Online Bank Fraud: Think Big, Act Small

I was surprised not to find an article about it in the international press. But in Belgium the economic journal Tijd came up with a huge fraud network via online banking that was discovered after a two-year investigation. It surprises me not a to find an English version because it was not only Belgian online banking customers that were involved, there were also victims in for example Denmark, Germany, Portugal, United States... and the money ended in Russia.

 

How did it work? The computer of users of online banking got infected with malware that became active only when the user tried to make bank transactions. At that moment an error message appeared asking the fill in their password again and at that moment a rather small amount was automatically transferred to another account.

 

The amounts that were transferred were maximum about 4 000 euro, and a customer was only attacked once in order not to create a pattern in the criminal’s working methods. That was also with a meaning: these amounts were automatically reimbursed by the bank in order not have reputational damage. For that reason a lot of hackings like this are probably not even made public at police for investigation. This make the whole case probably a lot bigger than it looks right now.

 

As I said the money was transferred to another account, that account was of a so called money mules, located in another European country. These people were in most cases unemployed and looking for easy money. The first times they got about 20%, after a short term only 2.5% was left. The rest they has to transfer via Moneytrans of Western Union to Ukraine or Russia, where the money arrived at another level of money mules. Via anonymous credit- and debit cards another level in the criminal hierarchy got the money ready to be laundered.

 

That is how the upper level of the chain finally got their money. “Think big, act small” was a pretty smart tactic here: banks are afraid of the reputational risk and these criminals know it, so they take small amounts that can be easily reimbursed. Because of this reimbursement clients didn’t feel the need of going to the police with this incident. Even if the client would file a report at police, not would probably happen for an amount less than 3 000 Euros, definitely not an international investigation via a spaghetti of accounts and payment methods these small amounts do not get checked and can easily enter Russia for the money laundering.

 

Of course there is not a lot to do by banks to eliminate the risk for other scenarios like this. As Belgium is perceived as a very safe online banking environment: thanks to a digipass you use another password every time you go online. But if criminals can capture the password during a transaction that it is more important to have a safe computer than to make banks look for even safer strategies I guess.

 

One thing they should do, an that is also what was written in the article is that banks shouldn’t be afraid of the reputational risk, because if they just reimburse customers without filing a report at police there is not much to prevent more cases like this.

 

The biggest problem is the modal bank customers do not realize that and think: “Online Banking Isn’t safe” and “Internet should not be trusted for bank transactions”.

 

What do the fraud specialists reading this think about this story? Is there anything more a bank should do to prevent it, next to informing police if they experience another case?