Throughout the years, banks have expanded their services by offering an ever-evolving set of online capabilities. As a result, financial institutions have become an obvious target for cybercrime and have been quick to deploy various layers of protection to keep their customers safe.

For many cybercriminals, grabbing money online is a day job. Many operate like startup companies, consistently evolving their methodologies and tools and then measuring their return on investment (ROI). With banks adapting customer account protections and traditional cybercrime tools becoming less effective, we have observed a few key changes in criminal operation patterns.

Cybercrime Trends Are Shifting

In its “2016 Internet Crime Report,” the FBI’s Internet Crime Complaint Center (IC3) revealed that account takeover and identity theft claims had decreased by 23 percent since 2015, while the average loss per incident increased by 33 percent to $3,491.

This change can be attributed to fraudsters’ efforts to optimize their ROI by focusing more on attacking commercial and treasury banking customers. These customers are attacked using more targeted, well-planned methodologies such as remote-access Trojans (RATs), business email compromise (BEC) and email account compromise (EAC). The FBI IC3 report showed a 53 percent increase in BEC/EAC attacks from 2015 to 2016 and a 46 percent increase in the monetary losses associated with these incidents, scaling up to more than $360 million in 2016.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Repurposing Malware for Ransomware

Of course, cybercriminals have not forgotten retail banking users. They seem to have learned that it can be easier to extort money from victims directly rather than siphon funds from their bank accounts. To facilitate that, they have figured out ways to reuse some of the advanced malware capabilities they already have to act as ransomware.

Ransomware is a form of malware that blocks system access or threatens to publish data until a sum of money is paid. Examples include Gameover Zeus, which distributed CryptoLocker ransomware, and the Gozi banking Trojan, which fraudsters combined with the Nymaim ransomware downloader to create the GozNym banking malware.

Another example is Svpeng, which was turned from credential-stealing malware into ransomware that impersonates the FBI and demands a payoff to release victims’ devices from lockdown.


Figure 1: Svpeng used to steal credentials and credit card information.


Figure 2: Svpeng used as ransomware with fake FBI allegations and payment demands.

The FBI IC3 reported a 63 percent year-over-year increase in the average ransom payment per incident from 2014 to 2016, peaking at $910 in 2016.

Loyalty Fraud on the Rise

Cybercriminals have been aiming for an even more accessible target. New virtual currencies such as airline miles and loyalty points, which allow fraudsters to cash out through gift cards, have been suffering from increasing levels of fraud.

According to the Loyalty Fraud Association, 72 percent of airline loyalty programs have issues with fraud. Furthermore, 30 percent of airline programs reported that the problem was growing rapidly each year. The FBI IC3 report also supported these cybercrime trends, showing a year-over-year average increase of 30 percent in phishing, vishing and smishing attacks from 2014 to 2016.

Stealing Identities to Break Accounts

Stealing credentials and circumventing two-factor authentication is complex. With the immense amount of personal information available on the Dark Web, it is easier to create fake accounts using synthetic identities based on stolen information. Such an account can be used to apply for new credit lines on the victim’s behalf, to gain access to pension funds for users who never established digital access, or to accumulate loyalty points for users who shop exclusively in brick-and-mortar shops.

Scams such as these allow attackers to control the account’s authentication details, since they were the ones to register it in the first place. Validating legitimate customer identities is a challenging and costly task for businesses in many industries, including banking, insurance, payment services and retail.

Fighting Fraud

Retail and banking institutions must adopt higher security measures to decrease fraud. Business and treasury managers should implement dual-authorization processes to help verify that any money transfer instructions are coming from the legitimate business counterpart, colleague or customer requesting it — not from fraudsters.

Airlines and loyalty programs are starting to adopt stricter security measures for account access, but are still mostly behind the curve in protecting accounts. Customers should demand better protection of their accounts, since, in many cases, they will not be reimbursed for lost miles or points.

With ransomware campaigns such as WannaCry and Petya on the rampage, businesses and individuals must have robust and continuous data backup solutions in place for both devices and storage servers. Customers should be diligent in checking their statement balances and tracking their points themselves. Even more importantly, both consumers and businesses must stay abreast of emerging cybercrime trends to stay one step ahead of fraudsters looking to monetize their sensitive data.
