Fraud Update: The 13 Hottest Schemes You Need to PreventFrom Credit Bust-Out to In-Session Phishing, Fraudsters Are Finding New Ways to Ply Old Tricks
May 26, 2009 - Linda McGlasson, Managing Editor
The fraud fight is getting nastier by the minute, say experts familiar with the new schemes - and some old ones with new wrinkles -- being perpetrated by criminals against financial institutions and their customers. Here are 13 of the most prevalent ruses. #1 -- Credit Bust-Out Schemes
By definition, credit bust-out schemes are a combination of a credit and fraud problem, although many organizations are not always sure where the losses sit - or who might be the party responsible. How it works: According to Michael Smith, manager of the Fraud and Market Planning division at Lexis Nexis, consumers apply for credit from lenders using similar last names, oftentimes Eastern European or Balkan, in an intentional effort to capture financial access vehicles to cause delinquency.
#2 -- Customer Loan Account Takeover
This type of fraud occurs online, and a recent case study related by Avivah Litan, distinguished analyst at Gartner Group illustrates how customer loan account takeover happens. The case resulted in a $71,000 theft from a customer's loan account.
An online loan Web site gave a customer the ability to open demand deposit accounts (DDA), Litan explains, which were to be held as savings accounts that could only be opened and accessed via the Internet. "To open the account through the online loan application, a customer needed an existing relationship with another bank," Litan says. The customer would provide all the account information necessary for both banks to complete ACH transfers.
Prior to opening the account, the online loan application system would complete two test transactions and require the potential customer to confirm the exact dates and amounts of the transactions. "If the customer could not provide that confirmation, then it was thought to be attempted fraud, and the account relationships would be closed."
#3 -- Corporate Account Takeovers
Corporate account takeovers are becoming more prevalent says Gartner's Litan. "Corporate banks are reporting that criminals are targeting their cash management customers and moving money out of their accounts via innocent consumer accounts," she says. The owners fall for phishing e-mails that promise lucrative commissions for participating in the schemes.
#4 - Cross-Channel Call Center/Online CD Purchase Scam
A fraudster purchases multiple CDs online from one bank, funded by ACH Transfers from multiple compromised third-party accounts at other institutions, says Ori Eisen, former worldwide fraud director for American Express. How it happens: The perpetrator contacts the Call Center within 48 hours of the CD purchases to cancel the CDs and transfers the funds to yet another institution to liquidate. "Variable email addresses are used in an effort to mask identity," Eisen says. "Current procedures and safeguards at most financial institutions may not preclude the success of this type of cross-channel attack."
#5 -- Wire Fraud Account Grooming
Financial institutions are exposed to very high levels of risk within their online wire transfer processes. "Traditional methods of detection are very labor intensive, yielding high false positive rates and low recovery of stolen funds," Eisen says.
#6 -- In-Session Phishing
A somewhat recent tactic being perpetrated by fraud rings -- "in-session Phishing" -- has emerged as one of the chief threats to the breach of secured online assets. These attacks utilize vulnerabilities in the Javascript engine found in most of the leading browsers, including Internet Explorer, Firefox and even Google's Chrome, notes Eisen.
How it happens: Utilizing a host website that has been injected with malware acting as a parasite, this parasite monitors for visitors with open online banking sessions or similar protected asset sites (such as brokerage or retirement planning sites).
Using the Javascript vulnerability, the parasite can identify from which bank the victim has a session currently open by searching for specific sites pre-programmed in the malware itself. "There are no limits to the volumes of URLs a website hosting the parasite can test from the victim's machine. The malware asks: 'is my victim logged onto this XYZ bank website' and their browser replies either yes or no," Eisen says.
#7 -- ATM Network Compromises
The industry is seeing breaches at all stages in the payment process, including merchant terminals, the communication links between merchant acquirers, and (worst of all) core elements in ATM networks, according to Paul Kocher, Cryptography Research Institute's president and chief scientist. "Once the perpetrators have the contents of magnetic stripes and the corresponding PINs, the data is then sold to people who write the data onto counterfeit cards and drain customers' accounts," Kocher observes.
#8 -- Precision Malware Strikes
The most common defenses against malicious programs work by comparing programs against the signatures of known malware, says CRI's Kocher. As a result, attackers have learned that they can breach high-value targets' computer systems relatively easily, provided that their attack software does not spread so widely that antivirus companies get a copy and add it to their databases.
#9 -- PIN-Based Attacks
For the past 10 years, Verizon Business has tracked metrics and statistics from IT investigative cases, including incident response, computer forensic and litigation support, across the globe. The Verizon Business' just-issued 2009 Data Breach Investigation Report, shows more electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, says Bryan Sartin, director of forensics and investigative response at Verizon Business.
Driving this explosion in compromised records are more sophisticated attacks, specifically targeting the financial sector. In fact, 2008 saw three of the world's largest known data compromises on record.
#10 -- Account Manipulation
Aside from the five or six massive individual compromises that took place across the globe in 2008 is a vastly larger population of data breaches, also targeting financials, that garnered little public attention, Sartin notes. "Much of these involve unusually small populations of compromised records, yet massive fraud in terms of total dollar losses, resulting in significant impacts to the institutions affected. By and large, these cases appear in two forms: insider manipulation and application manipulation," he says.
#11 -- Fraud Pattern Changes
Fraud patterns changed dramatically in 2008 as a result of both reduced percentage of successful fraudulent transactions and arrest of individuals involved in organized fraud activity, says Verizon Business' Sartin. The new fraud patterns can be divided into two categories: random fraud patterns and global ATM transactions.
Random fraud patterns used by organized fraud groups involve similar purchases as seen prior to 2008, but in a random pattern. "In 20089, the fraudsters have adapted to completely random fraudulent purchases to make pattern identification much more difficult," he notes. The fraudsters began showing up at random stores in random time patterns to make identification of a pattern difficult or impossible. "No two purchases would be made at the same merchant location in a several month period. No pattern of purchases at each exit as a group drives up a highway. The purchases were at the same chain merchant stores of the same items, but now in a random pattern," he explains.
#12 -- Foreclosure Prevention Schemes
This doesn't hit a financial institution directly, but if an institution holds mortgages for "troubled" homeowners, this is a scheme you need to be on the lookout for, says Denise James, market planning director Lexis Nexis' Residential Mortgage Solutions. These foreclosure prevention schemes generally involve fraudsters posing as professional, knowledgeable foreclosure specialists. Homeowners facing the threat of foreclosure and nearing eviction are contacted by these "foreclosure specialists" who promise to work out their loan problems or buy their home and offer the homeowners tenancy. "Unfortunately for the homeowner, the fraudster has no intention of following through with these promises and instead will manipulate the homeowner into deeding the property to them," James says.
#13 -- Builder Bail-Out Fraud
This fraud involves securing funds for condominium conversion or planned community development properties that, unbeknownst to the investor (financial institution), will not be completed, says Butts of the Mortgage Asset Research Institute. The scams entail multiple purchases from would-be investors or false identities on fabricated loan transactions. "Investors are lured by photos or inspections of a few converted units used as models with promises of further rehabilitation of remaining units. Once the contracts are in place, the fraud continues as the perpetrator secures funding for the contracts," Butts explains. However, she adds, no additional work is done and the investors and lenders are left with incomplete and, in some cases, uninhabitable dilapidated buildings. (Full text at www.bankinfosecurity.com)
Remember, estimates are that every 2-4 seconds an Identity is compromised. Why take chances? Why not protect yourself and your loved ones with the best suite of services provided (including restoration) by the best NYSE company in the field? Educate yourself and visit the shameless plug below or call me at (909) 208-3728!
Posts
