Types of Fraud and Security Attacks
Understanding how fraud affects your business is an important step in preventing it. Here are some of the common methods fraudsters use. It’s important to note that multiple techniques are often used in a single fraud attempt.
Social Engineering:
Social engineering techniques are designed to manipulate you into performing actions or divulging confidential information by making you believe you are dealing with a known, trustworthy, or official source. Social engineering can occur via emails (called “phishing”), text messages, web browser pop-up windows, or even telephone calls.
Social engineering is most frequently used to deceive you into opening an email attachment or link, or clicking on a pop-up window, that will in turn cause malware to be installed on your computer (see below). Alternatively, you might be directed to a fake website where you’re asked to provide confidential information such as account numbers, passwords, balance information, or even your Social Security number. These messages often take one of the following forms:
- A warning about unauthorized access or fraudulent activity on your account
- A threat to suspend or deactivate your account
- A notice that a recent wire or ACH transaction has been rejected or cancelled
- A notice from the US Postal Service, UPS, or FedEx of a failed package delivery
- An offer of a reward for completing a survey
Sophisticated social engineering schemes targeting businesses are a growing threat. The fraudster impersonates a senior company manager, such as the president, CEO, or board chairman, and instructs an unsuspecting employee via email to initiate a wire transaction to a party in a foreign country. The fraudster may have gained access to the senior company official’s email, or may have created a new email account imperceptibly different from the legitimate account. Extreme urgency and an emphasis on confidentiality are other techniques the fraudster uses to encourage the employee to complete the transaction.
Cyber Account Takeover via Malware:
Malware is a malicious software program that gets installed on your computer without your consent. Once installed, it can record your keystrokes (to capture passwords), redirect your browser, display fake pop-up messages, or allow a hacker to take control of an online banking session and initiate outgoing wire or ACH transactions – all without you being aware of what’s happening.
Malware may be hidden within an email attachment, a hyperlink within an email, or an infected document, image, or other type of file. Drive-by malware downloads may happen when visiting a malicious or vulnerable website or social media site, or by clicking on a deceptive pop-up window.
Email Account Breach:
Public email services such as Gmail®, Yahoo®, Hotmail® and the like are more vulnerable to being breached. Once a fraudster has access to a business email account, a wealth of information is available to them to perpetrate a fraud.
- Saved emails provide the fraudster with vendor information, employee correspondence and the like which they can “forward” or copy, giving legitimacy to a request to an unsuspecting recipient for confidential information or to initiate a transaction (read more about vendor fraud below).
- Stored contacts may allow the fraudster to communicate with the company’s banking, payroll, or other financial services provider representatives.
Because public email services are quick, easy, and free, a fraudster can create a new email account that is imperceptibly different from that of your business – then use this fake email account as part of a social engineering scheme. For example, a legitimate email address of ABCAdditives@hotmail.com could be faked as ABCAdditive@hotmail.com.
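A defender-side check for the lookalike-address trick just described, added here as an example (it is not the bank's tooling). The trusted-sender list and the sample senders are constructed; abcadditives@hotmail.com is the legitimate address used in the text above.

```python
# Added example (not from the bank): flag incoming sender addresses that are
# near-misses of a known, trusted address. The trusted list is constructed;
# abcadditives@hotmail.com is the legitimate address used in the text above.
from typing import Iterable, Optional, Tuple

TRUSTED_SENDERS = {
    "abcadditives@hotmail.com",   # legitimate address from the example above
    "billing@acme-supply.test",   # constructed vendor address
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted: Iterable[str] = TRUSTED_SENDERS,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, closest_trusted_address).

    'trusted'   : exact match with a known address
    'lookalike' : within max_distance edits of a known address (hold for manual review)
    'unknown'   : not close to any known address
    """
    addr = address.strip().lower()
    if addr in trusted:
        return "trusted", addr
    local, _, domain = addr.rpartition("@")
    best = None
    for known in trusted:
        k_local, _, k_domain = known.rpartition("@")
        # Score local part and domain separately so that both
        # 'ABCAdditive@hotmail.com' and 'ABCAdditives@hotmai1.com' are caught.
        dist = levenshtein(local, k_local) + levenshtein(domain, k_domain)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, known)
    return ("lookalike", best[1]) if best else ("unknown", None)
```

A "lookalike" verdict is a review trigger, not proof of fraud: the payment instruction in such a message should be confirmed with the vendor through a previously known phone number, never through contact details in the message itself.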
Vendor Fraud:
This type of fraud scheme is impacting businesses in the U.S. and worldwide, resulting in billions of dollars lost. It involves making a payment to what appears to be a legitimate vendor or supplier – but the payment is diverted to another, unintended recipient. There are several ways this type of fraud is perpetrated, but all result in a payment request that appears to come from a vendor you know and trust:
- A fraudster, impersonating a vendor, requests that you change the payment instructions you have on file for them – thereby diverting future payments to the fraudster’s account. The request could come via phone, email, or letter.
- A hacker breaches your email system, and studies the pattern of payment requests received by your Accounts Payable department. The hacker then creates a fraudulent invoice that appears legitimate, except for subtle changes to the payment instructions.
- A hacker breaches your vendor’s Accounts Receivable system and generates a fraudulent invoice or payment request.
Check Fraud:
Checks remain the payment method most often targeted by fraudsters. In fact, check fraud accounts for the largest financial losses across all types of fraud. The information needed to commit check fraud is readily available on any legitimate check payment. Checks are intercepted in the mail, or payroll or vendor checks may be “sold” to fraudsters. The American Bankers Association states that an average of 1.2 million fraudulent checks enter the banking system every day, and check fraud losses are growing by 2.5% annually, despite declining check usage.
Fraud protection regulations for commercial accounts differ significantly from consumer accounts. A business has a very short window (next business day) to reject an unauthorized check posted to its account and ensure the funds are recovered. Due to this very short return window, Positive Pay services are the ONLY effective protection against check fraud losses.
Check Fraud Variations:
- Alteration – Changing the check amount or payee name in an undetectable manner. Mobile check deposit technology further facilitates altered check fraud, because the paper check is not examined by a bank teller.
- Counterfeit – Fictitious check created using the victim’s account number and bank routing number.
- Forged Signature – Legitimate blank check stock is stolen and the authorized signature is forged on the face of the document.
- Forged Payee Endorsement – A check is intercepted and cashed by forging the payee’s endorsement on the back of the document.
Check stock security features, while important, only help protect against check alterations - not counterfeits. A fraudster only needs a valid account number and associated bank routing number (easily obtained from public sources) in order to create a counterfeit check that will successfully post to an account.
Counterfeit checks in particular are used in a variety of consumer fraud scams. Fraudsters exploit the “float” period by enticing a fraud victim to cash or deposit a counterfeit check and wire the funds to a third party before the check is returned for fraud. Fraudsters use various social engineering tactics to convince the victim that the counterfeit check is legitimate.
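The matching logic behind a Positive Pay service, shown against the check fraud variations listed above, as an added example (this is not the bank's product). The issue file and presented items are constructed; amounts are in cents.

```python
# Added example (not the bank's Positive Pay product): match checks presented
# for payment against the issue file the business sent its bank, producing the
# exception list a reviewer must decide before the return deadline. Sample data
# is constructed; amounts are in cents to avoid float rounding.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Check:
    number: int
    amount_cents: int
    payee: str

# Issue file: checks the business actually wrote (constructed sample)
ISSUED: Dict[int, Check] = {
    1001: Check(1001, 125000, "Acme Supply Co"),
    1002: Check(1002, 48050, "J. Smith"),
    1003: Check(1003, 9999, "Utility District"),
}

def normalize_payee(name: str) -> str:
    """Case- and punctuation-insensitive compare, so 'ACME SUPPLY CO.' still matches."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def positive_pay(presented: Iterable[Check], issued: Dict[int, Check] = ISSUED
                 ) -> List[Tuple[int, str, str]]:
    """Return (check_number, decision, reason) per presented item.

    decision is 'pay' when number, amount and payee all match the issue file,
    otherwise 'exception'. Each exception maps to a fraud variation from the
    list above: unknown number -> counterfeit, amount/payee mismatch -> alteration,
    repeat of an already-paid number -> duplicate/counterfeit.
    """
    results, seen = [], set()
    for item in presented:
        ref = issued.get(item.number)
        if ref is None:
            verdict = ("exception", "not in issue file (possible counterfeit)")
        elif item.number in seen:
            verdict = ("exception", "duplicate presentment of a paid check")
        elif item.amount_cents != ref.amount_cents:
            verdict = ("exception", "amount differs from issue file (possible alteration)")
        elif normalize_payee(item.payee) != normalize_payee(ref.payee):
            verdict = ("exception", "payee differs from issue file (possible alteration)")
        else:
            verdict = ("pay", "matches issue file")
        seen.add(item.number)
        results.append((item.number, *verdict))
    return results
```

Because a commercial account has only until the next business day to return an unauthorized check, exceptions that nobody reviews in time should default to return rather than pay.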
ACH Debit Fraud:
An ACH debit is a withdrawal from your account that is initiated by a third party through another bank. For example, you may authorize a cellphone provider to debit your account to pay for monthly charges. ACH debit fraud occurs when a third party initiates an unauthorized withdrawal from your account. Most commonly, fraudsters initiate these unauthorized withdrawals to pay down credit card balances, pay cell phone or utility bills, and the like. All the fraudster needs is your account number and bank routing number (readily available on any check). Using a vendor’s online payment functionality, the fraudster enters the account number and bank routing number as his own, and pays his bill.
Because the ACH codes typically used for these types of payments categorize them as “consumer” transactions, the ACH Network allows a longer timeframe for returns of unauthorized debits. Therefore, these fraudulent transactions are often recovered. However, ACH debit fraud is not restricted to this type of activity alone, and has the potential for significant losses.
ACH Positive Pay is a service available on certain types of accounts. It allows you to designate your authorized ACH debit originators, and hold for review (or automatically return) incoming debits from any other parties. You may also choose to automatically reject all ACH debit activity. For more information on ACH Positive Pay, call 1-800-255-6190 or e-mail firstname.lastname@example.org.