Verifying identities continues to be a tricky proposition for banks as cybercriminals diversify and increase their attacks — especially when it comes to wire transactions.
Payments fraud hit a record high in 2017, with 78% of all organizations affected, according to a report from the Association of Financial Professionals and J.P. Morgan. Wire fraud was the second-most prevalent in that category (check fraud was No. 1).
Wire fraud losses are averaging about $63,000 per incident and can run as high as $1 million dollars, according to the security blog frankonfraud.com.
“It’s really becoming a huge issue for banks across many of their channels,” said Thomas Cronkright, president and CEO of the fintech firm CertifID, which provides digital security services. “And in direct channels in particular, when they are providing loans for collateral-based lending, the challenge is they are funding to a third party. So how do you trust that the wiring information has been received from the third party is accurate?”
Cronkright said over the past 18 months this has become a particular issue in real estate transactions; in fact Cronkright — who owns a title company — was a victim of such fraud and lost $180,000, which spurred him to create CertifID.
Here's a typical example of how this type of fraud can occur: A title officer responds to a phishing lure that looks legitimate, and then unknowingly gives up credentials to an online portal. The fraudster can then monitor accounts, sometime for up to 180 days, “to get the lay of the land, a full idea of the deal flow, and see how all the parties communicate. Then they’re ready to strike,” Cronkright said.
At that point, the fraudster will send fake wiring information to the bank from a communication that looks like it is coming from a title company, or a consumer, that redirects the loan amount to the criminals’ bank account.
“They’re preying on the weakest link [in the transaction],” he added. “Attacks in real estate have really been ramping up.”
It is a trend that law enforcement has also been monitoring. The FBI last month issued a public service announcement that the real estate sector has been “heavily targeted” recently by business email compromise scams.
“The scam continues to grow and evolve, targeting small, medium and large business and personal transactions,” the announcement said. ”Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses.”
Though banks themselves are typically not targeted, Cronkright said there needs to be an increase “in the education level of the entire transaction ecosystem, from consumer to seller, the whole transaction from end to end,” he said. “Banks are suffering direct losses from this, so we all need to raise our standards on how we are authenticating and confirming digital identity.”
This is a byproduct of fraud increasingly moving to digital spaces, leading to an ongoing “cat-and-mouse game” between banks or other legitimate businesses and fraudsters, said Rick Trainor, the CEO of business services for LexisNexis Risk Solutions.
Fraudsters “move very quickly from one vector to another,” Trainor said. “They continue to try and beat the system. More and more, transactions are moving to mobile and online spaces, so there’s more popping up there.”
This means banks can’t just have the mentality anymore of “just turning on a [cybersecurity] tool and letting it run,” Trainor said, adding that smaller banks are typically more susceptible because they have a simpler technology infrastructure than bigger banks.
“You have to make sure there’s a layering of solutions and controls in place,” he said. “Unfortunately there’s no silver bullet.”
Corrected August 2, 2018 at 12:45PM: Previously, the name of the firm CertifID was misspelled.