identified multiple incidents where state government agencies have become duped into remitting payments either directly to a supposed supplier or to a broker claiming to have supplier relationships who can deliver desperately needed PPE. Fraudsters are taking advantage of the sense of urgency to procure PPE along with the shortage of supply available in the marketplace to negotiate advance payments from buyers who might not ever actually receive the goods.

It is critical that you validate and confirm any new supplier relationship before remitting payment and use caution if you are depending on a third-party broker. If possible, take delivery of the physical goods before remitting payment or potentially leverage a domestic escrow account that will release payment to the seller only upon receipt of the promised items.

Now, ensuring that your employees remain vigilant about validating any account changes or payment changes for vendors is even more critical during this time. It is also important to remain vigilant as more organizations migrate from paper to electronic payments. Fraudsters are using this opportunity to conduct ACH, wire and card not present supplier fraud. As an example, one of our customers recently received an email claiming to be from a known contracted vendor.

The email requested that the next payment be sent by ACH rather than check given the difficulty of making deposits during COVID-19. Confirm and verify the authenticity of requests several different ways, for example, by phone and email and don’t assume the contact information provided in the request as correct. Check it with what you have on file. Finally, employees may not have the normal access, the contact information, company files or procedures while working from home.

Make sure that employees have what they need to follow proper processes and procedures while remote. Employees with access to other’s personally identifiable information such as human resources, bookkeeping and audit groups should also should use extreme caution when handling requests for confidential information. There’s so much to look out for in this new normal.

Seth Marlowe: And it can feel like way too much sometimes and you know what, that’s exactly what the fraudsters want to have happen. Now, the final fraud thread is account takeover. And that’s when fraudsters use your online credentials to gain access to your email system, in essence, taking over you to make an authorized payment.

This means that they are making and authorized payments as you using your credentials, a process that can happen through malware and/or social engineering. Cyber criminals can also sell your information, making you vulnerable to additional fraud attacks. The option to sell information makes account takeover really profitable for the fraudsters.

In 2018, Javelin reported the cost of account takeover fraud had tripled to $5.1 billion and their 2019 Identity Fraud study found that takeover attempts are increasing, particularly on mobile devices.

Jeannie Ellis: Yes, on mobile devices and let’s not forget also on banking apps. A good example is the rise in malwares specifically designed to steal banking usernames and passwords. IBM began detecting an increase in the use of a Trojan malware package in March to steal banking information. Use of this particular type of malware had been declining however it’s become more prevalent during the pandemic.

Your organization might want to consider strengthening internal controls such as dual custody on all payments and modifying the way you validate payments and payment information. With dual custody, the first user initiates a payment or administrative change and the second user on a different computer or mobile device must approve the payment or change before it takes effect. So by separating tasks and using different devices, you’re better positioned to identify the fraud before it happens, especially in a remote environment.

Now that we’ve talked about the ways in which cyber criminals are using phishing, malware, business email compromise and account takeover during the COVID-19 pandemic, let’s review some best practices organizations can use to help protect themselves. Seth, do you want to get us started with the first best practice?

Seth Marlowe: Will do, Jeannie. So first on our list is to be aware of suspicious emails or links. So be cautious when opening unexpected emails from known or especially unknown senders. With phishing attacks on the rise, you should always access a company’s website by using a reputable search engine or actually typing the entire URL directly into your web browser.

Do not select links in emails or text messages or open attachments or install programs unless you’re sure that they’re from a trusted sender. Downloadable files could harm your computer or mobile device or even your entire network. So Jeannie, back to you for the next best practice.

Jeannie Ellis: Thanks, Seth. Best practice number two is verify all payment requests and changes to payment instructions. If you receive a request to change payment details such as account or invoice information, always make sure the request is authentic. Verify these requests using a different method of contact. For example, if the vendor typically contacts you by email, confirm the information by phone.

And use contact information you have on file and provide your cell phone information when leaving a message so your vendor contacts can reach you directly. Take steps to implement security measures when processing payments as well.

Dual custody and daily account reconciliation both help deter and detect potential fraud. Use extra caution when setting up first time payments to new or existing vendors. Many banks proactively reach out if they suspect a payment may not be legitimate. Don’t automatically assume your internal controls are sufficient. Pause and take the time to confirm the payment.

Be sure to use the information you have with the contact on file, not the contact information contained in the request that you received and ensure your employees have access to trusted vendor phone numbers, especially when working remotely to facilitate callbacks to confirm payment. Seth, perhaps should I use your home office or cell for my callback?

Seth Marlowe: Touché, Jeannie. Nice try. Moving – moving to third on the list, would be to protect your passwords and credentials. Organizations should have a strong password policy in place, one that’s been clearly communicated to your employees and staff.

Never, ever give out passwords, IDs, token codes or other authorization credentials. Do not share passwords across different websites and be wary of unsolicited calls including from people claiming to be from your bank to assist you for unreported sign on issues.

You should always ignore pop up’s asking for your online banking credentials and be cautious of unexpected token prompts. For example, customers using CEO or online banking portals receive token prompts when accessing certain high-risk payment services like ACH and wires. If you receive a token prompt at an unfamiliar point that’s not a high-risk activity, do not enter your token code.

In fact, for customers using our mobile token feature, instead of physical tokens, codes are actually sent directly through our secure app and mobile tokens don’t require reactivation or replacement. If you’re concerned about unfamiliar token prompts, contact your banking service’s support team.

You should contact your bank immediately if you receive unexpected messages or confirmations about sensitive transactions that you did not initiate. OK, we’re going to go back to the West Coast for best practice number four.

Jeannie Ellis: Best practice number four is to secure your devices and connections. As we’ve mentioned, with more people working remotely both on company issued devices and personal computer, the risk in remote connectivity leaves you exposed to more cyber security risk.

Having a remote workforce means employees are connecting to your information and systems using their home internet security, some for the very first time. While working from home, employees need to keep their work and personal activities separated on different devices.

Work devices should be protected using end point security, including password protection and virtual personal networks also called VPN for work communication. That way, even if the device falls into the wrong hands, your data is not accessible. Employees should also log out of applications and VPN when not in use. Protect confidential information by not printing confidential documents with personal computers.

Your meetings and conference calls are also vulnerable. Tracking video conference calls, sometimes called video bombing, is a fraud type that is increasing and can happen on any video conference platform. During an open call, unknown individuals join and share explicit content.

If you block the user but the call is not secure, they can sign in using different credentials and continue sharing unauthorized content. To thwart attempts to disrupt video meetings, keep your software up to date. Use log in passwords for meetings and manage participants, locking down which participants are allowed to display screens and use their microphones when necessary. Be aware that any content shared may not be secure.

Seth Marlowe: Yes, it’s one more thing and our last but not least thing is our fifth best practice which is monitor accounts and processes. If you’re not currently doing so, it’s an industry best practice to reconcile your accounts daily to detect any suspicious activity. Most banks offer positive pay for checks and ACH payments that incorporate separate review and approvals.

If you issue and print checks, make sure you have adequate controls over the physical check stock and all signatures. And if that’s not possible, consider leveraging electronic payment options that offer digital controls. Finally, ensure any new processes you implement are well documented and audited to capture any critical gaps. Jeannie, we both know that even the best organizations can fall victim to fraud. Now, if that happens, what should they do?

Jeannie Ellis: Well, Seth, if an organization thinks their account information may have been compromised or anything seems suspicious, they should contact their bank right away. We ask our customers to forward all suspicious text messages and emails to You should also contact your client service officer or call Wells Fargo Treasury Management Client Services at 1800 AT WELLS, that’s 1800 289 3557, option two.

Seth Marlowe: There are also a lot of other good resources available. Our COVID-19 site has information on business continuity planning, fraud and market updates. You can also find lots of information regarding fraud and security on our treasury insights website. If you’re looking for information about COVID-19 risk, use trusted sources and here are a few I suggest – the FBI’s Internet Crime Complaint Centre, the Federal Trade Commission and the Department of Homeland Security.

Jeannie Ellis: I would also encourage our listeners to share this information with your peers, executives, finance and human resource teams. Education is so key in fraud protection. Discuss ways to increase security with your IT teams and make sure new measures and procedures are clearly communicated to all employees. Now, as a reminder, a replay of this webinar will be posted on our commercial COVID-19 update site on You can look for an email from us when it’s available.

Seth Marlowe: Hey, Jeannie, it’s been great getting to collaborate on this webinar with you and Danny, too.

Jeannie Ellis: Thanks, Seth. It’s been a real pleasure to join you today.

Seth Marlowe: We know these are challenging times for you and your business and we’re here to help with the right guidance and support to make smart, thoughtful business decisions. Fraudsters are taking advantage of COVID-19 disruption and there’s been significant increases in phishing, malware, ransomware, BEC and account takeover attempts.

We encourage you to check out our COVID-19 website and reach out to your relationship team as you continue to navigate this new environment and take steps to manage potential cyber risks. On behalf of Danny, Jeannie and our entire Wells Fargo team, we thank you for your time today. Please do everything you can to stay safe and let us know how we can do our best to support you.

Operator: Thank you, presenters. Thanks to all our participants for joining us today. This concludes our webcast. You may now disconnect.