There’s a new term making the rounds in financial and security circles: cyberheists. The hallmarks of these kinds of financial scams include businesses that use smaller community banks, “mules” and the nation’s biggest banking entities.
Brian Krebs, a security analyst who recognizes trends faster than most hired guns, has written many columns about this newer form of security breach, and he outlines a few common denominators in his most recent columns. They include victims that use smaller community banks; what he refers to as “money mules,” who are always on standby, ready to launder the stolen money; and big global banks that unwittingly become partners with these criminal ventures. In fact, the nation’s five biggest banks have all fallen prey to these scams.
And now there are even bigger considerations. In December, the Credit Union National Association Mutual Group issued a Risk Alert for its bond policyholders regarding planned massive cyberheists said to be targeting 30 U.S. financial institutions in the spring of 2013. It cited a warning received by RSA in October regarding a planned attack by a Russian group that said it was also responsible for another attack that latched on to 500 computers here in the U.S. Meanwhile, McAfee followed up with its own report that mirrored RSA’s. With the campaign dubbed “Project Blitzkrieg,” it’s believed banks could be facing massive hits over the next couple of months. Both security companies are preparing for the worst, as the group is believed to be homing in on bank accounts that have “weak authentication methods.” McAfee is referring to it as “a credible threat to the financial industry” that “appears to be moving forward as planned.”
These thieves will log into a business – usually a small business – and its servers with the goal of then pivoting to that business’s banking accounts. Hacking into the business to get to the bank is easier, since credentials are often already stored on the business computers. Once the thieves are able to tunnel to the bank accounts, they add ghost names to the payroll and begin sending ACH payments to the waiting money mules. From there, the mules have their ACH pay direct-deposited into accounts at the big banks, and soon they withdraw cash from those accounts and wire it overseas, most often to Ukraine and Russia.
These cyberheists are successful because the smaller banks rarely question new employees being added to a company payroll, especially if the company computers are used to do so. Several transfers are often made before the bank and business are even aware there’s a problem. The mules will have already opened their accounts at banks such as Bank of America, Wells Fargo or Citibank, so a paycheck that hits those accounts isn’t raising eyebrows, either.
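The check a bank or business could run against this pattern, as an added example that is not from Krebs, RSA or McAfee: compare each outgoing payroll batch with earlier batches and hold it for a call-back when too much of its value goes to destination accounts never paid before. The function name, thresholds, action labels and all sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data for one hypothetical business customer.
# Each entry: (payee name, routing number, account number, amount).
# Routing and account numbers are placeholders, not real identifiers.
REGULAR = [
    ("A. Reed", "000000001", "1001", 2100.00),
    ("B. Cole", "000000001", "1002", 1850.00),
    ("C. Diaz", "000000002", "2001", 1990.00),
]
HISTORY = [REGULAR, REGULAR, REGULAR]          # three earlier payroll runs
SUSPECT_BATCH = REGULAR + [                    # regular staff plus ghost names
    ("D. Moss", "000000003", "3001", 4900.00),
    ("E. Vann", "000000004", "4001", 4850.00),
    ("F. Park", "000000005", "5001", 4975.00),
]

def review_batch(history, batch, min_prior=2, max_new_share=0.10):
    """Flag payees whose destination account appeared in fewer than
    `min_prior` earlier batches, then pick an action for the batch.
    Both thresholds are illustrative assumptions, not industry values."""
    seen = Counter()
    for old in history:
        # Count each destination account once per batch it appeared in.
        for key in {(rt, acct) for _, rt, acct, _ in old}:
            seen[key] += 1
    flagged = [e for e in batch if seen[(e[1], e[2])] < min_prior]
    total = sum(e[3] for e in batch)
    new_value = sum(e[3] for e in flagged)
    share = new_value / total if total else 0.0
    if share > max_new_share:
        action = "HOLD_FOR_CALLBACK"      # verify by phone before any release
    elif flagged:
        action = "RELEASE_KNOWN_ONLY"     # pay known staff, hold new entries
    else:
        action = "RELEASE"
    return {
        "flagged": [e[0] for e in flagged],
        "new_value": round(new_value, 2),
        "new_share": round(share, 3),
        "action": action,
    }

if __name__ == "__main__":
    print(review_batch(HISTORY, SUSPECT_BATCH))
```

Because the thieves submit the batch from the company's own computers, the call-back has to use a phone number already on file with the bank, not one supplied with the request.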
There have also been concerns about “phone flooding” equipment that could prevent banks from calling or texting their customers to verify the wire transfer requests; however, the thieves could even call the bank and provide just a bit of information to convince the bank that the transfers are legitimate. McAfee believes these will likely hit smaller banks first. Because less drastic effort would be necessary there, thieves could move forward for a while before they’re even detected.
The fact is, the big banks simply aren’t inclined to monitor new accounts for “mule activity”. After all, it’s rarely their customers who are taking hits. The money mules aren’t victimized – they’re the ones who are doing the victimizing. One fraud analyst, however, says there should be precautions put into place by the bigger banks that would better prevent this from ever happening. Regulators should be citing this kind of activity and holding someone accountable. All it takes is one glitch in the process and the cyberheists would be halted. If all of the dynamics are in place, it stands to reason they’re going to move through the process with fewer worries – and bigger paydays.
While regulators are finally beginning to monitor this kind of activity with some consistency, and there have been revisions made in security and privacy policies, there still remains much to be done. The Federal Financial Institutions Examination Council (FFIEC) has come out in support of these revisions and changes and says that a financial institution’s board of directors and management “have the responsibility for ensuring that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.”
Another suggestion making the rounds is that smaller banks and credit unions pool their resources in an effort to secure better offers from service providers. Keeping the public in the loop is another way these efforts could hit their mark, too. The ability to spot potential problems could ultimately become the best proactive approach to these cyberheists.
There’s another problem for businesses and banks – it’s becoming increasingly difficult to know when a computer has been infected. Hackers have become even more resourceful and can penetrate firewalls, often with little resistance and certainly with greater success. With fewer laws on the books that directly address cyberheists, it looks as though it’s an “every man for himself” mentality – or in this case, every business for itself. Many banks of all sizes also offer anti-fraud services to businesses, and business owners are being encouraged to consider anything their bank offers.
In one specific case, Krebs reports that a successful cyberheist in December resulted in $170,000 being stolen from a nursing home before the owners or their bank representatives even realized it. This is another reason why it’s so important for any business – and most certainly a small business – to incorporate every suggestion meant to protect its interests. One effective cyberheist would be catastrophic for many companies.
Prosecuting these criminals is difficult. After all, many are operating outside the U.S. and, as mentioned, some are in Russia, Ukraine and a number of other countries. It can prove impossible to even identify the thieves, much less get them on American soil to stand trial.