Here at the end of the year, I normally produce a top ten list of information security breaches or “opps” moments of companies that got hacked during that year. But there are so many companies having cybersecurity issues and so many big breaches, that type of list has become obsolete. So instead I will call out the top ten cyberattacks that are being perpetrated on banks and small and medium-sized businesses. So without further ado, here they are.
1. Wire Transfer Fraud
This area has long been a target for fraudsters but they are getting more and more sophisticated. They are targeting firms that tend to transfer large amounts to overseas companies. To avoid wire fraud on your account, be sure that if you don’t use these services, they are specifically turned off in the online banking system. And if you do use them, insist on a call back verification and dual factor authentication devices such as a security token to approve transfers.
2. ACH Fraud
Automated Clearing House or ACH is the system used to execute most transfers from your bank account to pay recurring bills and other electronic payments. With the tighter controls over wire transfer and the spread of ACH transfers of all kinds, this fraud is growing fast as many banks now offer online banking access to ACH transfers. Many banks are implementing cybersecurity controls such as tokens required for large ACH transactions. And as before, a call back verification for large amounts tends to stop fraudsters in their tracks.
CATO or Corporate Account Take Over is one of the fastest growing areas of online banking fraud. Since the banks are tightening their standards and policies, the bad guys often go after the companies online banking accounts instead. By infecting a top level officer’s PC with malware, criminals can the take over their online banking and initiate ACH or wire transfers. Good company security and training are key to avoiding being “CATO’d”. Also, unless you frequently execute transfers from the road, let your bank know not to allow it. If you do, deputize a company employee to approve them in your absence. Criminals will often take advantage of traveling executives to execute fraudulent transactions.
4. Point of Sale (POS) Hijacking
If you are a business that accepts credit cards in any form, you could be the victim of POS Hijacking. From gas pumps to retailer credit card terminals, the bad guys are designing software and hardware attachments to steal credit cards directly from the point of sale. Good internal network security (firewalls, anti-virus and intrusion prevention systems) as well as frequent inspection of credit card terminals can help prevent your company from becoming a victim of this crime
Also known as Cyptolocker, this malware is particular insidious in that it targets all sizes of companies even down to a sole proprietorship. It encrypts a victim’s hard drive and then demands a ransom to unlock the data. The ransom is usually a relatively small sum (a couple of hundred dollars to a few thousand) and paid in Bitcoin so as to avoid tracking. If a small company is hit with this, they often just pay the ransom to get back in production versus the costs of hiring a forensic firm that might not be able to recover the data. The problem is, sometimes the ransomers will not unlock the data after the first payment and instead demand more. The best countermeasure for this attack is keeping good backups with a history feature. Just doing mirrored hard drives or servers is NOT sufficient to avoid this attack as the mirrored data will often have the malware as well.
6. BillPay Fraud
Many people and companies take advantage of these online services to easily pay bills and automate payments. Unfortunately, if cyber-thieves get access to your BillPay account (often accessed via your online banking), they can use it to empty your account. They typically initiate one-time payments to new vendors that are just fronts for their operations. Corporate BillPay accounts are particularly sought after as the amounts can be large. To avoid this fraud, keep a close eye on your BillPay account and if possible don’t allow payments to one-time vendors.
7. Accounts Receivable Fraud
Companies that receive payments from customers via wire or ACH transfers will want to be aware of this new type of fraud. Hackers get ahold of your customer list and send emails in the guise of a company official to change the routing number and bank account for their payments. They will have often set up domain names to mimic the company domain and have the correct name for company officers. If you transact business this way, be sure to let your customers know that they will never receive such information via email, only from a direct phone call from a specific officer they know.
8. Accounts Payable Fraud
In this scheme, cybercriminals will contact vendors for a company and send them a credit app to establish an account. They will usually have the information needed for an application such as references, banks used, etc. If the account is set up, they will then order small parts or electronics that can easily be fenced to be shipped to shared warehouse facilities. There, they can easily pick up the shipments anonymously and resell them. The issue with both this and A/R fraud is that it requires little or no direct access to a company’s systems. A/R and A/P information can often be “socially engineered” out of accounting staff with phone calls or emails. The best defense for this kind of fraud is a strict process for applying for credit, and good training for staff so they do not respond to inquiries without proper verification or give out this kind of information.
9. Payroll or HR fraud
This fraud involves tapping into the companies HR or payroll systems. It can often be done by gaining access to the CFO or financial clerk who inputs the company’s payroll info. Since most payrolls are paid out electronically these days, if a cybercriminal can gain access to this system, they can redirect employee’s paychecks into their own accounts. And companies often use large companies for this service such as ADP or Paychex who have poor authentication processes for authorizing payrolls. A good countermeasure for this is to insist on strong controls on payroll and HR admin accounts, ideally using a token or some two factor authentication method. Additional training for HR/financial employees is also highly recommended so they can catch any red flags or warning signals to this kind of activity.
10. Mortgage Fraud
This new fraud vector involves the stealing of entire houses! It sounds incredible, but savvy hacker groups are able to doctor up false deed and title information for houses using online public resources. They then sell the house via normal realtor listings. They typically target empty rental properties or investor properties that are not occupied. They use imposter realtors or title lawyers or sometimes they are able to fool legitimate professionals into representing and closing the sale. Once the payment is transferred from the Bank, they are long gone, leaving the new owners holding an invalid title. For property owners, make sure you or someone is checking on the property and neighbors know how to get ahold of you if something suspicious is going on. For Banks and other professionals in the transaction chain, use your intuition and double check ID’s, titles and other documents if something seems fishy.
These new methods are just some of the top ways that hackers are using to steal money from companies and banks. There are many more and new ones are being invented very day. To be sure your bank or company does not fall victim to them, make sure that you are using the latest information security technologies and train your staff frequently in the proper policies and procedures to avoid cyber-fraud. NSS is available to provide training on these methods and their countermeasures to bank employees or key customers. We are also available to perform FFIEC recommended cybersecurity assessments to make sure you are properly protected. Please contact us at 281-378-1551 or email firstname.lastname@example.org. You can also follow us on Facebook at:
or Twitter @fearlessecurity for the latest and up to date security bulletins.