When malware gets on a computer, it can manipulate what is seen.
The following scenarios are examples of what malware can do once it has control of a computer.
Modified Website Message and Login Scam
The user logs onto a familiar website as normal, but instead of seeing their home page on the screen, they get a screen which looks exactly like the log-on page, but with different information.
The information states that the site is currently down for maintenance, but if the user would like to have someone call them and help them out, all they have to do is enter their phone number.
What actually happened?
The system isn’t actually down. The user did successfully log onto the system and unbeknownst to them, a fraudulent wire was created and sent.
Why the ruse then about the system being down and allowing the user to ask for a call back? Time.
By telling the user the system is down for maintenance, it may cause the user to wait until tomorrow to attempt to log on again, giving the fraudulent transaction time to process.
If the user really needs to get something done, they can enter their phone number and get a call back. When they do that, a very polite fraudster will be alerted to the request.
The fraudster then calls the user back and “helps” the user with their request, or lets them know someone will get back to them as soon as the system is available.
This example works if the user has one-touch authorization. In other words, the user has the ability to create and authorize a transaction.
The next example shows the Trojan attempting to defeat two-touch authorization. Two-touch authorization is when one user creates a transaction but a separate user must authorize it before it is released.
In this example, the user logged on but, again, instead of seeing their home page, they received a message. The message says their account has been disabled and they need another authorized person from the client to log on to re-authorize their account. In this example the Trojan even fills in the second person’s user name.
What actually happened?
The first user did successfully log on to the system and, unbeknownst to them, a fraudulent wire was created. The wire is now pending approval from a second person. To acquire the second individual’s approval, the Trojan injects a screen. As soon as the second person logs onto this computer, the fraudulent wire is authorized and sent.
The second user would probably receive an error message stating the system was down to provide time for the fraudulent transaction to process.
US Department of Transportation Vendor Fraud Scam
This fraud scam first emerged in 2005, but it continues today. The fraudsters specifically target companies who provide goods or services to the US Department of Transportation (USDOT). The company receives a letter that appears to be from the USDOT, instructing them to complete an attached “request for financial information” form. The letter emphasizes that this request must be completed in order for the company to remain on the USDOT’s approved procurement vendor list. The information to be provided on the form includes the company’s tax ID number, bank account and routing numbers, bank telephone and fax numbers, and the actual signatures of all persons authorized on the account. The instructions state the completed form must be returned via fax, using the company’s cover sheet, in order to be “accepted.”
Using this information, the fraudster creates a wire transfer request on the company’s account, including the actual signature of an authorized employee. They send the request to the bank via fax, using the company’s cover sheet, hoping the bank will act on the request without first confirming it with their customer.
For more information, see the website of the USDOT’s Office of Inspector General at
Social Engineering via Phone and Email
The fraudster contacts a company’s controller by telephone, often impersonating an attorney with a well-known law or public accounting firm. He tells the controller that he’s assisting the company’s president with a highly confidential foreign company acquisition, and that instructions will be forthcoming via email from the president regarding a critical wire transfer to be initiated. Shortly thereafter, the controller receives this email, directing a large wire transfer to be initiated to a party in China to close the acquisition deal. Confidentiality and urgency are emphasized repeatedly, often citing “SEC regulations.” The fraudster’s goal is to convince the controller to initiate the wire transfer, by impersonating authority figures (an attorney, and the company’s president) and communicating a need for urgency, secrecy, and the vital role the victim is playing in ensuring the “deal goes through.” Once the wire has been sent, recovering the money is extremely unlikely.
Social Engineering via Email
A fraudster obtains the names and email addresses of key executives from a company’s website or Facebook page. He then creates a new email domain that is imperceptibly different from that used by the company, by replacing the letter “o” with the numeral zero. Next, he creates a fake email account in the name of the company’s CFO under this email domain. He fabricates a chain of email correspondence appearing to be between the company’s president and CFO, discussing a large payment to a foreign “consulting firm.” Using the CFO’s fake email account, he forwards the email chain to the company’s controller or accounting manager, instructing the payment to be made by wire immediately. The fraudster is counting on the victim’s belief that the email instructions have actually come from the CFO, and that they’ll be acted on without verbal confirmation.
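The look-alike domain trick above (the letter “o” swapped for a zero) is mechanical enough that a mail filter can catch it. The following is an added example, not code from the original page or from any vendor it mentions: it canonicalizes a sender’s domain by undoing common character swaps, also checks for a one-character edit distance from the company’s real domain, and raises a second finding when the display name matches a known executive but the domain is not the company’s. The company domain acmewidgets.com, the executive name, the confusable-character list beyond the o/0 swap, and the sample addresses are all constructed for the example.

```python
from email.utils import parseaddr

# Look-alike substitutions undone before comparing domains. The "o" -> "0" swap is the
# one described above; the remaining pairs are assumed common confusables (constructed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def canonical(domain: str) -> str:
    """Map a domain to a canonical spelling so look-alikes collide with the real name."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typos or additions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Extract the lower-cased domain from a From: header; empty string if malformed."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str, trusted: set[str]) -> str:
    """'trusted', 'lookalike', 'external' or 'malformed' relative to the company's domains."""
    if not domain:
        return "malformed"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if canonical(domain) == canonical(t) or edit_distance(domain, t) <= 1:
            return "lookalike"
    return "external"


def review_message(header_from: str, trusted: set[str], executives: set[str]) -> list[str]:
    """Findings a mail filter would raise for an inbound payment-instruction email."""
    name, _ = parseaddr(header_from)
    domain = sender_domain(header_from)
    verdict = classify_domain(domain, trusted)
    findings = []
    if verdict == "lookalike":
        findings.append(f"sender domain {domain!r} is a look-alike of a company domain")
    elif verdict == "malformed":
        findings.append("sender address is malformed")
    # Executive names are public (website, social media), so a matching display name on
    # an outside domain is exactly the impersonation pattern described above.
    if verdict != "trusted" and name.casefold() in {e.casefold() for e in executives}:
        findings.append(f"display name {name!r} matches an executive but the domain is not ours")
    return findings


if __name__ == "__main__":
    # Constructed sample: the company's real domain and a zero-for-o look-alike.
    trusted = {"acmewidgets.com"}
    execs = {"Jane Doe"}
    for hdr in ("Jane Doe <cfo@acmewidgets.c0m>", "Jane Doe <jane.doe@acmewidgets.com>"):
        print(hdr, "->", review_message(hdr, trusted, execs) or ["no findings"])
```

The canonicalization is applied to both sides of the comparison, so a legitimate domain that itself contains digits still matches itself; what it cannot do is distinguish a genuine partner whose name happens to be one edit away from yours, which is why the output is a finding for a human to act on (a verbal confirmation, as the text recommends) rather than an automatic block.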
Altered Check Fraud
An altered check is an original check on which the amount and/or the payee name have been changed. The check is typically intercepted at some point after mailing. The fraudster uses various techniques to “wash” the original numeric and written check amounts, and/or change the payee name. The check is then cashed, or more likely deposited using a mobile deposit application to eliminate the risk of a teller recognizing the alterations.
An altered check may be returned to the bank that accepted it, if the return occurs within the standard banking 24-hour window (the day following presentment). As a business using the Positive Pay service, you can identify any altered checks and automatically return them within this narrow timeframe. If an altered check is discovered later, the likelihood of recovering the funds diminishes significantly. Many factors impact recovery, such as whether any funds remain in the account and legal precedents in the state where the check was negotiated.
Although certain check stock security features can protect against altered check fraud, widely available mobile deposit capture technology significantly reduces these protections because the physical paper check is never examined by a teller.
Counterfeit Check Fraud
A counterfeit is a forgery of an actual check. The level of sophistication in check counterfeiting varies widely. The fraudster may use an actual check as a prototype, copying your company’s logo, font and signature. Or, they may simply use your account number and bank routing number on blank business or personal check stock under another name.
Counterfeit checks play a role in a wide range of fraud scams. Four of the most common are:
- Cash-and-wire scams: The fraudster provides a counterfeit check to an unsuspecting victim, having devised a scenario that requires the victim to cash the check and wire most of the funds to a third party. These scams often target individuals selling merchandise through online sites or renting vacation properties, and are also commonly used in fraudulent lottery winner and work-from-home schemes.
- Retail buy-and-return scams: The fraudster uses a counterfeit check to purchase an expensive item from a retailer. Shortly thereafter, they return the item for a cash refund.
- Point of Purchase ACH check conversion: The fraudster provides a blank counterfeit check to a retailer to make a purchase. The retailer uses the check’s account and bank information to create an ACH debit as payment for the purchase.
- Identity Theft: The fraudster has stolen a victim’s identity (social security number, address, driver’s license number, etc.). The fraudster uses falsified identifying documents to impersonate the victim and open one or more bank accounts in the victim’s name. Counterfeit checks, made payable to the victim, are then cashed at these banks.
A counterfeit check may be returned to the bank that accepted it, if the return occurs within the 24-hour window.
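Both the altered-check and counterfeit-check sections rely on the same defense: the Positive Pay comparison of presented items against the issued-check file, with any mismatch returned inside the 24-hour window. The block below is an added example of that comparison, not code from the original page or from any bank’s Positive Pay product. It assumes the business provides an issued file with check number, amount and payee, and that the presented items carry the same three fields (payee matching is treated here as available; some services match only number and amount). The register and the presented items are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedItem:
    number: int
    amount: Decimal
    payee: str  # payee as captured from the presented item (assumed available)


def _norm_payee(name: str) -> str:
    """Case and whitespace are not alterations; everything else is."""
    return " ".join(name.casefold().split())


def review_presented_items(register, presented, already_paid=()):
    """Compare each presented check with the issued-check file.

    Returns one (check_number, decision, reason) tuple per item, where decision is
    "PAY" or "RETURN". Anything that does not match the file is returned inside the
    one-day window rather than investigated later, when recovery is far less likely.
    """
    issued = {c.number: c for c in register}
    paid = set(already_paid)
    decisions = []
    for item in presented:
        if item.number in paid:
            decisions.append((item.number, "RETURN", "duplicate presentment of a paid check"))
            continue
        orig = issued.get(item.number)
        if orig is None:
            # A check number the business never issued is the counterfeit case.
            decisions.append((item.number, "RETURN", "check number not in issued file (possible counterfeit)"))
            continue
        if item.amount != orig.amount:
            # A washed amount field is the altered-check case.
            decisions.append((item.number, "RETURN",
                              f"amount {item.amount} differs from issued {orig.amount} (possible alteration)"))
            continue
        if _norm_payee(item.payee) != _norm_payee(orig.payee):
            decisions.append((item.number, "RETURN",
                              f"payee {item.payee!r} differs from issued {orig.payee!r} (possible alteration)"))
            continue
        decisions.append((item.number, "PAY", "matches issued file"))
        paid.add(item.number)
    return decisions


def demo():
    """Constructed sample: one genuine item, one altered amount, one counterfeit, one duplicate."""
    register = [
        IssuedCheck(1001, Decimal("250.00"), "Acme Office Supply"),
        IssuedCheck(1002, Decimal("1200.00"), "Northwind Consulting"),
    ]
    presented = [
        PresentedItem(1001, Decimal("250.00"), "ACME Office Supply"),    # genuine (case differs only)
        PresentedItem(1002, Decimal("9200.00"), "Northwind Consulting"),  # amount washed from 1,200 to 9,200
        PresentedItem(1003, Decimal("500.00"), "J. Smith"),               # never issued
        PresentedItem(1001, Decimal("250.00"), "Acme Office Supply"),     # presented a second time
    ]
    return review_presented_items(register, presented)


if __name__ == "__main__":
    for number, decision, reason in demo():
        print(f"#{number}: {decision:6} {reason}")
```

The file-driven comparison is the reason the 24-hour return window is workable: the decision needs no human to eyeball the paper, which mobile deposit has removed from the process anyway.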
ACH Debit Fraud
An ACH debit is a withdrawal from your account that is initiated by a third party through another bank. For example, you may authorize a cellphone provider to debit your account to pay for monthly charges. ACH debit fraud occurs when a third party initiates an unauthorized withdrawal from your account. Most commonly, fraudsters initiate these unauthorized withdrawals to pay down credit card balances, pay cell phone or utility bills, and the like. All the fraudster needs is your account number and bank routing number (readily available on any check). Using a vendor’s online payment functionality, the fraudster enters the account number and bank routing number as his own, and pays his bill.
Because the ACH codes typically used for these types of payments categorize them as “consumer” transactions, the ACH Network allows a longer timeframe for returns of unauthorized debits. Therefore, these fraudulent transactions are often recovered. However, ACH debit fraud is not restricted to this type of activity alone, and has the potential for significant losses.
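To make the ACH debit mechanics concrete, here is an added example that is not code from the original page: it screens an ACH debit against a list of originators the business has authorized (the account holder’s counterpart to the vendor-side “enter an account and routing number” flow described above) and, for a debit that has already posted, works out whether an unauthorized-debit return is still possible. The page only says consumer-coded debits get a “longer timeframe”; the 60-calendar-day figure for consumer codes (PPD, WEB, TEL) and the 2-banking-day figure for corporate codes (CCD, CTX) are my assumptions from NACHA rules, not from the page, and bank holidays are ignored. Originator IDs, names and amounts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

CONSUMER_CODES = {"PPD", "WEB", "TEL"}
CORPORATE_CODES = {"CCD", "CTX"}

# Assumed from NACHA rules, not stated on the page.
CONSUMER_RETURN_DAYS = 60          # calendar days after settlement
CORPORATE_RETURN_BANKING_DAYS = 2  # banking days after settlement


@dataclass(frozen=True)
class AchDebit:
    originator_id: str     # company ID of the party pulling the funds
    originator_name: str
    sec_code: str          # standard entry class code on the entry
    amount: Decimal
    settlement_date: date


def add_banking_days(start: date, n: int) -> date:
    """Advance n banking days, skipping weekends only (holidays ignored in this example)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def return_deadline(debit: AchDebit) -> date:
    """Last day an unauthorized-debit return can be made for this entry."""
    if debit.sec_code in CONSUMER_CODES:
        return debit.settlement_date + timedelta(days=CONSUMER_RETURN_DAYS)
    if debit.sec_code in CORPORATE_CODES:
        return add_banking_days(debit.settlement_date, CORPORATE_RETURN_BANKING_DAYS)
    raise ValueError(f"unhandled SEC code {debit.sec_code!r}")


def is_authorized(debit: AchDebit, authorized: dict[str, Decimal]) -> bool:
    """Debit filter: the originator must be on the list and within its per-debit cap."""
    cap = authorized.get(debit.originator_id)
    return cap is not None and debit.amount <= cap


def review_posted_debit(debit: AchDebit, authorized: dict[str, Decimal], today: date):
    """For a debit found on the statement: OK, RETURN (still in window) or TOO_LATE."""
    if is_authorized(debit, authorized):
        return ("OK", "originator authorized")
    deadline = return_deadline(debit)
    if today <= deadline:
        return ("RETURN", f"unauthorized; return allowed through {deadline.isoformat()}")
    return ("TOO_LATE", f"unauthorized; return window closed {deadline.isoformat()}")


if __name__ == "__main__":
    # Constructed sample: one authorized phone carrier, one unknown originator.
    authorized = {"1234567890": Decimal("200.00")}
    carrier = AchDebit("1234567890", "Example Mobile", "PPD", Decimal("85.00"), date(2024, 3, 1))
    unknown = AchDebit("9998887776", "Card Services", "WEB", Decimal("300.00"), date(2024, 3, 1))
    for d in (carrier, unknown):
        print(d.originator_name, review_posted_debit(d, authorized, date(2024, 3, 20)))
```

The two code families matter because the same unauthorized debit is recoverable for weeks under a consumer code but for only a couple of days under a corporate one, which is why blocking at the filter stage, before posting, is the safer control for a business account.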