Identity Theft, Fraud & Cyber Crime Units

Ralph Gagliardi Traci Schwartzbauer

CBI CSP DCJDFPC

DHSEMCICJIS SSRC

CBI – SECTIONSInvestigationsForensic Services

• Collection, Preservation, and Analysis of Evidence Found at the Crime Scene.• Dedicated Forensic Scientists Will Work With Each and Every Agency in Order to Provide Timely and Accurate Results.

InstaCheck Identification Crime Information Management Unit (CIMU)

CCIC, NCIC, CO State Sex Offender RegistryMaintain and Update all Information Stored in the Automated Fingerprint Identification System (AFIS)

CBI - Investigations UnitIdentity Theft / Fraud & Cybercrime• ID Theft / Financial Crime• Cyber Crimes• Victim Assistance

Gaming• Gaming / Organized Crime

Marijuana• Black Market Marijuana Enforcement

Sex Offender / Fugitive• Fail to Register SXO & Fugitives

Major Crimes• Death Investigations • General Crimes• Cold Case• Missing Persons (Amber Alerts)• Human Trafficking

Task Force / Offsite • JTTF – Joint Terrorism Task Force• Safe Streets Task Force• Front Range Drug• RMRCFL – Computer Forensics

TRENDING NOW !!!!!

BUSINESS EMAIL COMPROMISE

Business Email Compromise (BEC) is a sophisticated scam targeting businesses and individuals who regularly perform wire transfer payments

The scheme compromises email accounts to conduct unauthorized fund transfers to a bank account(s) the fraudsters control

BUSINESS EMAIL COMPROMISE

Businesses Affected:Public & Private

City / County / State Title Company / Real Estate Transactions Law Offices CPA / Bookkeeping Firms Any Business or Person – who routinely wires money

Weak Link is YOU!

Fraudsters are depending on our habits. They do their homework about YOUR (office /corporate information).

They count on the email recipient doing many things at once and not taking the time needed to be certain whom they are communicating with.

Don’t be so Quick to Click!

Scams Can Include: WIRE FRAUDPHISHING (Spear Phishing) 92 % of Every Breach!MALWARE – RansomewareROMANCE SCAMS Other INTERNET SCAMS (work from home etc…)W-2 FRAUDPAYROLL DIVERSION

Don’t be so Quick to Click!

Scam Tactics – Used to Get Your Attention!!

Tactics - Get Your Attention!! Social Engineering Open Source Research Identity Theft - Past Breaches (Passwords Same?) Phishing - Spear Phishing - 92% of EVERY Breach

‾ Fake Links ‾ Malware ‾ Gather Credentials

RISK VS. REWARD

Average Amount of Money Stolen in Bank Robbery?

Risk vs Computer Enabled Crime “CYBER CRIME”

BUSINESS EMAIL COMPROMISE

Losses According to the FBI:

$2.9 billion - U.S. victims (October 2013 thru May 2018)

$12.5 billion - Globally (October 2013 thru May 2018)

Real estate scams increased 1,100% 2015 to 2017

BUSINESS EMAIL COMPROMISE

Reported U.S. losses due to Business Email Compromise scams targeting the real estate industry, shown quarterly, with peak losses indicated. (Source: IC3)

Ransomware - Malware

BUSINESS EMAIL COMPROMISE

Tactics - Get Your Attention!! Social Engineering Open Source Research Identity Theft - Past Breaches (Passwords Same?) Phishing - Spear Phishing - 92% of EVERY Breach

‾ Fake Links ‾ Malware ‾ Gather Credentials

Romance ScamWooing Begins Immediately• Promises of Love / Marriage• Excuses as to why can’t meet in person• Ask to Send Money For a Phone Help a Family Member

Her Own MoneyMoney Mule – Open Bank Account ($$$$ From Other Scams)

Accept Packages / Re-Ship

Payroll Diversion - Vender Impersonation

Cybercriminals Target – via Phone or Email: Employees / Employers Human Resources

They want YOU to change bank account information!

Utilize: Phishing emails – (Capture creds or Malware Installed) Spoofed emails (or Fax) Social Engineering

From your HOME or PERSONAL accounts - Hulu?

Selling Agent

Assistant

Buyer One

Buyer Two

Listing Agent

Assistant

Seller One

Seller TwoMortgage Lender

Loan Officer

Processor

Closer

Title CompanyExaminer

Closer

Processor

Transaction Coordinator

BUSINESS EMAIL COMPROMISE

REAL FAKE

xmatteson@yahoo.com xmattason@yahoo.com

mackerman@ulc.com mackermanulc@mail.com

carrie@5280fm.com carrie5280fm@mail.com

kwhitlock@atgf.net kwhitlockatgf@protonmail.com

Hover Over ‘From’ NameFrom:Date: January 24, 2018 at 3:08:25 PM ESTTo: Subject: Re: Parking Meters

Display name is:“Jim@lotsparking.com” or “Jim”

Email is actually:“HackYouAllDay@gmail.com” - Bad

John Smith

Jim@lotsparking.com

Hover Over ‘From’ NameFrom:Date: January 24, 2018 at 3:08:25 PM ESTTo: Subject: Re: Parking Meters

John Smith

Jim@lotsparking.com

Display name is:“Jim@lotsparking.com”

Email is actually:“Jim@l0tsparking.com” - Bad“Jim@lotsparkirng.com” - Bad

Take Quick Action for Return of Fund$!

BEC Victim Should Gather & Be Ready to Provide:◦ E-mail requesting funds - with wiring instructions◦ E-mail headers and IP’s (Request they get assistance from their I.T. or other trusted expert)

◦ Ensure victim has contacted their bank!

Email to CBI: ReportWireFraud@state.co.usWebsite: ReportWireFraud.com

Report to:FBI website is: www.ic3.govFTC website is: www.ftc.gov

What Does The CBI Do?

• Take Quick ActionReporting through Email / Website

• Communication with Bank – All HopsUtilize proper LE Bank Contacts

• EducationWebinars – Flyers – Target Audience

• Persistence / DiligenceNo Loss Threshold, No Time Limit

• Make banks aware - Even When Funds Have Not Been Sent• PREVENT Other Victimization

• Return of Funds• Hold Harmless / Letter of Indemnification• Court Order / Seizure Warrant• Communication with Victims and Banks

• FBI – Financial Fraud Kill Chain• Over $50k• U.S. Bank to Overseas• Occurred within last 3 business days

What Does The CBI Do?

BUSINESS EMAIL COMPROMISE

Number of Victims Attempt Loss

Loss Recovered

Recovery Percentage

FY 16 16 $1,219,203 $1,051,873 $427,154 40.61%FY 17 17 $2,699,060 $542,102 $470,800 86.85%FY 18 36 $6,314,025 $5,174,221 $4,667,121 90.20%

FYTD19 59 $12,078,832 $7,979,021 $6,996,453 87.69%Total 128 $22,311,120 $14,747,217 $12,561,528

As of May 29, 2019

Business Email Compromise

PREVENTIONNEVER EVER EVER – Provide: Money, credit card, social security number or other identifying information over the phone or via the internet.

TRUSTED SOURCEWho called who?How? Why?

PREVENTIONTraining and Policy/ProceduresFollow it! Continued and frequent training / remindersLook for abnormalities in email Be aware of subtle changes in email addressesNotify – Employees and Customers/Vendors what you WILL and WILL NOT do

Policy on?Requests for Bank Account ChangesRequests for PII - W2’s etc…Contact - in person / on the phone - Last known numberCEO / Execs need to have buy-in

Establish Policy and Follow it!!!!

PREVENTIONEmailUtilize I.T. for best practices

Do not use “Reply” – use “Forward” – address from contact list

Who is email sender?Hover over the ‘From’ in the email name display to see addressLook closely at the email address for subtle changes

PREVENTIONEmailBe Aware of Other IndicatorsUnusual grammar or phrases In your service – Blessed Day - Kindly

Odd TimesSense of UrgencyOther Oddities?

PREVENTIONEmail

PREVENTIONPasswords:Don’t use the same one for all of your accountsUse sentences, phrases, lyrics, etc. to be able to remember longer passwordsPassword Manager

Two-Factor Authentication:A second authorization must be provided before signing in, or before transfersAvailable on everything from Gmail to bank accountsThink about how to build this into all of your accounts and your

interactions with clientsPersonal & company accounts

PREVENTION• Careful Clicking: Embedded malware

• Public Wi-Fi:Do not “auto connect”Connect to secure websites and appsRefrain from banking activities in an unsecured environmentKey loggersVPN – How and why to use themhttps://www.privateinternetaccess.com/pages/how-it-works/VPN/Proxy/Tor: What happens to your stolen data

PREVENTIONEMAIL AUTHENTICATION: • Email authentication technology makes it a lot harder for a scammer to send phishing emails

that look like they’re from your company.

• Allows a receiving server to verify an email from your company and block emails from an imposter — or send them to a quarantine folder and then notify you about them.

WHAT TO KNOW• Your domain name might look like this: yourbusiness.com. And your email may look like

this: name@yourbusiness.com. Without email authentication, scammers can use that domain name to send emails that look like they’re from your business. If your business email uses your company’s domain name, make sure that your email provider has authentication tools.

PREVENTION:

QUESTIONS?

Thank you!

Ralph Gagliardi, CFEAgent in Charge

ID Theft & Fraud / Cyber Unit303-239-4287

Ralph.Gagliardi@state.co.us

Traci Schwartzbauer, CFEAgent

ID Theft & Fraud / Cyber Unit303-239-4656

Traci.Scwhartzbauer@state.co.us

Email to CBI: ReportWireFraud@state.co.usWebsite: ReportWireFraud.com