MOUNTAIN VIEW, Calif. - A new attack scheme that takes advantage of the live chat feature in financial institutions' online banking platforms is hitting banks and credit unions, Guardian Analytics reports.
The criminals impersonate a member or customer and initiate fraudulent wire transfers. Many have been successful.
"It's difficult to predict how it will spread, but criminals usually stick with what works. When it stops working they find another approach," said VP of Marketing Tiffany Riley.
Here's how the scheme operates:
1. From his own computer, using his own ISP, the fraudster logs into online banking using stolen credentials.
2. The fraudster does some initial reconnaissance and fraud setup, such as checking account balances and completing internal transfers into the checking account, sometimes from multiple accounts. But no transaction is initiated.
3. The fraudster then enters into a live chat session with customer service.
4. The fraudster requests assistance with a wire transfer over chat and the customer service rep completes the wire transfer request on behalf of the fraudster.
"Social engineering of contact center agents is a common form of fraud," Riley explained. "The new twist here is a novel combination of online account takeover fraud with online contact center fraud. Using chat as a vehicle is attractive because it is presumably easier to fool the customer service representative - the fraudster has 'disguised' himself as the legitimate user by authenticating into online banking and with an instant-style messaging interaction can effectively hide voice or speech cues that might lead a call center agent to pick up on a fraudulent call."
'Under the Radar'
In all cases the attacks were executed from locations, computers and ISPs that were unusual for the accountholder, Guardian explained. The attacks included internal transfers into the checking account, from which a wire transfer could then be sent.
"Although internal transfers as an online banking activity were not unusual for the victims, the dollar amounts of the transfers were significantly larger than what was typical for the victims," said Riley. "All of the transfers were under $8,000, keeping the scheme under the radar of most financial institutions."
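The indicators Guardian describes (an ISP and computer unusual for the accountholder, internal transfers far above the accountholder's norm, then a wire requested over chat) only stand out when correlated within one session. The following Python is an added example, not Guardian Analytics' logic; the field names, event types, sample data and the 5x size factor are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample data; field and event names are assumptions, not a real banking API.
HISTORY = {"acct-1001": {"isps": {"ExampleNet"}, "devices": {"dev-a1"},
                         "internal_transfers": [200.0, 350.0, 150.0, 400.0]}}
SESSIONS = [
    {"account": "acct-1001", "isp": "OtherISP", "device": "dev-zz",
     "events": [("balance_check", 0.0), ("internal_transfer", 4200.0),
                ("internal_transfer", 3100.0), ("chat_wire_request", 7300.0)]},
    {"account": "acct-1001", "isp": "ExampleNet", "device": "dev-a1",
     "events": [("balance_check", 0.0), ("internal_transfer", 300.0)]},
]
SIZE_FACTOR = 5  # assumed: "significantly larger" means >= 5x the account's median

def session_signals(session, history):
    """Return which of the article's indicators appear in one online banking session."""
    profile = history.get(session["account"],
                          {"isps": set(), "devices": set(), "internal_transfers": []})
    signals = []
    if session["isp"] not in profile["isps"]:
        signals.append("unusual_isp")
    if session["device"] not in profile["devices"]:
        signals.append("unusual_device")
    past = profile["internal_transfers"]
    baseline = median(past) if past else 0.0  # no history: any transfer is atypical
    kinds = [kind for kind, _ in session["events"]]
    amounts = [amt for kind, amt in session["events"] if kind == "internal_transfer"]
    if any(amt >= SIZE_FACTOR * baseline for amt in amounts):
        signals.append("large_internal_transfer")
    # Funds staged into checking first, then a wire requested through chat.
    if "chat_wire_request" in kinds and \
            "internal_transfer" in kinds[:kinds.index("chat_wire_request")]:
        signals.append("chat_wire_after_transfer")
    return signals

def decide(session, history):
    """Hold a chat-assisted wire for manual review when the session context is unusual.
    No dollar threshold is used: every transfer in the reported cases was under $8,000."""
    s = session_signals(session, history)
    unusual_origin = "unusual_isp" in s or "unusual_device" in s
    if "chat_wire_after_transfer" in s and (unusual_origin or "large_internal_transfer" in s):
        return "hold"
    return "allow"

if __name__ == "__main__":
    for sess in SESSIONS:
        print(decide(sess, HISTORY), session_signals(sess, HISTORY))
```

Surfacing the `hold` decision and its signals in the chat agent's console gives the representative the session context that successful authentication into online banking otherwise hides.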