Cyber Security
INTERNET FRAUD & CYBER THREAT
Regardless of the ever-changing threat environment that banking is subject to, fraud remains a major threat, one that American Business Bank takes seriously. On an almost daily basis, users of the Internet are warned about the latest hacking or infectious spyware incident perpetrated by criminals who are seeking to profit illegally by obtaining your financial information and/or identity. When you arm yourself with the knowledge to protect your identity and ensure your Internet security, we can fight back against this crime. Remember, it is always best to be on the defense when it comes to protecting your financial security.
Wire Fraud Is Growing Alarmingly
Wire Transfer Imposter Fraud is one of the costliest cybercrimes against corporations and small businesses. While this threat is real and growing, there are steps you can take to protect your business from these types of activities.
New Approaches to Wire Fraud
It has been called Imposter Fraud, Business Email Compromise, and CEO Fraud. It is a disturbing trend in fraud that has grown at epidemic rates since it was first identified by the FBI in 2013. Imposter Fraud scams use email and social engineering to pose as a senior manager in order to trick employees into sending “urgent” and “confidential” wire transfers directly to the fraudsters’ accounts. This type of fraud can take a variety of forms.
Email Account Takeover/Business E-Mail Compromise (BEC)
The thief uses phishing or other means to install malware on an executive’s computer and gains access to the executive’s email account. Once they have this access, thieves will take time to understand the organization’s relationships and the ebb and flow of routine wire transfer requests. They search the email account for words like “invoice,” “deposit,” or “president” to learn about the processes at the business for wire transfers, money movement, and vendor relationships.
Once they have learned the organization’s standard practices, they use the compromised email account to create a money transfer request. The fraudsters continually monitor the email account and reroute emails questioning the wire transfer. The real executive is unaware of the request email and any email responses from employees.
Look-Alike Domain
In this case, the fraudster will use publicly available information to learn about the organization’s executives and activities. They will typically send emails to executives in an effort to receive out-of-office replies. They attempt to understand when an executive will be unavailable or traveling.
They create a domain that looks similar to the victim company domain. These are a few examples of the false domain names they typically create: they replace the letter l with the number 1 (example.com becomes examp1e.com); they drop the last letter of a domain (example.com becomes example.co); or they may add an extra letter to a domain name that is difficult to spot (progress.com becomes progresss.com).
The thief uses the look-alike email address and, based on information they have gathered on the business, makes money movement requests of company employees.
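The three look-alike patterns above can be checked automatically when a payment request arrives. The following is an added example, not American Business Bank's own code: it compares a sender's domain with a list of domains the business trusts and reports near matches. The names classify_sender and TRUSTED, and the extra digit swaps 0 for o and 5 for s, are assumptions made for the example.

```python
from email.utils import parseaddr

# Digit-for-letter swaps. The page names 1 for l; 0/o and 5/s are assumed extras.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, replacements."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted_domains):
    """Return (verdict, imitated_domain) for the domain in a From header."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return ("unparseable", None)
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted_domains:
        return ("trusted", domain)
    for trusted in trusted_domains:
        # Same domain once digits are mapped back to the letters they imitate.
        if domain.translate(CONFUSABLES) == trusted.translate(CONFUSABLES):
            return ("lookalike: character substitution", trusted)
        # One letter dropped, added, or changed (example.co, progresss.com).
        if edit_distance(domain, trusted) == 1:
            return ("lookalike: one-character edit", trusted)
    return ("unknown", None)

if __name__ == "__main__":
    TRUSTED = ("example.com", "progress.com")  # hypothetical allow-list
    SAMPLES = [  # constructed From headers, using the page's example domains
        "Jane Doe <jane@example.com>",
        "Jane Doe <jane@examp1e.com>",
        "accounts@example.co",
        "billing@progresss.com",
        "news@unrelated.org",
    ]
    for header in SAMPLES:
        print(header, "->", classify_sender(header, TRUSTED))
```

A "lookalike" verdict is a reason to confirm the request through a separate, known contact method before any money moves; an "unknown" verdict only means the domain is not a near match for a trusted one.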
Forged Vendor Invoice
Fraudsters may also target an organization’s vendor relationships. To forge a vendor invoice request, the fraudster may compromise an email address from the vendor, or from an individual within the organization’s finance department. The thief will attempt to obtain sample invoices and gain insight into the relationship between the vendor and the organization, including typical invoice and payment patterns.
With that information in hand, the fraudster will use either a compromised email account or a look-alike domain email account to submit an invoice with altered payment information. The invoice payment is routed to the fraudster’s account rather than the vendor’s.
Confidential and Urgent – Phishing
Thieves may also craft an elaborate story when sending an email from a compromised or look-alike account. Often the story involves events that must be kept confidential, such as an upcoming acquisition or large purchase. The requests are extremely urgent in nature, requiring the target employee to act immediately. The combination of extreme urgency and high confidentiality persuades the employee to act quickly and secretively, sometimes conflicting with or bypassing company safeguards and practices. Do not respond to unsolicited emails asking for account or credit card information, usernames or passwords, Social Security Number, date of birth, or any other personal and financial information. (American Business Bank will NEVER ask for personal information in this manner.)