About the Author: ID Insight President Adam Elliott contributed this blog post.
I hear about new fraud schemes just about every week, but sometimes even I’m surprised by how easily criminals can find a new way in to consumers’ bank accounts. Usually, these schemes rely on a tried-and-true formula: impersonate the customer, change their contact information, request funds and cash out. But I just learned about a new wrinkle that takes account takeover fraud to a new level.
- A fraudster got a hold of a customer’s email address and online banking password
- Instead of changing the customer’s email, the fraudster used an email rerouting provider to hijack all of the customer’s email messages
- The fraudster then used email to request a $40,000 transfer using ACH
- Initially, the bank didn’t flag the request as suspicious, since it came from an email address that matched the customer information file
- When the bank realized the customer did not have enough money in his account to execute such a large transfer, a representative emailed the “customer” asking for clarification.
- The fraudster refused to agree to a phone authorization and the bank finally got suspicious and called the legitimate account-holder
- The customer was oblivious to the fraud attempt, though he had noticed that “something was up” with his email
Fortunately, this particular attempt was foiled by a very diligent banker.
We often see this sort of scam perpetrated with address changes (fraudulently changing an address by contacting the bank). But today – thanks to improved controls by financial institutions and USPS – fraudsters are taking a less traditional path: changing email or phone contacts and rerouting communications.
How can banks prevent this type of scam?
- Don’t wire funds based on a customer email
- Be suspicious of wire transfer requests made by phone (especially large dollar amounts)
- Take extra steps to get customer authentication before approving transfers
- For all transfer requests, make sure the customer has not recently changed their phone number, mailing address or email address
Vigilance is always a best practice in fraud prevention, but adaptability is just as important. You need to be ready not just for today’s scams, but for every future possibility. Fraudsters always choose the path of least resistance, so make sure every path to your customers’ accounts is well-defended (especially the digital ones).