Desperate times apparently do call for desperate measures. Recently the FDIC issued a warning to consumers against email fraud, and now the Federal Bureau of Investigation has quantified the attempted losses of another serious form of fraudulent attacks on unwitting banking customers: online banking scams. And the number given was no measly figure — $100 million.
Old Tricks, New Targets
In an intelligence note released by the Internet Crime Complaint Center (IC3), a joint venture between the FBI, National White Collar Crime Center, and the Bureau of Justice Assistance, it was revealed that criminals are now targeting small and medium-sized business enterprises, mainly using a mix of banking “Trojan” and phishing schemes. As of October this year, these cyber-crooks have already attempted to steal $100 million in what is more commonly referred to as Automated Clearing House (ACH) Fraud.
The FBI said in a statement that, “Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts.” The agency expressed that it has had to deal with several new complaints week after week.
How the Attacks are Perpetrated
While phishing scams combined with malware known in the online world as Trojan Horses (or simply Trojans) are perhaps the most commonly known fraudulent methods of acquiring sensitive information, this fact doesn’t make it any easier to avoid falling victim to these attacks.
The whole scheme usually starts off with a seemingly legitimate email to the company or organization’s accountant, bookkeeper, or finance officer. What the recipient doesn’t know however, is that this is actually a phishing email, infected with malicious software such as Trojans cleverly disguised as genuine Microsoft software updates, or simply connected to malicious websites.
If the recipient doesn’t recognize the phishing as a fraud attempt and falls for the trap, he ends up downloading the cyber-thief’s keylogging software into his computer. Once the malware is installed into the user’s PC, it would now only be a matter of gaining access and collecting the business’s bank account login credentials. The perpetrators then use this stolen information to make wire transfers from the company’s account.
Using Money Mules
These criminals have also wisened up to the possibility of being caught red-handed cashing the stolen money themselves and have recruited the “help” of third-party individuals, also known as money mules, which are the electronic equivalent of money launderers. The hackers initiate ACH transfers of the ill-gotten funds directly to the accounts of these money mules, who in turn, after keeping a small portion of it as payment for their services, wire the money back overseas to different individuals through wire transfer companies like Western Union and Moneygram.
These persons acting as money mules are often unsuspecting of anything untoward in these transactions, with many of them under the impression that they are doing payroll services for international companies. “Most of these individuals have been recruited via work-at-home advertisements, or have been contacted after placing resumes on well-known job search Websites,” the FBI said.
Smaller Banks Hit
Compared to larger banks, smaller community banks have been generally more susceptible to attacks by internet criminals because these banks tend to have less control measures against fraudulent ACH transfers, in many cases none at all.
“It’s strategic targeting of what is perceived to be a weakness in controls, whether it’s at the small corporation [or at] the small-to-medium bank level,” said Ron Plesco, executive director of the National Cyber Forensics and Training Alliance (NCFTA).