Magazine article American Banker

Wire and Online Banking Fraud Continues to Spike for Businesses

Magazine article American Banker

Wire and Online Banking Fraud Continues to Spike for Businesses

Article excerpt

Byline: Keith Button

A $1.5 million bank/wire fraud case made big news this summer, but experts say that malware and other online threats to banks' business clients have been spiking for at least a year.

The Associated Press reported in July that the bank account of a California escrow firm, Efficient Services Escrow Group, was hacked in December 2012 and January 2013, with three payments totaling $1.5 million wired to accounts in China and Russia. Only $432,215 was recovered, and the company was shut down.

During the last 15 months, "we're hearing that the fraud has evolved, there are new types of malware being deployed and, particularly in those banks that have yet to put in robust solutions, we're seeing that fraud spike again," says Shirley Inscoe, senior analyst with Aite Group.

In late 2008 and 2009, several targeted ACH and wire fraud attacks on banks' business clients prompted an FBI-published alert and lawsuits against banks, Inscoe says. Then banks started implementing ACH and wire fraud solutions that would alert them to suspicious activity in their business client accounts, so they could identify potential fraud before money left an account.

The major difference between the current spike and the 2008-to-2009 attacks is that the earlier attacks were fairly simple to commit. Typically the fraudsters gained the customer's credentials through keylogging software or other techniques, then went online and made the fraudulent transaction, Inscoe says.

"Now, they're more sophisticated, and having to work a lot harder to impersonate the customer," she says.

One banker told her he had no ACH or wire fraud losses in his corporate client accounts for 12 months, then three large incidents within the past year.

Banks need to focus their security measures particularly on internal employee accounts and privileged accounts, said Avivah Litan, Gartner vice president.

One of the most recent online crimes has been payment switch takeovers, in which a privileged user account is taken over by a fraudster to access the bank's wire application, Litan said.

In September 2012, the FBI issued a fraud alert reporting a new trend of cyber criminals using phishing e-mails, keystroke loggers and remote access Trojans, including variations of the Zeus malware, to infiltrate banking networks and to steal credentials, which were used to authorize overseas wire transfers.

Litan said the online criminal rings "are starting to break some of the techniques that banks are using to protect themselves, so it continues to be a cat and mouse game. The banks put a lot of protections in place, but the bad guys are still getting around some of them."

The current wave of attacks use a lot of man-in-the-browser techniques, intercepting the activity between the client and bank after a hard-token number is keyed by the client, Inscoe says. With a man-in-the-browser scam, the real client starts a banking session and the fraudster, through the use of malware, injects himself into the transaction. In some cases the victim will see a screen indicating that there is a problem with the bank's website, and wait patiently while the fraudulent transactions are completed.

The malware is sometimes loaded through a website that is visited by a bank client employee. But with business bank clients, more often the entry results from spear phishing of key employees, such as controllers, accountants or bookkeepers.

Another popular technique is email account takeover, where a customer has been corresponding via email with a banker and the fraudster takes over and instructs the banker to send a wire, Inscoe says.

"Now, that may be against bank policy, but the banker has interacted via email with his client several times before, and there have been no issues. So in the name of customer service, he might send that wire, per the instructions in the email, which was in reality from a fraudster and not a true client," she says. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.