Online and mobile banking have forever transformed the way people bank, but the digital evolution has a dark side: it is increasingly creating new opportunities for fraudsters to hack into accounts.
Text messaging and email are increasingly becoming vehicles for phishing scams in which fraudsters send phony messages to bank customers and fool them into providing login credentials or account information. Mobile check deposit is touted for its convenience, but it has also created opportunities for "double-dipping" in which thieves scan images of checks into one account and cash the physical checks elsewhere.
"In the banking industry, we compete on how easy it is for new customers to find us and make deposits with us, to switch from their previous financial institution to our bank," points out Aaron Glover, senior analyst for fraud risk management at SunTrust Banks in Atlanta. "By making it easier for our customer, we may be inadvertently making it easier for fraudsters."
Of course, fear of fraud has been a concern since the dawn of Internet banking, but these fears have escalated as technology has advanced and consumers have grown more comfortable accessing their accounts and communicating with their banks through multiple channels.
Meanwhile, thwarting attacks is an ongoing challenge. Fraudsters have become more sophisticated and more knowledgeable about banks' practices (for instance, they know when and how banks call customers to verify fund transfers), and banks, whose technology budgets are stretched thin, sometimes struggle to put up adequate defenses.
Still, some banks are coming up with creative approaches to security, developing programs that set traps for criminals and hiring people with nontraditional skill sets as fraud analysts.
Others are more focused on educating customers on how to detect scams and to be more vigilant about protecting their information.
James Gordon, the chief technology officer at the $1.2 billion-asset Needham Bank in Massachusetts, says he wants to develop a code of ethics that would spell out all the ways the bank would or would not communicate with customers. For instance, he says the bank would never ask for a customer's Social Security number via text message or email, so if customers were to receive messages asking for such information they would know instantly that it's a phishing attempt. Gordon envisions distributing this code as an in-branch brochure that would be handed out to new customers, or as a statement stuffer.
"The multitude of channels offered — text message, phone call, email, voice call — is a confusing point for customers," says Gordon. "They don't know exactly how you might reach them next and they're unprepared for what the channel or the tone will be," making it harder to discern fake messages from real ones.
Online account opening is one point of vulnerability. Here the customer does not have to go into a branch but opens a deposit relationship with a bank straight from its website. Much of the information a bank would use to verify a customer is in databases such as LexisNexis's repository of legal and public records-related information.
Atlanta, Ga.-based LexisNexis was breached last year by an identity theft service that sells Social Security numbers, birth records, and other sensitive information on U.S. citizens. Anybody who was able to grab or buy this stolen data could potentially open an account using someone else's identity.
Mobile check deposit is another potential weak point that fraudsters are more actively testing. In one recent case of double-dipping, a man in Louisville, Ky., apparently used mobile remote deposit capture and a Bank of America account to deposit 32 Western Union money orders, then took those money orders to a Kroger grocery store and got cash for them.
There's also been a rash of fraudulent online wire transfers lately, with criminals using call forwarding to make sure that when the bank calls the customer to verify a transfer, the call actually goes to the criminals themselves or their associates.
"Phone number forwarding has been a huge challenge for our bank and others because it's outside of our control," Glover says.
In March, a Bank of Montreal customer shared with the Huffington Post his story of being a victim of wire transfer fraud and losing $87,500 of inheritance money.
The customer, Bruce Taylor, a Canadian engineering consultant who lives and works in Texas, was in a Houston hospital having open heart surgery while his account was being drained. He had inherited money that was held in BMO term deposits, then automatically deposited in a Canadian savings account when the investments matured.
In August, someone emailed Taylor's BMO investment adviser, using Taylor's email address, saying he needed the money wired to his cousin immediately. (The email and follow-up faxes contained spelling and grammatical errors.) The bank asked for a phone number to verify the transfer — and got a phony one.
After the confirmation call, a BMO employee approved and sent two wire transfers, for $47,500 and $40,000, four days apart.