Types of Fraud and Security Attacks

Types of Fraud

Understanding how fraud affects your business is an important step in preventing it. Here are some of the common methods fraudsters use. It’s important to note that multiple techniques are often used in a single fraud attempt.

Social Engineering

Social engineering techniques are designed to manipulate you into performing actions or divulging confidential information by making you believe you are dealing with a known, trustworthy, or official source. Social engineering can occur via emails (called “phishing”), text messages, web browser pop-up windows, or even telephone calls.

Social engineering is most frequently used to deceive you into opening an email attachment or link, or clicking on a pop-up window, that will in turn cause malware to be installed on your computer (see below). Alternatively, you might be directed to a fake website where you’re asked to provide confidential information such as account numbers, passwords, balance information, or even your Social Security number. These messages often take one of the following forms:

• A warning about unauthorized access or fraudulent activity on your account
• A threat to suspend or deactivate your account
• A notice that a recent wire or ACH transaction has been rejected or cancelled
• A notice from the US Postal Service, UPS, or FedEx of a failed package delivery
• An offer of a reward for completing a survey

Sophisticated social engineering schemes targeting businesses are a growing threat. The fraudster impersonates a senior company manager, such as the president, CEO, or board chairman, and instructs an unsuspecting employee via email to initiate a wire transaction to a party in a foreign country. The fraudster may have gained access to the senior company official’s email, or may have created a new email account imperceptibly different from the legitimate account. Extreme urgency and an emphasis on confidentiality are other techniques the fraudster uses to encourage the employee to complete the transaction.

Cyber Account Takeover via Malware

Malware is a malicious software program that gets installed on your computer without your consent. Once installed, it can record your keystrokes (to capture passwords), re-direct your browser, display fake pop-up messages, or allow a hacker to take control of an online banking session and initiate outgoing wire or ACH transactions – all without you being aware of what’s happening.

Malware may be hidden within an email attachment, a hyperlink within an email, or an infected document, image, or other type of file. Drive-by malware downloads may happen when visiting a malicious or vulnerable website or social media site, or by clicking on a deceptive pop-up window.

Email Account Breach

Public email services such as GMail®, Yahoo®, Hotmail® and the like are more vulnerable to being breached. Once a fraudster has access to a business email account, a wealth of information is available to them to perpetrate a fraud.

• Saved emails provide the fraudster with vendor information, employee correspondence and the like which they can “forward” or copy, giving legitimacy to a request to an unsuspecting recipient for confidential information or to initiate a transaction (read more about vendor fraud below).
• Stored contacts may allow the fraudster to communicate with the company’s banking, payroll, or other financial services provider representatives.

Because public email services are quick, easy, and free, a fraudster can create a new email account that is imperceptibly different from that of your business – then use this fake email account as part of a social engineering scheme. For example, a legitimate email address of abcadditives@hotmail.com could be faked as abcadditive@hotmail.com.

Invoice/Vendor Fraud

This type of fraud scheme is impacting businesses in the U.S. and worldwide, resulting in billions of dollars lost. It involves making a payment to what appears to be a legitimate vendor or supplier — but the payment is diverted to another, unintended recipient. There are several ways this type of fraud is perpetrated; but all result in a payment request that appears to come from a vendor you know and trust:

• A fraudster, impersonating a vendor, requests that you change the payment instructions you have on file for them – thereby diverting future payments to the fraudster’s account. The request could come via phone, email, or letter.
• A hacker breaches your email system, and studies the pattern of payment requests received by your Accounts Payable department. The hacker then creates a fraudulent invoice that appears legitimate, except for subtle changes to the payment instructions.
• A hacker breaches your vendor’s Accounts Receivable system and generates a fraudulent invoice or payment request.

Check Fraud Variation

• Alteration — Changing the check amount or payee name in an undetectable manner. Mobile check deposit technology further facilitates altered check fraud, because the paper check is not examined by a bank teller.
• Counterfeit — Fictitious check created using the victim’s account number and bank routing number.
• Forged Signature — Legitimate blank check stock is stolen and the authorized signature is forged on the face of the document.
• Forged Payee Endorsement — A check is intercepted and cashed by forging the payee’s endorsement on the back of the document.

Check stock security features, while important, only help protect against check alternations — not counterfeits. A fraudster only needs a valid account number and associated bank routing number (easily obtained from public sources) in order to create a counterfeit check that will successfully post to an account. Counterfeit checks in particular are used in a variety of consumer fraud scams. Fraudsters exploit the “float” period by enticing a fraud victim to cash or deposit a counterfeit check and wire the funds to a third party before the check is returned for fraud. Fraudsters use various social engineering tactics to convince the victim that the counterfeit check is legitimate.