August 25, 2014
Forty Years and Still Scamming
I suspect that a lot of us have received a letter or an e-mail supposedly from another country's government official or banker informing us that there were some unexpected riches coming our way. We could become millionaires, these strangers tell us, by claiming a prize from a lottery that we don't remember entering. Or they say we just might become millionaires by helping them transfer money out of their country, since they can't because of some sort of bureaucracy or regulation. Before tossing these letters or e-mails into the trash, did you ever linger for just a moment wondering if these riches could actually be coming to you?
A large number of people, particularly in the United States, think the scam is legitimate and are willing to invest up to tens of thousands of dollars to claim their share of the pot of gold. Sadly, they find not only that there is no gold, but also that there isn't even a pot. This type of fraud is classified as an advance fee fraud because the scam involves the victim having to send money in advance, to cover fees or taxes, before they can receive their share of the bounty. The advance fee fraud is one type of 419 Nigerian fraud, so called because early versions originated in Nigeria, where criminal code 419 describes the fraud. 419 fraud began in the 1970s with letters—often with counterfeit postage marks—that targeted small business owners, requesting their help in handling new oil wealth.
Over the next three decades, the solicitations grew at such a tremendous pace that in 2002, the Department of Justice got a court order to allow postal employees to open every letter from Nigeria that was handled through the United States Postal Service's mail facility at John F. Kennedy Airport. They found that more than 70 percent of these letters contained some sort of fraudulent scheme solicitation.
As law enforcement's focus on Nigeria intensified, the 419 groups moved to other countries. These groups reportedly have major operations in at least 150 countries and the involvement of more than 800,000 people. Ultrascan Advanced Global Investigations (UAGI), an Amsterdam-based association focused on disrupting the operations of criminal networks, stated in a preliminary 2013 report that U.S. victims lost $2.3 billion in 2013—more than in any other country.
As with other types of criminal activity, the techniques that advance fee criminals use have become more sophisticated, evolving alongside technological advances. They've moved their method of solicitation from mail to faxes and then to e-mails. And now, instead of just sending mass mailings or e-mails, many of the criminals are tailoring e-mail messages, lacing them with personalized information obtained from social networks and professional and dating websites. For lottery-themed advance fee schemes, the UAGI estimates that 3 percent of the targets respond and make at least one advance payment.
Even more interesting, the report refutes some common misconceptions about the victims usually being lower income or with less education and desperate for some sort of financial windfall. In fact, a number of high-income professionals are taken in by some of the more sophisticated schemes involving high-dollar ventures including real estate development and medical equipment. The report also notes that, for victims losing more than $200,000, 85 percent of them had recently experienced some sort of life-changing family trauma such as a death, divorce, or major illness.
Education by financial institutions remains the most valuable tool to defend against these schemes. These institutions should use in-house media and other methods, such as public service announcements, to alert consumers to these scams, particularly those that appear in the FIs' service areas. I know of some institutions that train their frontline staff to watch for such unusual transactions, particularly by the elderly, as a supplement to their anti-money-laundering education. Financial institutions and consumers should report advance fee fraud attempts immediately to the local Secret Service or FBI office for investigation.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 18, 2014
Crooks Target Business Clients
Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.
Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:
- Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
- Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system
Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.
The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 11, 2014
Improving Mobile Security with Biometrics
During the last year, the release of two smartphones with fingerprint readers by two different manufacturers was met with a lot of excitement. People in the payments industry were keen on the ability of the new phones to better authenticate mobile payments. Fingerprints are one of several biometric methods used today to supplement passwords.
Biometrics refers to techniques that use measurable physical characteristics that lend themselves to automated checking techniques. In addition to fingerprints and vein recognition, biometrics can include voice, facial, and iris recognition, and even DNA matching, among others.
As the Federal Reserve's report Consumers and Mobile Financial Services 2014 noted, consumers' security concerns are a big barrier to the adoption of mobile banking. Mobile proponents believe this barrier can be reduced with the additional security features that mobile phones can provide, along with consumer education. There is no question that the mobile phone offers a number of ways to authenticate the user more positively, using both overt and covert methods. One well-known covert option is the smartphone's geolocation function, which allows verification that the phone is in the location it's supposed to be. Another covert method is "device fingerprinting," whereby a number of digital characteristics about the consumer's phone can be captured and used to verify that the phone being used is the one originally registered.
The most common overt biometric methods being tested today are fingerprint and facial recognition. While only a small number of mobile phones in use today in the United States have fingerprint readers, the vast majority have a camera that could support a facial recognition application. Both of these biometric methods are minimally invasive.
The key difference between biometric verification and user ID and password verification creates the greatest challenge for implementing biometrics authentication: with passwords, unless there is a 100 percent match between the data on file and the data the user enters in trying to gain access, the request is automatically rejected. It may be the legitimate user trying to gain access but maybe he or she forgot the password. Nevertheless, the system rules block access until the user's identity can be authenticated through some other means. On the other hand, the nature of biometrics is such that a 100 percent match between the stored template value and the live template value is rare—possibly because of differences in lighting conditions or angles when biometric measurements are made, or differences between readers, or some other reason. To deal with this gap, the manager of each application has to determine an acceptable accuracy level for both false-positives (whereby a party incorrectly matched is authorized) and false-negatives (whereby the authentic party is denied access). Naturally, false-positives pose the greater threat. False-negatives generally just involve some level of inconvenience until the individual can be authenticated and provided access.
No matter what biometric authentication methodology a system uses, the most important step is validating each customer's biometrics upon enrollment in the program. We will discuss this issue and other challenges for biometric programs in future issues of Portals and Rails.
By Dave Lott, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 04, 2014
Fishing for Your Private Data
Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.
Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.
In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the email, and without opening any attachments.
In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.