The following feature appears in the fourth quarter 2024 edition of Bank Director magazine.
Sam Truitt regularly hunts for fraud. Recently, that had the senior analyst at Jack Henry & Associates exploring an encrypted messaging app named Telegram, where she was surprised to find fraudsters in public domains selling bank login credentials and instruction manuals on how to commit fraud. Interested parties, she found, could pay $750 per month for a chatbot to scam victims to gain access to their bank or PayPal accounts. One promised a “sophisticated AI voice” that included 24/7 multilingual support. Others sold looted credit cards and credentials on Instagram and Facebook. One marketing promotion for check printing software bragged of its superiority but was polite enough not to use a full expletive: “Other guys don’t even have shi*,” it said.
“What struck me was how blatant it is,” Truitt says. “They are not trying to hide at all.”
In years past, fraudsters operated in the shadowy world of the dark web, which requires a special browser to enhance anonymity, but these fraudsters are now on social media selling manuals on how to commit scams. Criminal organizations have been selling bank account and card information for more than a decade, but recent years have seen a proliferation of cybercrime as a business. The risks are rising for banks.
The increased frequency and sophistication of cyberattacks are putting global financial stability at risk, according to a May report from the International Monetary Fund. Incidents have been rising since the Covid-19 pandemic started in 2020, in part because of greater digitization, dependency on technology and financial innovation, the group said. Financial firms have reported $2.5 billion in direct losses since the start of 2020, according to the IMF. “For financial institutions, the result of a cyberattack could mean funding challenges, reputational damage and could even lead to insolvency,” the group said.
Nowadays, cybercrime has morphed into a full-scale business enterprise perpetuated sometimes by organized gangs that commit scams using kidnapped people as slaves, as reported by National Public Radio and other news organizations. Or they hire staff. “It’s very much office culture,” says Trevor Hilligoss, vice president of SpyCloud Labs, which mines the dark web for threats to its clients, such as stolen data. “We’ve seen people ask for a day off and having someone say, ‘It’s not approved; we need you to work today.’” Such groups may operate with the sanction of corrupt regimes around the world. A few nations employ cybercriminals to disrupt elections, infrastructure or stability.
But most cyberattacks are motivated by financial reasons, according to Verizon Communications’ 2024 Data Breach Investigations Report. Some are lone wolves who form loose organizations on apps such as Telegram and in forums on the dark web. They sell no-code malware and chatbots to people who don’t know how to write code, helping to proliferate the attacks. “Historically I would say there’s growth in the organizations becoming bigger, more sophisticated, but then at the same time it is easier for basically anybody with a computer to launch some pretty scary things,” says Ben LeClaire, a principal at Plante Moran.
Tranches of credit cards are marketed with a ratings system similar to that of the credit rating agencies. Stores are reviewed by customers in an eBay-like system. There are even escrow services to ensure that payment is made for services. “It’s 100% business, and they want to make as much money as they can as quickly as they can,” says Rick Holland, field chief information security officer for ReliaQuest, a cybersecurity firm.
Hilligoss, who worked for the U.S. Army and later the FBI on cyber investigations, has put away his gun and badge to cyber sleuth for the private sector. “What really concerns me, and this has concerned me for a long time, is the criminals are getting better at what they’ve been doing,” he says. “That mimics the capitalist economy … We specialize, we make a profit, we see what is profitable, what’s not profitable, and we pursue the profitable. It’s the same way that the criminal ecosystem functions.”
Capitalism’s Dark Underbelly
The dark web, the place where Hilligoss and his team spend part of their time, is a place on the internet where capitalism runs amok. Its origins can be found in the Tor network, developed by the U.S. Department of Defense in the 1990s to protect the identities of spies serving around the world, according to the IMF. People who visit the dark web use a special, free browser also called Tor. You can’t get there with Google Chrome or Safari, in other words. Tor is short for “The Onion Router” and like layers of an onion, it protects users from surveillance by moving traffic through a series of encrypted servers. Political dissidents living in countries where information is suppressed can exchange news. The New York Times has a dark web version of its site, for example. So does the CIA, according to the IMF. It’s also a place to buy drugs, sex, an assassin, a slave. You name it, and it’s for sale.
Will Hubbs, Bank Director’s director of data intelligence, took me on a tour of the dark web recently in Bank Director’s offices in Brentwood, Tennessee. We found U.S. passports for sale for 4,000 euros, driver’s licenses and national IDs of all sorts. We found ways to scam other people that appeared to be scams themselves, such as $55,000 worth of credit cards for $20. Someone offered a way to break into a specific credit union.
Sellers were eager to get positive reviews for their products. One promised a free stolen credit card in exchange for positive feedback. On the dark web, criminals sell check printing software to forge checks. They sell photos of themselves with a forged driver’s license to bypass multi-factor authentication online.
A major risk for a cybercriminal is getting caught, especially for those living in countries where such crimes are prosecuted. A common joke is that 20% of dark web users are criminals and 80% are law enforcement trying to catch the criminals. Because of that, marketplaces often require a complicated set of verification steps to enter, hoping to confirm that newcomers are genuine criminals rather than investigators.
The Threat to Banks
The finance industry is a popular target. After all, Willie Sutton said the reason he robbed banks was “because that’s where the money is.” The finance and insurance industry had 3,348 cyber incidents last year, including security incidents and breaches — the second highest number after public administration, according to Verizon’s 2024 Data Breach Investigations Report. Of those, about 1,115 breaches occurred, lower than in healthcare, education or professional services, showing that the financial industry’s defenses may be more robust than other sectors. Nearly one-fifth of all cyber incidents in the past two decades involved the financial sector, according to the IMF. Banks are the prime target, followed by insurers and asset managers.
Banks are obviously worried about breaches and the reputational and financial harm that results. But a growing threat to banks is that their customers are getting scammed out of their savings as well, creating a potential liability. What happens if a scam victim happens to be a major borrower, now bankrupted by the loss?
Also, regulators may force banks to reimburse customers. Banks typically differentiate between scams and fraud, reimbursing customers in compliance with Regulation E if their losses are tied to a breach of the bank’s systems. However, many banks won’t reimburse customers victimized by scams, when the customer authorized the transaction. Recent Congressional scrutiny of the bank-owned Zelle payments network has been followed by a Consumer Financial Protection Bureau investigation into reimbursement practices at large banks, according to The Wall Street Journal.
Among multiple types of scams targeting banks and their customers, phishing is one of the more common. The criminal pretends to be someone else to obtain information such as passwords or login codes, or to induce someone to send money. It remains popular because it’s successful.
Other types of attacks don’t involve scams, but hacks. Attacks can be especially successful if a hacker obtains access to someone’s phone. Financial organizations and others frequently verify a customer’s identity by sending a unique code to their mobile phone. “A phone number is not really an identity document, but it’s treated like one,” says Allison Nixon, chief research officer at Unit 221B, which tracks English-speaking cybercriminals for clients. The technology for “SIM swaps,” as they’re known, has existed for decades but emerged in 2018 as a criminal tool to raid crypto exchanges, Nixon says. Criminals obtain certain verifying information about customers, perhaps on the dark web, and use it to fool telecommunications companies into routing a customer’s phone number, and the messages sent to it, to the attacker. The hacker could then access bank and crypto accounts using the verification codes meant for the customer’s phone.
Around 2017 or 2018, crypto exchanges became one of the most popular places to hack, Nixon says. That was because bitcoin valuations soared. Criminals discovered they could make millions breaking into those exchanges, which weren’t as well protected as banks and didn’t offer deposit insurance. Nixon thinks that wealth incentivized even more crime around the globe, leading to the current uptick in scams and frauds. “That was an era of overnight millionaires and just unbelievable levels of wealth that were appearing out of nowhere because they were emptying out crypto exchange accounts,” she says.
But inevitably, telecommunications companies started cracking down on SIM swap fraud, and it became more difficult to hack crypto exchanges. “A couple of years into the pandemic now, like about 2022, there was a pivot to ransomware,” Nixon says. “It became genuinely more difficult to steal bitcoin using SIM swap fraud, and these people wanted to continue to make millions of dollars.”
Following a breach, ransomware involves a criminal demanding payment in exchange for not releasing stolen data on the dark web. Criminals sell specific instructions, guides and malware to proliferate these kinds of attacks. They also offer their own services up for sale. “Hacking for hire is a common thing that you can purchase on the dark web,” says Lee Laslo, vice president of infrastructure and security for the identity verification and risk firm Alloy. Criminal organizations offer affiliate programs where hackers can pay up front for the hacking know-how and then share a portion of the proceeds with the organization. “It works well as a business model because everybody gets paid if the attack is successful,” Laslo says.
Companies across all industries have been grappling with ransomware attacks for a few years now. Increasingly, some of the victims are refusing to make the ransom payment, according to the insurance brokerage Marsh. About 20% of ransomware victims make the payment, down from 63% in 2021, the firm said. Evolve Bank & Trust, a $1.6 billion bank in Memphis, Tennessee, was one such company. Holding company Evolve Bancorp said in a statement in July that the hackers published customer data online after the banking company refused to pay the ransom.
Emerging Risks
Nixon believes hackers could become increasingly violent. The dark web is filled with “proper mafias” and a “disorganized petty thief ecosystem” that sometimes burst into violence in the physical world, as in the case of organized crime using slaves to perpetuate scams on Western customers. Some call centers for financial institutions are housed in countries where organized criminals threaten employees with physical violence if they don’t cooperate on inside jobs against banks. “Banks are going to have to think about how they’re going to physically protect their people in ways that they didn’t have to think about before,” Nixon says. Also, she says that in her travels through the dark web, she has found evidence that malicious hackers are in universities getting computer science degrees. How will banks avoid hiring them to staff IT departments?
Another emerging threat is artificial intelligence, which can be used to create so-called deep fakes, mimicking someone’s voice or image. Criminals can use deep fakes to gain access codes or persuade someone to send money. In a few reported cases, deep fakes have induced employees into sending funds to fraudsters. In one, Hong Kong police said earlier this year that an employee of an international firm sent roughly $25 million to fraudsters after getting fooled by a video conference call with the chief financial officer and other executives, all of whom turned out to be AI-created videos, according to CNN. “Deep fake is scarier than e-commerce, synthetic fraud and data breaches combined,” says Canh Tran, the CEO and cofounder of Rippleshot, which builds cybersecurity tools for financial institutions. “I’m scared. I literally am.”
Criminals also sell FraudGPT, similar to OpenAI’s ChatGPT but with the safety precautions removed, to help other criminals scam customers. You can make a phishing page. You can ask it to write malicious code to break into a bank. You can create a bot that sounds like a normal person to scam someone. “You can subscribe to it for 89 euros per month,” Laslo says. There’s also a pro version available.
Truitt found a user manual publicly available on Telegram for an “OTP Bot,” or one-time password bot. OTP bots try to exploit victims with automated software that collects the one-time password financial institutions use to verify customers. Bots in general can help such attacks proliferate because they’re less manual — criminals can use them to send mass phishing emails or text messages to thousands of people in the hope of scamming one or two by getting the victims to enter their one-time passwords into the scammer’s fake website, for example. The bot buyer can write a script for the bot. For example, if you’re a criminal, you might want your bot to text, “Hi.” If someone responds, you might answer, “I’ll send you money.”
Scammers try to sell these to other scammers, using well-worn, if awkward, marketing language. One said, “Whether you are a old and experienced OTP Bot user or a new user just trying something new, this is for you.” Buyers could pay for the bot with a variety of cryptocurrencies.
Sounil Yu, a cybersecurity executive and former chief security scientist at Bank of America Corp., says the large language models behind today’s artificial intelligence can mine through content much more quickly than humans can. For example, one of the hindrances to cybercriminals when they break into a bank is the complexity of the environment. Artificial intelligence in the future could rapidly search such environments to find critical vulnerabilities and data. AI also could look for material nonpublic information that could be used to extort companies.
But there’s disagreement in the industry about how much of a threat AI really is now. For one, the technology has a lot of bugs. “There’s one thing that AI is going to be good at, and that’s defeating KYC [Know Your Customer identification rules],” says Nixon. She says bank authentication tools are inadequate because they rely on methods that can be forged or stolen, such as access to someone’s phone, passwords, dates of birth, or photos of people holding up their driver’s licenses. “In light of everything else that I’m seeing that’s actually successful, I’m not impressed by AI,” she says.
Yu agrees large language models aren’t reliable in their mining of data, at least not yet.
And AI can be used to catch fraud as much as it can be used to commit fraud. Although Yu expects increasing numbers of deep fake scams, “the alternative [to deep fakes] is to have deep fake detectors,” he says. And in fact, many such tools exist.
Other than preventing customers from sending money to scammers, “there are technology solutions that exist now that are effective,” says Tommy Nicholas, the CEO of Alloy. “It’s also expensive for banks to use every single defense that they could possibly use under the sun. So, they’re constantly in a balancing act around that.”
Sarah Biller, a director at $722 million Thread Bank, a subsidiary of Thread Bancorp in Brentwood, Tennessee, is working on a federal government initiative to create regional technology hubs. Separately, she’s also in charge of creating a principled approach to digital identities. She agrees that many tools exist, but they aren’t universally deployed, and the United States needs to do a better job authenticating people.
Yu says the industry needs a “root of trust” to prove someone is truly who they say they are, just as web browsers are part of a system that distinguishes legitimate sites from criminal ones. But even if the root of trust problem were solved, criminals would be working to subvert it.
They’re always advancing their techniques, forcing the cybersecurity industry to stay nimble and move fast.
“It’s a computational arms race,” Yu says. While attacks become increasingly sophisticated, the tools to perpetuate them are being sold in an elaborate business enterprise to less sophisticated fraudsters, helping spread them across the globe.
“Right now, the bad guys are getting ahead of us,” Biller says.