Bank Scams

by Stu Sjouwerman

In simple terms, a bank scam is an attempt by unscrupulous persons or organizations to acquire financial assets from individuals or organizations, including small to medium enterprises (SMEs).

Large corporations routinely purchase fraud insurance or cyber liability policies, but smaller organizations often do not. Although it’s good protection, many SMEs see the insurance as an unnecessary expense; after all, the majority of SMEs believe cybercriminals target large corporations. However, SMEs are highly vulnerable targets. If a malicious attempt against a small business is successful and of large enough scope, the company might not be able to recover.

A Sampler of Recent Banking Scams

There are many methods used to commit banking scams against SMEs. For example, social engineering techniques include phishing and smishing to acquire individual or corporate login access at an institution. An organization’s employees or customers can also be exposed to fraud attempts via email, social networking sites, and Twitter. Criminals sometimes use malicious programs to drain an organization’s assets, which can damage or ruin its reputation or business viability. They may target not only SMEs but also federally sponsored enterprises.

An FDIC and Patriot Act Scam
The FDIC is chartered with maintaining the stability of the US banking system, and the agency regularly issues warnings about the latest banking scams. But the FDIC’s name can be misused in an attempt to gain information that could then be used to victimize individuals and organizations with which they do business. Let’s look at a recent example that involves the FDIC and the Patriot Act.

On January 12, 2011, the FDIC issued special alert SA-10-2011. In this alert, the FDIC stated that several customers had received fraudulent emails claiming to be from the FDIC. These bogus emails said that the FDIC, “in cooperation with the Department of Homeland Security, federal, state and local governments,” had removed its insurance protection against the customer’s account due to “suspected violations of the Patriot Act.” The message threatened to terminate insurance for the recipient’s account, and “all records of your account history will be sent to the Federal Bureau of Investigation in Washington D.C. for analysis and verification.”

The email also attempted a phishing scam. It requested that the customer click a link, supposedly to an FDIC IDVerify system (which doesn’t actually exist), to enter confidential information. Once the customer reached the fraudulent FDIC site, however, malicious software would be downloaded to the customer’s computer.

The FDIC special alert described methods to identify this specific email scam, including the content of the subject line and body of the email. The FDIC, like most other responsible organizations with protective or other fiduciary responsibility to their customers, doesn’t send unsolicited emails.
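The indicators the alert relied on (an FDIC claim arriving from a domain that is not the agency's, a link that does not go where its text says, and the Patriot Act / account-termination threat language) can be turned into a simple mail-triage check. The following Python script is an added example, not code from the article or from the FDIC; the two messages, the sender and link domains (all under the reserved `.example` TLD), and the phrase list are constructed for illustration, and the `triage` scoring rule is an assumption of this example rather than the FDIC's published method.

```python
"""Heuristic triage of a suspected FDIC-themed phishing email (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "fdic.gov"  # the agency's real domain; anything else claiming FDIC is suspect

# Threat / lure phrases taken from the scam as the article describes it
THREAT_PHRASES = (
    "patriot act",
    "department of homeland security",
    "federal bureau of investigation",
    "idverify",
)

# Constructed sample of the scam message (domains are placeholders, not real IoCs)
SAMPLE_PHISH = """\
From: FDIC Alerts <alerts@fdic-notify.example>
To: customer@example.com
Subject: FDIC insurance coverage suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>In cooperation with the Department of Homeland Security, federal, state and
local governments, the FDIC has suspended the insurance coverage on your account
due to suspected violations of the Patriot Act. All records of your account history
will be sent to the Federal Bureau of Investigation for analysis.</p>
<p>Confirm your identity at <a href="http://fdic-idverify.example/verify">
https://www.fdic.gov/IDVerify</a> within 24 hours.</p>
</body></html>
"""

# Constructed contrast sample: sender and link are under the legitimate domain
SAMPLE_LEGIT = """\
From: FDIC Consumer News <consumer@fdic.gov>
To: customer@example.com
Subject: FDIC Consumer News (constructed sample)
Content-Type: text/plain; charset=utf-8

This month's issue is available at https://www.fdic.gov/consumer-news/ .
"""


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _text_parts(msg: Message):
    """Yield (content type, decoded body) for every text part of the message."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield ctype, raw.decode(part.get_content_charset() or "utf-8", "replace")


def extract_links(msg: Message) -> list:
    """Return (href, shown text) pairs; plain-text URLs show themselves."""
    links = []
    for ctype, body in _text_parts(msg):
        if ctype == "text/html":
            parser = _LinkParser()
            parser.feed(body)
            links.extend(parser.links)
        else:
            links.extend((u, u) for u in re.findall(r"https?://[^\s<>\"']+", body))
    return links


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> dict:
    """Score one RFC 822 message; indicators are strings a reviewer can read."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    text = (msg.get("Subject", "") + " " + " ".join(b for _, b in _text_parts(msg))).lower()
    indicators = []
    if "fdic" in text and not under(sender_host, LEGIT_DOMAIN):
        indicators.append(f"sender-domain-mismatch:{sender_host}")
    for href, shown in extract_links(msg):
        link_host = host_of(href)
        if not under(link_host, LEGIT_DOMAIN):
            indicators.append(f"offsite-link:{link_host}")
        shown_host = host_of(shown) if shown.lower().startswith("http") else ""
        if shown_host and shown_host != link_host:  # text says one place, href goes elsewhere
            indicators.append(f"link-text-mismatch:{shown_host}->{link_host}")
    hits = [p for p in THREAT_PHRASES if p in text]
    if hits:
        indicators.append("threat-language:" + ",".join(hits))
    # Scoring rule assumed for this example: two independent indicators -> likely phish
    verdict = "likely-phish" if len(indicators) >= 2 else ("suspicious" if indicators else "no-indicators")
    return {"sender": sender_host, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

The suffix check in `under` matters: a look-alike such as `fdic.gov.example` or `fdic-idverify.example` is not under `fdic.gov`, which is exactly the distinction a casual reader of the link text misses. Run on the constructed scam message the script reports the sender mismatch, the off-site link, the text/href mismatch and the Patriot Act wording; the contrast message yields no indicators.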

If you receive a suspicious email invoking the name of the FDIC, the Patriot Act, or another federal agency and believe it’s a scam, you should report it to the FDIC. You can forward the email to alert@ or call the FDIC directly at 877-ASK-FDIC.

KnowBe4 hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, Sjouwerman teamed with Kevin Mitnick, the world’s most famous hacker, to help organizations manage the problem of cybercrime social engineering tactics through new school security