Phishers Hone Their Scams with Texts, Phone Calls, Big Data
Fraudsters are getting more creative and effective at phishing attacks on banks.
Criminals who used to focus on email fraud are turning to text messages and phone calls to trick unsuspecting bank customers. And with the help of Big Data and social media, fraudsters are becoming more informed about their consumer and business targets, the better to masquerade as executives, suppliers or customers.
In late January, the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, produced rare data tracking a specific category of phony emails. This kind of attack, used to generate fake wire transfers, is classified as a "business email compromise."
According to the IC3, 1,198 victims fell for these scams in the U.S. in 2014, racking up losses of $179 million. (The organization estimates the losses worldwide were $214 million.)
"This type of fraud has become a major concern in the banking industry over the past year," said Al Pascual, director of fraud and security at Javelin Strategy and Research. "Fraudsters can easily spoof email addresses, and time-tested solutions to authenticate email such as SPF and DKIM are not universally implemented."
(SPF stands for Sender Policy Framework, an anti-spam approach in which a domain publishes which mail servers are authorized to send email on its behalf. DKIM stands for DomainKeys Identified Mail, a cryptographic signature method used to determine whether an email originated from an authorized system.)
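To make the SPF check described above concrete, here is an added example (not code from the article) of the evaluation a receiving mail server performs: it parses the sender domain's published SPF policy and decides whether the connecting IP is authorized. DNS is replaced by a constructed table of hypothetical domains so it runs offline, and only the ip4, ip6, include and all mechanisms are modelled.

```python
"""Simplified SPF evaluator (added example; not code from the article).

Models the check a receiving mail server makes: is the connecting IP
authorized by the sender domain's published SPF policy? DNS is replaced
by a constructed table of TXT records so the example runs offline, and
only the ip4, ip6, include and all mechanisms are modelled; mx, a, ptr,
exists and redirect= are reported as unsupported.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains are hypothetical.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "supplier.test": "v=spf1 ip4:192.0.2.5 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    if depth > 10:
        return "permerror"                 # include loop / too many lookups
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                  # catch-all; normally the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # 'in' is False when the address and network families differ
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced policy returns pass
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"             # mechanism outside this model
    return "neutral"                       # nothing matched, no explicit all
```

A spoofed message from an IP the domain never listed ends in "fail" only when the domain publishes "-all"; the complementary DKIM signature check is not shown here.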
The IC3 gave three typical scenarios for this type of fraud. One is a bogus invoice scheme in which fraudsters target a company with an email, phone call or fax that appears to be from a supplier and asks for a wire transfer to an alternative account controlled by criminals or their money mules.
The second is masquerading, also sometimes called CEO fraud, a business executive scam or financial industry wire fraud. In this type of fraud, criminals compromise the email accounts of company executives and send urgent transfer requests to the employee in charge of processing such requests or even directly to their financial institutions.
In the third type of fraud highlighted (which hasn't been given a name), fraudsters compromise lower-level employees' email accounts and send money transfer requests to multiple vendors identified from the employees' contact lists. The requests route wire transfers into accounts controlled by the crooks.
All of these schemes are being aided by the expanded availability of data and analytics. By combing the Internet, fraudsters can easily glean information about top executives at victim companies. They can find out who in a company is likely to handle invoices. They can also obtain personal information from social media accounts of lower-level employees.
Businesses should implement authentication solutions that weed out forged emails, while also looking for their executives' credentials that are being traded on Internet black markets, Pascual said.
Masquerading has concerned David Pollino, senior vice president and enterprise fraud prevention officer at Bank of the West, for several months.
He sees it going way beyond email.
"We have seen scams that not only are based on unsolicited text messages but also more and more we're getting reports of aggressive phone calls to people," he said. In some cases, a fraudster pretending to be with the IRS threatens to arrest the customer if he doesn't immediately wire money. In others, someone claiming to work at a local courthouse calls to say the customer skipped out on jury duty and there's a warrant out for his arrest and a fine that needs to be paid by prepaid card.
"I've had both of these personally myself," Pollino shared. "The person who called me pretending to be from the IRS was very aggressive. My wife hung up on him, and he called back multiple times."
And in addition to the three scenarios the IC3 laid out, Pollino sees evidence of email masqueraders impersonating bank customers. "You could conceivably send an email to the bank as the customer, saying 'please execute a wire transfer for me,' and try to get a bank employee to do the transaction," he said.
In another variation, criminals target front-office financial advisors or back-office employees at banks who are part of a routine wire creation process. The fraudsters can easily find out who the back-end wire personnel are through LinkedIn and other social media channels, Pollino said. "That makes them a target for these sorts of communications."
In the IC3's warning about business email compromise, it said companies should be careful what information they post to social media and company websites, especially job duties and descriptions, org charts, and who is out of the office.
"Everybody needs to be careful with the amount of information that they publish about themselves online, even their geolocations through check-ins or posting with GPS tags, but also be aware of how much information is available for a sophisticated attacker to reverse-engineer an organization by going through titles and information on LinkedIn or some of the other social media tools," Pollino said.
Also needed are good, robust processes for high-risk financial transactions, including not accepting email requests for wire transfers and requiring "dual control," in which one person initiates a transaction and another approves it. And they need to be the right two people.
"If the CEO or the person originally requesting the wire isn't part of that approval process, therein lies the opportunity for the bad guys to fool the financial controller and have the financial controller walk across to the CPA and say, 'you originate this wire and I'll approve it,'" Pollino said.
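The following is an added example (not code from the article or from Bank of the West) of a dual-control policy that encodes Pollino's point: email requests are refused, the person who keys in a wire cannot also approve it, and the person in whose name the wire was requested must be one of the approvers, confirming over an authenticated channel. The people, channels and scenarios are constructed.

```python
"""Dual-control policy for wire releases (added example, not from the article).

Encodes the controls described above: wire requests that arrive by email
are refused, the person who keys in a wire may not also approve it, and
the person in whose name the wire was requested must be one of the
approvers, confirming through an authenticated channel. People, channels
and the scenarios are constructed for the example.
"""
from dataclasses import dataclass

# Channels the bank accepts for requesting or approving a wire (constructed).
AUTHENTICATED_CHANNELS = {"banking_portal", "branch_in_person", "verified_callback"}


@dataclass
class WireRequest:
    requested_by: str      # person the request claims to come from (e.g. the CEO)
    request_channel: str   # how the request reached the back office
    initiator: str         # who keyed the wire in
    approvals: dict        # approver -> channel the approval came through


def dual_control_violations(req: WireRequest) -> list:
    """Return the control failures for a wire; an empty list means it may be released."""
    problems = []
    if req.request_channel not in AUTHENTICATED_CHANNELS:
        problems.append(f"request arrived by {req.request_channel}, which is not accepted for wires")
    if not req.approvals:
        problems.append("no second person approved the wire")
    if req.initiator in req.approvals:
        problems.append(f"{req.initiator} both initiated and approved the wire")
    requester_channel = req.approvals.get(req.requested_by)
    if requester_channel is None:
        problems.append(f"{req.requested_by}, in whose name the wire was requested, never approved it")
    elif requester_channel not in AUTHENTICATED_CHANNELS:
        problems.append(f"{req.requested_by} approved over {requester_channel}, not an authenticated channel")
    return problems


def ceo_fraud_scenario() -> list:
    """The masquerade from the article: a spoofed 'CEO' email fools the controller,
    who has the CPA originate the wire and approves it herself. (Constructed.)"""
    req = WireRequest(requested_by="ceo", request_channel="email",
                      initiator="cpa", approvals={"controller": "banking_portal"})
    return dual_control_violations(req)


def legitimate_scenario() -> list:
    """Same wire, requested in the portal and confirmed by the real CEO by callback."""
    req = WireRequest(requested_by="ceo", request_channel="banking_portal",
                      initiator="cpa", approvals={"controller": "banking_portal",
                                                  "ceo": "verified_callback"})
    return dual_control_violations(req)
```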
On the back end, banks need to monitor those transactions for signs of abnormal behavior that should trigger follow-up questions to the customer, which might help uncover a masquerade attack.
Bank of the West has developed a series of five 60-second videos on masquerading and related fraud. Pollino also writes a blog educating customers and the industry about fraud. One post recently addressed what to do with an old tablet or smartphone when you get a new one.
The bank is also working with industry groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share information about the latest security threats.
The Vicious Text Message
Banks are increasingly big, unwitting targets of text message fraud, also known as smishing (a portmanteau of "SMS" and "phishing").
Smishing attacks on banks spiked in the fourth quarter, quieted down during the holidays, and resurged in early January, according to analysis by Cloudmark.
"I think they were taking the holidays off," said Andrew Conway, research analyst at Cloudmark, which operates a spam reporting service for the phone carriers' trade group, the GSMA, as well as several large telecom and cable providers.
One in four (26%) unsolicited SMS messages reported in 2014 attempted to steal the victim's personal or financial information, Cloudmark found. (Yes, people can and do report SMS spam, by forwarding it to 7726, which is "spam" spelled out on a phone keypad, where it's entered into Cloudmark's unified reporting system.)
It's hard to say who is behind these attacks, as it's mainly a cottage industry. "It's a number of small operators; that makes it more difficult for law enforcement," Conway said.
The people who get caught are usually the money mules. "It's not enough to get someone's credentials. You need to extract the money and then get it safely out of the country beyond the reach of U.S. law enforcement," Conway pointed out. "You also have to do that in small transactions. If the bank sees a $30,000 transaction going out on an account, they may delay that and check it."
Small amounts mean a lot of money mules are needed.
"Often they're unwitting dupes. Sometimes they're people who know what's going on, they've signed up for this," Conway said. Sometimes foreign students come to the U.S. and get involved in a money mule scheme. More often, people are recruited to a work-from-home scheme that involves payments forwarded somewhere else.
The phishers themselves are rarely caught; many are in Nigeria, Eastern Europe, and India.
One thing that's making smishing attacks more successful is that they're using improved malware for collecting banking credentials. The Gameover Zeus malware was successful last year at getting into computers, sending spam, and collecting banking credentials. These attacks would also try to steal money from the same victims a second way, by deploying ransomware: the malware would encrypt all the user's files and demand bitcoins to decrypt them.
Several copycat operations are just doing the ransomware component, holding a person's content or machine for ransom without bothering to get bank account information and having to arrange for money mules. CryptoWall and CryptoLocker are two notorious examples of this.
Like email phishers, smishers are combining their antics with phone fraud. They will obtain credentials for a victim's voice-over-IP system, transfer the number to their own phone system with an autoresponder, and use it for as long as they can. Then they'll switch the number back to the original owner, who is mystified when a flood of calls responding to spam messages comes in.
"This morning I was calling some of the phone numbers we were seeing in spam messages for banks and ended up talking to the receptionist at a hotel in Texas, who was confused that all these people were calling about their bank account," Conway said.
U.S. banks keep ramping up their use of SMS messages for fraud alerts, balance alerts, special offers and card-related offers, which could increase the risk of customers being fooled by fake alerts. It's also likely that more people will start reporting genuine messages from their bank as spam, which will make finding and dealing with spammers harder.
Requiring two-factor authentication could help deter smishing. But this also has a drawback in that it lessens convenience.
Overall, text message phishing is a bigger threat than email phishing, Conway said.
"Phones are a trusted device. People tend to trust what their phone is telling them a lot more than they trust what email is telling them," he said. "It's also very immediate. People tend to respond to text messages right away."