Throughout the years, banks have expanded their services by offering an ever-evolving set of online capabilities. As a result, financial institutions have become an obvious target for cybercrime and have been quick to deploy various layers of protection to keep their customers safe.

Cybercriminals are looking for online money to grab as a day job. Many operate like startup companies, consistently evolving methodologies and tools, and then measuring their return on investment (ROI). With banks adapting customer account protections and traditional cybercrime tools becoming less effective, we have observed a few key changes in criminal operation patterns.

Cybercrime Trends Are Shifting

In its “2016 Internet Crime Report,” the FBI’s Internet Crime Complaint Center (IC3) revealed that account takeover and identity theft claims had decreased by 23 percent since 2015, while the average loss per incident increased by 33 percent to $3,491.

This change can be attributed to fraudsters’ efforts to optimize their ROI by focusing more on attacking commercial and treasury banking customers. These customers are attacked using more targeted, well-planned methodologies such a remote-access Trojans (RATs), business email compromise (BEC) and email account compromise (EAC). The FBI IC3 report showed a 53 percent increase in BEC/EAC attacks from 2015 to 2016 and a 46 percent increase in the monetary losses associated with these incidents, scaling up to more than $360 million in 2016.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Repurposing Malware for Ransomware

Of course, cybercriminals have not forgotten retail banking users. They seem to have learned that it can be easier to extort money from victims directly rather than siphon funds from their bank accounts. To facilitate that, they have figured out ways to reuse some of the advanced malware capabilities they already have to act as ransomware.

Ransomware is a form of malicious malware that blocks system access or threatens to publish data until a sum of money is paid. Examples include Gameover Zeus, which distributed CryptoLocker ransomware, and the Gozi banking Trojan, which fraudsters combined with the Nymaim ransomware downloader to create the GozNym banking malware.

Another example is Svpeng, which was turned from a credential-stealing malware to a ransomware, impersonating the FBI and demanding a payoff to release the victims’ devices from lockdown.


Figure 1: Svpeng used to steal credentials and credit card information.


Figure 2: Svpeng used as ransomware with fake FBI allegations and payment demands.

The FBI IC3 reported a 63 percent year-over-year increase in the average ransom payment per incident from 2014 to 2016, peaking at $910 in 2016.

Loyalty Fraud on the Rise

Cybercriminals have been aiming for an even more accessible target. New virtual currencies such as airline miles and loyalty points, which allow fraudsters to cash out through gift cards, have been suffering from increasing levels of fraud.

According to the Loyalty Fraud Association, 72 percent of airline loyalty programs have issues with fraud. Furthermore, 30 percent of airline programs reported that the problem was growing rapidly each year. The FBI IC3 report also supported these cybercrime trends, showing a year-over-year average increase of 30 percent in phishing, vishing and smishing attacks from 2014 to 2016.

Stealing Identities to Break Accounts

Stealing credentials and circumventing two-factor authentication is complex. With the immense amount of personal information available on the Dark Web, it is easier to create fake accounts using synthetic identities based on stolen information. The account can be used to apply for new credit lines on the victim’s behalf, to gain access to pension funds for users who never established digital access or to accumulate loyalty points for users who shop exclusively in brick-and-mortar shops.

Scams such as these allow attackers to control authentication details to the account, since they were the ones to register it in the first place. Validating legitimate customer identities is a challenging and costly task for businesses in many industries, including banking, insurance, payment services and retail.

Fighting Fraud

Retail and banking institutions must adopt higher security measures to decrease fraud. Business and treasury managers should implement dual-authorization processes to help verify that any money transfer instructions are coming from the legitimate business counterpart, colleague or customer requesting it — not from fraudsters.

Airlines and loyalty programs are starting to adopt stricter security measures for account access, but are still mostly behind the curve in protecting accounts. Customers should demand better protection of their accounts, since, in many cases, they will not be reimbursed for lost miles or points.

With ransomware campaigns such as WannaCry and Petya on the rampage, businesses and individuals must have robust and continuous data backup solutions in place for both devices and storage servers. Customers should be diligent in checking their statement balances and tracking their points themselves. Even more importantly, both consumers and businesses must stay abreast of emerging cybercrime trends to stay one step ahead of fraudsters looking to monetize their sensitive data.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

More from Fraud Protection

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

What to do about the rise of financial fraud

6 min read - As our lives become increasingly digital, threat actors gain even more avenues of attack. With the average person spending about 400 minutes online, many scammers enjoy a heyday. Old impersonation scams continue to deceive people every day, as con artists and hackers are armed with advanced technologies and sophisticated social engineering tactics. According to the Federal Trade Commission, financial fraud increased by over 30% from 2021 to 2022, with total losses surpassing $8.8 billion. This ever-evolving threat will continue to…