Online bank frauds—in which hackers use employees’ bank passwords to transfer funds out of a company’s accounts—don’t seem to be letting up. In fact, criminals keep coming up with new variations on the frauds.
“We’re just in a constant cat and mouse game,” said George Tubin, senior security strategist at security software firm Trusteer, a unit of IBM. “The banking industry has gotten better in general at improving their defenses, and the criminals have also gotten better at improving their attack methods.”
“A lot of the fraud is moving to the call center,” said Avivah Litan, a vice president and distinguished analyst at Gartner Research. “As the online channel gets more controls, bad guys are starting to move into using the [bank’s] call center.”
Criminals will phone the call center pretending to be the owner of the bank account and asking to change information on the account, such as adding a signatory or changing an address, Litan said. They may also try to extract information about the account.
“The trend is really social engineering of employees,” she said. “That’s where it’s moving—more social engineering of nice people trying to help out their customers.
“People are really the weakest link, and that’s where you see the attacks going,” she added.
Hackers are also leveraging the relationship between companies and their suppliers. In December, the FBI’s Seattle office issued a warning about a “man-in-the-email” fraud that it said had hit at least three companies in Washington state, resulting in total losses of $1.65 million. Hackers would intercept emails between a company and its suppliers. Then they’d send the company an email, supposedly from one of its suppliers, asking it to send payments to a new bank account, one controlled by the criminals.
Greg Litster, president of SafeCheck, cited a related fraud he’s been hearing about recently in which hackers access a company’s accounts receivable database to identify vendors that are due to receive a big payment. The hackers then notify the company that the vendor has changed its bank and provide a new account number.
Jason Hart, a vice president of cloud solutions at information security company SafeNet and a former ethical hacker, says companies put too much faith in passwords.
“Generally there’s a misconception that because they have a password they’re secure, and even more of a misconception that if the password is long and complicated, it can’t be breached,” Hart said.
Criminals have many ways to uncover or elicit passwords, many of them involving social engineering, Hart said.
“They can physically email an individual saying, ‘I’m XYZ Bank. Please click on this link,’” Hart said. “They’re doing it via phone calls, ringing [companies] up and posing to be the bank. They’re doing it via text message as well.”
The information people post on social media helps hackers figure out passwords, he said.
Hackers may also harvest employees’ bank passwords by planting malware on company computers. Businesses can minimize this risk by completing all online banking transactions on a dedicated PC that isn’t ever used for email or accessing the Internet, Litan said. But few companies have adopted that practice, she said. “It’s too inconvenient.”
Companies should be using dual authentication, Hart said. “You need true two-factor authentication where you’re using a device or app that generates a random one-time password.”
Trusteer’s Tubin argued that the solution to fraud is “a layered security framework,” rather than any single security safeguard.
“There’s no such thing as a silver bullet,” he said. “The more layers an institution has, the better off they’re going to be. If the criminal finds a way to bypass the first and second and third [layers of security], you have a fourth and fifth to help you.”
Larger banks, because of their financial resources and know-how, are better equipped to put together such layered security than smaller banks, Tubin said. “I think we are seeing fraud move down market, to the smaller and midsize banks that haven’t caught up to where the largest banks are now,” he added.
Online bank fraud, which is most often aimed at small and midsize companies, is particularly devastating because corporate bank accounts don’t have the same protection under the law as consumer accounts. The company whose account has been raided may end up eating the loss.
Some organizations that have lost money via such frauds have sued their banks, but the results of those lawsuits have been mixed. In 2011, a court ordered Comerica Bank to repay Experi-Metal $561,000 that fraudsters had wired out of the company’s account.
But in 2013, a court ruled that BancorpSouth wasn’t liable for the $440,000 wired out of Choice Escrow’s account because despite the bank’s recommendation, Choice Escrow refused to use dual authorization on wire transfers, and that played a role in the fraud. Choice Escrow is appealing the verdict, but Tubin said businesses should take note.
“It’s a kind of warning to business customers,” he said. “If your bank offers you something and you decline, that could be the straw that breaks the camel’s back.”
Companies that aren’t willing to follow their bank’s security recommendations should consider switching banks, Tubin said. “If it’s something you don’t want to do, go to a different bank that doesn’t require it,” he said. “At that bank, you’ve given up any right to a claim if fraud does happen.”
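The two controls the article keeps returning to, a hold on any payment whose bank details differ from the vendor record until the change is confirmed by a call to a number already on file (the defence against the “man-in-the-email” and “vendor changed its bank” frauds described earlier), and dual authorization so that the person who keyed a wire cannot release it alone, can be expressed as a small piece of payment-release logic. The block below is an added illustration written for this page; it is not code from any bank, vendor or firm quoted in the article, and every class, field and function name in it (Vendor, WireRequest, WireControl, release, confirm_change_out_of_band) is an assumption for the example, as are the sample vendor and account values.

```python
# Added example (not from the article or any firm it quotes): a minimal
# wire-release control applying two safeguards discussed on the page:
#   1. a hold on payments whose destination differs from the vendor record
#      until the change is confirmed out of band via the phone number on file;
#   2. dual authorization, so the initiator cannot release a wire alone.
# All names and sample values are assumptions constructed for this illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    account: str        # account number on file, captured at onboarding
    routing: str
    phone_on_file: str  # verified at onboarding, NOT taken from any later email


@dataclass
class WireRequest:
    request_id: str
    vendor_id: str
    amount_cents: int
    account: str        # destination the requester keyed in (may come from an email)
    routing: str
    initiated_by: str
    approvers: set = field(default_factory=set)
    verified_by: Optional[str] = None   # who confirmed a changed destination by callback
    status: str = "pending"


class WireControl:
    def __init__(self, vendors):
        self.vendors = {v.vendor_id: v for v in vendors}
        self.audit = []  # (request_id, event) tuples; what an investigator would want later

    def _log(self, req, event):
        self.audit.append((req.request_id, event))

    def instructions_changed(self, req):
        """True when the keyed destination differs from the vendor record on file."""
        v = self.vendors[req.vendor_id]
        return (req.account, req.routing) != (v.account, v.routing)

    def confirm_change_out_of_band(self, req, verifier, number_dialed):
        """Record a callback confirming new bank details.
        Only a call to the number already on file counts: a number supplied in
        the same email that supplied the new account is under the sender's control."""
        v = self.vendors[req.vendor_id]
        if verifier == req.initiated_by:
            self._log(req, "verification rejected: initiator cannot verify own request")
            return False
        if number_dialed != v.phone_on_file:
            self._log(req, "verification rejected: number dialed is not the number on file")
            return False
        req.verified_by = verifier
        self._log(req, f"destination change confirmed by {verifier} via number on file")
        return True

    def approve(self, req, approver):
        """Second-person approval; the initiator's own approval never counts."""
        if approver == req.initiated_by:
            self._log(req, f"approval rejected: {approver} initiated the request")
            return False
        req.approvers.add(approver)
        self._log(req, f"approved by {approver}")
        return True

    def release(self, req):
        """Release only when both controls are satisfied; returns (released, reason)."""
        if self.instructions_changed(req) and req.verified_by is None:
            self._log(req, "held: destination differs from vendor record, unverified")
            return False, "held: new bank details need out-of-band verification"
        if not req.approvers:
            self._log(req, "held: no second approver")
            return False, "held: dual authorization requires a second approver"
        req.status = "released"
        self._log(req, "released")
        return True, "released"


def demo():
    """Walk a normal wire and a 'vendor changed its bank' wire through the control."""
    acme = Vendor("V100", "Acme Supply", "123456789", "021000021", "+1-555-0100")  # constructed
    ctl = WireControl([acme])

    # Payment to the account on file: held only until a second person approves.
    normal = WireRequest("W1", "V100", 250_000_00, "123456789", "021000021", "alice")
    first = ctl.release(normal)
    ctl.approve(normal, "alice")   # self-approval is ignored
    ctl.approve(normal, "bob")
    second = ctl.release(normal)

    # Same vendor, but an email says "we changed banks": destination differs from record.
    changed = WireRequest("W2", "V100", 250_000_00, "999999999", "021000021", "alice")
    ctl.approve(changed, "bob")
    held = ctl.release(changed)  # approved, but still held
    bad_call = ctl.confirm_change_out_of_band(changed, "carol", "+1-555-0199")  # number from the email
    good_call = ctl.confirm_change_out_of_band(changed, "carol", "+1-555-0100")  # number on file
    final = ctl.release(changed)
    return first, second, held, bad_call, good_call, final


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of the two checks is that each one blocks a different fraud from the article: the callback to the number on file defeats the intercepted-email account swap even when the email and the approver are both fooled, while the second approver means a single harvested password, or a single socially engineered employee, is not enough to move the money. The audit list is deliberately kept, since the "held" events are exactly the records a company would want when it later has to show its bank what controls it was using.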
Joseph Burton, a partner in the San Francisco office of law firm Duane Morris, cited other issues involved in the Choice Escrow appeal, including the question of how to weigh any negligence on the part of the customer. Very often, online bank frauds occur after the company’s computer system has been infected through a phishing attack, he noted.
“There’s an open question as to what actions of the customer could, in effect, outweigh the bank’s own negligence,” Burton said. “Even if we found the bank’s actions weren’t commercially reasonable, could we find that because of a certain level of customer negligence, it’s outweighed and the bank’s not going to be liable?”