Cyber-Enabled Fraud
Last Reviewed: November 2024
Cyberattacks pose significant risks to the credit union industry and the broader financial system. Cybercriminals often target financial institutions because they hold large amounts of financial and sensitive data. Cybercrimes may involve the theft of money or data, loss of access to data, and compromise of sensitive financial information, potentially resulting in lost revenue, reputational damage, and loss of members.
Additional information on cybersecurity and cybersecurity resources, not covered in this channel, can be found in the Security Channel. The Security Channel covers the Cybersecurity and Infrastructure Security Agency’s (CISA) resources, the NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET), the National Institute of Standards and Technology (NIST) Framework, the Center for Internet Security (CIS) Critical Security Controls, the FFIEC’s Cybersecurity Assessment Tool (CAT), and more.
Cyber-Enabled Fraud: Cybercrime Overview
The Federal Financial Institutions Examination Council (FFIEC) shares critical information regarding cybersecurity. The FFIEC defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” Cyber-enabled crime is carried out or facilitated by electronic systems and devices. Credit unions must manage internal and external threats and vulnerabilities to protect their information and infrastructure against cyber-based attacks.
According to the Cybersecurity and Infrastructure Security Agency (CISA), good security habits include the following. Educate employees and members on these habits, and enforce them where possible, to mitigate cyber risk.
- Improve password security - mandate strong passwords, use a password manager, multifactor authentication (MFA), and security questions; create individual accounts, granting only the access and permissions each user needs
- Choose secure networks and implement cybersecurity software
- Keep electronic device software current
- Be suspicious of all unexpected emails - avoid clicking on unrequested links, downloading unrequested files, and sharing personal information
- Implement automated preventative controls for user access and permissions
The FFIEC created the Cybersecurity Assessment Tool, which credit unions can use to measure their cybersecurity preparedness. Credit unions, for example, should have the following cybersecurity controls to protect their assets, infrastructure, and information and improve risk management:
- Preventative controls - infrastructure management, access management, device and endpoint security, and secure coding
- Detective controls - threat and vulnerability detection, anomalous activity detection, event detection, and system irregularity alerts indicating a potential incident
- Corrective controls - patch management and remediation of issues identified in vulnerability and penetration testing
The FFIEC also prepared a Cybersecurity Resource Guide for Financial Institutions, which outlines resources to assist credit unions in strengthening their resilience to cyber threats.
Cyber-Enabled Fraud: ATM and Interactive Teller Machine (ITM) Fraud
In its Cybersecurity and Credit Union System Resilience Annual Report, the National Credit Union Administration (NCUA) warned credit unions about ATM and ITM skimming and shimming activity in 2023. Skimming and shimming fraud involves capturing card information using unauthorized devices. Criminals secretly attach devices to a machine to record members’ keystrokes and steal personal identification numbers (PINs) and credit or debit card account numbers.
Skimming devices include card-reader overlays, hidden cameras, PIN-capture overlays, fake ATM faceplates, and keylogging keypad overlays. They may be installed inside the card reader, within the terminal, or over the machine’s card reader. Cameras are installed on or around a machine to record a member’s PIN entry.
To prevent this type of fraud, the NCUA recommends that credit unions do the following:
- Conduct inspections
- Install anti-skimming devices
- Enhance surveillance
- Educate members and staff
- Monitor transactions
- Update software
- Monitor for physical tampering
Cyber-Enabled Fraud: Deepfakes
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an alert on fraud schemes associated with the use of deepfake media (FinCEN Alert on Fraud Schemes Involving Deepfake Media). The abuse of deepfake media contributes to fraud and cybercrime, two of FinCEN’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) national priorities.
Overview
Deepfake content, also referred to as “deepfakes,” is a type of synthetic content that has been created or modified through artificial intelligence (AI)/machine learning. The resulting content appears realistic but is inauthentic, and includes synthetic videos, images, and text. Generative artificial intelligence (GenAI) can produce deepfakes, creating highly realistic content. FinCEN has observed an increase in suspicious activity reported by financial institutions regarding the use of deepfake media in schemes targeting financial institutions and their members.
Deepfake Fraudulent Identities
Fraudsters are using generative AI tools to create deepfake media for fraud schemes. Identity-related exploitation is one of the major cybercrime and fraud concerns for credit unions. These schemes typically involve perpetrators altering or creating falsified identification documents, photographs, and videos to circumvent member identity verification and member due diligence controls.
Fraudsters may use fraudulent identities to open accounts with financial institutions and to receive and launder the proceeds of other illicit activities. The fraud schemes can involve other types of scams, including check fraud, credit card fraud, loan fraud, unemployment fraud, and new account fraud.
Deepfake Media in Phishing Attacks and Scams
Deepfake media can also be used in phishing attacks and scams, in which fraudsters target credit union employees and members. The use of generative AI allows criminals to impersonate trusted credit union employees or other trusted individuals, such as a member’s family members and friends. When impersonating a trusted individual, a fraudster may instruct the victim to transfer funds or make payments to accounts under the perpetrator’s control. Scams include business email compromise (BEC) schemes, spear phishing attacks, elder financial exploitation, romance scams, virtual currency investment scams, and family emergency scams.
Detection and Mitigation
The following items are methods to help detect deepfakes:
- Reverse image searches of identity photos
- Open-source research
- Examination of an image's metadata
- Software that detects possible deepfakes or manipulations
- Enhanced due diligence on higher-risk accounts
- Multifactor authentication (MFA)
- Live verification checks
Be aware of and on the lookout for potential red flags that may indicate suspicious activity related to the use of generative AI tools. The following may indicate illicit use of GenAI tools:
- Inconsistencies among multiple identity documents presented by the member, or between the identity documents and other aspects of the member’s profile
- A member’s photo is internally inconsistent, such as visual indicators of alteration, or is inconsistent with other identifying information
- A member who is unable to sufficiently authenticate their identity, source of income, or another aspect of their profile
- An account accessed from an IP address inconsistent with the member’s profile
- Patterns indicating coordinated activity among multiple similar accounts
- High payment volumes to potentially higher-risk payees
- High volumes of chargebacks or rejected payments
- Patterns of rapid transactions by a newly opened account or an account with little prior transaction history
- Patterns of withdrawing funds immediately after the deposit and in manners that make payments difficult to reverse
- Attempts to avoid or circumvent live verification checks
- A member declines to use MFA to verify their identity
- Requests to change communication methods during a live identity verification check due to excessive or suspicious technological glitches
- A reverse-image search or open-source search of an identity photo matches an image found in an online gallery of AI-produced faces
- A member uses a third-party webcam plugin during a live verification check
- GenAI- and deepfake-detection software flags the potential use of GenAI
If you spot these indicators, additional scrutiny and further due diligence may be warranted.
When filing a Suspicious Activity Report (SAR), FinCEN requests that financial institutions include the key term “FIN2024-DEEPFAKEFRAUD” in SAR field 2 (“Filing Institution Note to FinCEN”) and in the narrative.
Cyber-Enabled Fraud: Phishing Attacks
Overview
Phishing scams are a common method for fraudsters to steal sensitive information or money. Scammers may use emails, social media posts, direct messages, text messages, or phone calls to communicate with potential victims. Other terms for phishing include smishing (SMS phishing) and vishing (voice phishing).
In their communications, the fraudster will impersonate familiar and trusted organizations, including your credit union and its staff members. For example, the NCUA reported phishing schemes targeting credit unions and spoofing NCUA addresses. The criminals aim to lure individuals to click on a bad link or download a malicious attachment to steal sensitive information or install malware on their device. The stolen information or malware can be used to steal sensitive and confidential data and can result in identity theft, financial loss, and unauthorized account access.
Spear Phishing Attacks
Criminals target both credit union employees and members. Employees may be targeted to gain access to their credentials and other sensitive data. Spear phishing is a targeted form of this attack that criminals use to acquire sensitive information or access to devices and systems. A cybercriminal sends a seemingly legitimate email designed to convince the victim to open a malicious link or attachment. After a victim opens the bad link or attachment, malicious software (malware) may be downloaded, which an attacker uses to access sensitive information, including usernames and passwords.
Business Email Compromise
The National Credit Union Administration (NCUA) issued a letter on Business Email Compromise (BEC) Fraud, reporting increases in the frequency of and losses related to BEC fraud schemes. BEC is a type of phishing attack that targets organizations. BEC schemes involve fraudsters impersonating a legitimate business or person, or compromising email accounts, to initiate fraudulent transactions and/or to steal sensitive information. Criminals often target financial institutions that regularly conduct wire transfers and use email for wire communications.
For example, cybercriminals will impersonate cloud-based email services to steal employee account credentials. Following the compromise of an email account, the cybercriminal can impersonate the victim and communicate with vendors and members to request payments be redirected to their account. They may also use the victim’s address book to identify new targets for their phishing schemes.
Additionally, a fraudster can leverage BEC phishing scams to install malicious software on an employee’s device and/or the institution’s network to gain access to sensitive information. Cybercriminals can gain access to company emails, billing and invoice information, financial account information, and account credentials while going undetected. The Federal Bureau of Investigation (FBI) reports that BEC is one of the most financially damaging online crimes (FBI: Business Email Compromise).
Credit unions should put in place measures to effectively prevent and detect BEC. The following steps can be taken to help prevent business email compromise fraud:
- Never make a payment change without first verifying the change with the intended recipient
- Verify the accuracy of email addresses when checking mail
- Use a two-step verification process to verify wire requests with members, using the email addresses and phone numbers already on file rather than the contact details supplied in the wire transfer request
- Investigate and verify changes to members’ personal information, vendor information or business practices, and member business accounts
- Verify all payment changes and transactions in person or via a known telephone number
- Monitor wire activity for suspicious wire transfers
- Know the routines of members’ wire activity and contact them if there are any changes or concerns before sending a wire transfer
- Verify transaction details with the recipient bank before sending a suspicious wire transfer
- Use email spam folders and email filtering software to identify potential fraudulent/spoofed emails
- Use intrusion detection systems to flag emails from domains that are similar to, but different from, those of the credit union or its members
- Post information on social media and company websites with caution
- Implement multi-factor authentication (MFA) for employee email accounts
- Educate employees on BEC scams and how to identify phishing emails
- Add an email banner to messages coming from outside the institution
- Use security features to block malicious email, including anti-phishing and anti-spoofing policies
- Back up data regularly
- Verify financial transactions
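One of the controls above is flagging mail from domains that resemble, but are not, the credit union's own. The following is an added illustration written for this page, not code from the NCUA letter or from any vendor: it parses the sender address, collapses common character substitutions (digit-for-letter, "rn" for "m"), and measures edit distance against a constructed list of trusted domains. The trusted domains, the confusables table, and the distance threshold of 2 are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed list of domains a hypothetical credit union treats as its own.
TRUSTED_DOMAINS = {"examplecu.org", "examplecu-mortgage.com"}

# Characters commonly substituted for visually similar ones (assumed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


@dataclass
class Verdict:
    sender_domain: str
    closest_trusted: Optional[str]
    distance: Optional[int]
    lookalike: bool


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of a From: header such as 'Ops <ops@x.org>' or 'ops@x.org'."""
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+?)>?\s*$", from_header)
    if not m:
        raise ValueError(f"no address found in {from_header!r}")
    return m.group(2).lower()


def normalize(domain: str) -> str:
    """Collapse substitutions so 'examp1ecu.org' and 'exarnplecu.org' compare as 'examplecu.org'."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Verdict:
    """Flag a sender whose domain is within max_distance edits of a trusted domain but is not that domain."""
    dom = sender_domain(from_header)
    if dom in trusted:
        return Verdict(dom, dom, 0, False)
    best, best_d = None, None
    nd = normalize(dom)
    for t in trusted:
        d = levenshtein(nd, normalize(t))
        if best_d is None or d < best_d:
            best, best_d = t, d
    return Verdict(dom, best, best_d, best_d <= max_distance)


if __name__ == "__main__":
    for hdr in ("Member Services <help@examplecu.org>",
                "Member Services <help@examp1ecu.org>",
                "ops@examplecu-mortage.com",
                "someone@gmail.com"):
        print(hdr, "->", assess(hdr))
```

A distance of 0 after normalization with `lookalike` still true is the strongest signal: the domain is byte-for-byte different from a trusted one yet reads identically to a human. In a mail gateway this verdict would feed a quarantine or external-sender banner rule rather than a hard block, since legitimately similar third-party domains do exist.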
Ransomware
FinCEN issued an Advisory on Ransomware and the Use of the Financial System. Ransomware is a type of malware designed to block a victim’s access to a computer system or data so that the perpetrator can extort payments in exchange for restoring access. Ransomware attacks may target credit unions, given the sensitive, confidential, and financial data that is collected and maintained. The consequences of a ransomware attack can lead to losses of sensitive, proprietary, and critical information and/or the loss of business functionality.
Financial institutions can also play a role in the collection of ransomware payments, as payment processing typically involves at least one depository institution. Following a perpetrator’s demand for a ransom, the victim will usually transmit the funds via wire transfer, automated clearinghouse (ACH), or credit card payment to a convertible virtual currency (CVC) exchange to purchase the specified type and amount of CVC. The perpetrator will then continue to launder the funds in various ways.
To facilitate ransomware attacks, cybercriminals will use wide-scale phishing and targeted spear phishing campaigns to trick victims into downloading a malicious file or going to a malicious site. After the malware is successfully downloaded or installed in the victim’s system, the cybercriminal will likely remove sensitive data from the targeted network, encrypt the system, and demand ransom. They may then threaten to publish or sell the data if the victim does not pay the ransom.
Red flags that may indicate ransomware and associated payments include:
- The credit union or its member detects IT activity – in system logs, network traffic, file information – that is connected with known cyber threat actors or to ransomware cyber indicators
- A member provides information regarding payment in response to a ransomware incident
- A member’s CVC address is connected to ransomware variants, payments, or related activity
- An irregular transaction occurs between an organization and another that is known to facilitate ransomware payments
- A member who has previously shown limited knowledge of or has limited history with CVC asks about or purchases CVC, particularly in a large amount, in an urgent manner, and outside of their normal business practices
- A member who has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs
- A member uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities
- A member receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs with no apparent related purpose, followed by a transaction off the platform
- A member initiates a transfer of funds involving a mixing service
- A member uses an encrypted network or an unidentified web portal to communicate with the recipient of the CVC transaction
To protect your credit union and your members, it is critical to identify and immediately report any suspicious ransomware-related transactions. When filing a Suspicious Activity Report (SAR), FinCEN requests that financial institutions use the key term “CYBER FIN-2021-A004” in SAR field 2 (Filing Institution Note to FinCEN) and in the narrative, and select SAR field 42 (Cyber Event).
Phishing Prevention and Detection
The OCC created a guide on preventing phishing attacks, a type of cyber-enabled crime. Internet fraudsters send a seemingly legitimate email containing links to a phony website. Typical warning signs that an email is a phishing attempt include:
- A sense of urgency and pressure to act immediately, such as the use of urgent, alarming, or threatening language
- Requests for payment
- Requests for sensitive information for verification purposes, including social security numbers, account numbers, passwords, and other personal information
- Generic greetings and signature
- Spoofed hyperlinks and websites that do not match the link text when hovering over them, or web addresses with subtle differences from a known legitimate site
- Misspelling, poor grammar, or inconsistent formatting
- Suspicious attachments or requests to download/open an attachment
- An offer that is too good to be true
- A strange or unexpected business request
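The "spoofed hyperlink" warning sign above (link text that shows one address while the underlying target is another) can be checked mechanically. This added example is not from the OCC guide; it scans the HTML body of an email for anchors whose visible text names a host different from the real target, and separately for links that point at a bare IP address. The sample message, the domain names, and the IP address (from the 203.0.113.0/24 documentation range) are constructed for the example.

```python
import re
from urllib.parse import urlparse

# <a ... href="...">inner</a>; good enough for typical mail HTML, not a full parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Something that looks like a hostname inside the visible link text.
URLISH_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed phishing-style body: the first link's text and target disagree.
SAMPLE_EMAIL = """
<p>Your account is locked. Log in at
<a href="http://203.0.113.10/login">https://www.examplecu.org/login</a> immediately.</p>
<p>Questions? Visit <a href="https://www.examplecu.org/help">examplecu.org</a>.</p>
"""


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; tolerates a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def same_site(shown: str, target: str) -> bool:
    """True when the displayed host and the real host are equal or one is a subdomain of the other."""
    return shown == target or target.endswith("." + shown) or shown.endswith("." + target)


def suspicious_links(html: str):
    """Return (link_text, real_host, reason) for every anchor that looks deceptive."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        target = host_of(href)
        m = URLISH_RE.search(text)
        if m and not same_site(m.group(1).lower(), target):
            findings.append((text, target, "link text shows a different host than the real target"))
        if IPV4_RE.fullmatch(target):
            findings.append((text, target, "link points at a bare IP address"))
    return findings


if __name__ == "__main__":
    for text, host, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} target={host}")
```

The check deliberately compares hosts, not full URLs, so an anchor showing `examplecu.org` that resolves to `www.examplecu.org/help` is not flagged, while text naming the credit union over a link to an unrelated host is. This is the same comparison a user performs by hovering over the link, done for every link in the message.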
To prevent phishing, follow these tips:
- Do not provide personal or financial information over the phone, Internet, or email message following an unsolicited request
- Be suspicious of unsolicited phone calls, email messages, and text messages from individuals requesting your employee or other internal information
- Verify the sender’s legitimacy by initiating contact with the organization directly yourself, such as using the phone number and website provided on your financial institution’s monthly statement
- Do not provide passwords over the phone or Internet
- Require use of strong passwords and multi-factor authentication (MFA)
- Review account activity regularly for unauthorized transactions
- Do not open attachments or click links from unknown senders
- Install and maintain anti-virus software, firewalls, anti-phishing features, email filters, and other effective cybersecurity controls
- Keep software up to date to reduce infection from ransomware and malware
- Implement a robust backup strategy – back up and protect digital information and critical data by making copies and storing them securely
- Ensure effective business continuity resiliency
- Report any work-related suspicious emails, messages, or transactions immediately and proactively
- Educate employees and members on cyber threats and security awareness
- Monitor remote connections and business-to-business connections
- Set clear expectations regarding the due diligence of third-party vendors with respect to information security and cybersecurity requirements
- Integrate cybersecurity and operational resilience into the organizational culture, ensuring cybersecurity is a core value in the credit union
- Invest in cybersecurity technologies and tools to enhance defenses
- Emphasize diligent vulnerability management and threat intelligence
- Conduct audits of the cybersecurity program and risk assessments
Cyber-Enabled Fraud: Third-Party Attacks
Credit union third-party service providers can be exploited by cybercriminals and pose a vulnerability within the financial system (NCUA Cybersecurity Briefing). Third-party attacks occur when a credit union’s vendor, supplier, contractor, service provider, or partner becomes compromised by a malicious actor. Cybercriminals will compromise a third party to gain access to a credit union’s sensitive information and disrupt their critical systems. In addition to business disruption and data compromise, breaches can result in reputational damage.
The NCUA recommends that credit unions review their third-party service provider and vendor relationships to assess and mitigate potential risks and strengthen cyber vigilance and preparedness. The following actions can be taken to help prevent third-party breaches:
- Track and monitor third parties with access to sensitive data or systems for unauthorized access to sensitive information and compromised systems
- Establish policies regarding how personal information, member data, and other sensitive data can be shared with third parties
- Ensure an effective third-party risk management program is in place
- Establish minimum cybersecurity controls and requirements for cybersecurity standards for third parties
- Perform effective vendor due diligence, risk assessments, and annual reviews and/or attestations
- Implement access controls and limit access to confidential information
- Require third parties to use robust authentication systems
- Conduct ongoing security monitoring
- Train employees in cybersecurity awareness and assessing third-party risks
- Document information security policies
Cyber-Enabled Fraud: Virtual Currency Investment Scam
Overview
FinCEN issued an alert on a prominent virtual currency investment scam, known as “pig butchering” (FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering”). This scam entails the perpetrators leveraging fictitious identities and elaborate stories to make their victims believe they are trustworthy – the scammers are “fattening up” the victims. The fraudsters will then convince their victims to invest in virtual currency in order to steal their assets – the victims are “butchered.”
Prevention and Detection
Financial institutions can help detect, prevent, and report suspicious activity related to pig butchering by being able to identify red flags in member behavior and transactions. Red flags that could indicate potential pig butchering include:
- A member with no history of using virtual currency attempts to exchange a high amount of fiat currency for virtual currency, and potentially:
  - Uncharacteristically liquidating savings accounts before maturation
  - Taking out a HELOC, home equity loan, or second mortgage
  - Involving a service that has a website or application with poor spelling or grammar, dubious customer testimonials, or an amateurish site design
  - Involving a website or application showing warning signs such as a misspelled web address or domain name, a recently registered web address or domain name, no physical street address, international contact information, or contact methods that include only chat or email
- A member mentions an investment opportunity involving virtual currency with high returns that they were told about from a new contact who reached out to them unsolicited online or via text message
- A member appears distressed or anxious to access funds to meet the demands of a virtual currency investment opportunity
- A member receives what appears to be a deposit of virtual currency from a virtual currency address at or slightly above the amount that the member previously transferred out of their virtual currency account
- System monitoring and logs show that a member’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns
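Several of the red flags on this page are the same signal seen from different angles: the deepfake section's "account accessed from an IP address inconsistent with the member's profile" and "rapid transactions by a newly opened account" and "withdrawing funds immediately after the deposit", and this section's "no history of virtual currency" purchases and "access by IP addresses, device IDs, or geographies inconsistent with prior access patterns". The following added example, which is not FinCEN's code, turns those indicators into checks over a member's login and transaction history. Every threshold (30-day new-account window, five transactions, 24-hour deposit-to-outflow window, 90% of the deposit, $10,000 of virtual currency, three devices) is an assumption for illustration, as are the member records and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation addresses.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# --- assumed thresholds; a real program would tune these to its member base ---
NEW_ACCOUNT_WINDOW = timedelta(days=30)
NEW_ACCOUNT_TXN_LIMIT = 5
OUTFLOW_WINDOW = timedelta(hours=24)
OUTFLOW_FRACTION = 0.9
VC_LARGE_AMOUNT = 10_000
DEVICE_LIMIT = 3


@dataclass
class Login:
    when: datetime
    ip: str
    device_id: str
    country: str  # ISO country code from IP geolocation


@dataclass
class Txn:
    when: datetime
    kind: str  # "deposit", "withdrawal" or "vc_purchase"
    amount: int


@dataclass
class Member:
    member_id: str
    opened: datetime
    home_country: str
    has_vc_history: bool
    logins: List[Login] = field(default_factory=list)
    txns: List[Txn] = field(default_factory=list)


def red_flags(m: Member, now: datetime) -> List[str]:
    """Return human-readable red flags found in a member's recent activity."""
    flags = []
    # Access from a geography inconsistent with the member's profile.
    for lg in m.logins:
        if lg.country != m.home_country:
            flags.append(f"login from {lg.ip} in {lg.country}; profile country is {m.home_country}")
    # Many distinct device IDs in the review window.
    devices = {lg.device_id for lg in m.logins}
    if len(devices) >= DEVICE_LIMIT:
        flags.append(f"{len(devices)} distinct device IDs used")
    txns = sorted(m.txns, key=lambda t: t.when)
    # Rapid transaction velocity on a newly opened account.
    if now - m.opened <= NEW_ACCOUNT_WINDOW and len(txns) >= NEW_ACCOUNT_TXN_LIMIT:
        flags.append(f"{len(txns)} transactions within {(now - m.opened).days} days of opening")
    # Funds leaving almost immediately after a deposit.
    for i, t in enumerate(txns):
        if t.kind != "deposit":
            continue
        for u in txns[i + 1:]:
            if u.when - t.when > OUTFLOW_WINDOW:
                break
            if u.kind in ("withdrawal", "vc_purchase") and u.amount >= OUTFLOW_FRACTION * t.amount:
                flags.append(f"{u.kind} of {u.amount} within {u.when - t.when} of a {t.amount} deposit")
                break
    # Large virtual-currency purchase by a member with no virtual-currency history.
    vc_total = sum(t.amount for t in txns if t.kind == "vc_purchase")
    if not m.has_vc_history and vc_total >= VC_LARGE_AMOUNT:
        flags.append(f"{vc_total} in virtual currency purchased by a member with no VC history")
    return flags


# Constructed records. NOW is the review time for both members.
NOW = datetime(2024, 10, 20, 9, 0)
SUSPECT = Member(
    "M-0001", opened=datetime(2024, 10, 1), home_country="US", has_vc_history=False,
    logins=[Login(datetime(2024, 10, 2, 8), "198.51.100.4", "dev-A", "US"),
            Login(datetime(2024, 10, 5, 3), "203.0.113.7", "dev-B", "RO"),
            Login(datetime(2024, 10, 6, 9), "192.0.2.9", "dev-C", "US")],
    txns=[Txn(datetime(2024, 10, 3, 9), "deposit", 25_000),
          Txn(datetime(2024, 10, 3, 11), "vc_purchase", 24_000),
          Txn(datetime(2024, 10, 10, 9), "deposit", 5_000),
          Txn(datetime(2024, 10, 11, 15), "withdrawal", 4_900),
          Txn(datetime(2024, 10, 12, 9), "deposit", 100),
          Txn(datetime(2024, 10, 13, 12), "withdrawal", 50)])
CLEAN = Member(
    "M-0002", opened=datetime(2023, 1, 1), home_country="US", has_vc_history=True,
    logins=[Login(datetime(2024, 10, 2, 8), "198.51.100.4", "dev-A", "US")],
    txns=[Txn(datetime(2024, 10, 3, 9), "deposit", 2_000),
          Txn(datetime(2024, 10, 8, 9), "withdrawal", 500)])

if __name__ == "__main__":
    for member in (SUSPECT, CLEAN):
        print(member.member_id, red_flags(member, NOW) or "no red flags")
```

None of these flags is conclusive on its own; the alert treats them as prompts for the additional scrutiny and due diligence described above, and a review queue would rank members by how many distinct indicators fire together.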
If you are filing a SAR in connection with pig butchering, FinCEN requests that financial institutions include the key term “FIN-2023-PIGBUTCHERING” in SAR field 2 (Filing Institution Note to FinCEN) and the narrative, and select “Fraud-Other” under SAR field 34(z) with the description “Pig Butchering.”
Cyber-Enabled Fraud: Additional Resources
Cyber-Enabled Fraud: Model Policies
CU PolicyPro contains the following model content which can be used to help you craft your own policies and guidance on this topic:
- Model Policy 1645: Fraud
- Model Policy 2290: Wire Transfers
- Model Policy 2615: ATM/Debit Cards
- 2615.10: Electronic Fund Transfers
- Model Policy 4100: General Security Procedures
- Model Policy 4120: Information Security
- Model Policy 4125: Incident Response
- Model Policy 2220: E-Commerce
- 2220.10: Website
- Model Policy 2222: Electronic Communications: Acceptable Use
- Model Policy 2225: Digital Banking
- 2225.10: Anti-Phishing
- Model Policy 2227: Electronic Signatures
- Model Policy 4200: Security Devices
- Model Policy 4340: Remote Access
- Model Policy 4350: Cloud Computing
- Model Policy 4300: Computer Security and Control
- Model Policy 4315: Firewalls
- Model Policy 4320: Computer Hardware and Software Acquisition
If you're not sure if your credit union subscribes, contact policysupport@cusolutionsgroup.com for assistance.