Online banking fraud: what it is and how to prevent it

Statistics talk clearly: in the past years, cybercrimes have increased exponentially, facilitated by the growing adoption of online channels to purchase and provide any kind of services. 

Among all industries, digital banking seems to be the most affected, as the increased offering of online services opened up a wide range of new possibilities for cybercriminals to attack and complete their illegal activities.  

Fraud in online banking profoundly affects how banks and financial institutions provide their services and do their business. There’s a pressing need to find a balance between innovating and ensuring safety for both retail and corporate customers.   

This article gives an overview of how today's online banking fraud works, the main types of attacks criminals leverage to perpetrate fraud, and how you can keep your customers safe from cyber threats.

An online banking fraud happens whenever a criminal can access and transfer funds from an individual’s online bank account.  

As fraud generally refers to any intentional act aimed at depriving an individual of a legal right, online banking fraud narrows the scope of the illegal activity, which has to happen online and results in an economic loss. 

Online banking fraud refers to any illicit activity completed on the financial institution’s web application or native mobile apps for money management, bank transfers, instant payments, and money lending. 

Today, online banking frauds are multidimensional. They are perpetrated via malware, social engineering, and fast cash-out techniques and include two macro-categories: Account Takeover (ATO) or Automatic Transfer System (ATS). 

Banks and financial institutions’ security departments should be aware of the different types of attacks that these two categories include to manage risk in their systems and set up appropriate security measures to prevent threats.

Account Takeover 

An Account Takeover (ATO) happens every time a cybercriminal takes over an online account to steal information or money. The most common targeted online accounts are bank accounts, social media profiles, and email addresses.   

The first step to accessing a person’s account is stealing personal credentials or login information. Fraudsters can use social engineering techniques or install malware on the victim’s device to do so. Advanced fraud attacks sometimes involve both of them. 

Social engineering techniques include all those activities aimed at tricking customers through psychological manipulation into giving access to personal information or committing security mistakes that let fraudsters accomplish their breach.

Phishing, smishing, and vishing are the most common examples of social engineering attacks, and they are pretty simple to implement. Cybercriminals can spread infectious malware on the victim’s devices via clickable links contained in an email (phishing) or an SMS (smishing) that could look 100% legitimate. Often these links direct the victim towards downloading apps directly from the official marketplaces, such as Google Play Store, making it harder for users to realize the potential danger in advance. Once the malicious app is downloaded and installed, the hidden malware gains complete access to the victim’s device, giving the fraudsters the door they need to perform ATO. For example, this is how one of our Threat Intelligence Teams’ latest discoveries, TeaBot, was being distributed. 

Fraudsters can also trick customers directly via voice calls (vishing) and convince them to perform a straightforward illicit activity without the need to spread any malware. 

SIM Swap is another way to do ATO based purely on social engineering: it is a fraudulent activity that allows cybercriminals to transfer the victim’s phone number to another SIM. The illegal transfer of the phone number is carried out by impersonating the victim and tricking the mobile provider’s operators into releasing a new SIM card for the same phone number. 

Fraudsters then use the new SIM to receive OTP messages and bypass Multi-factor Authentication procedures to access any account connected to that number.

Today fraud analysts face new types of threats and capabilities that can hit digital devices when talking about malware infections. At the moment, the most known are:

• Remote Access Trojans (RATs) are designed to remotely control an infected device, sending commands and receiving data back in response. These are typically spread across a large pool of mobile devices; 
• Man-in-the-Browser (MitB) is a malware that hides within the browser app, intercepts, and alters the communication between the local browser and the banking web application server to commit fraud;
• Overlays, that over impose a layer on top of specific pages of the app (or web app) to intercept private information as the user enters them;
• SMS Sniffers capture SMS messages to steal personal data or read OTP to bypass Multi-factor Authentication procedures.  

Banks and financial institutions have always been the highest priority target of ATO attacks, as usually, cybercriminals’ objective is to make financial gains out of their illegal activities quickly. 

Today the situation is changing, as more and more sectors are witnessing a considerable increase in Account Takeover attacks with the additional intent of stealing cryptocurrency assets or selling personal information.

Cleafy’s Threat Intelligence team has recently analyzed examples of advanced malware that perform ATO at scale: TeaBot and BRATA, both belonging to the RAT family, and Gozi, which belongs, instead, to the MitB family and can also attack via Automatic Transfer System. 

Automatic Transfer System (ATS)

Over the last years, the continuous improvement of fraud prevention solutions has made ATO attacks more difficult to complete. That’s why fraudsters are developing new ways to perpetrate fraud without the need to take over the victims’ accounts. These new techniques are engineered to automate illegal activities and complete them in the fastest possible way.   

Unlike Account Takeover, attacks through the Automatic Transfer System don't require taking over the victims’ accounts. The fraud occurs while the user actively operates on the target application by tampering with the genuine operation without the user noticing it. 

The four main differences between ATS and ATO attacks are:

1. ATS always involves the presence of malware inside the victim’s device, while ATO can happen via social engineering techniques only. 
2. Malware that perform ATS are generally highly tailored to the targeted application and, therefore, more advanced and more challenging to detect. 
3. ATS attacks can bypass fraud detection mechanisms like Two-Factors Authentication, Behavioral Biometrics or Behavioral Analysis because the actions are all performed by the real users with the real device, unaware of the malicious malware installed in their digital device. In this case, cybercriminals are not interested in collecting the users’ credentials or OTPs, as genuine users transfer money to the fraudsters’ account (without realizing that). 
4. Frauds via ATS attacks don’t require the manual intervention of fraudsters, as they are automated and easily scalable. Unlike ATO attacks, which target a few customers for large amounts, ATSs target a large number of victims for small amounts. This makes it easier for anti-fraud systems to miss a potential fraud.  

ATS attacks on mobile are performed by gaining control over Accessibility Services, a suite of Android services provided by Google to make Android devices more accessible to users with disabilities. 

Cleafy’s Threat Intelligence team has recently discovered an example of advanced malware that performs ATS at scale: SharkBot, a new generation of Android Trojans that is targeting banks around the globe. 

We have described in detail how SharkBot works in our Cleafy Labs’ Technical Report. 

Today, fighting online fraud is more challenging than ever before. Fraud schemes evolve fast and are less and less predictable. 

Traditional fraud management systems are not enough to detect complex attacks: multi-dimensional patterns, ultra-tailored malware, structured social engineering, and fast-changing cash-out networks bypass current risk-based siloed solutions.

To prevent and stop online banking fraud, it is essential to integrate multiple advanced detection mechanisms with the right processes, mindset, and tools. 

Moreover, advanced threat intelligence insights, tailored to a specific business and industry, have become crucial for staying ahead of all relevant threats, and for avoiding getting caught off-guard by the most advanced cyber-attacks. 

At Cleafy, we kept all this in mind when developing our solution. A solution that continuously analyses online activities across all digital channels, combining multiple detection technologies with threat intelligence data.

Thanks to this, we enable fraud management teams to collect and analyze all the information related to the user identity, the device, and the transaction, and automate the most appropriate responses based on actual threat patterns rather than generic risk scores.

Continuous monitoring, complete visibility, and response automation: these are the key ingredients to preventing today’s and tomorrow’s advanced attacks.