
10:05 AM
Chris Silveira, Guardian Analytics

How to Detect Wire Fraud When No Two Attacks Are the Same

Fraudsters have developed a variety of methods for initiating fraudulent wire transfers, but a security approach based on data and analytics from customer behavior can be an effective countermeasure to these wire fraud schemes.

What's great about wires from a customer service perspective – their speed – is also their greatest liability. Fraudsters target wire transfers precisely because of the speed with which the money is moved, making it harder for financial institutions (FIs) to reverse the transactions. Fraudsters have launched a wide range of attacks and schemes, many of which use a combination of banking or communications channels. If the schemes work, they expand quickly. If they don’t, the fraudsters quickly change tactics and launch additional attacks. As a result, banking security professionals must be constantly on guard for the latest twist or variation.

Here are just a few of the schemes that cyber criminals have developed to complete fraudulent wire transfers. These are followed by an explanation of how behavior-based anomaly detection solutions have been proven to detect early attack indicators before any money is transferred.

1) Online Wire Request – The most common wire scheme starts with compromising an online account. The fraudster then disables security alerts or enters a new phone number or email address for confirmation, bypassing customer notifications. The fraudster then simply submits a wire request through the compromised online account.

2) Online Live Chat – A fraudster compromises an online banking account, gathers (or changes) personal information, and then engages in a live chat session with the call center to have the agent complete the wire request for him. The agent believes the fraudster is legitimate because he has successfully logged into online banking.

3) Funeral Scheme – A fraudster compromises an online banking account to view check images to get the victim’s signature. He then compromises the victim’s email account and sends a request to the FI’s relationship manager explaining that he’s out of country for a funeral and needs money for expenses. The FI emails the necessary Letter of Authority, which the fraudster receives, signs and faxes back, complete with an accurately forged signature.

4) Commercial Account Takeover – A fraudster will compromise an online banking administration account and then create a new user with the authority to approve wire requests. He submits a wire request from the administration account, and then signs into the newly created account and approves his own wire request.

5) Inside Access to the Wire System – Using a spear-phishing scheme, malware designed to compromise the back-end payment system is installed on a bank employee’s computer. The malware takes over the victim’s computer, enabling the fraudster to directly initiate a large-dollar wire transfer (there was an FBI alert from 2012 on this). This is clearly a more sophisticated attack, but the ability to steal a large amount of money makes it worth the effort to the fraudster.

Guardian Analytics, transactions chart

These are not the most sophisticated or elaborate schemes, but they do illustrate the range of schemes that fraudsters deploy, all of which result in a fraudulent wire. Fortunately, there is a common element that financial institutions can leverage to prevent all of these.

Detect Fraudulent Wires Using Anomaly Detection

In all of these schemes there is some online or other form of electronic banking that leaves a footprint of the fraudster’s activity. In some cases it’s submitting a wire request online, or gathering or changing information online, or using the in-house wire system. In all cases, if the fraudster’s activity were compared to the previously demonstrated behavior of the legitimate account holder, differences would emerge that could tip off the FI to the fraud scheme.

Behavior-based anomaly detection solutions monitor all banking activity for each account holder, building a profile of each user’s typical behavior. Tracked activity could include such factors as when, where, and how the user is logging in, how long it’s been since their last session, the sequence of activities during each session, plus payment amounts and payees. When the fraudster starts his reconnaissance or initiates a transaction, there will be something different, unusual, or suspicious when compared to the victim’s typical behavior. And that is when the financial institution can intervene, well before a wire request has been submitted or a transaction has been initiated.
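The profile-and-compare approach described above, shown as an added example that is not Guardian Analytics' code: a per-user profile is built from past sessions, and a new session is scored event by event so the alert can fire before the wire is submitted. The field names, event names, sample sessions and the three-signal threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sessions for one account holder; field and event names are assumptions.
HISTORY = [
    {"hour": 9, "device": "dev-a", "events": [("login", None), ("wire", ("acme-supplies", 1200.0))]},
    {"hour": 10, "device": "dev-a", "events": [("login", None), ("view_statements", None)]},
    {"hour": 14, "device": "dev-b", "events": [("login", None), ("wire", ("acme-supplies", 1500.0))]},
]
# Constructed takeover session in the style of scheme 1: alerts disabled, contact changed, then a wire.
SUSPECT = {"hour": 3, "device": "dev-z", "events": [
    ("login", None), ("disable_alerts", None), ("change_phone", None),
    ("wire", ("unknown-payee", 48000.0))]}

def build_profile(sessions):
    """Summarise what 'typical' looks like for this account holder."""
    wires = [d for s in sessions for a, d in s["events"] if a == "wire"]
    amounts = [amount for _, amount in wires]
    return {
        "hours": {s["hour"] for s in sessions},
        "devices": {s["device"] for s in sessions},
        "actions": {a for s in sessions for a, _ in s["events"]},
        "payees": {payee for payee, _ in wires},
        "amt_mean": mean(amounts),
        "amt_sd": pstdev(amounts) or 1.0,  # avoid dividing by zero on flat history
    }

def score_session(profile, session, threshold=3):
    """Return (reasons, index of the event at which the alert fires, or None)."""
    reasons, alert_at = [], None
    if session["device"] not in profile["devices"]:
        reasons.append("new_device")
    # Circular distance on a 24-hour clock to the nearest usual login hour.
    gap = min(min(abs(session["hour"] - h), 24 - abs(session["hour"] - h))
              for h in profile["hours"])
    if gap > 3:
        reasons.append("unusual_hour")
    for i, (action, detail) in enumerate(session["events"]):
        if action not in profile["actions"]:
            reasons.append("new_action:" + action)
        if action == "wire":
            payee, amount = detail
            if payee not in profile["payees"]:
                reasons.append("new_payee")
            if (amount - profile["amt_mean"]) / profile["amt_sd"] > 3:
                reasons.append("amount_outlier")
        if alert_at is None and len(reasons) >= threshold:
            alert_at = i  # alert as soon as enough signals accumulate
    return reasons, alert_at
print(score_session(build_profile(HISTORY), SUSPECT))
```

For the constructed takeover session the alert index points at the `disable_alerts` event, two events ahead of the wire request, which is the window in which the FI can intervene.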

Chris Silveira is the fraud intelligence manager at Guardian Analytics, which uses analytics-based solutions to detect online fraudulent transactions for financial services organizations.
