“But I don’t bank online!”

You might think that someone who doesn’t choose to have online access to his or her bank account would be safe from online banking fraud.

Think again.

The fraud intelligence team at Guardian Analytics has found a flurry of attacks that target precisely such victims, resulting in successful attacks that steal money through online bill pay, transfers, and credit card fraud.

Types of accounts hit by this pattern

Despite the popularity of online banking, there is still a segment of the population that is not actively banking online.

Some account holders simply have never established online access to their account. Others have banked online in the past but currently are inactive.

Examples include military personnel deployed overseas and prior online banking users who have passed away but their bank account has not yet been closed. This combined group of customers is often referred to as “absent account holders.”

While this fraud scheme is not new, in 2013 our fraud analysts have detected a significant uptick as part of their ongoing tracking of fraud attacks and trends. What makes this attack scheme popular among fraudsters: There’s a low likelihood that the absent account holder will discover it.

Fraud incident details

Here is how these frauds generally occur, step by step:

1. Compromise the absent account holder’s credentials.

Two variations appear here:

• Account holder never had an online account: The fraudster acquires the account number and enough information about the account holder to set up online access. The crook may get this initial information from many different sources, such as a compromised email account, a large data breach, Facebook, or by social engineering the call center.

Because online access has never been set up, there are no online credentials to steal. The fraudster creates them as part of the online registration.

• Account holder has not used online banking for 90 days (dormant account): The fraudster acquires existing online banking credentials through data breaches, social engineering, data purchased through criminal websites, malware, or other established methods. The fraudster is counting on the victim not noticing the renewed online activity due to the pattern of not using online banking.

2. Change user profile information. The fraudster accesses the account and sets up the attack. Our analysts have detected fraudsters using this attack to move money out of the account through bill pay or external transfers, or by requesting a replacement credit card.

They change contact information as needed to support the scheme in play. If they’re going to request a replacement credit card, they change the mailing address. Or if they’re requesting a wire transfer, for example, they change the phone number or email address used for out-of-band authentication.

3. Launch the attack. The fraudster initiates the transfer or requests a replacement credit card.

How can this be stopped?

A common thread across all of the attacks of this type is that they happen very quickly. Unlike other schemes that may play out over several weeks or months, in this case fraudsters gain access and immediately execute all aspects of the attack. 

• Pay close attention to any profile changes. Account holders change their profile infrequently, so any change is cause for closer analysis. And as this is one of the first things the fraudsters do, it’s an opportunity to detect the attack early.

• Look for a rapid and unexpected series of activities. The fraudster might initiate online account access, set up a new profile, or change the existing one, and initiate a transaction all in short order, trying to complete the transfer before anyone notices.

• Look for behavioral anomalies (for dormant online access vs. new online access). While the victim’s earlier online behavior may be dated, the account holder will still have a history of prior usage. And as with all online fraud attacks, the fraudster’s activity will differ in some way from the victim’s normal behavior—a different location, ISP, computer, payee, payment amount, time of day, etc.

• Follow established procedures. For example, if your policy is to not send credit cards to a new address, then be sure to follow that policy, regardless of how good or longstanding of a customer this account holder has been.

About the author

Craig Priess is a founder and vice -president, products, at Guardian Analytics.