In today’s rapidly evolving financial landscape, as banks broaden their range of services and embrace new technologies, they face a double-edged sword. While these advancements promise greater convenience and accessibility for customers, they also expose the financial industry to an ever-shifting spectrum of emerging fraud trends. Balancing new offerings against security controls is a key part of the challenge of modern banking. In this blog, we explore one such example.

IBM Security Trusteer recently observed a new trend at a Spanish retail bank: the creation of virtual credit cards for fraudulent purposes. The virtual card service turned out to be lightly protected by the offering bank, and fraudsters exploited it to defraud victims of their entire account balance, reinventing a known and effective scam.

The fraud, step by step

Each security attack has a unique anatomy and flow. We will examine the flow of this specific fraud here.

  1. Fraudsters initiate the attack by sending an SMS to the victim. The SMS will appear under the same section as previous messages from the bank. This is done using a tactic called SMS spoofing. The topic of SMS spoofing is outside the scope of this blog but is indeed a facilitator of this fraud flow.
  2. The fraudsters, appearing to be the bank, inform the victim via SMS of a security issue with their banking account. They further explain that a bank representative will call the victim soon and provide a numeric code to identify themselves. The code is provided in the message as well.
  3. Next, a fraudster calls the victim, providing the code from the SMS sent earlier to “identify” themselves and elaborate on the security issue: they often claim that the victim’s banking account was compromised and that to protect the money, they will need to move it to a new banking account that was created for them.
  4. Note that by this point, the fraudster has established credibility via the SMS and by providing the code. The stressed victim provides the fraudster(s) with their credentials, allowing them to log into the banking account.
  5. At this point, fraudsters have two options. They can try to empty the banking account using traditional wire transfers. However, these are often capped at a specific daily limit, are monitored for fraudulent activity by the bank, and require a fraudulent destination account (otherwise known as a mule account). The second option is to create virtual credit cards, which is a convenient alternative for the following reasons:
    • No daily limit: The virtual cards’ limit is several thousand euros, but the fraudster can create as many virtual cards as the victim’s account balance allows. For example, if the victim has 10,000 euros in the account, the fraudster could create multiple virtual cards with a limit of several thousand euros each. This action requires authentication, but the victims provide the 2FA under pressure.
    • No need for a mule account: Once the credit card is created, fraudsters use it to buy cryptocurrency and disappear from the traditional banking system.

This MO surfaced in early 2023 and slowly grew in popularity. It now comprises 41-48% of the fraudulent “transaction” attempts.

Trusteer’s solution

The virtual credit card creation is, for now, exclusively available via the browser (and not the banking app). As such, we addressed this fraud by analyzing the user flow data (URLs) and transactional data.

In general, user flow data can provide valuable insights into potentially risky and unauthorized actions in the account. This includes, but is not limited to:

  • Reset passwords — an action that occurs before the actual login
  • Change of contact details, such as phone numbers
  • Change of transaction limits
  • Enrolling a new device to receive soft tokens (2FAs)

The prerequisite for user flow analysis is complete visibility into all flows of the banking application and a risk assessment at the correct time during the session (pre-login or post-login).

Once the data is available in Trusteer’s systems, our fraud prevention solutions can incorporate the data into the security policy.

In this specific case, Trusteer alerts the bank to suspicious virtual credit card creations, allowing them to take action.
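
One way to turn the user flow and transactional signals described above into an alert rule, as an added example (not Trusteer’s logic or code from the original post). The URL paths, event fields and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Hypothetical URL paths standing in for a bank's real flow inventory (assumption).
RISKY_FLOWS = {
    "/auth/password-reset": "password_reset",
    "/profile/contact/update": "contact_change",
    "/limits/update": "limit_change",
    "/devices/enroll": "device_enrollment",
}
CARD_CREATE = "/cards/virtual/create"

def score_sessions(events, balances, max_cards=1, balance_ratio=0.8):
    """Return {session_id: [reasons]} for suspicious virtual card creation.
    events must be in chronological order; thresholds are illustrative."""
    sessions = defaultdict(lambda: {"account": None, "risky": [], "cards": []})
    for ev in events:
        s = sessions[ev["session"]]
        s["account"] = ev["account"]
        if ev["url"] == CARD_CREATE:
            s["cards"].append(ev["limit_eur"])
        elif ev["url"] in RISKY_FLOWS and not s["cards"]:
            # Only risky actions seen before the first card creation count.
            s["risky"].append(RISKY_FLOWS[ev["url"]])
    alerts = {}
    for sid, s in sessions.items():
        if not s["cards"]:
            continue
        reasons = []
        if len(s["cards"]) > max_cards:
            reasons.append(f"{len(s['cards'])} virtual cards created in one session")
        total, balance = sum(s["cards"]), balances.get(s["account"], 0)
        if balance and total >= balance_ratio * balance:
            reasons.append(f"card limits cover {total / balance:.0%} of balance")
        if s["risky"]:
            reasons.append("preceded by " + ", ".join(s["risky"]))
        if reasons:
            alerts[sid] = reasons
    return alerts

# Constructed sample data: s1 mirrors the flow in the post, s2 is ordinary use.
SAMPLE_BALANCES = {"A": 10000, "B": 12000}
SAMPLE_EVENTS = [
    {"session": "s1", "account": "A", "url": "/devices/enroll"},
    {"session": "s1", "account": "A", "url": CARD_CREATE, "limit_eur": 3000},
    {"session": "s1", "account": "A", "url": CARD_CREATE, "limit_eur": 3000},
    {"session": "s1", "account": "A", "url": CARD_CREATE, "limit_eur": 3000},
    {"session": "s2", "account": "B", "url": CARD_CREATE, "limit_eur": 500},
]

if __name__ == "__main__":
    for sid, why in score_sessions(SAMPLE_EVENTS, SAMPLE_BALANCES).items():
        print(sid, "->", "; ".join(why))
```

Each reason is kept as a separate string so the bank’s policy can weight the signals independently instead of relying on a single score.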

What banks must keep in mind

As banks continuously innovate and introduce new services to meet their clients’ expectations, they simultaneously open new opportunities for fraud. End-to-end visibility and robust data collection are key to creating security controls for new offerings.

By using Trusteer’s risk assessment, banks have the essential resources to stay ahead of the curve and promptly identify and prevent developing fraud trends. This approach safeguards both the banks and the trust of their valued clients.
