Fraud Attack Risks
Social engineering techniques are designed to manipulate people into performing actions or divulging confidential information by making them believe they are dealing with a known, trustworthy or official source. They exploit the human tendency to trust and to want to help, and typically add a false sense of urgency to pressure the target into acting before thinking.
Social engineering is frequently used to deceive you into opening an email attachment or link, or clicking on a pop-up window, that will in turn cause malware to be installed on your computer. Alternatively, you might be directed to a fake website where you’re asked to provide confidential information such as account numbers, passwords, balance information or your Social Security number. Or, you may be asked to initiate financial transactions that deliver information or money into the scammer’s hands.
Impersonation scams are based on a perceived legitimate relationship. Scammers do their research to identify the right people to contact, and the right tone and language to use in the scam, in order to convince their victim to do something.
Many impersonation scams target the email account of a company’s CEO, CFO or other executive, either gaining control of it or “spoofing” it by creating a fake email domain that closely resembles the actual one. The scammer then emails an employee with a request for an ACH or wire transfer to be sent to a specific bank account. In another variation, the fraudster, impersonating the CFO, "forwards" a second fake email from the CEO requesting the wire transfer, lending even more credibility to the request. The employee, believing that he or she is fulfilling a legitimate request from a high-ranking executive, instructs the company's financial institution to initiate the transaction.
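A mail gateway or SOC can catch the lookalike-domain variant described above before an employee ever reads the message. The following is an added example, not code from the original page: it classifies the sender domain of an inbound address as the real domain, a lookalike of it, or unrelated. The trusted domain and the sample addresses are constructed placeholders.

```python
import re

TRUSTED_DOMAINS = {"examplecorp.com"}  # constructed placeholder for the company's real domain

# Character swaps commonly used to build confusable domains (rn looks like m, 1 like l, ...).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain):
    """Undo common homoglyph substitutions so visually similar names compare equal."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d

def levenshtein(a, b):
    """Edit distance; catches dropped, added or swapped characters (examplecorp.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"  # the real domain or a genuine subdomain of it
    norm = normalize(domain)
    for t in trusted:
        label = t.split(".")[0]  # registrable label, e.g. "examplecorp"
        # Homoglyph swap, small typo, or the trusted name buried inside an unrelated
        # domain (examplecorp.com.attacker.net, examplecorp-payments.com). Short labels
        # will over-flag; the goal is to route mail to review, not to block it outright.
        if norm == t or levenshtein(norm, t) <= max_distance or label in norm:
            return "lookalike"
    return "external"

SAMPLE_SENDERS = [  # constructed sample From: addresses, not real ones
    "ceo@examplecorp.com", "ceo@mail.examplecorp.com", "ceo@exarnplecorp.com",
    "cfo@examp1ecorp.com", "ceo@examplecorp.co", "ceo@examplecorp.com.outside-mail.net",
    "vendor@unrelated-supplier.org", "not-an-address",
]

def triage(senders=SAMPLE_SENDERS):
    """Map each sender address to its classification."""
    return {s: classify_sender(s) for s in senders}

if __name__ == "__main__":
    for sender, verdict in triage().items():
        print(f"{verdict:9} {sender}")
```

Anything classified as lookalike is a candidate for quarantine or a visible "external sender" banner, which is exactly the cue an employee needs before acting on a wire request.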
Fraudsters can also take over or spoof the email account of a company’s customer. In these scams, the request is often related to something other than a payment. For example, a scammer might target a customer’s email account simply to collect information that could be valuable in committing a later fraud.
Phishing refers to an attempt by fraudsters to obtain confidential information by email. Phishers send emails purporting to be from colleagues, customers, vendors, banks or other recognized parties. In some cases, called “Spear Phishing,” fraudsters target a specific person within an organization who, based on their research, performs a specific duty and may have bank account information and access.
Vishing (voice phishing) is phishing conducted by telephone. Vishing attempts may be a direct call from a fraudster purporting to be from a bank asking for confirmation of account information under the guise of a credit issue or even a fraud alert. Vishing may also take the form of an automated call requesting a call back to a specific number and then asking for confidential information. Many vishing attacks use caller ID spoofing, in which a fraudster manipulates a caller ID system by changing the actual originating telephone number to be a familiar or local number.
Smishing (SMS phishing) is the text message version of phishing. These text messages often provide a web link or telephone number that the recipient must use to take care of a supposedly urgent issue. Following the link installs malicious software on the user’s device, or the call-back number leads to a request for confidential account information that must be provided immediately to “address” the issue.
In a vendor impersonation scheme, the fraudster, posing as the vendor, sends an email or letter or calls to inform the company that the vendor has a new bank account where future electronic payments should be sent, or a new physical address for check payments. In addition to depositing the diverted checks, the fraudster can also use them to make counterfeit checks, using the account information on your legitimate check as a template.
In another approach, a hacker breaches the company email system and studies the pattern of payment requests received by the accounts payable department. The hacker then creates a fraudulent invoice that appears legitimate, except for subtle changes to the payment instructions. A hacker can also breach a vendor’s accounts receivable system and generate a fraudulent invoice or payment request. Similarly, a fraudster can take control over or spoof the email account of a company vendor.
One of the common ways that fraudsters commit scams is through cyber account takeover – the ability to take control of an online account by stealing a user's login credentials or hijacking an online session. Once in control of an account, a fraudster can steal funds by initiating outgoing wires or ACH transactions, which can be extremely difficult, if not impossible, to recover if not identified quickly.
Malware and Other Viruses
Cyber account takeovers are routinely initiated through malware: a malicious software program, also called "spyware," a "worm," a "virus" or a "Trojan horse," that is delivered as an email attachment or through a hyperlink embedded in an email. Once the recipient clicks the link or opens the attachment, the malware is secretly installed on the recipient's computer. Malware programs can record a user's keystrokes in order to capture passwords, redirect a user's internet session to a fake but real-looking site, display fake pop-up messages, or even take control of the user's online banking session and initiate outgoing wire or ACH transactions – all without the user being aware. Drive-by malware downloads can happen when visiting a malicious or vulnerable website or social media site, or by clicking on a deceptive pop-up window.
In a Man-in-the-Middle (MITM) or Man-in-the-Browser (MITB) attack, a fraudster can "see" and manipulate the information being displayed or typed into an infected computer's web browser (Internet Explorer, Safari, Firefox, Chrome and others). Since the attack takes place inside the browser itself, where page content has already been decrypted, security controls like website encryption are largely ineffective. Fraudsters can even change the images displayed on the user’s screen in real time – masking the transactions and displaying fake account balances and completed transaction records that exclude the fraudulent transfers. Due to the sophistication of this type of malware, traditional anti-malware programs are less effective at detecting it.
Check fraud accounts for the largest financial losses across all types of fraud. The information needed to commit check fraud is readily available on any legitimate check payment or bank statement. Checks or statements are intercepted in the mail, or payroll or vendor checks may be “sold” to fraudsters. A business has a very short window (the next business day) to reject an unauthorized check posted to its account and ensure the funds are recovered.
Check Fraud Variations:
- Alteration – changing the payee name, the check amount or both. A fraudster intercepts a check and uses a "washing" technique to remove information such as the payee or amount. The fraudster inserts new information and cashes the check under the falsified name. The check flows through the banking system as normal using the original account and bank routing numbers.
- Counterfeit – a fake check created using a company's actual account and bank routing numbers. Using commonly available printing technology, the fraudster creates a check, with or without the company's logo, and inserts a payee name and amount. Check stock security features, while important, only help protect against check alterations, not counterfeits.
- Payee Endorsement – a fraudster intercepts a check, forges the payee's endorsement and deposits or cashes it. The check could even be deposited electronically without any endorsement at all. The theft may remain undetected for weeks or months until the intended payee follows up on the missing payment.
- Lost or Stolen Checks – issued checks and new blank check stock are easily stolen from an unsecured postal mailbox, giving the scammer the raw materials to perpetrate check fraud.
ACH Debit Fraud
ACH debit fraud occurs when a third party initiates an unauthorized electronic withdrawal from the victim’s account. All the fraudster needs is the account number and bank routing number, both of which are printed on any check. Using a vendor’s online payment functionality, the fraudster enters the victim's account number and bank routing number as if they were his own and pays his bill.
Because the ACH codes typically used for these types of payments categorize them as “consumer” transactions, the ACH Network allows a longer timeframe for returns of unauthorized debits, so these fraudulent transactions are often recovered. However, ACH debit still has the potential for significant losses.