We’re all familiar with the ubiquitous Capital One ad campaign featuring celebrities asking the now-clichéd question “What’s In Your Wallet?” The investigation continues into the massive Capital One breach, in which an attacker leveraged a misconfigured web application firewall on a cloud server used by one of the largest credit card issuers in the U.S. to expose the personal information of nearly 106 million of the bank’s customers and applicants. The New York Attorney General’s office is looking into the breach and the company’s failure to have appropriate safeguards in place to prevent the incident. The chairman of the Senate Banking, Housing and Urban Affairs Committee also said the committee will look into the matter. Sen. Mike Crapo (Idaho) plans legislation that would establish new data safeguards for consumers. While Capital One asserts that no credit card account numbers or log-in credentials were compromised, a treasure trove of consumer data was exposed that can be used to open new accounts and perpetrate targeted phishing scams. Capital One victims are likely to be phished for years to come, long after the complimentary 12-month credit monitoring service runs out.
In the wake of the Capital One breach and other high-profile hacking incidents that have exposed consumers’ PII (personally identifiable information), the question consumers, businesses and banks should consider is “What’s in Your Inbox?”
In July, following a meeting held in New York City with industry players that focused on identifying and combating BEC (Business Email Compromise) scams, FinCEN issued an update to its “Advisory to Financial Institutions on E-mail Compromise Fraud Schemes,” first published in 2016. Since FinCEN’s 2016 BEC Advisory, the agency has received over 32,000 reports involving almost $9 billion in attempted theft from BEC fraud schemes affecting U.S. financial institutions and their customers. A Financial Trend Analysis of Bank Secrecy Act data released by the agency revealed that the total value of attempted BEC thefts reported in SARs (Suspicious Activity Reports) climbed to an average of $301 million per month in 2018 (up from $110 million per month in 2016). The advisory highlights the potential for institutions to share BEC schemes they encounter to help identify risks of fraudulent transactions and money laundering, including convertible virtual currency payments. It provides updated operational definitions for email compromise fraud, describes the targeting of non-business entities and data by BEC schemes, highlights general trends in BEC schemes targeting the financial and other sectors and jurisdictions, and alerts financial institutions to risks associated with the targeting of vulnerable business processes by BEC criminals.
According to reports published by the FBI’s Internet Crime Complaint Center (IC3) earlier this year, the number and sophistication of BEC scams have been on the rise over the past several years. Losses associated with BEC scams in the U.S. reached $1.3 billion last year alone, according to the FBI, which also reports that the number of BEC complaints was up as well. Between October 2013 and May 2018, this type of fraud caused potential losses of more than $12 billion globally.
In November 2018, cyber thieves siphoned $2.5 million in an elaborate BEC scheme that started with phishing emails targeting Cabarrus County, North Carolina. Employees of Cabarrus County Schools and Cabarrus County Government received emails purporting to be from Branch and Associates, a general contracting firm that was hired for construction of a new high school.
The cyber conspirators posed as representatives of the contracting firm in a series of emails requesting updated bank account information, which county employees unwittingly provided to the attackers. When the county started making vendor payments, the scammers diverted the payments through multiple accounts. The scam was discovered only when the contracting firm notified the county about a missed payment. SunTrust, the bank from which the funds were transferred, and Bank of America, the bank to which the funds were transferred, were notified. While $776,518.40 of the funds remained in traceable accounts and was recovered, more than $1,700,000 remains missing.
Earlier this year, email security firm Agari released details about a new type of BEC fraud targeting HR or payroll departments, where scammers attempt to divert funds by adding fictional accounts to company payrolls. The attackers masquerade as existing employees asking to update their bank account details, which allows the attackers to siphon off smaller, but continuous, amounts of money. Depending on how often the affected employee checks their bank account, this scheme can continue for weeks, or even months, before it is discovered.
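Both the Cabarrus County vendor scheme and the payroll-diversion scheme above begin with an emailed request to change a payee’s bank account. The following is an added example (not from the article, Agari or FinCEN) of a simple change-request control a payables or payroll team could run before any account change takes effect: it holds every request until it is verified by calling the number already on file, and flags the two red flags these schemes share, a sender domain that does not match the payee’s domain on file and a new account that another payee has already requested. All payee names, domains and account values are constructed.

```python
from dataclasses import dataclass

@dataclass
class ChangeRequest:
    payee: str                  # vendor or employee name as recorded on file
    sender_email: str           # address the change request arrived from
    new_account: str            # requested new account (constructed sample value)
    verified_by_callback: bool  # confirmed by calling the number already on file?

# Constructed master data (assumption): the email domain on file for each payee.
DOMAIN_ON_FILE = {
    "Branch and Associates": "example-contractor.test",
    "Employee A": "example-county.test",
    "Employee B": "example-county.test",
}

class ChangeControl:
    """Holds payment-detail changes that are unverified or carry red flags."""

    def __init__(self):
        self.seen_accounts = {}  # new_account -> payee that first requested it

    def assess(self, req):
        """Return ("proceed" | "hold", [flags]) for one change request."""
        flags = []
        domain = req.sender_email.rsplit("@", 1)[-1].lower()
        expected = DOMAIN_ON_FILE.get(req.payee)
        if expected is None:
            flags.append("payee not on file")
        elif domain != expected:
            # Vendor/employee impersonation: request came from an unfamiliar domain.
            flags.append(f"sender domain {domain} is not the domain on file ({expected})")
        # Payroll-diversion pattern: several payees 'updating' to the same account.
        prior = self.seen_accounts.setdefault(req.new_account, req.payee)
        if prior != req.payee:
            flags.append(f"account already requested by another payee ({prior})")
        if not req.verified_by_callback:
            flags.append("no out-of-band callback verification recorded")
        # Apply the change only when it is verified and nothing else looks wrong;
        # everything else goes to the fraud team instead of the payment run.
        return ("proceed" if not flags else "hold"), flags

if __name__ == "__main__":
    control = ChangeControl()
    spoofed = ChangeRequest("Branch and Associates",
                            "billing@example-contractor-invoices.test", "ACCT-001", False)
    print(control.assess(spoofed))   # ('hold', [...two flags...])
```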
Financial institutions play an important role in identifying and reporting fraud schemes. While most BEC scams are carried out via wire transfer, FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through other methods of payment, including convertible virtual currency payments, automated clearing house transfers, and purchases of gift cards. The agency stresses the importance of communication and collaboration among internal AML, compliance, business, fraud prevention, legal and cybersecurity departments, as well as with other institutions across the financial sector.
A new “2019 Phishing by Industry Benchmarking Study” released by security awareness training and simulated phishing platform KnowBe4 revealed that security awareness training can dramatically decrease the chances of employees falling prey to phishing scams. The study showed that after training, far fewer phishing emails were clicked on by employees. Any industry can be targeted by phishing scams, so companies and financial firms need to protect themselves by ensuring that employees are security aware. Turn your weakest links into one of your strongest defenses.
Written for and originally appeared in Bankers’ Hotline Vol. 29, No. 8, 8/27/19