In today’s rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.

IBM Security Trusteer recently observed a new trend in a Spanish retail bank with the creation of virtual credit cards for fraudulent purposes, which turned out to be a little-protected service of the offering bank. Fraudsters exploited it to defraud victims of their entire account balance, reinventing a known and effective scam.

The fraud, step by step

Each security attack has a unique anatomy and flow. We will examine the flow of this specific fraud here.

  1. Fraudsters initiate the attack by sending an SMS to the victim. The SMS appears in the same thread as previous messages from the bank. This is done using a tactic called SMS spoofing. The topic of SMS spoofing is outside the scope of this blog but is indeed a facilitator of this fraud flow.
  2. The fraudsters, appearing to be the bank, inform the victim via SMS of a security issue with their banking account. They further explain that a bank representative will call the victim soon and provide a numeric code to identify themselves. The code is provided in the message as well.
  3. Next, a fraudster calls the victim, providing the code from the SMS sent earlier to “identify” themselves and elaborate on the security issue: they often claim that the victim’s banking account was compromised and that to protect the money, they will need to move it to a new banking account that was created for them.
  4. Note that the fraudster has established credibility via the SMS and by providing the code at this point. The stressed victim provides the fraudster(s) with their credentials, allowing them to log into the banking account.
  5. At this point, fraudsters have two options. They can try to empty the banking account using traditional wire transfers. However, these are often capped at a specific daily limit, are monitored for fraudulent activity by the bank, and require a fraudulent destination account (otherwise known as a mule account). The second option is to create virtual credit cards, which is a convenient alternative for the following reasons:
    • No daily limit: The virtual cards’ limit is several thousand euros, but the fraudster can create as many virtual cards as the victim’s account balance allows. For example, if the victim has 10,000 euros in the account, the fraudster could create multiple virtual cards with a limit of several thousand euros each. This action requires authentication, but the victims provide the 2FA under pressure.
    • No need for a mule account: Once the credit card is created, fraudsters use it to buy cryptocurrency and disappear from the traditional banking system.

This MO surfaced in early 2023 and slowly grew in popularity. It now comprises 41-48% of the fraudulent “transaction” attempts.

Trusteer’s solution

The virtual credit card creation is, for now, exclusively available via the browser (and not the banking app). As such, we addressed this fraud by analyzing the user flow data (URLs) and transactional data.

In general, user flow data can provide valuable insights into potentially risky and unauthorized actions in the account. This includes, but is not limited to:

  • Reset passwords — an action that occurs before the actual login
  • Change of contact details, such as phone numbers
  • Change of transaction limits
  • Enrolling a new device to receive soft tokens (2FAs)

The prerequisite for user flow analysis is complete visibility into all flows of the banking application and a risk assessment at the correct time during the session (pre-login or post-login).

Once the data is available in Trusteer’s systems, our fraud prevention solutions can incorporate the data into the security policy.

In this specific case, Trusteer alerts the bank to suspicious virtual credit card creations, allowing them to take action.
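As an added illustration (this is not Trusteer's code; the URL paths, thresholds, balances and session events are constructed), a Python rule that scores one browser session from its URL flow events and virtual-card creation amounts, flagging the "many cards, no daily limit" pattern described above together with the risky account-flow actions listed earlier:

```python
from datetime import datetime, timedelta

# Constructed sample events: (session_id, ISO timestamp, url_path, amount_eur).
# amount_eur is the limit requested on a virtual-card creation; 0 otherwise.
# Session s1 drains a 10,000 EUR balance with three cards in four minutes;
# session s2 creates one small card and then changes a phone number.
EVENTS = [
    ("s1", "2023-03-01T10:00:00", "/login", 0),
    ("s1", "2023-03-01T10:02:00", "/cards/virtual/create", 3000),
    ("s1", "2023-03-01T10:04:00", "/cards/virtual/create", 3000),
    ("s1", "2023-03-01T10:06:00", "/cards/virtual/create", 3000),
    ("s2", "2023-03-01T11:00:00", "/login", 0),
    ("s2", "2023-03-01T11:05:00", "/cards/virtual/create", 500),
    ("s2", "2023-03-01T11:30:00", "/account/contact/phone", 0),
]

VCARD_PATH = "/cards/virtual/create"          # hypothetical path
RISKY_PATHS = {                                # hypothetical paths, each worth 1 point
    "/auth/reset-password": "password reset (pre-login)",
    "/account/contact/phone": "contact details changed",
    "/account/limits": "transaction limit changed",
    "/devices/enroll": "new 2FA device enrolled",
}
BURST_POINTS, ALERT_THRESHOLD = 3, 3

def assess_session(session_id, events, balance_eur,
                   window=timedelta(minutes=15), share=0.5):
    """Score one session. A burst of >1 virtual cards whose combined limits
    reach `share` of the balance inside `window` scores BURST_POINTS; each
    risky flow URL adds 1. The session is alerted at ALERT_THRESHOLD."""
    rows = sorted((datetime.fromisoformat(ts), path, amt)
                  for sid, ts, path, amt in events if sid == session_id)
    reasons, score = [], 0
    creations = [(ts, amt) for ts, path, amt in rows if path == VCARD_PATH]
    # Sliding window anchored at each creation: catches cards spread out
    # to dodge a per-card limit, which a single-transaction check misses.
    for i, (start, _) in enumerate(creations):
        in_win = [amt for ts, amt in creations[i:] if ts - start <= window]
        if len(in_win) > 1 and sum(in_win) >= share * balance_eur:
            reasons.append(f"{len(in_win)} virtual cards totalling "
                           f"{sum(in_win)} EUR within {window}")
            score += BURST_POINTS
            break
    for _, path, _ in rows:
        if path in RISKY_PATHS:
            reasons.append(RISKY_PATHS[path])
            score += 1
    return {"session": session_id, "score": score,
            "alert": score >= ALERT_THRESHOLD, "reasons": reasons}
```

A contact-details change alone feeds the policy as a signal rather than raising an alert by itself; combined with a card burst in the same session it would push the score further.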

What banks must keep in mind

As banks continuously innovate and introduce new services to meet their clients’ expectations, they simultaneously open new opportunities for fraud. End-to-end visibility and robust data collection are key to creating security controls for new offerings.

By using Trusteer’s risk assessment, banks have the essential resources to stay ahead of the curve and promptly identify and prevent developing fraud trends. This approach safeguards both the banks and the trust of their valued clients.
