A new wave of payments fraud has emerged in the U.S., as millions of consumers have shifted their banking and purchasing activity to online channels since the COVID-19 outbreak forced mandatory stay-at-home orders, and most major businesses shifted their employees to work from home on a full-time basis.
The drastic shifts in e-commerce and mobile banking opened up an entire new target set for malicious actors to exploit weaknesses in remote corporate networks, merchant e-commerce sites and financial institutions dealing with massive increases in mobile banking transactions.
Tom Kellerman, head of cybersecurity strategy at VMware Inc., testified before the House Subcommittee on National Security, International Development and Monetary Policy late last month, that cyber attacks against the financial sector rose by 238% between February and April, the peak period when COVID-19 was spreading across much of the U.S., forcing government imposed stay-at-home orders.
“At an alarming rate, transnational organized crime groups are leveraging specialist providers of cybercrime tools and services to conduct a wide range of crimes against financial institutions, including ransomware campaigns, distributed denial of service attacks, business email compromise scams and access mining,” Kellerman testified before the House subcommittee. “Criminals are increasingly sharing resources and information and reinvesting their illicit profits for the development of new, even more destructive capabilities.”
He told the committee that the growing availability of readily available malware is making it easier for even inexperienced criminal actors to launch their own operations. He added that the growing availability of mobile devices, cloud-based data storage and digital payment systems has provided an ever-expanding host of attack vectors for cybercriminals to exploit.
Earlier this month, the FBI warned of a heightened risk of cyber attacks as more U.S. consumers embrace digital banking. The agency warned that malicious apps are being embedded inside third-party software, and banking trojans can appear to be legitimate login pages.
The agency noted that mobile banking use has increased as much as 50% during the COVID-19 lockdown period as millions of Americans have been forced to work from home and banks have in many cases closed lobby access to retail customers in favor of mobile banking, ATM and drive-thru.
“The primary goal of these attacks is to capture banking credentials to access funds,” Chris Hazelton, director of security solutions at Lookout, a San Francisco-based provider of mobile phishing solutions, told this website via email. “This could be either criminal gangs or state actors, such as North Korea, that are part of a much larger global campaign to steal cash for the state.”
He noted a couple of recent examples of specific campaigns. In February, Lookout Phishing AI discovered a campaign that used SMS messaging to target customers to fake websites of well known banks in Canada and the U.S., including Scotiabank, CIBC, HSBC, Chase and others. The campaign was designed to capture the banking credentials and login information of users.
“The entire banking ecosystem is under stress,” Jennifer Singh, director, channel partnerships, North America, at Entersekt, told Mobile Payments Today, via email. “The hasty deployment of business continuity plans and a transition to remote work has heightened the risk posed to banks and fintechs alike, the latter which have been in existence for less than a decade and are only now dealing with their first real crisis.”
Singh said that fraudsters used strategic phishing campaigns to lure unsuspecting victims into disclosing personal information. Another tactic seen during the pandemic has been to use SIM swap fraud, in which carriers are tricked into porting a number to a new device, unsuspected by a target.
Payments firms have also seen a rising level of fraud activity, as merchants and other businesses have been limited since the March stay-at-home orders.
Jackie Ward, vice president of risk and compliance at Dwolla, said she’s seen cases of micro-deposit fraud with some clients where bots attack numerous accounts simultaneously.
“The fraudsters are fine with only earning a small amount if they don’t have to work too hard at it,” Ward told Mobile Payments Today via email. “They are also going to extremes and purchasing off the Dark Web fake personas, whether personal information and identification or even business websites to set up fake accounts, tie someone else’s bank account and try to get the money out before the return happens.”