Types of Fraud and Security Attacks
Types of Fraud

Understanding how fraud affects your business is an important step in preventing it. Here are some of the common methods fraudsters use. It’s important to note that multiple techniques are often used in a single fraud attempt.

Social Engineering:

Social engineering techniques are designed to manipulate you into performing actions or divulging confidential information by making you believe you are dealing with a known, trustworthy, or official source. Social engineering can occur via emails (called “phishing”), text messages, web browser pop-up windows, or even telephone calls.

Social engineering is most frequently used to deceive you into opening an email attachment or link, or clicking on a pop-up window, that will in turn cause malware to be installed on your computer (see below). Alternatively, you might be directed to a fake website where you’re asked to provide confidential information such as account numbers, passwords, balance information, or even your Social Security number. These messages often take one of the following forms:

  • A warning about unauthorized access or fraudulent activity on your account
  • A threat to suspend or deactivate your account
  • A notice that a recent wire or ACH transaction has been rejected or cancelled
  • A notice from the US Postal Service, UPS, or FedEx of a failed package delivery
  • An offer of a reward for completing a survey

Sophisticated social engineering schemes targeting businesses are a growing threat. The fraudster impersonates a senior company manager, such as the president, CEO, or board chairman, and instructs an unsuspecting employee via email to initiate a wire transaction to a party in a foreign country. The fraudster may have gained access to the senior company official’s email, or may have created a new email account imperceptibly different from the legitimate account. Extreme urgency and an emphasis on confidentiality are other techniques the fraudster uses to encourage the employee to complete the transaction.

Cyber Account Takeover via Malware:

Malware is a malicious software program that gets installed on your computer without your consent. Once installed, it can record your keystrokes (to capture passwords), re-direct your browser, display fake pop-up messages, or allow a hacker to take control of an online banking session and initiate outgoing wire or ACH transactions – all without you being aware of what’s happening.

Malware may be hidden within an email attachment, a hyperlink within an email, or an infected document, image, or other type of file. Drive-by malware downloads may happen when visiting a malicious or vulnerable website or social media site, or by clicking on a deceptive pop-up window.

Email Account Breach:

Public email services such as Gmail®, Yahoo®, Hotmail® and the like are more vulnerable to being breached. Once a fraudster has access to a business email account, a wealth of information is available to them to perpetrate a fraud.

  • Saved emails provide the fraudster with vendor information, employee correspondence and the like which they can “forward” or copy, giving legitimacy to a request to an unsuspecting recipient for confidential information or to initiate a transaction (read more about vendor fraud below).
  • Stored contacts may allow the fraudster to communicate with the company’s banking, payroll, or other financial services provider representatives.

Because public email services are quick, easy, and free, a fraudster can create a new email account that is imperceptibly different from that of your business – then use this fake email account as part of a social engineering scheme. For example, a legitimate email address of ABCAdditives@hotmail.com could be faked as ABCAdditive@hotmail.com.

Invoice/Vendor Fraud:

This type of fraud scheme is impacting businesses in the U.S. and worldwide, resulting in billions of dollars lost. It involves making a payment to what appears to be a legitimate vendor or supplier – but the payment is diverted to another, unintended recipient. There are several ways this type of fraud is perpetrated; but all result in a payment request that appears to come from a vendor you know and trust:

  • A fraudster, impersonating a vendor, requests that you change the payment instructions you have on file for them – thereby diverting future payments to the fraudster’s account. The request could come via phone, email, or letter.
  • A hacker breaches your email system, and studies the pattern of payment requests received by your Accounts Payable department. The hacker then creates a fraudulent invoice that appears legitimate, except for subtle changes to the payment instructions.
  • A hacker breaches your vendor’s Accounts Receivable system and generates a fraudulent invoice or payment request.

Check Fraud:

Checks remain the most often-targeted payment method by fraudsters. In fact, check fraud accounts for the largest financial losses across all types of fraud. The information needed to commit check fraud is readily available on any legitimate check payment. Checks are intercepted in the mail; or payroll or vendor checks may be “sold” to fraudsters. The American Bankers Association states that an average of 1.2 million fraudulent checks enter the banking system every day, and check fraud losses are growing by 2.5% annually, despite declining check usage.

Fraud protection regulations for commercial accounts differ significantly from consumer accounts. A business has a very short window (next business day) to reject an unauthorized check posted to its account and ensure the funds are recovered. Due to this very short return window, Positive Pay services are the ONLY effective protection against check fraud losses.

 

Check Fraud Variations:

  • Alteration – Changing the check amount or payee name in an undetectable manner. Mobile check deposit technology further facilitates altered check fraud, because the paper check is not examined by a bank teller.
  • Counterfeit – Fictitious check created using the victim’s account number and bank routing number.
  • Forged Signature – Legitimate blank check stock is stolen and the authorized signature is forged on the face of the document.
  • Forged Payee Endorsement – A check is intercepted and cashed by forging the payee’s endorsement on the back of the document.

Check stock security features, while important, only help protect against check alterations, not counterfeits. A fraudster only needs a valid account number and associated bank routing number (easily obtained from public sources) in order to create a counterfeit check that will successfully post to an account.

Counterfeit checks in particular are used in a variety of consumer fraud scams. Fraudsters exploit the “float” period by enticing a fraud victim to cash or deposit a counterfeit check and wire the funds to a third party before the check is returned for fraud. Fraudsters use various social engineering tactics to convince the victim that the counterfeit check is legitimate.
