If you're a Fraud Prevention Exec at a financial institution (FI), this story should sound like a thousand others you hear every day from your investigative staff. If it isn't, you might want to have a look at your defenses.
If you're NOT a bank Fraud Prevention Exec, this blog post is for you! As I discussed in a recent blog post, risk management must comprehensively address all types of risk, including identity theft, unauthorized access, and financial fraud. Read the story below and ask yourself whether your FI is addressing this holistically as a risk to the enterprise.
- A teenage hacker in Alabama (or Shenzhen China, for that matter) downloads the code for a Zeus, URLzone, or Champi trojan virus. He experiments and figures out how to secretly place it on a computer via email.
- He brags online about his feat, and soon is contacted by a more seasoned fraudster, who buys the virus for $100. The teenager is ecstatic! Party on!
- The fraudster sends it out to 1,000 random email addresses from an anonymous account. The virus takes hold on several hundred computers. It is structured to avoid most common virus scans.
- The fraudster then places an ad online offering to sell access to the infected computers (yes, there are Craigslist-like sites just for criminals) for about $30 to $300 for one month. He knows he has broken some laws, but feels his exposure is limited.
- A criminal in Eastern Europe buys access, allowing him to activate the trojan and receive the victims' balances, account numbers, usernames, passwords, PINs, identifying info, and even secret questions.
- The criminal uses this real customer info to set up a series of "mule" accounts at FIs he knows are vulnerable. The real customer doesn't even know these accounts exist.
- The criminal then uses all the usernames and passwords he has gathered to set up funds transfers from the unsuspecting customer accounts to his mule accounts. He knows to do it quietly over a period of time in order to stay under everyone's radar. He probably knows, from anecdotes of other criminals (yes, there are fraudster blogs and chatrooms), exactly what patterns or thresholds the FI is looking for.
- The criminal opens anonymous or mule offshore accounts in countries with weak Anti-Money Laundering and Know-Your-Customer laws so he doesn't have to provide any of his own identifying info.
- The criminal places an ad on Monster.com or Craigslist for a "work-from-home payroll analyst" who can naively move money for him without raising any alarms.
- He hires a person in the US who, based on the criminal's legitimate-looking instructions, transfers money from the mule accounts to offshore accounts over a period of weeks. By the time the "payroll analyst" realizes they're not getting paid for their work, it's too late. The criminal is gone and his tracks are covered. Once FIs and police investigate the fraud, the "payroll analyst" looks like the prime suspect.
- Meanwhile, the criminal launders the funds through a series of transfers, checks, debit card transactions, bill pays, and stored value card purchases. Once the money is clean, he puts it right in his pocket and takes a 6-month vacation with YOUR paycheck.
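The "quietly over a period of time" step above is the one a per-transaction threshold misses. As an added illustration (not from the original post, and not any FI's actual rule set), the detection below aggregates outbound transfers per source-to-destination pair over a sliding window, so a series of individually small transfers that drain an account to one beneficiary still raises an alert; the transfer log, thresholds and account numbers are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Constructed sample transfer log (not from the original post): one outbound
# transfer per line as source account, destination account, ISO date, amount.
SAMPLE_TRANSFERS = """\
cust-1001,acct-9001,2024-03-01,900
cust-1001,acct-9001,2024-03-04,850
cust-1001,acct-9001,2024-03-09,950
cust-1001,acct-9001,2024-03-15,900
cust-1001,acct-5555,2024-03-02,1200
cust-1002,acct-9002,2024-03-03,700
cust-1002,acct-9002,2024-03-06,650
cust-1003,acct-9001,2024-03-05,400
"""

PER_TXN_ALERT = 1000   # hypothetical amount at which a single transfer is already reviewed
WINDOW_DAYS = 30       # hypothetical look-back window for aggregation
AGG_ALERT = 2500       # hypothetical cumulative amount per source->destination pair
MIN_TXNS = 3           # require a repeated pattern, not one small payment

def parse_transfers(text):
    """Parse the CSV-style log into (src, dst, date, amount) tuples."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, day, amt = line.split(",")
        rows.append((src, dst, date.fromisoformat(day), float(amt)))
    return rows

def find_structured_drains(rows, window_days=WINDOW_DAYS):
    """Return {(src, dst): total} for pairs where every transfer stays below
    PER_TXN_ALERT but at least MIN_TXNS transfers inside one window sum to
    AGG_ALERT or more, i.e. the low-and-slow drain a per-transaction rule misses."""
    by_pair = defaultdict(list)
    for src, dst, day, amt in rows:
        by_pair[(src, dst)].append((day, amt))
    alerts = {}
    for pair, txns in by_pair.items():
        txns.sort()
        if any(amt >= PER_TXN_ALERT for _, amt in txns):
            continue  # a large single transfer is handled by the per-transaction rule
        for i, (start, _) in enumerate(txns):
            window = [amt for day, amt in txns[i:] if (day - start).days < window_days]
            if len(window) >= MIN_TXNS and sum(window) >= AGG_ALERT:
                alerts[pair] = sum(window)
                break
    return alerts
```

A production rule would also look at fan-in (several source accounts paying one newly created beneficiary), which is the mule-account signature from the story; this block keeps to the single-pair aggregation for brevity.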