In this episode, Sylvain Brisebois, National Sales Manager, BMO Private Wealth is joined by Larry Zelvin, Head, BMO Financial Crimes Unit, for an insightful discussion on the rise in cybersecurity threats and steps we can take to better protect ourselves in the digital world.
Transcript:
Welcome to The Wealth Experience podcast series, where our subject matter experts provide the latest updates on what’s happening in the world around us…brought to you by BMO Private Wealth.
Sylvain Brisebois: Good day everybody. My name is Sylvain Brisebois and I'm a National Sales Manager and a Senior Vice President with BMO Private Wealth. In the recent past, BMO Financial Group created a division called Financial Crimes Unit, which integrated cyber security, fraud and physical security capabilities. Today, we're joined by Larry Zelvin, Head of this Financial Crimes Unit to talk about cyber security.
Larry, the digitization of daily life has become our new reality and I think it's here to stay. But with this convenience of a digital life comes risk, of course. Thanks for joining us today to help us gain a deeper understanding of what it all means to clarify what we need to be aware of and what actions we need to take should we detect suspicious activity. So on that, let's start. Larry, you have a very interesting background. Can you tell us a little bit about your story.
Larry Zelvin: First of all, thank you very much for the opportunity and really appreciate the speaking to everybody today. I've been at BMO Financial Group for two years now almost to the day. And I was very much attracted to the concept of the Financial Crimes Unit, which I know we'll get into a little bit more. But for being at BMO, I was at Citigroup, where I was the Global Head of cybersecurity for about four and a half years, led teams around the world and help Citi and the clients and our partners deal with cyber risk.
Prior to that, I spent 28 years in the United States Government. Two and a half years before Citi, I was at the US Department of Homeland Security, where I lead one of three US government cyber centres. My counterparts were the FBI, the Federal Law Enforcement Agency in the US and the National Security Agency, or NSA, which did intelligence.
The three of us constituted the US government's approach to cybersecurity at least at an operational level. Before that, I am retired United States Naval officer. I was an aviator by background, served for 26 years. But when I wasn't at sea or in the air, I was in this place called Washington D.C., which is getting a fair bit of press and a lot of time at the Pentagon.
And then I did my last three years on active duty at the White House, serving in the first term of the Obama administration. And when I was at the Pentagon, and also the White House, predominantly a crisis manager, everything from 911 to Hurricane Katrina, and then the largest disaster I helped manage was the Japan earthquake tsunami nuclear disaster. So, crisis management and security background and that's what led me to BMO.
Sylvain Brisebois: Well, that's fascinating story, I think for the participants today. We think we've got somebody who knows a thing or two about security. So thank you, Larry, for sharing that.
Now, can you talk about – you’ve been at different places, as you've just touched on. Can you speak about BMO’s approach to security and how that might differ from other areas that you've been at before?
Larry Zelvin: Yeah, no, it's really exciting, you know, look, two years ago, Daryl White, the Executive Committee and the Board also blessed it is that BMO went on a journey that was rather creative and rather innovative. And that's what led me to BMO. What was creative? What was innovative? Well, in most organizations, particularly financial institutions, securities tend to stay in pillars, right?
You have the cyber folks, you have the fraud folks, you have a physical security folks, the crisis managers, and what they may integrate every now and again, they try to work closely together. But you know, they have different bosses, they have different priorities. And so bringing that together throughout my career had been rather frustrating.
And even within those areas of cybersecurity and fraud, you had those silos. But the journey that be most started two years ago was to put one leader, which in this case is me, to oversee cyber fraud, physical and crisis management. We could create that fusion, that integration, that horizontal connection. And I think it's really critical in these modern times because most of the attacks we're seeing in cyber are related to fraud. We see physical security that has digital aspects as well. And then you'll see frauds that also perpetuated by people going into our branches.
These things cross all over the place. And when you look at the bad actors, the criminals, in particular, you know, they don't work in silos. They don't really break down into organizational effectiveness models, they do whatever is necessary to steal money. This is a really adaptive approach, and I'm excited to say that what we started at BMO is now being emulated by other companies. I think we're way ahead and I think we're doing it quite well, and I'm sure others will someday catch up and we can all work together. But this really has been an exciting journey. I think it's something that's helped us to better protect our bank, our customers, and also our partners.
Sylvain Brisebois: OK, fascinating. Thank you for sharing that. Now, this doesn't sound like it's a new industry by any means, but speak to us about how the pandemic, has it increased the security threat or has it been about the same all along here?
Larry Zelvin: Yes, it's increasing greatly. None of us have really had any time off. Security is always a busy thing. But, you know, on the physical side, unfortunately, bank robberies, vagrancy, you know, the frauds are non-stop, the cyber-attacks are constantly going, But when everybody transitioned to work from home environment, this was a really great opportunity for criminals to really expand their market share, so to speak. And so they started as people working from home and really the COVID playing to people's fears.
So early on, in the pandemic, we saw frauds and cyber-attacks that were saying, “Hey, by the way, if you need test kits, please click on this link. Or, hey, if you need to apply for loans, particularly individuals and businesses, small businesses, open this attachment.” In some cases, it tends to say, “Hey, your co-worker, your neighbour, your family member’s sick. Please call us.” And all these were fraudulent. All these were ways to get people to share their credit card information, to share their bank accounts data.
For wire transfer, or potentially even to apply for loans fraudulently. As government loans started coming up, and then they shifted and started going after the money, either by again, falsely pretending to people applying for these government grants or getting people to take for grant money and shifting it over to the fraudsters, so they could literally steal the funds among those who needed it most.
Vaccines also became a big way that they tried to lure people to do things that they didn't. They took advantage of people when they were down and when they were most vulnerable, which is really sad. But at the end of the day, let me answer your question more directly. The industry as a whole saw cyber-attacks increased 600 to 800 times that which we hadn't seen before the COVID crisis began. It increased six to eight times, or six to 800 times what we have seen. It got a lot worse and it is coming back down. But as new government relief programs come online, people need to be careful because the fraudsters, they're following the money.
Sylvain Brisebois: OK, very good. So that sounds like the pandemic brings a requirement for further due diligence. For our listeners today, are there other security threats that people should be concerned about here?
Larry Zelvin: Yes, absolutely. I mean, you know, I alluded to some of the techniques around COVID. But, you know, there are a number of things that continue to go on. And, you know, there are things, what I would say is, is you just got to be careful, you know, when you are looking at your email, as you're engaging online, through web access, you know, you really need to be a sceptical consumer of information.
And really, in particular, you got to watch the links you're clicking on and opening your attachments. Because these are the basic and most common ways that individuals can be lured into a trap that the criminals are trying to get them to act on these frauds they're trying to perpetuate. So, you know, one of the biggest advice I give people and I'm happy to share some more, if you like, is just slow down. Don't be so quick to click on the link, don't be so quick to share your information. Really look at and go, “Jesus, does this makes sense?”
Sylvain Brisebois: That's right. Well, I'll take you up on that offer. You said let's slow down. Could you share with our listeners three or four other things that you'd recommend they do to decrease the security threats that are that are lurking out there?
Larry Zelvin: One of the most important things is, is that before somebody asks you for any of your financial data, really make sure that it's legitimate, make sure that, you know, gosh, this person who's asking me, you know, that they are somebody you know, that somebody can validate. One of the things if you really want to be an uber sceptical consumer of information is the Better Business Bureau has a website where you can actually plug in a business and see if it actually exists, because a lot of these are front companies.
You know, you can call back if everything's electronic and say I want to speak to an individual. But you know, and look, at any point any of us can be fooled. I've been fooled and I work in this industry, and I've been working with security for decades. But when you find something, one of the biggest pieces of advice I can offer is that you've got to confess, right? It's most important to talk to your bank, talk to your financial institution. And hopefully it's BMO because we have a robust ability to help you through these things.
And in most cases, if we get to things soon enough, we can help you, right? We can recall the data, we can stop the payment. You know, there's certain things like debit cards, it's next to impossible to necessarily get the money back there, because it's instantaneous payment. But on things like wires and credit card fraud, deposit fraud, the sooner we get to it, the higher the probability that we'll be able to help folks and make them whole.
In some cases, there's these things called business email compromises, you've got to watch those where people are fooled into wiring money to a location. And in many cases, our fraud analysts will call the client say, “Hey, are you sure you want to do this?” And clients go, “Oh, yeah, I'm sure.” They’ll ask again and go, “Are you sure?” They’re like, “Yeah, we’re sure.”
Only to a few hours later going, “Gosh, we got it wrong, could you give us the money back?” And unfortunately, again, if we can get that information soon, we can call the money back. But if days have passed and we did what the client asked, unfortunately, usually that money is lost and it's been a laundered around the world about 10 times. So there's not much you can do.
The last thing I would highlight is that book is it’s important to also let law enforcement know. If you're in Canada, the Canadian Anti-Fraud Centre provides, you can talk to provincial and local police in the United States, the FBI runs fraud programs, the Federal Trade Commission. I would also encourage people to report these crimes, because that's what they are, they are crimes.
Sylvain Brisebois: Understood. Thank you. That's an eye-opening statement. I would say, you've talked about some steps here to do. And I would expand on that a little bit or wish you could expand on that a little bit. What the first thing an individual should do if they think they've been impacted by one of these security events? You say reach out to the authorities. Is there something else that we should think about?
Larry Zelvin: Yes, I think the first thing you need to do is if it is a financial crime, reach out to your bank, reach out to your vendor. So again, if BMO is your bank, please reach out to our fraud team and speak to our folks email them. And look, sometimes they may be busy, you may be on hold and I regret that. But you know, there's a lot of frauds going on, but do you make contact with us. I would also encourage you to go up BMO’s website and look at security. We have, hopefully in a thoughtful way, have outlined a number of things that will help you prepare, and will help you to better understand these threats so you can defend against them.
We'll also provide information on how you can report it to us and also report it out to law enforcement groups as well. If you get a chance to look at the BMO website, look at security and take a few minutes and get yourself up to speed. The other thing I would encourage you to do is to sit down with your family members, once you all have a better sense of these things, because the most vulnerable people in our society tend to be the elderly and the young.
Unfortunately, a lot of folks, you know, are more trusting or they maybe are more easily duped by these criminals. But you know, as you look at the demographics, and please, I'm not singling these people out because they're doing anything wrong. I can just tell you statistically, from a crime perspective, the elderly and the young are the most victimized and those are the folks we need to really make sure understand this threat and really get them to slow down and when something happens, report it so we can properly deal with a situation.
Sylvain Brisebois: Thank you very much, Larry, for your time today. I would say this has been for all the wrong reasons, a fascinating conversation, a very insightful discussion on cyber security. With online being the primary method of doing so many things are right now, this has been very timely and an informative session, and lots of takeaways for us on how to better protect ourselves and to be mindful of the dangers that are lurking out there. This has been very helpful. Thank you.
In our evolving digital world, these comments are of critical importance for us as a bank and for you, our listeners and our clients. To you today, our clients and our listeners, please be safe, be cyber safe. And of course, all the best for the new year. Until next time, thank you for listening. Thank you again, Larry, for your thoughts.
Larry Zelvin: Thank you.
This podcast series has been brought to you by BMO Private Wealth. Please join us again.
Disclosures:
The comments contained in this podcast are general in nature, provided for information purposes only, and do not constitute legal, investment, trust, estate, accounting or tax advice. They are provided for general guidance, based on information believed to be accurate and complete, but we cannot guarantee its accuracy or completeness. Unless otherwise qualified, any opinions, estimates and projections in this report are those of the speakers as of the release date, are subject to change without notice, and may not reflect those of BMO Private Wealth. This podcast may not reflect all available information.
BMO Private Wealth is a brand name for a business group consisting of Bank of Montreal and certain of its affiliates in providing private wealth management products and services. Not all products and services are offered by all legal entities within BMO Private Wealth. Banking services are offered through Bank of Montreal. Investment management, wealth planning, tax planning, philanthropy planning services are offered through BMO Nesbitt Burns Inc. and BMO Private Investment Counsel Inc. Estate, trust, and custodial services are offered through BMO Trust Company. BMO Private Wealth legal entities do not offer tax advice. BMO Trust Company and BMO Bank of Montreal are Members of CDIC.
® Registered trademark of Bank of Montreal, used under license.
