Fraud Update: The 13 Hottest Schemes You Need to Prevent

From Credit Bust-Out to In-Session Phishing, Fraudsters Are Finding New Ways to Ply Old Tricks
The fraud fight is getting nastier by the minute, say experts familiar with the new schemes -- and some old ones with new wrinkles -- being perpetrated by criminals against financial institutions and their customers. Here are 13 of the most prevalent ruses.

#1 -- Credit Bust-Out Schemes

By definition, credit bust-out schemes are a combination of a credit problem and a fraud problem, although many organizations are not always sure where the losses sit -- or who might be the party responsible. How it works: According to Michael Smith, manager of the Fraud and Market Planning division at Lexis Nexis, consumers apply for credit from lenders using similar last names, oftentimes Eastern European or Balkan, in an intentional effort to capture financial access vehicles to cause delinquency.

What makes credit bust-outs especially difficult to prevent is that many of the applications come from consumers with low credit risk ratings, "so these people tend to look relatively good from the start," Smith explains. These individuals make good payments on time, ask to increase their credit line and seem legitimate; however, throughout the entire process they are thinking about how much money they can get from this bank before they 'bust out' and go delinquent.

The length of the fraud usually falls between six and 18 months. "This fraud is one of the biggest reasons banks are writing off losses," Smith argues. It is the most problematic emerging fraud issue today -- "even more so than true-name identity fraud, and is an issue that has increasingly hampered the industry over the past few years and one that is arduous to prevent, detect, and quantify," Smith says.

#2 -- Customer Loan Account Takeover

This type of fraud occurs online, and a recent case study related by Avivah Litan, distinguished analyst at Gartner Group, illustrates how customer loan account takeover happens. The case resulted in a $71,000 theft from a customer's loan account.

An online loan Web site gave a customer the ability to open demand deposit accounts (DDA), Litan explains, which were to be held as savings accounts that could only be opened and accessed via the Internet. "To open the account through the online loan application, a customer needed an existing relationship with another bank," Litan says. The customer would provide all the account information necessary for both banks to complete ACH transfers.

Prior to opening the account, the online loan application system would complete two test transactions and require the potential customer to confirm the exact dates and amounts of the transactions. "If the customer could not provide that confirmation, then it was thought to be attempted fraud, and the account relationships would be closed."

Once accounts were opened, a customer was able to transfer funds between the two accounts via ACH transfers. Fraud was possible because, after the initial account was opened and deposits were made, the customer was allowed to change the external bank account and continue to transfer funds.

Although the online loan system could verify control of external accounts, actual account ownership could not be confirmed. "The thief took advantage of this by taking over the customer's account and changing the external account it was linked to, even though the names of the account owners at the external financial institutions were no longer the same," Litan says. The crook was able to do this by using various ploys across customer channels. The criminal also compromised other accounts at the loan company, as was later determined by examining IP addresses that were accessing various accounts.

#3 -- Corporate Account Takeovers

Corporate account takeovers are becoming more prevalent, says Gartner's Litan. "Corporate banks are reporting that criminals are targeting their cash management customers and moving money out of their accounts via innocent consumer accounts," she says. The owners of those consumer accounts fall for phishing e-mails that promise lucrative commissions for participating in the schemes.

How it happens: The crook starts by stealing user IDs and passwords of cash management account owners, and by signing up random consumers via phishing attacks, asking them to accept money into their accounts and then transfer it to the criminal's offshore account while retaining a 5 percent commission. "Of course, the crooks use clever social-engineering techniques in their phishing e-mails to get consumers to sign up," Litan explains. After the groundwork has been laid, the crook simply goes into the corporate cash management account and transfers funds, using ACH fund transfer facilities, out of the corporate account to the phished consumer accounts. "The rest is history, and the victimized corporate cash management banks generally fail to recover the stolen funds," Litan notes. Strong customer authentication, fraud detection and transaction verification can significantly, if not dramatically, reduce the threat and damage caused by these crimes.

#4 -- Cross-Channel Call Center/Online CD Purchase Scam

A fraudster purchases multiple CDs (certificates of deposit) online from one bank, funded by ACH transfers from multiple compromised third-party accounts at other institutions, says Ori Eisen, former worldwide fraud director for American Express. How it happens: The perpetrator contacts the call center within 48 hours of the CD purchases to cancel the CDs and transfer the funds to yet another institution to liquidate. "Variable email addresses are used in an effort to mask identity," Eisen says. "Current procedures and safeguards at most financial institutions may not preclude the success of this type of cross-channel attack."

To resolve this threat, Eisen advises that all accounts be monitored for unknown device access, and that accounts with new or unknown device access be isolated and assigned an elevated risk score for monitoring. "The account access by an unknown device is best discerned utilizing device intelligence technology. Risk assessment based on velocity of activity seen coming from one unique device is a key metric to monitor," he explains. Eisen advises that all financial institutions search for similar activity of online CD account opening and cancellation via the call center.

#5 -- Wire Fraud Account Grooming

Financial institutions are exposed to very high levels of risk within their online wire transfer processes. "Traditional methods of detection are very labor intensive, yielding high false positive rates and low recovery of stolen funds," Eisen says.

Existing tactics and systems in place to minimize wire fraud, such as account activity restrictions and transaction anomaly systems, have begun losing their effectiveness. "Investigators are often reviewing over 800 suspicious wire transfers for every one legitimate case of fraud," Eisen says. "With an extremely low recovery rate due to the speed at which the funds transfer, banks need something to identify accounts being groomed for wire fraud long before the wires were executed."

To identify potential account grooming for wire fraud, Eisen suggests that link analysis be used to find accounts where unfamiliar devices have accessed account administration settings and made changes, such as address or phone number updates. "These suspicious accounts, once identified, should be monitored (spanning the pre-existing account activity restriction periods) for repeat account activity by unfamiliar devices," he explains. A pattern will emerge, providing a highly concentrated set of accounts, each with a strong probability of fraud should a wire transfer be executed.
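The two detection ideas Eisen describes for the CD scam and for wire-fraud grooming -- velocity of activity from one device, and link analysis for unfamiliar devices touching account administration settings -- can be expressed as a small batch job over account activity logs. The following is an added example written for this page, not code from Eisen or any product he describes; the event format, the "familiar device" aging rule, the one-hour window and the thresholds are assumptions, and the event log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the article).
AGING = timedelta(days=7)           # a device must be this old on an account to count as familiar
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3                  # distinct accounts touched by one device inside the window
ADMIN_ACTIONS = {"change_phone", "change_address", "change_email", "change_linked_account"}

# Constructed sample log: (timestamp, account, device id, action). dev-A is the long-standing
# device of acct-100; dev-Z appears out of nowhere and walks through four accounts in 15 minutes.
EVENTS = [
    ("2009-01-15T10:00:00", "acct-100", "dev-A", "login"),
    ("2009-03-01T09:00:00", "acct-100", "dev-A", "login"),
    ("2009-03-01T09:02:00", "acct-100", "dev-A", "view_balance"),
    ("2009-03-01T09:03:00", "acct-100", "dev-A", "change_email"),
    ("2009-03-02T22:10:00", "acct-100", "dev-Z", "login"),
    ("2009-03-02T22:11:00", "acct-100", "dev-Z", "change_phone"),
    ("2009-03-02T22:15:00", "acct-200", "dev-Z", "login"),
    ("2009-03-02T22:16:00", "acct-200", "dev-Z", "change_address"),
    ("2009-03-02T22:20:00", "acct-300", "dev-Z", "login"),
    ("2009-03-02T22:21:00", "acct-300", "dev-Z", "open_cd"),
    ("2009-03-02T22:25:00", "acct-400", "dev-Z", "login"),
    ("2009-03-03T08:00:00", "acct-200", "dev-B", "login"),
]


def parse(raw_events):
    """Parse ISO timestamps and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), acct, dev, act) for ts, acct, dev, act in raw_events)


def first_seen(events):
    """Earliest time each (account, device) pair appeared in the log (the log is assumed to cover history)."""
    seen = {}
    for ts, acct, dev, _ in events:
        seen.setdefault((acct, dev), ts)
    return seen


def unfamiliar_admin_changes(events):
    """Administration-setting changes made from a device not yet aged on that account."""
    seen = first_seen(events)
    return [(acct, dev, act) for ts, acct, dev, act in events
            if act in ADMIN_ACTIONS and ts - seen[(acct, dev)] < AGING]


def high_velocity_devices(events):
    """Devices touching VELOCITY_LIMIT or more distinct accounts within VELOCITY_WINDOW."""
    by_dev = defaultdict(list)
    for ts, acct, dev, _ in events:
        by_dev[dev].append((ts, acct))
    flagged = {}
    for dev, touches in by_dev.items():          # touches are already time-ordered
        for i, (t0, _) in enumerate(touches):
            accts = {a for t, a in touches[i:] if t - t0 <= VELOCITY_WINDOW}
            if len(accts) >= VELOCITY_LIMIT:
                flagged[dev] = max(len(accts), flagged.get(dev, 0))
    return flagged


def groomed_accounts(raw_events):
    """Link analysis: map each account to the reasons it should be isolated and monitored."""
    events = parse(raw_events)
    reasons = defaultdict(list)
    for acct, dev, act in unfamiliar_admin_changes(events):
        reasons[acct].append(f"{act} from unfamiliar device {dev}")
    hot = high_velocity_devices(events)
    for _, acct, dev, _ in events:
        if dev in hot:
            msg = f"device {dev} touched {hot[dev]} accounts within {VELOCITY_WINDOW}"
            if msg not in reasons[acct]:
                reasons[acct].append(msg)
    return dict(reasons)


if __name__ == "__main__":
    for acct, why in sorted(groomed_accounts(EVENTS).items()):
        print(acct, "->", "; ".join(why))
```

Two design choices matter here. A device counts as familiar only once it has been on the account longer than an aging period, which is what lets the check span the "pre-existing account activity restriction periods" Eisen mentions rather than treating the attacker's own first login as history. And the velocity signal is attached to every account the device touched, so accounts like acct-300 and acct-400, where no setting was changed yet, still land on the watch list.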

#6 -- In-Session Phishing

A relatively recent tactic used by fraud rings -- "in-session phishing" -- has emerged as one of the chief threats to secured online assets. These attacks exploit a vulnerability in the JavaScript engines of most leading browsers, including Internet Explorer, Firefox and even Google's Chrome, notes Eisen.

How it happens: A host website is injected with malware that acts as a parasite, monitoring visitors for open online banking sessions or sessions with similar protected sites (such as brokerage or retirement planning sites).

Using the JavaScript vulnerability, the parasite can identify which bank the victim currently has a session open with by checking for specific sites pre-programmed into the malware itself. "There are no limits to the volumes of URLs a website hosting the parasite can test from the victim's machine. The malware asks: 'is my victim logged onto this XYZ bank website' and their browser replies either yes or no," Eisen says.

Once any site from the list is confirmed to be "in session," a pop-up claiming to be from the bank issues a warning. Most warnings appear as time-out messages stating "For security purposes your banking session has been terminated. To continue your session please re-enter your username and password here (supplied link by fraudster)."

Once an unknowing victim complies, clicks the link and enters his/her credentials, the damage has been done and the attack was successful and the game is over - right?

In most cases a credential breach would be devastating for the victim, with the fraud rings quickly selling off the information or pillaging the victim's account. That holds because many financial institutions rely on cookies or tags to distinguish one device entering user credentials from another, and then count on fairly common (and easily answered by crooks) out-of-wallet questions to validate a new device attempting access.

However, simply by using a robust device ID technology -- which creates the equivalent of a device fingerprint for every machine attempting to log on to a bank's site -- coupled with historical negative lists of known bad devices, "financial institutions could render credential breaches using in-session or any other type of phishing attack useless to the fraudster," Eisen says.

The power lies in knowing what a suspicious or fraudulent attempt looks like upon log-in. "If you know a legitimate customer most always uses a device configured for local New York time and the language for this device is English, you would not provide unchallenged access to this account from a machine showing to come from China and having a default language set to Mandarin," Eisen says.

To further strengthen against future attacks, placing the device fingerprints gleaned from all known previous fraudulent attempts on a negative list effectively blocks devices with a history of fraud from ever gaining access to another user account.
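Eisen's three defensive ingredients -- a device fingerprint per machine, a per-customer profile of what a normal log-in looks like (his New York time zone and English language example), and a negative list of fingerprints from past fraud -- combine into a log-in risk decision. The following is an added example written for this page, not code from Eisen or from any device-intelligence product; the attribute set that goes into the fingerprint, the risk weights and the block threshold are assumptions, and the two device descriptions are constructed.

```python
import hashlib
import json

# Assumed risk weights (not from the article).
UNKNOWN_DEVICE = 40
TIMEZONE_MISMATCH = 30
LANGUAGE_MISMATCH = 30
BLOCK_THRESHOLD = 60

# Attributes that identify the machine. Time zone and language are deliberately left out:
# they are context signals a customer changes when travelling, not part of the device identity.
FINGERPRINT_KEYS = ("user_agent", "platform", "screen", "fonts")

# Constructed devices. The customer's usual laptop, and an attacker machine whose locale
# does not match the customer's profile.
CUSTOMER_DEVICE = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0", "platform": "Win32",
                   "screen": "1280x800", "fonts": "Arial,Verdana,Tahoma",
                   "timezone": "America/New_York", "language": "en-US"}
ATTACKER_DEVICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0", "platform": "Linux x86_64",
                   "screen": "1920x1080", "fonts": "DejaVu Sans,WenQuanYi",
                   "timezone": "Asia/Shanghai", "language": "zh-CN"}


def fingerprint(attrs):
    """Stable fingerprint: SHA-256 over the canonical JSON of the identifying attributes."""
    ident = {k: attrs.get(k, "") for k in FINGERPRINT_KEYS}
    canonical = json.dumps(ident, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DeviceRiskEngine:
    def __init__(self):
        self.negative_list = set()   # fingerprints tied to confirmed fraud, across all accounts
        self.profiles = {}           # account -> enrolled device fingerprints + expected locale

    def enroll(self, account, attrs):
        """Record a device after it has passed step-up authentication for this account."""
        profile = self.profiles.setdefault(
            account, {"devices": set(), "timezone": attrs["timezone"], "language": attrs["language"]})
        profile["devices"].add(fingerprint(attrs))

    def record_fraud(self, attrs):
        """Put the device behind a confirmed fraudulent attempt on the negative list."""
        self.negative_list.add(fingerprint(attrs))

    def assess(self, account, attrs):
        """Return (decision, reasons): 'allow', 'challenge' (step-up authentication) or 'block'."""
        fp = fingerprint(attrs)
        if fp in self.negative_list:
            return "block", ["device on negative list"]
        profile = self.profiles.get(account)
        if profile is None:
            return "challenge", ["no device history for account"]
        score, reasons = 0, []
        if fp not in profile["devices"]:
            score += UNKNOWN_DEVICE
            reasons.append("unknown device")
        if attrs.get("timezone") != profile["timezone"]:
            score += TIMEZONE_MISMATCH
            reasons.append(f"timezone {attrs.get('timezone')} differs from usual {profile['timezone']}")
        if attrs.get("language") != profile["language"]:
            score += LANGUAGE_MISMATCH
            reasons.append(f"language {attrs.get('language')} differs from usual {profile['language']}")
        if score >= BLOCK_THRESHOLD:
            return "block", reasons
        return ("challenge" if score else "allow"), reasons


def walkthrough():
    """Scripted sequence of log-ins; returns the list of decisions in order."""
    engine = DeviceRiskEngine()
    engine.enroll("acct-100", CUSTOMER_DEVICE)
    travelling = dict(CUSTOMER_DEVICE, timezone="Europe/London")
    # Attacker who has learned the victim's locale and mimics it; the hardware stays the same.
    spoofed = dict(ATTACKER_DEVICE, timezone="America/New_York", language="en-US")
    decisions = [engine.assess("acct-100", CUSTOMER_DEVICE)[0],   # allow
                 engine.assess("acct-100", travelling)[0],        # challenge: known device, new zone
                 engine.assess("acct-100", ATTACKER_DEVICE)[0],   # block: unknown device + locale mismatch
                 engine.assess("acct-100", spoofed)[0]]           # challenge: locale matches, device unknown
    engine.record_fraud(ATTACKER_DEVICE)
    decisions.append(engine.assess("acct-100", spoofed)[0])       # block: fingerprint now on negative list
    return decisions


if __name__ == "__main__":
    print(walkthrough())
```

The last two steps show why the negative list is keyed on the fingerprint rather than on the time zone or language: once the machine is listed from one fraudulent attempt, matching the victim's locale no longer buys the attacker a step-up challenge, which is the "useless to the fraudster" outcome Eisen describes.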

#7 -- ATM Network Compromises

The industry is seeing breaches at all stages in the payment process, including merchant terminals, the communication links between merchant acquirers, and (worst of all) core elements in ATM networks, according to Paul Kocher, Cryptography Research Institute's president and chief scientist. "Once the perpetrators have the contents of magnetic stripes and the corresponding PINs, the data is then sold to people who write the data onto counterfeit cards and drain customers' accounts," Kocher observes. Because other fraud targets are strengthening their defenses while ATM networks remain a soft target, "we're expecting ATM fraud losses to grow rapidly, and eventually financial institutions will be forced to switch the ATM infrastructure to chip cards," he predicts.

#8 -- Precision Malware Strikes

The most common defenses against malicious programs work by comparing programs against the signatures of known malware, says CRI's Kocher. As a result, attackers have learned that they can breach high-value targets' computer systems relatively easily, provided that their attack software does not spread so widely that antivirus companies get a copy and add it to their databases. "Attackers clearly have their crosshairs aimed at individuals with non-public information about publicly traded companies, sensitive government data, and systems involved in processing payment transactions," Kocher states.

#9 -- PIN-Based Attacks

For the past 10 years, Verizon Business has tracked metrics and statistics from IT investigative cases, including incident response, computer forensics and litigation support, across the globe. Verizon Business' just-issued 2009 Data Breach Investigation Report shows more electronic records were breached in 2008 than in the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, says Bryan Sartin, director of forensics and investigative response at Verizon Business.

Driving this explosion in compromised records are more sophisticated attacks, specifically targeting the financial sector. In fact, 2008 saw three of the world's largest known data compromises on record.

With many large individual compromises over the past two years, the value of payment card, check, and other forms of consumer data on the information black market is in rapid decline, says Sartin. "Just two years ago, magnetic-stripe sequences sufficient for counterfeit were priced at an average of $14 per record, while today that cost has dropped to as little as 20 cents," he says. "Cybercrime, it seems, chases the almighty dollar."

Last year showed a sharp increase in attacks targeting counterfeit sequences plus the corresponding cardholder PIN value, leading to the direct theft of consumer assets, Sartin notes. "The lead indicators of these types of crimes were not based on the conventional analysis of signature-based counterfeit fraud patterns to find common valid transaction points within legitimate spending histories. Instead, bank customers were suddenly reporting zero balances in checking and savings accounts, alleging fraudulent ATM withdrawals." As more and more similar complaints surfaced, it became easier to pinpoint the likely source of compromise, whether it be a bank, data processor, or payment gateway, Sartin says.

Verizon Business tracked at least three different techniques during 2008. Until recently, many PIN-based attacks were known to be possible, but no credible evidence of their use in a real-world incident had ever surfaced. That has since changed as attacks against PIN information are on the rise, setting the stage for more sophisticated forms of identity fraud.

#10 -- Account Manipulation

Aside from the five or six massive individual compromises that took place across the globe in 2008 is a vastly larger population of data breaches, also targeting financials, that garnered little public attention, Sartin notes. "Many of these involve unusually small populations of compromised records, yet massive fraud in terms of total dollar losses, resulting in significant impacts to the institutions affected. By and large, these cases appear in two forms: insider manipulation and application manipulation," he says.

Insider manipulation involves organized crime groups infiltrating a target financial entity, not through a systems-based intrusion but via its personnel, Sartin explains. "Most commonly targeted are individuals within the vendors utilized by financial entities - those entrusted with legitimate access for remote support purposes," he says. These cases do not always involve vendors; in many cases actual employees are infiltrated, often increasing the capabilities of the fraudsters.

Application manipulation is somewhat different and involves moderately sophisticated application-based attack techniques. It is common for ATM processors, credit and debit card issuers, brokerages, etc., to make Web-based portals available to customers for convenience. It is similarly common that PINs, usernames and passwords, and other privileged account values can be modified online through these portals by the customer, Sartin observes. For the past year, Verizon Business has tracked a rapidly escalating trend "where organized crime groups are increasingly targeting these online application interfaces in an attempt to identify weaknesses in the underlying code that can be exploited for the purposes of account manipulation and fraud," he says. In most cases, these code weaknesses are previously unknown vulnerabilities, unique to that individual company, that cannot be identified through common security scanning tools. The perpetrators put a considerable amount of time and effort into testing for these exposures and then exploiting them, paving the way for fraud impacts very similar to those seen in insider manipulation.

#11 -- Fraud Pattern Changes

Fraud patterns changed dramatically in 2008 as a result of both a reduced percentage of successful fraudulent transactions and the arrest of individuals involved in organized fraud activity, says Verizon Business' Sartin. The new fraud patterns can be divided into two categories: random fraud patterns and global ATM transactions.

Random fraud patterns used by organized fraud groups involve purchases similar to those seen prior to 2008, but in a random pattern. "In 2008, the fraudsters have adapted to completely random fraudulent purchases to make pattern identification much more difficult," he notes. The fraudsters began showing up at random stores in random time patterns to make identification of a pattern difficult or impossible. "No two purchases would be made at the same merchant location in a several month period. No pattern of purchases at each exit as a group drives up a highway. The purchases were at the same chain merchant stores of the same items, but now in a random pattern," he explains.

Global ATM transactions involve hundreds or thousands of ATM transactions occurring around the world in a very short period of time, similar to what happened in the RBS ATM theft of $9 million in November 2008. In previous years, organized ATM transaction fraud was not considered a major fraud concern due to the protection of the PIN in these transactions. The recent frequency of data compromises involving PINs has increased the dollar losses associated with ATM fraud dramatically, leading to an increase in high-dollar, high-volume ATM fraud attacks. "These attacks require a sophisticated organized group to perform hundreds or thousands of ATM transactions simultaneously at multiple locations around the world," Sartin notes. In several instances, these high-volume attacks also involve account manipulation at the same time. "In these attacks, the fraudsters have obtained hundreds of thousands or millions of dollars before the attack is recognized and preventive measures can be enacted," he says.
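The global ATM pattern Sartin describes has a simple geometric signature that a card issuer's authorization stream can be checked for: one card cannot physically be in several countries within minutes, and a fleet-wide burst of withdrawals across many countries from many cards at once is not normal traffic. The following is an added example written for this page, not code from Verizon Business or from any issuer; the 30-minute window and both thresholds are assumptions, and the withdrawal records (a little normal traffic plus a constructed burst of 12 cloned cards in six countries) are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the article).
WINDOW = timedelta(minutes=30)
CARD_COUNTRY_LIMIT = 2     # one card in more than this many countries inside WINDOW is impossible travel
FLEET_CARD_LIMIT = 10      # a burst needs at least this many distinct cards ...
FLEET_COUNTRY_LIMIT = 5    # ... withdrawing in at least this many countries inside WINDOW

# Constructed withdrawal records: (ISO timestamp, card id, ATM country, amount).
WITHDRAWALS = [
    ("2008-11-08T10:05:00", "card-001", "US", 200.0),
    ("2008-11-08T11:20:00", "card-002", "US", 60.0),
    ("2008-11-08T12:00:00", "card-003", "CA", 100.0),
]
_BASE = datetime(2008, 11, 8, 15, 0, 0)
_COUNTRIES = ["US", "CA", "GB", "IT", "HK", "JP"]
for k in range(12):                                   # 12 cloned cards, each cashed out in 6 countries
    for j, country in enumerate(_COUNTRIES):          # all 72 withdrawals land inside 21 minutes
        WITHDRAWALS.append(((_BASE + timedelta(minutes=k + 2 * j)).isoformat(),
                            f"clone-{k:02d}", country, 500.0))


def parse(rows):
    """Parse timestamps and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), card, country, amt) for ts, card, country, amt in rows)


def multi_country_cards(rows):
    """Cards used in more than CARD_COUNTRY_LIMIT countries inside one WINDOW, with the countries seen."""
    by_card = defaultdict(list)
    for ts, card, country, _ in parse(rows):
        by_card[card].append((ts, country))
    hits = {}
    for card, uses in by_card.items():
        for i, (t0, _) in enumerate(uses):
            countries = {c for t, c in uses[i:] if t - t0 <= WINDOW}
            if len(countries) > CARD_COUNTRY_LIMIT:
                hits[card] = hits.get(card, set()) | countries
    return hits


def worst_burst(rows):
    """Largest WINDOW-sized burst (start, distinct cards, distinct countries, total amount) that
    clears both fleet thresholds, or None if the stream contains no such burst."""
    events = parse(rows)
    best = None
    for i, (t0, _, _, _) in enumerate(events):
        slab = [e for e in events[i:] if e[0] - t0 <= WINDOW]
        cards = {e[1] for e in slab}
        countries = {e[2] for e in slab}
        if len(cards) >= FLEET_CARD_LIMIT and len(countries) >= FLEET_COUNTRY_LIMIT:
            candidate = (t0, len(cards), len(countries), sum(e[3] for e in slab))
            if best is None or candidate[1] > best[1]:
                best = candidate
    return best


if __name__ == "__main__":
    for card, countries in sorted(multi_country_cards(WITHDRAWALS).items()):
        print(card, "seen in", sorted(countries))
    print("burst:", worst_burst(WITHDRAWALS))
```

The per-card check catches each clone on its own, but the fleet-level check is the one that matters for the "recognized before preventive measures can be enacted" problem: it fires on the first window in which the burst is visible, before any single cardholder has had time to report a zero balance.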

#12 -- Foreclosure Prevention Schemes

This doesn't hit a financial institution directly, but if an institution holds mortgages for "troubled" homeowners, this is a scheme you need to be on the lookout for, says Denise James, market planning director for Lexis Nexis' Residential Mortgage Solutions. These foreclosure prevention schemes generally involve fraudsters posing as professional, knowledgeable foreclosure specialists. Homeowners facing the threat of foreclosure and nearing eviction are contacted by these "foreclosure specialists," who promise to work out their loan problems or buy their home and offer the homeowners tenancy. "Unfortunately for the homeowner, the fraudster has no intention of following through with these promises and instead will manipulate the homeowner into deeding the property to them," James says.

Once the fraudster obtains the signed documents, a false lien release is generally filed or leveraged to secure funds from a fabricated sale or refinance on the property. In many cases, the homeowner is under the belief that they will rent the property for a period of time until they are in a better position to regain ownership rights, James notes. The fraudster continues to accept payments made by the homeowner while selling the property, absconding with the funds, and eventually evicting the homeowners. "Perpetrators of this type of fraud often move from town to town, sizing up their opportunities, quickly scamming as many homeowners as possible, inflicting costly damages, and then moving on to the next location," says Jennifer Butts, director of operations at the Mortgage Asset Research Institute.

#13 -- Builder Bail-Out Fraud

This fraud involves securing funds for condominium conversion or planned community development properties that, unbeknownst to the investor (financial institution), will not be completed, says Butts of the Mortgage Asset Research Institute. The scams entail multiple purchases from would-be investors or false identities on fabricated loan transactions. "Investors are lured by photos or inspections of a few converted units used as models with promises of further rehabilitation of remaining units. Once the contracts are in place, the fraud continues as the perpetrator secures funding for the contracts," Butts explains. However, she adds, no additional work is done and the investors and lenders are left with incomplete and, in some cases, uninhabitable dilapidated buildings.

About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
