Social Media Sites: An Open Door for Financial Fraud

Hackers can steal employee personal data, conduct email phishing campaigns and commit various types of fraud just by browsing social media sites. They use lies and manipulation to trick people into connecting with them, then gather personal information on their new friends and their connections. This presents a challenge to organizations that are already spending a fortune on firewalls, secure managed file transfer and secure email systems.  It’s difficult to monitor employees’ willingness to leak sensitive company data when they are befriended by hackers.

Dell Computer reported that fraudsters, thought to operate out of Iran, created dozens of fake LinkedIn accounts, posing as corporate recruiters to entice employees at telecoms, government agencies and defense contractors to give up sensitive information, including business emails. Symantec’s investigation also uncovered dozens of fake LinkedIn accounts across a variety of industries used by hackers to target employees.

Hackers Impersonate Employees and Vendors

Once hackers have successfully stolen employees’ personal data — including reporting structures, titles and emails — they are able to conduct email phishing campaigns.  By using company emails, hackers can pose as a senior executive, often the CFO, controller or CEO and issue a communication directing a lower-level employee to urgently execute a financial transaction to a fraudster’s account.

Hackers can also send bogus emails to employees, impersonating legitimate suppliers.  Vendors’ emails are spoofed by adding, removing or subtly changing characters, making it difficult to distinguish the perpetrator’s email address from the legitimate address. The scheme is usually detected only when employees are asked to verify the transaction. According to the FBI’s Internet Crime Complaint Center (IC3) the average dollar loss per victim is approximately $55,000, although IC3 has received complaints reporting losses that exceeded $800,000.

Emails can also be used to infect employees’ computers with malware.  For example, the Carbanak cyber gang stole $ billion from more than 100 financial institutions worldwide by sending employees emails with a link that, once clicked, triggered the download of malware that was used to identify employees responsible for ATM software. Next, the hackers installed a remote access tool (RAT) on their computers, collected snapshots of their screens and used the information collected to dispense money remotely and transfer money to fake accounts.  All of this was accomplished by initially sending supposedly legitimate emails to bank employees.

Social Media Banking Increases the Risk

As banks continue to compete for the best customer experience, they are becoming more forward thinking by using social media platforms to engage their customers and enhance their service offerings.  For example, Turkey’s DenizBank offers their customers access to their accounts via Facebook.  Kotak Mahindra Bank, one of the largest private sector banks in India, launched Kaypay, a multi-social payment app that allows customers to transfer money through social media channels.

Banks that use social media banking services are more vulnerable to brand hijacking where hackers can blatantly copy and misuse company logos and website content.  Fraudsters can impersonate a business’ online presence and deceive unsuspecting visitors into believing they are visiting the real organization’s website, opening them up to the risk of divulging personal information.

User Education and Monitoring is the best Defense

Organizations that want to protect their assets and reputation need to invest in employee training to raise awareness of the risks of using social media.   Employees should be instructed to adopt a position of sensible caution when engaging with members of colleagues’ or friends’ networks who they don’t know personally.  When evaluating inquiries originating from LinkedIn, users should seek confirmation that the individual is legitimate by directly contacting the individual’s purported employer. In addition, it may be prudent to monitor user behavior and applications on corporate networks to detect potential takeover of social media accounts and identify suspicious activity early, before damage is done.

Companies have competing priorities when it comes to social media and LinkedIn. They want to reach customers, recruit new talent and drive up online visibility. But they also have a driving need to protect their data — especially in regulated industries like banking, where a data breach could cost them not only customer loyalty, but also countless dollars.