Businesses face a growing threat of account takeover (ATO) attacks as fraudsters become more sophisticated and take advantage of advances in technology. This week, we're pulling back the curtain to take a closer look at these attacks and at how to fold ATO into your fraud protection strategy.
Fraud Trivia: Phishing
Phishing is a prevalent type of social engineering that aims to steal data from the recipient of a message. Typically, this data includes personal information, usernames and passwords, and/or financial information. Phishing is consistently named as one of the top five types of cybersecurity attacks.
1. What are the four types of phishing? Spear phishing, whaling, smishing and vishing. Some lists also add email phishing and search-engine phishing as categories.
2. What is evil twin phishing? A cyberattack in which a hacker sets up a rogue Wi-Fi access point that mimics a legitimate network and tricks users into connecting to it.
3. What is whaling? A whaling attack is a type of spear-phishing attack directed at high-level executives where attackers masquerade as legitimate, known, and trusted entities and encourage a victim to share extremely sensitive information.
4. Where did the word phishing originate? Famous hacker and spammer Khan C. Smith is credited with coining the term. He first used "phishing" in a Usenet newsgroup after AOL rolled out measures to stop accounts being opened with fake, algorithmically generated credit card numbers.
Continuing with our look behind the curtain, this week we need to highlight cyber fraud perpetrated through account takeover.
Account Takeover Attacks Threaten Business Success
What is an account takeover (ATO) attack? An account takeover attack occurs when a malicious actor gains unauthorized access to a user's account credentials and assumes control of the account to commit fraud, data theft, or other malicious activities. Common ways attackers obtain those credentials include credential stuffing (replaying username/password pairs leaked in other breaches), malware that captures keystrokes or live sessions, man-in-the-middle (MitM) attacks, and SIM swapping to intercept one-time codes sent by text message.
It can all happen in the background without the account owner noticing a thing. It happens to individuals, and it can be devastating. But it also happens to companies of all sizes, siphoning off profits and potentially causing widespread damage.
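To make the credential-stuffing vector concrete, here is an added example (not code from the original post) of the detection side: a small Python routine that scans login logs for a source IP trying many distinct usernames with a high failure rate inside a short window, and names the accounts that nevertheless logged in successfully from that IP. The log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detector run over constructed login logs.

Added example, not code from the original post. The log format, the IPs,
the usernames and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per login attempt, "timestamp ip username result".
# 203.0.113.7 sprays many different usernames in a few seconds (stuffing);
# 198.51.100.4 retries a single account (brute force, a different pattern);
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave FAIL
2024-05-01T09:00:03Z 203.0.113.7 erin FAIL
2024-05-01T09:00:04Z 203.0.113.7 frank SUCCESS
2024-05-01T09:00:05Z 203.0.113.7 grace FAIL
2024-05-01T09:00:06Z 203.0.113.7 heidi FAIL
2024-05-01T09:05:00Z 198.51.100.4 alice FAIL
2024-05-01T09:05:10Z 198.51.100.4 alice FAIL
2024-05-01T09:05:30Z 198.51.100.4 alice SUCCESS
2024-05-01T10:30:00Z 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Turn the raw log text into a list of event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "result": result,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames with mostly failures
    inside a sliding time window.

    Returns {ip: summary} for flagged IPs. The summary lists accounts that
    logged in successfully from that IP during the spray: the first
    candidates for an account takeover.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if e["result"] == "FAIL")
            if len(users) >= min_distinct_users and failures / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted({e["user"] for e in win
                                           if e["result"] == "SUCCESS"}),
                }
                prev = alerts.get(ip)
                # Keep the widest spray seen for this IP.
                if prev is None or summary["distinct_users"] > prev["distinct_users"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds have to be tuned to your own login volumes, and one public IP can hide a whole office behind NAT, so treat the output as a lead for the security team rather than an automatic lockout. The successful logins it names are the ones to check against new-device or impossible-travel signals before the account is used to move money.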
There are many reasons why I chose to write about this subject. First, my friend Sheila Sellers suggested I write a blog on account takeover. Second, when I travel abroad to speak, I always search for fraud in that country; the most common topic is account takeover. Lastly, account takeover is a critical fraud risk assessment topic.
In fraud identification, the starting point is identifying the perpetrator; the next step is ranking the perpetrator's sophistication. For an account takeover of a company, the perpetrator is external to your organization and most likely part of a crime group. We can assume their fraud sophistication is high and that they have no fear of getting caught, despite the recent Fraud Risk Management Guideline suggesting that getting caught is a deterrent.
Account takeover can then be linked to every business system and, most likely, every fraud scheme. Could a hacker add a ghost employee to payroll, set up a dummy vendor, or simply drain your bank account? Yes, to all.
Just a Few Scary Statistics on this Topic
Juniper Research anticipates global losses from online payment fraud to surpass $362 billion between 2023 and 2028, including a staggering projected loss of $91 billion in 2028 alone.
E-commerce, in particular, is witnessing a significant surge in fraudulent activities, with $48 billion expected to be lost to fraud in 2023, according to Forbes.
According to Aberdeen, financial services companies can lose up to 8.3% of their annual revenue to ATO attacks.
It’s estimated in the Cybersecurity Market Review that in the first quarter of 2022, online fraud attacks rose by 233% worldwide. During the same period, the number of online transactions only increased by 65%.
Approximately 26% of companies are targeted by ATO attempts every week, according to Abnormal.
So, what should we do?
Our ability to manage this fraud risk comes from a combination of IT security controls and our traditional business controls. But before you head into the internal-control world, I want to continue stressing the knowledge road. Then, and only then, will you be able to look behind the curtain.
First, you must understand the Federal Financial Institutions Examination Council's latest guidance on the risks, and the risk management controls, involved in authenticating access to services in an Internet banking environment. For those not familiar with the acronym FFIEC, the guidance introduces itself as follows:
"The Federal Financial Institutions Examination Council (FFIEC) on behalf of its members is issuing this guidance titled Authentication and Access to Financial Institution Services and Systems (the Guidance) to provide financial institutions with examples of effective risk management principles and practices for access and authentication. These principles and practices address business and consumer customers, employees, and third parties that access digital banking services and financial institution information systems."
The second step is to review the court cases involving account takeover and banks. Here are two:
Choice Escrow and Land Title, LLC, Plaintiff – Appellant/Cross-Appellee, v. BancorpSouth Bank
United States Court of Appeals for the Eighth Circuit
754 F.3d 611 (2014)
“Choice Escrow and Land Title, LLC (Choice) (plaintiff) maintained an account at Bancorpsouth Bank (Bancorpsouth) (defendant). Bancorpsouth offered four security procedures to protect against fraud: a username and password for each online user; device authentication; dollar limits on transactions; and a dual-control system. The dual-control system required approval of two unique users to authenticate a payment order. Choice declined the dual-control security measure. A third party hacked into Choice’s online bank account and ordered a wire transfer of $440,000. Bancorpsouth processed the transfer. Choice brought suit against Bancorpsouth, seeking to recover the lost money. The district court granted Bancorpsouth’s motion for summary judgment. Choice appealed.”
The Eighth Circuit affirmed: because Choice had declined the dual-control procedure the bank offered, the court found the bank's security procedures commercially reasonable and left the loss with Choice. Now that you know how a court ruled in this matter, you have industry knowledge. No, I do not expect you to be an attorney. But here are the questions you should be asking:
- Has your company implemented all the security procedures offered by the financial institution?
- If not, has management communicated and documented these decisions at the senior management level? At the board level?
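To show what the four procedures in the Choice Escrow summary mean as an actual release decision, here is an added example in Python (not the bank's or the post's code) that evaluates a payment order against per-user credentials, device authentication, a dollar limit and dual control, and runs the same $440,000 wire through a profile that declined dual control and one that kept it. The user names, device fingerprints, the limit, and the assumption that the fraudster's session runs on a registered device are all constructed for illustration.

```python
"""Payment-order release policy built from the four controls described in the
Choice Escrow summary: per-user credentials, device authentication, a dollar
limit and dual control.

Added example, not the bank's or the post's code. Policy values, user names
and device fingerprints are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountPolicy:
    dual_control: bool             # require a second, distinct user to approve
    per_transaction_limit: float   # assumed dollar cap per payment order
    trusted_devices: frozenset     # device fingerprints registered to the account


@dataclass(frozen=True)
class PaymentOrder:
    amount: float
    initiator: str
    initiator_device: str
    approvals: tuple = ()          # (approver, approver_device) pairs


# Assumed user directory for the customer's online banking profile.
KNOWN_USERS = frozenset({"cfo", "controller"})


def evaluate_order(policy, order, known_users=KNOWN_USERS):
    """Return ("RELEASE", []) or ("HOLD", [reasons]).

    Every failing control is reported, so a reviewer sees all of them rather
    than only the first one tripped.
    """
    reasons = []
    if order.initiator not in known_users:
        reasons.append("initiator is not a known user")
    if order.initiator_device not in policy.trusted_devices:
        reasons.append("initiating device is not registered to the account")
    if order.amount > policy.per_transaction_limit:
        reasons.append(f"amount {order.amount:,.2f} exceeds the per-transaction "
                       f"limit of {policy.per_transaction_limit:,.2f}")
    if policy.dual_control:
        second_approvers = {
            user for user, device in order.approvals
            if user != order.initiator             # no self-approval
            and user in known_users
            and device in policy.trusted_devices   # approver also needs a registered device
        }
        if not second_approvers:
            reasons.append("dual control: no second distinct user approved "
                           "from a registered device")
    return ("RELEASE", []) if not reasons else ("HOLD", reasons)


# Constructed scenario mirroring the case: someone holding the CFO's credentials
# initiates a $440,000 wire. Whether the device check passes depends on how the
# credentials were stolen; here we assume the session runs on the CFO's own
# registered machine, so only the dollar limit and dual control can stop it.
DEVICES = frozenset({"dev-cfo", "dev-controller"})
WEAK_POLICY = AccountPolicy(dual_control=False, per_transaction_limit=1_000_000,
                            trusted_devices=DEVICES)
STRONG_POLICY = AccountPolicy(dual_control=True, per_transaction_limit=1_000_000,
                              trusted_devices=DEVICES)
FRAUD_WIRE = PaymentOrder(amount=440_000, initiator="cfo", initiator_device="dev-cfo")


def run_scenarios():
    """Decisions for the fraudulent order under each policy, plus the legitimate
    dual-control path and an attempt by the initiator to approve its own order."""
    legit = PaymentOrder(440_000, "cfo", "dev-cfo", (("controller", "dev-controller"),))
    self_approved = PaymentOrder(440_000, "cfo", "dev-cfo", (("cfo", "dev-cfo"),))
    return {
        "weak_policy": evaluate_order(WEAK_POLICY, FRAUD_WIRE)[0],
        "strong_policy": evaluate_order(STRONG_POLICY, FRAUD_WIRE)[0],
        "strong_policy_legit": evaluate_order(STRONG_POLICY, legit)[0],
        "strong_policy_self_approved": evaluate_order(STRONG_POLICY, self_approved)[0],
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The point of the two profiles is that nothing in the weak one depends on the attacker doing anything clever: once the credential and the device check are satisfied, a single compromised login is enough to release the wire. Dual control turns the same order into a hold until a second person, on a second registered device, signs off, which is exactly the procedure the customer in the case had declined.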
PATCO Construction ACH Fraud Ruling Reversed
Appeals Court Calls Bank's Security "Commercially Unreasonable"
Patco Construction Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012)
The 43-page ruling describes the bank's security procedures as "commercially unreasonable," saying the institution should have detected and stopped the fraudulent transactions that drained more than $500,000 from PATCO's commercial account in 2009.
Here are the questions you should be asking about your financial institution:
- Is your company using a financial institution that complies with the FFIEC guidance?
- Has your financial institution made written representations to your company about its authentication and security procedures?
- If not, why are you using that financial institution?
One last thought on this subject: "Although cybersecurity continues to improve by leaps and bounds, history demonstrates that no matter how good of a mousetrap we build, some people will stop at nothing until they've found a way to beat it." For an analogy, as my good friend Larry Harrington once said to me, fraud risk mitigation on this subject is like trying to change a tire on a car traveling at 100 miles an hour.
Lastly, it raises the question: do we spend our internal control money on prevention or on detection?
Fraud Trivia: Hacks and Hackers
1. Who is called the god of hackers?
2. Which country is number one in cybercrime, according to PLOS ONE?
3. Which hacker inspired the movie War Games?
4. What is hacktivism?
5. What is the difference between hackers and hacktivists?