Mitnick In The News
Banking Fraud and Social Networking
Jul 5, 2016 - Payments Journal, by Stu Sjouwerman
Criminals can use social networking venues, such as Facebook and Twitter, the same way they use email and texting to perpetrate crimes against individuals and organizations.
A cybercrook can spoof a Facebook or Twitter account, and then send a Facebook message or Tweet to an SME employee on the weekend. The message might purport to be from a coworker, requesting that person’s login information because the “coworker” forgot his or her own and needs it to finish an important project. If the SME employee takes the message at face value and doesn’t use another means of verifying the sender’s identity, he or she may end up transmitting the login information to a malicious person. That person then has access to whatever accounts, records, and assets the SME employee manages.
If the employee has access to the company’s bank accounts, the malicious person can drain large sums of money or other resources, and the soonest the crime will be discovered is the following Monday. The SME employee will be left holding the “smoking gun.”
SMEs Vulnerable to Banking Scams
In 2012, a survey conducted by Ponemon Institute and Guardian Analytics  revealed some startling facts about how vulnerable SMEs are to banking scams:
- Of the 998 SMEs surveyed, 52% had experienced a fraud attack within the preceding year, and 74% say their businesses experienced online fraud.
- Of the SMEs that had experienced attacks, 59% failed to recover their lost funds.
- About 75% of the banks included in the survey failed to detect fraud prior to funds being transferred.
Many SMEs aren’t covered under private fraud insurance.
In addition to having their employees divulge sensitive data as a result of phishing and other social engineering scams, bank accounts for SMEs are vulnerable to the same sort of attacks as personal bank accounts.
SMEs and Banking Trojans
Malicious persons can take advantage of unpatched computer vulnerabilities. Newly developed malware is designed to go undetected by traditional antivirus solutions. Various malware types can gather sensitive data from SME computers and servers, including banking authentication information. A single swift attack can remove hundreds of thousands of dollars from an SME’s bank account in a short time. Because SMEs traditionally don’t monitor their bank accounts daily, the theft might go undiscovered for days.
The probability of recovering the stolen funds declines sharply more than 24 hours after the theft.
Banks aren’t obligated to reimburse victim SMEs for their losses. However, they do generally work with a company to attempt to reverse any fraudulent asset transfers. However, the window for doing so successfully is only about 24 hours. Corporate accounts are responsible for any Automated Clearing House (ACH) debits after two days. If an SME fails to review its corporate bank accounts daily, it may not discover the fraudulent money transfers in time to avoid liability.
Large-Scale ACH Fraud
A single SME’s loss may not draw the attention of federal authorities, but the combined losses of a large number of SMEs will.
ACH fraud takes advantage of computer vulnerabilities and malware to transfer millions of dollars in bank funds out of numerous SME accounts. The fraudsters parcel those funds out to money mules—people who are duped into thinking that they are managing payroll transfers for international companies. The mules receive money transfers of less than $10,000 per transfer to avoid triggering a suspicious activity report (SAR) from the bank. Once the mule makes the required overseas wire transfer, those funds are gone forever.
Amounts as low as $5,000 can trigger a SAR. However, the mandatory requirement is for amounts of $10,000 or more. Therefore, most ACH fraud transactions are around $9,000.
The ACH scamming mechanism is an example of spear phishing.
Sometimes, malicious parties can add themselves or their proxies to the payroll of an SME. When the bank issues biweekly electronic paychecks, the fraudsters are “paid” along with the real employees. Remarkably, individuals can be added to a company’s payroll at the SME’s bank of record without the required documentation (for example, a canceled check or deposit slip from the employee’s bank or a completed payroll authorization form). In this case, the bank, not the SME, has failed to take the proper protective measures.
This type of fraud requires a coordinated effort, including soliciting the services of a large number of money mules. However, the rewards for the thieves are vast, and the money mules are expendable.
KnowBe4 hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, Sjouwerman teamed with Kevin Mitnick, the world’s most famous hacker, to help organizations manage the problem of cybercrime social engineering tactics through new school security