Malware and phishing schemes targeting online bankers have spurred a jump in Automated Clearing House (ACH) fraud that has led to $100 million in attempted losses as of October, according to the FBI.
In an intelligence note released earlier this week by the Internet Crime Complaint Center (IC3), the FBI said that it is seeing several new complaints opened every week as cyber-criminals continue to up the ante. Many of the victims are small and midsize businesses, as well as court systems, schools and other public institutions, authorities said.
“Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts,” the agency said in a statement.
According to the feds, the typical scenario involves the victims receiving a phishing e-mail with an infected attachment or malicious link. If the recipient falls for the trick, they end up downloading a key logger that swipes their business or corporate bank account credentials. The thieves then create another user account with the stolen data and begin transferring funds via traditional wire transfers and ACH transfers while pretending to be the legitimate user.
“Further reporting has shown that the transfers are directed to the bank accounts of willing or unwitting individuals within the United States,” the FBI said. “Most of these individuals have been recruited via work-at-home advertisements, or have been contacted after placing resumes on well-known job search Websites.”
According to the IC3 – which is a partnership between the FBI, National White Collar Crime Center and the Bureau of Justice Assistance – the FBI analysis shows that the victims’ accounts are often held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions.
“FBI interviews revealed that the threat stems not only from the malware involved in these cases, but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider level,” according to IC3. “For instance, in several cases banks did not have proper firewalls installed, nor antivirus software on their servers or their desktop computers. The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system.”