Sunday, June 7, 2009

Classic Fraud: 6 Scams That Don't Go Away

From Check Fraud to Phishing, All the Old Tricks are Back with a Vengeance

Bank fraud has evolved over the last several years, but some classic variations keep financial institutions busy.

Here are six old fraud tricks that are back with new twists to bedevil fraud departments and information security professionals.

Check Fraud

Last week, New York indicted 18 people in a massive check counterfeiting ring that cashed more than $1 million worth of checks at major New York City banks. This case causes even the best fraud departments in financial institutions to check their own programs and safeguards.

Attempted check fraud at U.S. banks totaled $12.2 billion in 2006, according to the latest biennial survey conducted by the American Bankers Association (ABA). Bank prevention systems caught 92 percent or $11.2 billion of check fraud attempts.

Precautions: Employee training is still one of the most effective security measures against check fraud. Other prevention systems include signature verification, screening of new accounts, "positive pay" systems (a computerized check number matching program between banks and corporate customers), special check stock (watermarks, micro-printing and/or holograms) and "touch signature" fingerprint programs for cashing non-customers' checks.

Elderly and Immigrant Identity Fraud

Financial institutions' mortgage and loan officers need to pay attention to this kind of fraud. While not new, elderly and immigrant fraud is regaining popularity, especially in the age of identity theft. This is currently happening in some reverse mortgage situations. Similarly, some immigrants who rent properties are discovering that their identities have been used on fabricated loan transactions.

A simple inquiry about a loan product that leverages investment or rental properties can be enough to obtain information for use on fabricated loan transactions. As foreclosure scams also continue to proliferate, loan officers need to keep track of those homeowners, making sure they don't fall prey to these scavengers.

ATM Fraud/Skimming

This type of fraud made it into President Barack Obama's speech announcing his cybersecurity initiative, when he said "thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes." The big question is: Can it happen at your institution?


Phishing

Phishing continues to change and grow, and crimeware (what used to be called malware) is also growing. There is a notable tendency for phishing to become more technical -- for example, using advanced obfuscation to combat anti-spam techniques. At the same time, crimeware is becoming increasingly reliant on social engineering. Trojan horses commonly use clever social engineering techniques to improve their success rates. Bad guys have been devastatingly effective at tricking end users into installing malware and divulging personal information, but their methods for monetizing this data have been fairly crude. This is starting to change, however, and brokerage accounts are an area of particular concern.


Vishing

The increased number of "vishing" -- or phone-based phishing -- scams hitting regions is cause for alarm. In the last week, five different regions of the USA have been hit by phishers using phone calls to solicit information about the person's credit union or bank account:

• New England Federal Credit Union in Williston, VT reported that a vishing scam hit residents, and the Heritage Family Credit Union in Rutland, VT also reported a similar scam.

• Customers of the Forward Financial Credit Union in Niagara, WI and the River Valley Bank in Iron Mountain, MI received calls last week from fraudsters asking for account information.

• Asheville Savings Bank, Asheville, NC was alerted last week by its customers that a vishing scam targeting area residents was trying to get debit card numbers.

• The final vishing scam of last week targeted all 22,000 residents of Guilford, CT. The calls started coming on May 24. In the Guilford case, the automated call was a female voice claiming to be from Guilford Savings Bank. It prompted those on the other end of the line to enter bank card and PIN numbers, along with their card's expiration date.

Insider Threat

The threat of a trusted employee or vendor taking sensitive information is not new, but the ways that insiders are getting to the juicy data or dollars are changing. Collusion is the new way insiders are getting sensitive data.

To put it into context: of the people who stole information with the intent to sell it, more than half were recruited to do so by parties outside of the organization. When fraud involved insiders, half of those cases involved another insider.
