Classic Fraud: 6 Scams That Don't Go Away
From Check Fraud to Phishing, All the Old Tricks are Back with a Vengeance
Here are six old fraud tricks that are back with new twists to bedevil fraud departments and information security professionals.
#1. Check Fraud
Last week, New York indicted 18 people in a massive check counterfeiting ring that cashed more than $1 million worth of checks at major New York City banks. This case causes even the best fraud departments in financial institutions to check their own programs and safeguards.
Attempted check fraud at U.S. banks totaled $12.2 billion in 2006, according to the latest biennial survey conducted by the American Bankers Association (ABA). Bank prevention systems caught 92 percent or $11.2 billion of check fraud attempts.
Actual bank losses totaled $969 million, compared with $677 million from the previous survey in 2004. The ABA's findings showed the number of fraud cases decreased from 616,469 in 2003 to 561,306 in 2006. But bear in mind: These statistics are from before the current recession, which has seen a heightened insider threat and an increase in attempted fraud.
Employee training is still one of the most effective security measures against check fraud. Other prevention systems include signature verification, screening of new accounts, "positive pay" systems (a computerized check number matching program between banks and corporate customers), special check stock (watermarks, micro-printing and/or holograms) and "touch signature" fingerprint programs for cashing non-customers' checks.
Since 1997, the number of fraud attempts against bank accounts has doubled every two years. Ever since the desktop publishing era began with color copiers and computer scanners, counterfeit checks have become harder to detect, a point reinforced by the number of checks the New York crime group spread among the various banks in the city over a two-year period. Banks routinely process more than 10 billion checks each year, says a 2007 Federal Reserve payments study.
#2. Elderly and Immigrant Identity Fraud
Financial institutions' mortgage and loan officers need to pay attention to this kind of fraud. While not new, elderly and immigrant fraud is regaining popularity, especially in the age of identity theft. In this predatory practice, Jennifer Butts, Director of Operations at the Mortgage Asset Research Institute, explains that elderly and non-English-speaking consumers are taken advantage of by fraudsters who steal their identities and use them in straw-buying or other property transactions.
"This is currently happening in some reverse mortgage situations," Butts says. "Similarly, some immigrants who rent properties are discovering that their identities have been used on fabricated loan transactions."
A simple inquiry about a loan product that leverages investment or rental properties can be enough to obtain information for use on fabricated loan transactions, Butts warns. As foreclosure scams also continue to proliferate, loan officers need to keep track of those homeowners, making sure they don't fall prey to these scavengers.
#3. ATM Fraud/Skimming
This type of fraud made it into President Barack Obama's speech announcing his cybersecurity initiative, when he said "thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes." The big question is: Can it happen at your institution? The answer is seen in the numbers from a Pulse EFT study (Pulse is one of the leading ATM/debit networks in the U.S.) -- the banking industry lost $662 million to debit card fraud in 2005. Of these losses, 60 percent resulted from ATM transactions, 37 percent from signature debit transactions and 3 percent from PIN point-of-sale (POS) transactions.
While the same Pulse study done in 2007 doesn't give a total loss due to debit card fraud, it does say that the total is higher than in 2005. Survey participants said they lost 5.40 basis points (0.054 percent) per dollar spent through signature debit transactions in 2007 and 1.09 basis points (0.0109 percent) through PIN debit transactions. All of the 62 financial institutions surveyed in the 2007 Pulse study had debit cards potentially compromised by skimmers, and more than 80 percent of those surveyed reported implementing new fraud tools within the past year.
Even with the new fraud tools, stopping criminals from placing skimmers on your institution's ATMs requires vigilance and monitoring by your employees.
Phishing continues to change and grow, and crimeware (or malware) is also growing, says noted phishing and crimeware researcher Dr. Markus Jakobsson, Principal Scientist at the Palo Alto Research Center, Palo Alto, CA. "There is a notable tendency for phishing to become more technical -- for example, using advanced obfuscation to combat anti-spam techniques," Jakobsson notes. At the same time, crimeware (what used to be called malware) is becoming increasingly reliant on social engineering. "Trojan horses commonly use clever social engineering techniques to improve their success rates," he says.
Another information security researcher, Paul Kocher, Chief Scientist at the Cryptography Research Institute, sees that phishing is continuing to hit banking customers. "Bad guys have been devastatingly effective at tricking end users into installing malware and divulging personal information, but their methods for monetizing this data have been fairly crude," Kocher explains. This is starting to change, however, and brokerage accounts are an area of particular concern to Kocher. One specific scenario that's particularly alarming to him is the use of victims' account balances to buy up stocks that the adversary owns. "The openness of public markets makes it extremely difficult to unwind the trades or identify the counterparties who perpetrated in the fraud. As a result, financial institutions are being left with furious customers and very expensive messes to unwind," Kocher notes.
The increased number of "vishing" -- or phone-based phishing -- scams hitting regions is cause for alarm. In the last week, there have been five different regions of the country hit by phishers using phone calls to solicit information about the person's credit union or bank account:
- New England Federal Credit Union in Williston, VT reported that a vishing scam hit residents, and the Heritage Family Credit Union in Rutland, VT also reported a similar scam.
- Customers of the Forward Financial Credit Union in Niagara, WI and the River Valley Bank in Iron Mountain, MI received calls last week from fraudsters asking for account information.
- Asheville Savings Bank, Asheville, NC was alerted last week by its customers that a vishing scam targeting area residents was trying to get debit card numbers.
- The final vishing scam of last week targeted all 22,000 residents of Guilford, CT. The calls started coming on May 24. Guilford Police say they believe that by the time the callers were done, every land line telephone in the town of 22,000 residents had received a call.
In the Guilford, CT case, the automated call was a female voice claiming to be from Guilford Savings Bank. It prompted those on the other end of the line to enter bank card and PIN numbers, along with their card's expiration date. Police and bank officials say they aren't aware of anyone who entered their personal information. Guilford police said this appears to be a complex scam that involves hacking into various business telephone lines from across the country. The calls appear to be generated from companies, but the businesses are not involved in the fraud, police say.
#6. Insider Threat
The threat of a trusted employee or vendor taking sensitive information is not new, but the ways that insiders are getting to the juicy data or dollars are changing, according to Randy Trzeciak, Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. Collusion is the new way insiders are getting sensitive data.
"To put it into context, people who stole information with the intent to sell it, more than half of them were recruited to do so by parties outside of the organization," Trzeciak notes. When insiders are involved in fraud, half of those cases involved another insider, he says of the incidents Carnegie Mellon has studied. "Collusion is occurring and is a more recent trend we've been seeing," Trzeciak states.
This trend is reinforced by the New York DA indictment of 18 persons for check fraud. Three of those indicted were bank tellers.