WE’RE HEARING there’s a new species of prey for those trying to commit bank fraud from cyberspace: small businesses that engage in frequent wire transfers of funds.
Sound like anyone you know? Chances are, if you’re in the mortgage business, you’re running an enterprise that requires frequent transfers of money between accounts and institutions.
Cameron Camp, a North American security researcher for ESET, an information security firm, says businesses, especially small businesses that may not be accustomed to being targeted for bank fraud, are increasingly at risk. The fraudsters who mastered technology to swipe money from the bank accounts of individuals by stealing PIN numbers and ATM magnetic codes are increasingly looking for bigger prey. Wire fraud from businesses appeals because the monetary threshold that would spark scrutiny from banks is much higher for business transactions than for consumer ones.
And the results of an informal poll of those participating in the BrightTalk webinar suggest that few are confident that their firms are safe from cyber fraud. Only 12% of participants said they felt that banks are keeping up with hackers. 76% said banks are not keeping up with hackers’ technology advances, and the rest were unsure. Most also thought that mobile banking apps could be vulnerable to technology fraud.
Camp said that crooks are targeting financial institutions for an old-fashioned reason: that’s where the money is.
“The financial institutions aren’t very happy about this,” he noted during the webinar.
This could be a particular concern for smaller firms that don’t have the defensive technology of megabanks.
“What’s kind of interesting as a macro-trend is that the larger banks know that they are being attacked, but does your local credit union?”
And they aren’t just looking for ATM magnetic codes and PINs anymore.
“One of the things that is interesting about bank fraud trends is that they are shifting more and more toward wire transfers of funds.”
What are the fraudsters looking for when they target a person or company? A history of wire transfers, high balances and lots of information that can be hacked into via email accounts or IT networks.
Banks have tighter security controls to detect unusual wire transfer requests involving consumer bank accounts than for business accounts, where transfers of large sums are more common.
Fraudsters are looking for easy targets, because once a technology scam is detected the banking industry will quickly take action to thwart future instances by patching up network defenses.
“If you had a master key to get in all the locks in your town, you’d only have a certain amount of time to use that master key while it would still work,” Camp said.
Fraudsters want to remain anonymous and are looking for ways to trespass into a company’s banking transactions that can’t be traced. And while consumers typically get reimbursed by the bank when their account gets hacked, businesses may meet with resistance from the bank.
“If it’s a wire transfer, you have very little recourse,” Camp said. “There are far fewer protections for the business customers.”
Russia and other Russian-speaking countries are ground zero for cyber crime today, Camp said. Once a transfer is engineered, the money is simply gone, often shipped to overseas accounts. And when targeting businesses, the crooks are often looking to swipe between $10,000 and $99,000 at a time. That’s because business transfers don’t spark fraud lookouts from banks as easily as unusual consumer transfers of funds do, where anything unusual above $500 may invite an investigation.
On the positive side, Camp said that technology to detect and thwart network activity that looks malicious has improved. Network defenses are quicker to intervene when suspicious activity emerges than in the past.
But as always with cyber crime, the bad guys haven’t given up on research and development either. In fact, there are now some websites that actually sell programming and software to facilitate crime. One such program, known as OddJob, is designed to surreptitiously keep an online banking session open after the user believes they have logged off of their bank’s site. And a new breed of malware can be used to hijack bank text messages, so that a user may think they are in an online chat with a bank employee when in fact they are providing information to someone who intends to steal from them.
Camp said technology to authenticate and protect mobile devices and apps from banking fraud malware is “getting better.” But devices still remain vulnerable to hackers. Because cell phones and tablets are often turned on and connected to a network all the time, they are particularly vulnerable to hacking. Once hackers get into a mobile device, they have software that “can sort of look around for financial transaction apps” and do a lot of damage, he said.
Ted Cornwell has covered the mortgage markets since 1990. He is a former editor of both Mortgage Servicing News and Mortgage Technology.