New Fraud Scheme Trumps Banking Customers Via Chat
Fraudsters are no longer just stealing customers’ online banking details to drain funds directly from their accounts; they are making banks do it for them. Guardian Analytics has identified a new scam which targets banks’ recent desire to get closer to their customers. Fraudsters use many banks’ online banking live-chat feature to have the bank complete a wire transfer, without the bank’s staff knowing that a fraudster is behind the screen.
According to the online security firm, which first identified the scam in November, the fraudster essentially performs four steps:
- “Logs into a user's account using stolen login and password credentials;”
- “Tests the account by checking balances and completing internal funds transfers, sometimes from multiple accounts. No external transaction is initiated at first;”
- “Initiates a live chat session with customer service;”
- “Then asks customer service for assistance with scheduling a wire transfer. Customer service, of course, completes the wire transfer for the fraudster, believing the chat session is actually with the legitimate accountholder.”
The way in which fraudsters obtain the user’s online details varies. “What is clear is that once attackers got in, they were able to launch several fraudulent wire transfers without raising flags,” Chris Silveira, who manages fraud intelligence for Guardian, says. "Because the chat session takes place through an already authenticated online banking session, customer service just assumed it was the customer," Silveira says. "It's like a new type of call center fraud."
Silveira believes fraudsters are hard to identify in this instance, but additional security measures could bar them from carrying out transfers. "In getting requests through things like chat, where it's taking place in an already authenticated environment, they're easily manipulating customer service," he says. "But relying on other processes to authenticate transactions, like requiring PINs or whatever type of offline authentication that institution requires, could help. [That information] would be something that only the client would know."
Silveira adds, "There has to be more education, for customers and employees. And I think one of the important takeaways for financial institutions is that when suspicious activity is identified, it's important to communicate with other departments, like the frontline departments - the call center and customer service. They need to know when an account has been flagged for suspicious activity."
But Silveira offers other ways banks and credit unions can address this new online chat exploit:
- Look for Anomalous Behavior. "Most of these transactions were less than $8,000," he says. "Too small to raise a red flag. But the way the wires were scheduled was not typical behavior for the users. In some cases, the scheduling of the wires themselves was not something the users had done in the past."
- Assess Chat Risks. Take another look at the processes your institution has in place for accepting wire requests, whether over chat or through the online channel. Setting transactional limits or additional authentication methods could make sense.
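The two recommendations above (flag behaviour that is atypical for the user rather than relying on amount thresholds, and require out-of-band authentication for wire requests that arrive over chat) can be expressed as a small rule set run over session events. The following is an added illustrative example written for this article, not Guardian Analytics' product logic or any bank's real system; the session events, account profiles, device identifiers and the $8,000 figure used as a comparison are all constructed to mirror the four-step pattern described in the story.

```python
"""Rule-based check for the chat-assisted wire fraud pattern.

Added example with constructed data; not code from the article or from
Guardian Analytics. Event kinds, profile fields and device names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Event:
    account: str
    ts: int              # seconds since session start (constructed)
    kind: str            # login | balance | internal_transfer | chat_start | wire_request
    channel: str = "web"   # "web" for the online banking UI, "chat" for live chat
    device: str = ""
    amount: float = 0.0


# Constructed behavioural profiles; a real system would build these from history.
PROFILES = {
    "acct-1001": {"known_devices": {"dev-home"}, "prior_wires": 0},
    "acct-2002": {"known_devices": {"dev-office"}, "prior_wires": 14},
}

# Constructed sample sessions. "fraud" follows the four steps in the article:
# login with stolen credentials, balance check and internal move, chat, wire request.
SESSIONS = {
    "fraud": [
        Event("acct-1001", 0, "login", device="dev-unknown"),
        Event("acct-1001", 40, "balance"),
        Event("acct-1001", 95, "internal_transfer", amount=2500.0),
        Event("acct-1001", 300, "chat_start", channel="chat"),
        Event("acct-1001", 420, "wire_request", channel="chat", amount=7600.0),
    ],
    "normal": [
        Event("acct-2002", 0, "login", device="dev-office"),
        Event("acct-2002", 30, "balance"),
        Event("acct-2002", 120, "wire_request", channel="web", amount=7600.0),
    ],
}

# Amount threshold kept only to show that the decision does NOT depend on it:
# the wires in the article were below this kind of limit and still fraudulent.
AMOUNT_REVIEW_THRESHOLD = 8000.0


def assess_wire(session, profiles):
    """Return the flags raised and a decision for the wire request in one session."""
    acct = session[0].account
    prof = profiles[acct]
    kinds = [e.kind for e in session]
    if "wire_request" not in kinds:
        return {"account": acct, "amount": 0.0, "flags": [], "decision": "no_wire"}
    first_wire = kinds.index("wire_request")
    wire = session[first_wire]
    before_wire = kinds[:first_wire]
    flags = []

    # Step 1: login from a device the accountholder has never used.
    login = next((e for e in session if e.kind == "login"), None)
    if login is not None and login.device not in prof["known_devices"]:
        flags.append("unknown_device")

    # Step 2: "testing" the account (balances, internal moves) before any external transfer.
    if "balance" in before_wire and "internal_transfer" in before_wire:
        flags.append("recon_before_wire")

    # Steps 3-4: the wire is requested over chat, riding on the authenticated web session.
    if wire.channel == "chat" and "chat_start" in before_wire:
        flags.append("chat_initiated_wire")

    # Scheduling a wire is not something this user has done before.
    if prof["prior_wires"] == 0:
        flags.append("first_ever_wire")

    if wire.amount >= AMOUNT_REVIEW_THRESHOLD:
        flags.append("over_amount_threshold")

    # Decision: any chat-initiated wire, or any behavioural anomaly, requires
    # out-of-band authentication (PIN, callback) regardless of the amount.
    behavioural = {"unknown_device", "recon_before_wire", "first_ever_wire"}
    if "chat_initiated_wire" in flags or behavioural & set(flags):
        decision = "require_out_of_band_auth"
    else:
        decision = "allow"
    return {"account": acct, "amount": wire.amount, "flags": flags, "decision": decision}


def frontline_alerts(results):
    """Accounts that customer service and the call center should see as flagged."""
    return sorted(r["account"] for r in results if r["decision"] == "require_out_of_band_auth")


if __name__ == "__main__":
    results = [assess_wire(s, PROFILES) for s in SESSIONS.values()]
    for r in results:
        print(r)
    print("flag to frontline:", frontline_alerts(results))
```

In the constructed "fraud" session the wire is $7,600, under the comparison threshold, yet it is stopped because of the device, the reconnaissance pattern, the chat channel and the account's lack of wire history; the "normal" session with the same amount from a known device over the web channel is allowed. The `frontline_alerts` list is the hook for the point Silveira makes about sharing flagged accounts with customer service.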
But there is no single solution. "I think, overall, this is a reminder that financial institutions are facing a really broad scope of attacks and threats," Silveira says. "They should have a more comprehensive fraud prevention strategy, and understand that some of the older-style tactics still work."