Online Fraud: New Victims, New Approaches

Education, Monitoring Needed to Protect Smaller Businesses, Banks

By Linda McGlasson, October 26, 2009.

Commercial banking customers continue to be the hot targets of online crime, as additional U.S. businesses report money stolen from their accounts following the FDIC's alert in late August.

Among the recent incidents: In mid-September, fraudsters siphoned $150,000 from a fuel company in Maine, while earlier this month hackers diverted approximately $77,000 from the group that runs a former Air Force base in New Hampshire.

"It's clear that a wide education campaign is needed on this [threat]," says Doug Johnson, Senior Policy Analyst at the American Bankers Association. "Community banks need to be aware it is attacking them as well as the large banks."

The Latest Victims

Over the past year, the FDIC says, it has detected an increase in the number of reports of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.

In mid-September, Downeast Energy and Building Supply of Brunswick, Maine, found its bank account compromised by hackers from Eastern Europe in a sophisticated email scam. The heating fuel company says that 800 of its customers' checking accounts may have been exposed by the hackers, involving roughly $150,000. The hackers gained access to the bank account that the company uses to let customers pay for fuel with electronic transfers from their checking accounts.

The scam began with a spear phishing email to a Downeast employee that looked to be from the company's bank, KeyBank. A link in the email took the employee to a web site that was identical to the bank's. Once the company's user name and password were entered on the bogus site, the credentials were sent to the hackers, who used them to move the $150,000 out of the company's account at the bank.

Then, on Oct. 1, the Pease Development Authority (PDA), responsible for redeveloping the former Pease Air Force Base in Portsmouth, N.H., said hackers removed approximately $77,000 in 10 fraudulent transfers to eight different banking institutions.

"This stuff is happening all across the country," said Art Nickless, chairman of the PDA Board, to the Portsmouth, NH Herald. "But as far as we're concerned, over half the money has been returned, and the question now is how did it happen?"

The Need for Education

The message to banking institutions is: The threat is ongoing and real, and so is the need to further educate small-to-midsize businesses.

Elaine Dodd, head of the Fraud division at the Oklahoma Bankers Association, has crisscrossed her state for months, holding workshops for bankers and businesses on what steps they can take to prevent these attacks. And the efforts have started to pay off: A recent attempt to obtain a company's account ID and password was thwarted after an ACH transaction was stopped.

Dodd says she hears from her banks, "What can we do to limit exposure to ACH batch fraud?" Defense requires a multi-pronged approach, she says. "First, since the initial point of compromise resides with your customer (malware or virus on their computer), the first step should be education of your customers who make ACH batch payments," Dodd says.

Customers need to be aware of the hazards of clicking on hyperlinks in e-mails from unknown sources and of pop-up boxes purporting to be from their financial institution. "For this reason, staff should never open e-mails from anyone they do not know or have a reason to trust," she says.

Antivirus software alone is no protection in many instances. "Many of our banks are now doing training at the retail customer level to acquaint them with frauds of which they need to be aware," Dodd notes. She tells them they should also understand that these crimes are not a rarity and are occurring with regularity even in Oklahoma.

Dodd says one place for businesses to start is to have a dedicated computer for their online banking transactions. "[Then] there is no ability to surf the net or click on bad hyperlinks on that computer," she says. "I ask retailers, 'What's the price of a dedicated computer compared to thousands of dollars lost in a scam?'"

Banks that are the originating deposit financial institution (ODFI) should make every effort to protect their ACH batches. "Implementing a higher level of multi-factor authentication is a positive step. Explore with your software vendors reports that would show activity out of the norm for ACH customers," she says.
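One way to build the out-of-norm reports Dodd describes, as an added example that is not code from the article, the ABA or any bank or software vendor: summarise each originator's past batches into a baseline (known receiving accounts, largest batch total, most entries, most distinct receiving banks), then flag a new batch that mostly pays never-before-seen accounts, fans out to more receiving banks than usual, or exceeds the historical total or entry count. The `AchEntry` record, the `RTN-nn` routing-number placeholders, the thresholds and the sample batches are all constructed for illustration; the suspicious batch mirrors the ten-transfer, eight-bank pattern reported in the Pease case.

```python
"""Flag ACH batches that deviate from an originator's historical pattern.

Added example; the record layout, sample data and thresholds are constructed
for illustration and are not any bank's or vendor's real logic.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AchEntry:
    batch_id: str
    originator: str       # the ODFI customer that submitted the batch
    receiving_rtn: str    # routing number of the receiving bank (RDFI); placeholder values
    receiving_acct: str   # receiving account number; placeholder values
    amount: float


@dataclass
class Baseline:
    known_payees: set = field(default_factory=set)   # (rtn, acct) pairs seen in past batches
    max_batch_total: float = 0.0
    max_entries: int = 0
    max_distinct_rdfi: int = 0


def group_batches(entries):
    """Group flat entries into batches, preserving first-seen order."""
    batches = defaultdict(list)
    for e in entries:
        batches[e.batch_id].append(e)
    return list(batches.values())


def build_baseline(history):
    """Build one Baseline per originator from its historical batches."""
    bases = defaultdict(Baseline)
    for batch in group_batches(history):
        b = bases[batch[0].originator]
        b.known_payees.update((e.receiving_rtn, e.receiving_acct) for e in batch)
        b.max_batch_total = max(b.max_batch_total, sum(e.amount for e in batch))
        b.max_entries = max(b.max_entries, len(batch))
        b.max_distinct_rdfi = max(b.max_distinct_rdfi, len({e.receiving_rtn for e in batch}))
    return bases


def score_batch(batch, base, new_payee_ratio=0.5, total_multiplier=1.5):
    """Return the rule names a batch trips, in fixed order; [] means within norm."""
    flags = []
    total = sum(e.amount for e in batch)
    unseen = [e for e in batch if (e.receiving_rtn, e.receiving_acct) not in base.known_payees]
    distinct_rdfi = len({e.receiving_rtn for e in batch})
    if unseen and len(unseen) / len(batch) >= new_payee_ratio:
        flags.append("mostly_new_payees")      # most entries go to accounts never paid before
    if distinct_rdfi > base.max_distinct_rdfi:
        flags.append("rdfi_spread")            # fans out to more receiving banks than ever before
    if total > total_multiplier * base.max_batch_total:
        flags.append("total_over_norm")        # dollar total well above the historical maximum
    if len(batch) > base.max_entries:
        flags.append("count_over_norm")        # more entries than any previous batch
    return flags


def review_batches(history, new_entries):
    """Map each new batch id to its flags. An originator with no history trips every rule,
    which is the intended behaviour for a first-ever batch."""
    bases = build_baseline(history)
    results = {}
    for batch in group_batches(new_entries):
        base = bases.get(batch[0].originator, Baseline())
        results[batch[0].batch_id] = score_batch(batch, base)
    return results


# Constructed history: a business paying the same four payroll accounts at two banks,
# plus one vendor, with batch totals between $12,000 and $13,500.
HISTORY = [
    AchEntry("H1", "ACME", "RTN-01", "A1", 3000), AchEntry("H1", "ACME", "RTN-01", "A2", 3100),
    AchEntry("H1", "ACME", "RTN-02", "A3", 2900), AchEntry("H1", "ACME", "RTN-02", "A4", 3000),
    AchEntry("H2", "ACME", "RTN-01", "A1", 3000), AchEntry("H2", "ACME", "RTN-01", "A2", 3100),
    AchEntry("H2", "ACME", "RTN-02", "A3", 2900), AchEntry("H2", "ACME", "RTN-02", "A4", 3200),
    AchEntry("H3", "ACME", "RTN-01", "A1", 3000), AchEntry("H3", "ACME", "RTN-01", "A2", 3100),
    AchEntry("H3", "ACME", "RTN-02", "A3", 2900), AchEntry("H3", "ACME", "RTN-02", "A4", 3000),
    AchEntry("H3", "ACME", "RTN-03", "V1", 1500),
]

# Constructed new batches: N1 is a normal payroll run; N2 is ten $7,700 transfers to
# eight different receiving banks, all to accounts never paid before ($77,000 total).
NEW = [
    AchEntry("N1", "ACME", "RTN-01", "A1", 3000), AchEntry("N1", "ACME", "RTN-01", "A2", 3100),
    AchEntry("N1", "ACME", "RTN-02", "A3", 2900), AchEntry("N1", "ACME", "RTN-02", "A4", 3100),
] + [
    AchEntry("N2", "ACME", f"RTN-{10 + (i % 8)}", f"X{i}", 7700) for i in range(10)
]

if __name__ == "__main__":
    for batch_id, flags in review_batches(HISTORY, NEW).items():
        print(batch_id, "HOLD FOR REVIEW" if flags else "ok", flags)
```

The thresholds are a starting point, not a standard; the point is that an originator's own history is the norm, so a batch that looks nothing like that history is held for out-of-band confirmation with the customer before the ODFI releases it, rather than relying on the login credentials alone.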

Malware such as the Zeus Trojan is being used in many of these attacks. "It is a troubling, nasty piece of malware," says the ABA's Johnson, "and this type of attack is not going away anytime soon."

The Need for Monitoring
