To navigate this new normal, we invite you to listen to our J.P. Morgan experts on the current fraud and cybersecurity landscape as well as tactics to strengthen your cyber defenses.

 CALL BEGINS

Moderator

Welcome to the J.P. Morgan Conference call. My name is Bella Jasani and I will be you conference operator for today.

 

Before we begin, it is important to remind you that the information discussed today is for informational purposes only. Opinions expressed herein are those of the speaker and may differ from those of other J.P. Morgan employees and its affiliates. The information provided is intended to help clients protect themselves from cyber fraud, however this is not a comprehensive listing of all types of cyber fraud activities or cybersecurity best practices. The use of any third-party brand names is for informational purposes only and does not imply an endorsement of their products or services.

 

It is now my pleasure to turn the call over to Bella Jasani.

 

Bella

Introduction

 

Thank you,  and thank you to those who are joining our call today.

 

Welcome.My name is Bella Jasani, Head of IPB Client Engagement and Solutions Marketing.

 

Some of you on this call may have personal experiences with fraud or know the panic and feeling that comes with hacking attempts.

 

We make cybersecurity and fraud prevention a priority across the firm, and right now we are seeing many fraud attempts. It is so important to protect our information, our names and to keep everything secure.

 

With that – joining me on today’s call are Amy Zeng, Head of Fraud Awareness and Governance and Ileana van der Linde, our Cyber Awareness Program Lead. Amy and Ileana are here to provide us with insights on the current fraud and cybersecurity landscape and share important guidance to help safeguard you, your family, and your money.

 

Welcome Amy and Ileana! We are excited to have you on the call today, and I’d ask that each of you take a moment to introduce yourselves.

 

Bella

Thank you both for joining us on today.

 

AS I mentioned, Cybersecurity and fraud prevention is something J.P. Morgan has invested a significant amount of funding and resources toward in the past several years.

 

However, we’re in unprecedented times. The COVID-19 pandemic has changed the way we live, the way we work, and how we interact with those around us. So there is heightened concern – and a renewed focus – for educating our clients on what we’re seeing.

 

Ileana, I’d like to start with you - what are you observing right now that should be top of mind for our clients?

 


 

Ileana

 

Sure, Betsy. As you alluded to, our landscape has changed in just a few short weeks. Many of us are now working, living and even socializing full-time in ‘stay at home’ status – one that is less formal, and often times less secure. Hackers have used this pandemic to their advantage, targeting individuals when they are more vulnerable to attack… and today Amy and I will briefly cover a few of the trends we’re seeing with our clients and prospects.

 

We’re seeing that very actively right now through COVID-19.

In the past month, we’ve seen increased attempts by cybercriminals to hack our devices as we seek out information about the spread of the virus. This has taken shape in a number of ways, and has also changed over the last few weeks. including:

§  Originally, we saw Several fake COVID-19 tracker maps that infect people's computers with malware when opened, as people were seeking more information as to where the virus was most widespread.

§  Soon thereafter, we saw, we began seeing Phishing messages, which appeared to come from a health authority, such as the U.S. Centers for Disease Control and Prevention, the World Health Organization and health agencies from specific countries, claiming to offer information about the coronavirus.  Hackers and cybercriminals are also calling, impersonating health officials and tricking individuals into giving up personal information, and login credentials under the guise of providing COVID tests, sometimes suggesting that a family member was infected.

§  Fake charity sites, donation and crowdfunding sites have been created to take advantage of individuals’ generosity and compromise personal information, particularly for people out of work, health care workers, etc.

§  Fake Supply Chain invoices – in which individuals and companies are getting phished to pay invoices, to support out of work vendors.

 

These all are some of the most common ways that fraudsters gain access to our information through social engineering. Social engineering is a tactic fraudsters employ to take advantage of our trust and natural willingness to be helpful. They use email, phone calls, text messages and social medial to trick us into performing actions, such as making a payment, or divulging confidential information, which could lead to the compromise of our data or assets.


Bella

It’s unsettling how quickly cybercriminals are able to react in times of uncertainty. They are very creative, very clever. 

The question then becomes, Ileana -  how do we catch this?

 

How do we safeguard against this type of behavior in a time when we are all focused on getting the news we need, staying up to date, supporting the organizations who need our help, and keeping ourselves and our families safe and healthy?

 

Ileana

 

 

Be Vigilant. And Verify, verify, verify.

 

§  To begin, it’s important to get your information from legitimate sources. Do not assume a request, whether it’s through email, phone or social media, is genuine. Just because the requester knows information about you or your family doesn’t mean they’re legitimate; you also should not click or respond to texts and emails from sources you do not know.

§  You’ll also want to educate yourself on phishing email warning signs, such as poor grammar and spelling, urgent language, hyperlinks or attachments, fake logos, a vague email address, and missing or vague contact information.

§  Next: double-check site information. Ensure any donations you might make are made are to reputable sources; ensure that the website address is legitimate, and ensure the website is encrypted (i.e. https://) before providing credit card or bank account information. If it doesn’t look right, or you’re not sure, don’t click, and don’t submit credentials.

§  Lastly, don’t give your information to just anyone. If someone calls, emails, or texts you asking for information, confirm the identity of the requester via an alternate, verified method, such as going to a referenced organization’s home page, or hanging up and calling the individual or organization on a known number. Call them back on a number you know to be valid. And please limit the amount of information you, and your family members, post on social media.

Bella

Great point, Ileana – and that goes for all of us that have children posting on Facebook, Instagram, TikTok, and other social media outlets as well.

 

Ileana

Yes! Hackers are usually after two key things: Information and Money. So we cannot make it easy for them. Once hackers have the information they need, they can also use it to not just steal personal and company data, but also try to commit financial fraud. And that is certainly on the rise during these times.

 

I want to turn the call to Amy to discuss the fraud trends that are most prevalent with clients right now.

 


 

Amy

 

Thanks, Ileana.

 

In the past month, we’ve seen sophisticated social engineering tactics spike as the pandemic unfolds. In most incidents, the fraudster impersonates a Chase employee by changing the name that appears on the caller ID.  Then, the fraudster creates a sense of urgency and claims that actions can only be taken after our client provides personal information, such as date of birth, social security number, and mother’s maiden name. Once this information is unknowingly divulged by our client, the fraudster is able to commit fraud against him or her. Other times, these details can be gathered through hacked email accounts, from social media, or information that is available publicly. With this information, criminals call in and attempt to use a client’s personal information for verification purposes.

 

And once the fraudster gets enough details, and puts all of this information together, and is able to trick multiple service providers – they can then execute what is known as a mobile device takeover.

Bella

Amy, I’ve been hearing a lot about this recently. Can you take some time to explain what exactly mobile device takeover is?

 

Amy

 

Thanks for asking, Betsy – as not many people are familiar with this concept. There are essentially two methods of mobile device takeover - Phone porting and call forwarding. In either method, fraudsters gain unauthorized access to an individual's mobile phone account to redirect calls intended for the client to themselves. They can gain this unauthorized access by:

§  Tricking mobile service providers into transferring the client's phone number to the fraudster's device, or 

§  Hacking into the client's mobile online account and forwarding inbound calls from the client's phone to their own

 

In the cases we’ve seen at J.P. Morgan, the fraudsters were very sophisticated as they have:

§  Stolen the client's identity

§  Opened cryptocurrency accounts in the client's names

§  Compromised the client's online profile

§  Ported the client's mobile device – or simply forward the client's phone number to their own device

§  Hacked into the client's email account and sent Client Service wire instructions

 


Bella

And Amy, as you know, we’ve seen instances of mobile device takeover as recently as this week.

Amy

We have, Betsy. And it’s because of incidents like these that J.P. Morgan is taking additional steps to protect you and your assets.  In each line of business, we are evaluating and adjusting our existing processes to verify your identity and to make sure that the transactions you are initiating are valid.

 

In practice, this may mean that we ask you additional questions about the transfer you request, or that we may call you back and ask for additional information. And if we do, we ask for your patience – because all of this is intended for your safety.

 

But we can’t do this alone. It is just as important for our clients to strengthen their cyber and fraud defenses to better protect themselves.

 

Bella

Agreed - that is critically important.  I also think it is very important for every client to know the name and number of their client service team. They are also our first line of defense.

 

So, Amy, where do you recommend we begin? What are some best practices you can share with us today?

 

Amy

First, to mitigate identity theft, you’ll want to be hyper vigilant around the information that forms your identity – because often times that is the information that we and many others use to verify you.

 

§  I’ll begin by reiterating some of the methods that Ileana already shared:

o    If someone makes a request for your information, validate their identity by calling the individual back on a known number

o    In addition, learn the phishing email warning signs, such as poor grammar, urgent language, and the like

§  It is essential to protect your identity and credit during this time. You can place a credit freeze with each of the three U.S. credit bureaus, as it restricts access to your credit report, making it more difficult for identity thieves to open accounts in your name and/or abuse your credit.

§  Another helpful tactic is to enable online alerts through JPMorgan Online. This will notify you of potential fraudulent transactions and activity; and the best part is you can set your own thresholds for the alerts. We recommend for you to receive the alerts through two channels, such as both email and text message, in case one channel may be compromised.

§  Lastly, and most importantly, if you’re making a payment to a new beneficiary, or receive a change in payment instructions, always verbally confirm the payment instructions with the source of the instructions, or the beneficiary, before making the payment.


 

Bella

These are great tips. Is there anything further you would add specifically around mobile device takeover?

 


Amy

Yes. For mobile device takeover, there a few additional things you can do to protect yourself.

 

§  Contact your mobile service provider to put a verbal password on your account. Avoid using the same PIN and passwords for your online accounts and devices.

§  If you notice a disruption in your mobile service, such as you lose signal for 10 minutes or more, please contact your service provider immediately to ensure your service hasn’t been ported.

 

I also want to remind everyone that these same precautionary measures can be considered for elderly and vulnerable family members, as they can be especially susceptible to fraud during these current events.

 

If you notice suspicious or fraudulent activity on your accounts, please notify us immediately so that we can take the appropriate actions to protect you and your assets.

 

Bella

Amy – thank you for this information. This is incredibly helpful for all of us.

 

Ileana – I’d like to turn now to cybersecurity. Can you share some of the common best practices our clients can utilize to strengthen their cyber defenses?

 

Ileana

 

Happy to, Betsy.

 

Cyber continues to be a top priority for the firm and we invest and spend hundreds of millions a year to protect our clients, their data, and their accounts. Clients can rest assured that during this time of crisis, the Cyber team is considered an essential part of the firm’s strategy around resiliency and increased protections.

 

Our concern today, with more people working from home and online, is that you know how to protect yourselves and your devices. [Ileana to discuss best practices regarding device and account protection]

 

So how do we do that? We go back to the basics – with anti-virus, an updated operating system, and strong authentication measures.

 

§  First - Anti-virus: It is incredible important that every device in the home has anti-virus software installed. Not just mom’s device or dad’s device, the children’s devices as well. This includes desktops, tablets and mobile devices. This will keep everyone protected because anti-virus software detects and removes malware, like spam, spyware, browser hijackers and more. Think of it like a vaccine, but for your devices.  However, it needs to stay up to date. Pick a reputable provider, not “free anti-virus”.

§  Second - Software/Operating System: Every device should also have the most recent and upgraded software patches to ensure devices and accounts are secured to the greatest extent possible. If you have been delaying implementing the latest software, this is the time to do it! The updates often address bugs, viruses, and known vulnerabilities. You can check for upgrades in the settings function of your device.

Third – Trusted Sources: When installing apps or software, ensure you are downloading them from a reputable source. Limit the use of third party applications and only download trusted apps from the Apple/Google Play store. For example, if your child downloads an app from an unknown source (free), your device can be put at risk for virus/malware.

 

Bella

I admit I’ve been guilty of delaying these updates on my phone. They take no time but they feel like an inconvenience. I’ll be making those updates as soon as this call concludes.

Ileana

I’m happy to hear that, Betsy!

There are a few more basic principles I want to share with you.

§  Passwords: it is essential that you create strong and complex passwords, change them frequently and never share them, and yes a different one for each site you visit.  This means they should ideally be a phrase, favorite song or book title, and should include upper and lower case letters, numerals, and special characters This applies to your online accounts, devices, routers, and other devices used in the home. If you feel overwhelmed with passwords, this is a great time to consider installing a reputable password manager, which can help you login to multiple websites securely with just one main password, but which can help you implement different and complex passwords.

§  This same rule applies to your Username. Stop using the same one everywhere, and stop using one that is basically your name, or that gives away information about you.

§  Lastly, Multi-Factor Authentication whenever offered, use it, as a second layer of protection. This can be used not only at banks, but on social media sites, email accounts, frequent flyer and shopping sites. And yes, at mobile phone providers.

 


 

Bella

Thank you Ileana. Super, super helpful information.

 

I want to turn to our last question for today. With so many people across the globe “social distancing” yet using more technology to stay connected to work, learn, and socialize, are there any other areas we need to think about?

Ileana

 

Yes, absolutely!! As we mentioned earlier, with so many people working – and learning- from home, we can be grateful that we have technology to keep us more connected. We’re now using video conferencing apps for meetings, schoolwork, as well as engaging in online workouts, concerts, tours of museums, zoos, at an unprecedented scale. 

 

And while this is transforming how we engage with others, there are still cyber concerns to take into account.

 

Video Conferencing is a Lifeline for Many:

§  For any and all meetings put passwords on the session!!  We’ve already seen hackers easily access important meetings that didn’t set a passcode, or have a waiting room that could preview attendees. Make sure you know whom you are inviting, and can manage the meeting attendees.  Public Zoom rooms are already being hacked

§  Also, when video conferencing or video learning - Select a background that does not expose too much personal information about you – such as diplomas hanging on a wall, anniversary pics with full names and dates, family photos, and/or other personal information that can be used against you later. Or if you have the world seeing that expensive piece of art in your house…not always good. Video conferencing is now another way “in”.  Use the virtual background feature if you have too much on the walls that reveal who you are.

§  Protect your video capable device, use a protective webcam cover or unplug, so that an external webcam can’t be compromised.  I.e. Make sure people aren’t seeing you or watching you when you aren’t aware.

Bella

I also know this to be true. Recently, Ileana and I were on a call together, and as we were introducing ourselves to our guests, we noticed that we have been joined by an attendee listed as “Ann Imposter.” Sure enough, once we called out to this individual, they dropped from our call before it had even begun.

 

Ileana

And since then, we’ve added additional controls as part of our videoconferencing best practices.

 

Last but not least, I want to highlight your WIFI networks.

§  Parents; please be sure that you are working on separate networks from the children. Parents should be remoting into work on one of the home wireless networks, and the children and all smart devices on the other. It’s important to segregate devices used for work and other sensitive transactional activities (e.g., banking, online shopping), from devices that the children and guests use for school and gaming. To mitigate the risk, parents should be on one network and children should be on the separate network.

§  And in general, when it comes to the network, make sure:

o    Your Wi-Fi networks should be protected with a complex password (e.g., a combination of letters, numbers, and special characters). Also, remember to change the default password to your wireless network.

o    And…Do not conduct business or connect to public Wi-Fi (e.g., cafes, airport, hotels, etc.). If you have to use public Wi-Fi, use a Virtual Private Network (VPN) to help you communicate and browse securely.

o    Every online avenue is a venue for a hacker to gain intelligence on you and your family. You must stay vigilant at this time when you and your family might be sharing more to be socially connected. Similarly…

 

Bella

Thank you, Ileana. You and Amy have shared a great deal of insight on today’s call.  For our clients may not have been taking notes – is there a place where they can find all of this information?

 

Amy

 

Absolutely.  To ensure our clients remain cyber and fraud aware, we continue to publish articles, tips, and guidelines to protect yourself, your family, and your business. All of this information can be found on the J.P. Morgan website, and for more specific information we recommend that you reach out to your Banker, Advisor, or client service specialist.

 

Bella

I also want to remind our listeners that Amy, Ileana, and their teams are able to work directly with your Bankers and Advisors to provide you an in-depth educational session.  I have personally hosted several of these sessions with our speakers and I highly encourage you to take advantage of this opportunity.

 

Amy and Ileana – THANK YOU SO MUCH for your time and a big thank you to all who joined today.  I know I’ve learned a lot today, and I am sure that our clients have, as well.  If you enjoyed today’s conversation, want to share this call with your friends and family, a replay will be available tomorrow. Thank you and stay safe out there.