Division of Supervision and Consumer Protection

Cyber Fraud and Financial Crime Report

November 9, 2007

As of June 30, 2007


Table of Contents

Findings
    Lending
    Check-Related
    Payment Card
    ID Theft and Computer Intrusion
    Insider
    Phishing and Email Scams
    Open Source Information

Analysis
    Loan Fraud
    Check-Related Fraud
    Credit and Debit Card-Related Fraud
    ID Theft – Computer Intrusion – Wire Transfer Fraud
    Insider-Related Fraud
    Phishing – Spam – Online Scams

APPENDIX - OPEN SOURCE INTELLIGENCE
    Data Breaches
    Law Enforcement
    Emerging Threats
    New Controls
    Legislation
    General

APPENDIX - CASE STUDIES
    Check Kiting - $14 Million Losses Associated with Synthetic ID Fraud & Credit Bustout
    Computer Intrusions - ACH Fraud - $56,000 Loss
    Computer Intrusion - Spyware - Account Takeover – $289,000 Loss
    Computer Intrusion - Better Business Bureau Trojan Horse - $187,000 Loss
    Computer Intrusion - ID Theft – Account Takeover - $106,000 Potential Loss
    Computer Intrusion - Unknown Unauthorized Access - Wire Transfer - $50,000 Loss
    Computer Intrusion – Unknown Unauthorized Access – ACH Transfer - $28,000 Loss
    Misuse of Position - Branch Manager Removes $1.4 Million From Customer CD Accounts
    Counterfeit Instrument – Internet Business - $902,000 Loss


Executive Summary


Scope

This report is a centralized collection of information related to cyber fraud and financial crimes that impacted FIs during the 2nd quarter of 2007.  The information in this report may be used for risk assessments, examination scoping, training, and outreach.  Internal FDIC information systems, open source intelligence, and Suspicious Activity Reports (SARs) submitted by FIs were analyzed.  Check Kiting, Counterfeit Checks/Instruments, Misuse of Position, and Computer Intrusion SARs were sampled this quarter to estimate the mean (average) loss per SAR and to identify other statistical trends; the results are presented in aggregate or redacted format.[1]

Findings

Lending

*      Mortgage fraud SAR filings increased during the quarter and caused the highest estimated losses suffered by FIs of all SAR categories.

*      Commercial loan fraud SAR filings increased 46 percent, and consumer loan fraud reports declined slightly but are twice the level reported during the 2nd quarter 2005.

Check-Related

*      Check fraud SAR filings increased slightly; however, counterfeit checks and instruments SAR filings declined.

*      The average loss per SAR associated with counterfeit checks declined, which indicates that FIs are adapting their controls in a check-imaged environment.

*      Consumer and FI awareness of counterfeit checks has increased and is reflected in fewer losses reported in SARs; however, counterfeiters are inventing more elaborate schemes and targeting small businesses.

*      Losses from counterfeit instruments increased significantly as a result of elaborate confidence schemes targeting small businesses.

*      Check kiting SAR filings increased significantly as credit card bust out suspects used kiting schemes to make monthly payments, avoid detection, and prolong their fraudulent activity.

Payment Card

*      Credit card fraud and counterfeit card reports increased slightly.  Losses from counterfeit cards, which were extremely high during the 1st quarter, subsided during the current quarter.

*      Fewer retailer payment card data breaches during the quarter caused lower losses to FIs.

*      Retailers are resisting PCI data security standards, which could lead to lower compliance, additional breaches, and more counterfeit card losses absorbed by card-issuing institutions.

ID Theft and Computer Intrusion

*      The level of identity theft reports by FIs was high, but the growth rate has slowed.  This trend may change in the future because of a large spike in the number of consumer records compromised and reported in the media during the quarter.

*      The number of computer intrusion SAR filings is relatively low but growing at a fast pace.  The estimated mean (average) loss per SAR almost tripled compared with the estimated mean loss per SAR identified one year ago.

*      Unknown unauthorized access was the most frequently identified type of computer intrusion, meaning the FI could not or did not identify how the intrusion occurred.  Unknown unauthorized access also caused the most losses to FIs, followed by ID theft/account takeover.

*      Online bill payment applications were most frequently targeted by cyber thieves; however, unauthorized access to ACH and wire transfer applications caused the most losses to FIs in the computer intrusion category.  ACH and wire transfers give FIs less time to detect and recover from unauthorized access.

*      Several significant cases in which the source of the computer intrusion was identified suggest that Trojan horses and key logging software infecting customers’ computers might also be responsible for a large portion of the unknown unauthorized access to online bank accounts.

*      An increase in websites hosting malicious code was noted by FDIC and anti-virus software vendors.

*      Spear phishing (targeting end users with high computer access levels) was also cited in several sampled computer intrusion SARs.

Insider

*      Misuse of position/self-dealing SAR samples indicated that lending-related insider abuse caused the most losses, followed by theft from depositor accounts.

*      Demographic analysis was performed on misuse of position SARs.  Females were more frequently reported as primary suspects; however, male suspects caused higher losses to FIs.  Suspects in their 20s were most frequently reported, while suspects in their 30s caused greater losses to FIs.

Phishing and Email Scams

*      Overall phishing spam declined during the quarter, and FDIC-insured FIs were targeted less frequently.  Phishing attacks against e-commerce sites and credit unions increased, while PayPal spam showed a declining trend.

*      Phishers targeted specific business employees using emails with malware links or attachments to gain access to payroll, accounts payable, and other ACH applications.  This is referred to as spear phishing (aiming at a specific target) or whaling (going after accounts with larger balances and transaction amounts).

Open Source Information

*      Consumer records compromised during the quarter doubled compared to prior quarters due to a large breach at a Georgia government health care agency.

*      The majority of data breaches are low-tech incidents: loss or theft of laptops and computers, thumb drives, tapes and other removable media from businesses, schools, health care providers, and government.

*      The Secret Service made a relatively small number of arrests compared to the volume of prior payment card fraud because many “carders” are located outside of the United States.  The FBI launched operation “Bot Roast” to identify and dismantle botnets that broadcast spam, host phishing and malware sites, and launch denial of service attacks.

*      Local police often discover that individuals involved with illegal drugs are also involved with identity theft.  Criminals involved in the counterfeit card trade often operate from foreign countries, which makes investigation and prosecution difficult.

*      Most anti-virus software vendors are reporting increases in Trojan horse programs that target bank customers.  Malware is more often embedded in popular online social networking services or other compromised websites that encourage users to click on banner ads and images.

*      The Storm Worm was wide-spread and distributed malware to replenish botnets for spamming and distributing more malicious code.

*      Delaware became the 27th state to enact a credit report freeze law, and Oregon became the 38th state to pass a breach notification law.  All 38 states exempt compromised data from notification if it is encrypted.  Minnesota became the first state to approve a data breach cost reimbursement law.


Analysis

SAR Category                     No. SARs   Est. Avg. $   2Q07 Loss       Percent Change
                                 Filed      Loss/SAR      Reckoning       from 1Q07
                                                          ($000)

Mortgage Loan Fraud              12,554     47,997        602,554         15%
Check Fraud                      17,558     18,894        331,741         1%
False Statements                 8,188      37,905        310,366         16%
Commercial Loan Fraud            885        201,000       177,885         6%
Credit Card Fraud                7,962      17,580        139,972         2%
Identity Theft                   7,791      17,719        138,049         9%
Check Kiting                     7,384      16,617        122,700         -65%
Consumer Loan Fraud              4,067      27,217        110,692         -2%
Other SARs                       18,264     3,761         68,691          -17%
Embezzlement/Defalcation/Theft   1,633      41,969        68,535          -9%
Wire Transfer Fraud              2,195      26,741        58,696          43%
Counterfeit Checks               8,845      3,972         35,132          -64%
Counterfeit Instruments          83

The 2Q07 Loss Reckoning is the number of SARs filed multiplied by the estimated average dollar loss per SAR, expressed in thousands of dollars.