Funds Transfer Risk: Awareness and Mitigation
Funds transfer fraud is growing at an alarming rate, affecting both financial institutions and customers of all sizes, types and geographies. Given the growing frequency of incidents and the similarities of methods and circumstances, this note will be our most prescriptive comment yet about actions every user of commercial funds transfer systems should take for their own protection.
The schemes typically work this way:
- First, the criminal acquires the logon credentials of a legitimate funds transfer system user. This typically happens in one of two ways: legitimate users visit ordinary-looking websites that plant malicious software on their computers, or they open innocent-looking email attachments that infect their computers with malicious software. In either type of infection, the malicious software is a "key logger" that captures keystrokes and transmits them to a remote computer, where system logon credentials, the URLs where they were used, and other sensitive information are extracted.
- Second, the criminals in possession of this information - logon credentials plus the sites where they can be utilized - sign in to the funds transfer application and execute one or more transfers to a destination beyond the reach of U.S. law, or occasionally to a U.S.-based intermediary who has been duped into serving as a relay point in exchange for a small percentage of the dollars involved. Sometimes, but not always, the first transfer is a small amount that tests whether the end user and their financial institution have monitoring systems and controls in place. Other times, the criminals are bolder and initiate one or more large transfers in a short time period. In still other cases, the criminals set up new users and modify permissions and passwords of existing legitimate users to help conceal their actions and position themselves for future crimes.
Sometimes these fraudulent transactions can be reversed, and sometimes they cannot. Timely detection and reporting are essential. But every situation is different, and there is no guarantee that a fraudulent transfer can be reversed and the funds recovered. However, there are specific tactics that can help prevent these incidents, and we strongly advise you to take the following steps to ensure the security of your funds transfer environment:
- First, please be especially attentive to the security of your network. Up-to-date antivirus and anti-spam programs can prevent attacks from emails with infected attachments. Programs that filter and monitor web surfing can prevent visits to sketchy sites that are most often used to distribute keystroke logger programs, and appropriate browser settings can prevent accidental or unwanted downloads. Finally, there is no substitute for regular, thorough employee security awareness training.
- Second, please be especially vigilant in your implementation and enforcement of internal controls. We advocate daily (or even more frequent) review of all outgoing funds transfers to ensure that fraud is detected as quickly as possible, when there may still be a chance of reversing the transaction.
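As an added illustration of the daily review recommended above (example code written for this note, not a Level One Bank tool), the script below scans one day of activity for the patterns described earlier: a small test transfer followed by a large one, several large transfers in a short period, and new users or changed permissions and passwords. The record layout, payee names, dollar thresholds and 60-minute window are all assumptions to adapt to your own export.

```python
from datetime import datetime, timedelta

# Constructed sample of one day's activity export; field names are assumptions.
EVENTS = [
    {"ts": "2024-03-04T09:02", "type": "transfer", "user": "ap_clerk", "payee": "ACME SUPPLY", "amount": 18250.00},
    {"ts": "2024-03-04T13:40", "type": "user_created", "user": "controller", "target": "tmp_ops"},
    {"ts": "2024-03-04T13:42", "type": "permission_changed", "user": "controller", "target": "tmp_ops"},
    {"ts": "2024-03-04T13:47", "type": "transfer", "user": "tmp_ops", "payee": "NORTHLINE TRADING", "amount": 25.00},
    {"ts": "2024-03-04T13:58", "type": "transfer", "user": "tmp_ops", "payee": "NORTHLINE TRADING", "amount": 48000.00},
    {"ts": "2024-03-04T14:05", "type": "transfer", "user": "tmp_ops", "payee": "NORTHLINE TRADING", "amount": 49500.00},
]
KNOWN_PAYEES = {"ACME SUPPLY"}            # payees the business has approved before
ADMIN_TYPES = {"user_created", "permission_changed", "password_changed"}
TEST_MAX, LARGE_MIN = 100.00, 10000.00    # assumed thresholds; tune to normal volumes
WINDOW = timedelta(minutes=60)            # assumed meaning of "a short time period"


def review(events, known_payees):
    """Return (rule, timestamp, detail) tuples for items a reviewer should check."""
    findings, seen = [], []               # seen = earlier transfers as (time, event)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] in ADMIN_TYPES:
            findings.append(("ADMIN_CHANGE", e["ts"], f"{e['type']} on {e['target']} by {e['user']}"))
            continue
        if e["type"] != "transfer":
            continue
        now = datetime.fromisoformat(e["ts"])
        recent = [p for t, p in seen if now - t <= WINDOW]
        if e["payee"] not in known_payees:
            findings.append(("NEW_PAYEE", e["ts"], e["payee"]))
        if e["amount"] >= LARGE_MIN:
            # A small transfer to the same payee shortly before this large one
            if any(p["payee"] == e["payee"] and p["amount"] <= TEST_MAX for p in recent):
                findings.append(("TEST_THEN_LARGE", e["ts"], e["payee"]))
            # Another large transfer already made inside the same window
            if any(p["amount"] >= LARGE_MIN for p in recent):
                findings.append(("LARGE_BURST", e["ts"], f"{e['amount']:.2f} to {e['payee']}"))
        seen.append((now, e))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in review(EVENTS, KNOWN_PAYEES):
        print(f"{ts}  {rule:<16} {detail}")
```

Any flagged item is a prompt for a person to confirm the transfer or change with its supposed initiator, not proof of fraud.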
Please know that Level One Bank is firmly committed to delivering secure solutions that merit your full confidence. Although the tools have changed, bank robbers still look at our industry as the ripest of targets because we are where the money is. Staying one step ahead of the bad guys is a shared responsibility. There will always be people trying to defeat our security systems and processes, but with your cooperation and your support of the measures outlined in this bulletin, we can effectively address the immediate and growing threat of funds transfer fraud.