WASHINGTON (9/20/12)--Cybercriminals are obtaining the login details of financial institution employees--targeting credit unions and small- to mid-sized banks--to illegally wire themselves hundreds of thousands of dollars, according to a new Federal Bureau of Investigation (FBI) fraud alert.
Fraudsters obtain the logins through phishing and spam e-mails before installing keystroke loggers and remote access Trojans on the employees' computers, gaining complete access to internal networks and logins to third-party systems.
In some of the incidents, before and after unauthorized transactions occurred, financial institutions were victimized by a distributed denial-of-service (DDoS) attack against their public websites or Internet banking URLs. The attacks likely were used as a distraction for credit union or bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer, said the FBI.
The illicit wire transfer amounts have ranged between $400,000 and $900,000. In at least one case, the fraudsters raised the wire transfer limit on a member/customer's account to allow a larger transfer. In most of the identified wire transfer failures, criminals were unsuccessful only because they entered the account information incorrectly.
The FBI recommended that financial institutions educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails. Also, financial institutions are advised not to allow employees to access personal or work e-mails on the same computers used to initiate payments. For a list of further FBI recommendations, use the link.