Division of Supervision and Consumer Protection
Cyber Fraud and Financial Crime Report
November 9, 2007
As of June 30, 2007

ID Theft and Computer Intrusion
Credit and Debit Card-Related Fraud
ID Theft Computer Intrusion Wire Transfer Fraud
Phishing – Spam – Online Scams

APPENDIX - OPEN SOURCE INTELLIGENCE

Check Kiting - $14 Million Losses Associated with Synthetic ID Fraud & Credit Bustout
Computer Intrusions - ACH Fraud $56,000 Loss
Computer Intrusion - Spyware - Account Takeover – $289,000 Loss
Computer Intrusion - Better Business Bureau Trojan Horse $187,000 Loss
Computer Intrusion ID Theft – Account Takeover $106,000 Potential Loss
Computer Intrusion - Unknown Unauthorized Access - Wire Transfer - $50,000 Loss
Computer Intrusion – Unknown Unauthorized Access – ACH Transfer $28,000 Loss
Misuse of Position - Branch Manager Removes $1.4 Million From Customer CD Accounts
Counterfeit Instrument – Internet Business - $902,000 Loss
This report is a centralized collection of information related to cyber fraud and financial crimes that impacted FIs during the 2nd quarter 2007. The information in this report may be used for risk assessments, examination scoping, training, and outreach. Internal FDIC information systems, open source intelligence, and Suspicious Activity Reports (SARs) submitted by FIs were analyzed. Check Kiting, Counterfeit Checks/Instruments, Misuse of Position, and Computer Intrusion SARs were sampled this quarter to estimate the mean (average) loss per SAR and to identify other statistical trends; the results are presented in aggregate or redacted format.[1]
Mortgage fraud SAR filings increased during the quarter and caused the highest estimated losses suffered by FIs of all SAR categories.

Commercial loan fraud SAR filings increased 46 percent, and consumer loan fraud reports declined slightly but remain twice the level reported during the 2nd quarter 2005.

Check fraud SAR filings increased slightly; however, counterfeit check and instrument SAR filings declined.

The average loss per SAR associated with counterfeit checks declined, which indicates that FIs are adapting their controls to a check-imaged environment.

Consumer and FI awareness of counterfeit checks has increased and is reflected in fewer losses reported on SARs; however, counterfeiters are inventing more elaborate schemes and targeting small businesses.

Losses from counterfeit instruments increased significantly as a result of elaborate confidence schemes targeting small businesses.

Check kiting SAR filings increased significantly as credit card bust out suspects used kiting schemes to make monthly payments, avoid detection, and prolong their fraudulent activity.

Credit card fraud and counterfeit card reports increased slightly. Losses from counterfeit cards, which were extremely high during the 1st quarter, subsided during the current quarter.

Fewer retailer payment card data breaches during the quarter caused lower losses to FIs.

Retailers are resisting PCI data security standards, which could lead to lower compliance, additional breaches, and more counterfeit card losses absorbed by card-issuing institutions.

The level of identity theft reports by FIs was high, but the growth rate has slowed. This trend may change in the future because of a large spike in the number of consumer records compromised and reported in the media during the quarter.

The number of computer intrusion SAR filings is relatively low but growing at a fast pace. The estimated mean (average) loss per SAR almost tripled the estimated mean loss per SAR identified one year ago.

Unknown unauthorized access was the most frequently identified type of computer intrusion, meaning the FI could not or did not identify how the intrusion occurred. Unknown unauthorized access also caused the most losses to FIs, followed by ID theft/account takeover.

Online bill payment applications were most frequently targeted by cyber thieves; however, unauthorized access to ACH and wire transfer applications caused the most losses to FIs in the computer intrusion category. ACH and wire transfers give FIs less time to detect and recover from unauthorized access.
Several significant cases in which the source of the computer intrusion was identified suggest that Trojan horses and key logging software infecting customers' computers might also be responsible for a large portion of the unknown unauthorized access to online bank accounts.

An increase in websites hosting malicious code was noted by FDIC and anti-virus software vendors.

Spear phishing (when end users with high computer access levels are targeted) was also cited in several sampled computer intrusion SARs.

Misuse of position self-dealing SAR samples indicated that lending-related insider abuse caused the most losses, followed by theft from depositor accounts.

Demographic analysis was performed on misuse of position SARs. Females were more frequently reported as primary suspects; however, male suspects caused higher losses to FIs. Suspects in their 20s were most frequently reported, while suspects in their 30s caused greater losses to FIs.

Overall phishing spam declined during the quarter, and FDIC-insured FIs were targeted less frequently. Phishing attacks on e-commerce sites and credit unions increased, and PayPal spam showed a declining trend.

Phishers targeted specific business employees using emails with malware links or attachments to gain access to payroll, accounts payable, and other ACH applications. This is referred to as spear phishing (aiming for a specific target) or whaling (going after accounts with larger balances and transaction amounts).

Consumer records compromised during the quarter doubled compared to prior quarters due to a large breach at a Georgia government health care agency.

The majority of data breaches are low-tech incidents: loss or theft of laptops and computers, thumb drives, tapes, and other removable media from businesses, schools, health care providers, and government.

The Secret Service made a relatively small number of arrests compared to the amount of previous payment card fraud because many "carders" are located outside of the United States. The FBI launched operation "Bot Roast" to identify and dismantle botnets that broadcast spam, host phishing and malware sites, and launch denial of service attacks.

Local police often discover that individuals involved with illegal drugs are also involved with identity theft. Criminals involved in the counterfeit card trade are often operating from foreign countries, which makes investigation and prosecution difficult.

Most anti-virus software vendors are reporting increases in Trojan horse programs that target bank customers. Malware is more often embedded in popular online social networking services or other compromised websites that encourage users to click on banner ads and images.

The Storm Worm was widespread and distributed malware to replenish botnets for spamming and distributing more malicious code.

Delaware became the 27th state to enact a credit report freeze law, and Oregon became the 38th state to pass a breach notification law. All 38 states provide an exemption if the compromised data is encrypted. Minnesota became the first state to approve a data breach cost reimbursement law.
| SAR Category | No. SARs Filed | Est. Avg. $ Loss/SAR | 2nd Quarter 2007 Loss Reckoning ($000) | Percent Change from 1Q07 |
|---|---|---|---|---|
| Mortgage Loan Fraud | 12,554 | 47,997 | 602,554 | 15% |
| Check Fraud | 17,558 | 18,894 | 331,741 | 1% |
| False Statements | 8,188 | 37,905 | 310,366 | 16% |
| Commercial Loan Fraud | 885 | 201,000 | 177,885 | 6% |
| Credit Card Fraud | 7,962 | 17,580 | 139,972 | 2% |
| Identity Theft | 7,791 | 17,719 | 138,049 | 9% |
| Check Kiting | 7,384 | 16,617 | 122,700 | -65% |
| Consumer Loan Fraud | 4,067 | 27,217 | 110,692 | -2% |
| Other SARs | 18,264 | 3,761 | 68,691 | -17% |
| Embezzlement/Defalcation/Theft | 1,633 | 41,969 | 68,535 | -9% |
| Wire Transfer Fraud | 2,195 | 26,741 | 58,696 | 43% |
| Counterfeit Checks | 8,845 | 3,972 | 35,132 | -64% |
| Counterfeit Instruments | 83 | | | |