New Fraud Scheme Launched Via Chat
Social Engineering Scam Fools Customer Service Reps
Socially engineered schemes aimed at compromising bank accounts and perpetrating fraud just keep getting trickier. Here's the newest one: fraudsters conning customer support staff through the online banking chat feature.
Guardian Analytics, an anomaly-detection and online security vendor, first identified the scam in mid-November. Researchers soon connected the dots, learning that the scheme was striking several institutions, large and small.
It's a pretty simple scam, but one that does require takeover of the online user's account, says Chris Silveira, who manages fraud intelligence for Guardian.
Based on incidents Guardian identified, the scheme involves four steps through which the fraudster:
- Logs into a user's account using stolen login and password credentials;
- Tests the account by checking balances and completing internal funds transfers, sometimes from multiple accounts. No external transaction is initiated at first;
- Initiates a live chat session with customer service;
- Asks customer service for help scheduling a wire transfer. Because the chat was opened from an already authenticated session, customer service completes the wire for the fraudster, believing it is dealing with the legitimate accountholder.
How scammers obtain the online user's credentials varies, either through a Trojan infection or a separate socially engineered scam. But Silveira says Guardian finds that many owners of the compromised accounts are also victims of a work-at-home scam in which one-time direct deposits are made to their online accounts. The fraudsters later pulled funds from those accounts, but it is not clear whether the users voluntarily handed over their credentials or were hacked.
What is clear is that once attackers got in, they were able to launch several fraudulent wire transfers without raising flags, Silveira says.
"Because the chat session takes place through an already authenticated online banking session, customer service just assumed it was the customer," Silveira says. "It's like a new type of call center fraud."
The scheme, once again, reinforces the need for additional levels of authentication, even for transactions initiated through an already authenticated channel.
Increases in Call Center Fraud
Banking institutions have seen upticks in call center fraud as they've improved efforts to authenticate users online. In March 2012, security experts warned about this popular mode of attack after several banking institutions saw fraud migrate from other channels to the call center.
Silveira says the newest scheme involving chat exposes the same vulnerability - customer service reps who are too often fooled by fraudsters disguising themselves as legitimate accountholders.
"In getting requests through things like chat, where it's taking place in an already authenticated environment, they're easily manipulating customer service," he says. "But relying on other processes to authenticate transactions, like requiring PINs or whatever type of offline authentication that institution requires, could help. [That information] would be something that only the client would know."
But no process is foolproof. Banking institutions can expect more cross-channel fraud. Experts have warned of this concern for years. And as more distributed-denial-of-service attacks strike banking institutions, distracted management and IT departments set the stage for schemes like this one to exploit weak points, like call centers and customer service departments.
"While those [DDoS] attacks are large and getting the attention of financial institutions, there are other attacks that are being waged that are just as real and have a chance of success," Silveira notes. "And when customer service is over-sensitive to the need to help customers who are frustrated because they can't access online banking when the bank is hit by a DDoS attack, they are more susceptible to fall for a scheme."
Besides, socially engineered schemes that exploit helpful bank personnel are among the easiest to pull off.
What Can Banks Do
The biggest lesson: Cross-departmental communication is critical, and so is cross-channel fraud monitoring.
"There has to be more education, for customers and employees," Silveira says. "And I think one of the important takeaways for financial institutions is that when suspicious activity is identified, it's important to communicate with other departments, like the frontline departments - the call center and customer service. They need to know when an account has been flagged for suspicious activity."
It all goes back to fundamentals. And it illustrates why banking institutions can get too focused on one scheme or one channel, as the Federal Financial Institutions Examination Council points out in its updated authentication guidance.
But Silveira offers other ways banks and credit unions can address this new online chat exploit:
- Look for Anomalous Behavior. "Most of these transactions were less than $8,000," he says. "Too small to raise a red flag. But the way the wires were scheduled was not typical behavior for the users. In some cases, the scheduling of the wires themselves was not something the users had done in the past."
- Assess Chat Risks. Take another look at the processes your institution has in place for accepting wire requests, whether over chat or through the online channel. Setting transactional limits or requiring additional authentication for such requests could make sense.
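To make the four-step pattern described earlier and the two recommendations above concrete, here is an added example of cross-channel screening of wire requests, written for this article and not Guardian Analytics' product logic or any bank's actual rules. It runs over a constructed event log in which one account follows the scheme exactly (login, balance checks and internal transfers, chat session, wire under $8,000) and a second account is a regular wire user acting normally. The event fields, the per-account wire history, the $10,000 amount-only threshold and the "step_up" decision are all assumptions made for the example; the point it demonstrates is that an amount threshold alone passes the fraudulent wire, while looking at channel, history and the probing behaviour that preceded the chat request flags it for out-of-band authentication and puts the account on a list that frontline staff should see.

```python
# Added example: cross-channel screening of wire requests over a constructed
# online-banking event log. Illustration only, not Guardian Analytics' logic or
# any bank's rules; the event fields, HISTORY, WIRE_AMOUNT_ALERT and the
# step_up/clear decision are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int          # seconds into the login session (constructed)
    account: str
    channel: str     # "web" (self-service) or "chat" (customer service over chat)
    action: str      # login | balance | internal_xfer | chat_start | wire_request
    amount: float = 0.0


# Assumed per-account profile: how many wires the customer has ever scheduled.
HISTORY = {"acct-1001": {"wires_scheduled": 0},
           "acct-2002": {"wires_scheduled": 12}}

# Constructed sample log. acct-1001 follows the four-step pattern from the
# article; acct-2002 is a routine wire user doing a normal web wire.
SAMPLE_EVENTS = [
    Event(0,   "acct-1001", "web",  "login"),
    Event(20,  "acct-1001", "web",  "balance"),
    Event(45,  "acct-1001", "web",  "internal_xfer", 2500.0),
    Event(70,  "acct-1001", "web",  "balance"),
    Event(300, "acct-1001", "chat", "chat_start"),
    Event(420, "acct-1001", "chat", "wire_request", 7800.0),
    Event(0,   "acct-2002", "web",  "login"),
    Event(60,  "acct-2002", "web",  "wire_request", 5000.0),
]

WIRE_AMOUNT_ALERT = 10000.0   # assumed amount-only rule that the scheme stays under


def amount_only_alerts(events, threshold=WIRE_AMOUNT_ALERT):
    """The naive control: flag only wires at or above a dollar threshold."""
    return [e.account for e in events
            if e.action == "wire_request" and e.amount >= threshold]


def screen_wire_requests(events, history):
    """Score every wire_request using behaviour seen across web and chat.

    Returns one record per wire with the reasons that fired and a decision:
    'step_up' (require out-of-band authentication before customer service
    completes the wire) when any reason fires, otherwise 'clear'."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    decisions = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        probes = 0           # balance checks and internal transfers seen so far
        chat_open = False    # a chat session was opened inside this login session
        for e in evs:
            if e.action in ("balance", "internal_xfer"):
                probes += 1
            elif e.action == "chat_start":
                chat_open = True
            elif e.action == "wire_request":
                via_chat = e.channel == "chat" or chat_open
                reasons = []
                if via_chat:
                    reasons.append("wire requested through chat in an authenticated session")
                if history.get(account, {}).get("wires_scheduled", 0) == 0:
                    reasons.append("account has never scheduled a wire before")
                if via_chat and probes >= 2:
                    reasons.append("balance checks/internal transfers preceded the chat wire")
                if e.amount >= WIRE_AMOUNT_ALERT:
                    reasons.append("amount at or above alert threshold")
                decisions.append({
                    "account": account, "amount": e.amount, "channel": e.channel,
                    "reasons": reasons,
                    "decision": "step_up" if reasons else "clear",
                })
    return decisions


def frontline_watchlist(decisions):
    """Accounts that must be communicated to call-center and chat staff as flagged."""
    return sorted({d["account"] for d in decisions if d["decision"] == "step_up"})


if __name__ == "__main__":
    print("amount-only alerts:", amount_only_alerts(SAMPLE_EVENTS))
    results = screen_wire_requests(SAMPLE_EVENTS, HISTORY)
    for d in results:
        print(d)
    print("watchlist for frontline staff:", frontline_watchlist(results))
```

The decision deliberately does not depend on the dollar amount: the fraudulent wire at $7,800 stays under the assumed $10,000 rule, and what separates it from the routine $5,000 wire is the channel it came through, the absence of any wire history for that account, and the balance checks and internal transfers that preceded the chat session. The watchlist is the piece the article's "communicate with other departments" advice asks for: a chat agent who sees the account flagged before completing the request has a reason to insist on the bank's offline authentication step.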
"I think, overall, this is a reminder that financial institutions are facing a really broad scope of attacks and threats," Silveira says. "They should have a more comprehensive fraud prevention strategy, and understand that some of the older-style tactics still work."