FraudSMART.ie the new home for Fraud Alerts

FraudSMART.ie is a new fraud awareness initiative, developed by Banking and Payments Federation Ireland (BPFI) in conjunction with Allied Irish Bank plc, Bank of Ireland, KBC Bank Ireland, PermanentTSB and Ulster Bank.

The new website will serve as a one-stop-shop fraud information service for businesses and consumers alike, including case studies, top tips, advice and fraud alerts for those who want to protect themselves against fraudsters.

For the latest in fraud awareness and for all future fraud alerts, please check FraudSMART.ie

Vishing (Telephone) Scam

There are reports of consumers being cold-called by fraudsters claiming to be from their Bank.

Key Details

  • Fraudulent calls have been targeting customers, trying to persuade them that their Credit / Debit Card has been compromised.
  • These scams will usually request a transfer of funds or disclosure of card/account details.
  • Other variants of the fraudulent calls involve the customer’s account being over credited and that the customer must transfer money back to a third party account.
  • Some fraudulent callers are also advising that the customer’s branch will not be aware of this call as it is being handled by a third party.

Red Flags 

To assist in identifying such calls please be aware:

  • Your Bank will never call you to ask for a refund of credit in this manner.
  • Your Bank will not request a transfer to any third party accounts.

Action

Be wary of such calls, as they are not genuine.

  • If you suspect a call may be fraudulent you may hang up and call the phone number on the back of your card, or your local branch for verification
  • Make sure you hear a dial tone if calling from a landline or call from your mobile phone and tell them about your recent contact
  • Don’t transfer money out of your account unless you are doing so of your own accord – not being instructed to do so by a ‘caller’. Once your money leaves your bank account it is gone.

 

This is a general notice issued by the Financial Crime and Security Department of BPFI on behalf of BPFI members.

Disclaimer Note: The information contained in this Fraud Alert /Advisory is for general guidance and for information purposes only and is intended to enhance awareness and vigilance regarding this fraud.

Overpayment Scam

For the attention of:  Irish Businesses

Purpose of Advisory

A number of businesses in Ireland have recently been targeted by fraudsters posing as new customers. They order goods or services for which they make an overpayment and then seek a refund. The original order payment, usually a cheque or draft, later turns out to be bogus leaving the business with a loss.

A PDF version of the Overpayment Scam alert is available to download here.

Key Details

 How Does the Scam Work?

  • The fraudster targets a legitimate seller of goods/services
  • They pose as a new customer, often based abroad, and make an initial order
  • Payment is generally made by a cheque or draft that is delivered directly to a bank branch (even if an electronic method of payment has been discussed)
  • The sum received is higher than the purchase price of the order
  • The seller then receives a request, usually by email, to return all or part of the monies electronically as quickly as possible
  • While the seller is pressured to return the money, the original cheque or draft, which is usually forged, counterfeit or fraudulently altered in some way, will be rejected and not paid – so the seller loses out

Red Flags

 Businesses should be wary of the following

  • New customers and/or unusually large orders
  • Customers who will only provide an email address for contact purposes
  • When the method of payment differs from what was previously discussed e.g. customer has paid by means of cheque when an electronic transfer was agreed and expected
  • Buyers who make a payment above the quoted or invoiced price and ask for the overpayment to be returned electronically
  • Customers who put you under pressure to release goods/funds without undertaking essential checks

Action

 To Protect your Business from overpayment Scams

  • Always make sure you know that any funds paid into your account are irrevocable before making a refund
  • Always exercise caution when forming new relationships with potential customers, undertaking appropriate due diligence
  • Never feel pressured into making a refund until you are sure original funds are legitimate and secure
  • If you are concerned you have been targeted by an overpayment scam, immediately contact your Bank and report to the Gardaí / Police


 

Vishing (Telephone) Scam

Purpose of Advisory

There are increasing reports of consumers being cold-called by fraudsters claiming to be from a major computer company and/or financial institutions. A number of individuals have been duped, have disclosed their information and have suffered financial loss.

A pdf version of the BPFI – Vishing (Telephone) Scam is available to download here.

Key Details

The consumer is contacted, and the caller purports to be:

  1. From a computer company and advises they can help in the resolution of PC issues
  2. From their financial services provider and advises there has been a fraud on their account.

In both instances, during the call the customer is requested to provide their date of birth and their bank card details to the perpetrator. Following disclosure of this information customer accounts are subject to fraud as a result of this scam.

Red Flags

  • Consumers are contacted via an unsolicited phone call or cold called
  • Caller claiming to be from major computer company or their financial institution
  • The consumer is requested to provide personal information (e.g. date of birth)
  • The consumer is requested to provide their bank card (i.e. debit or credit), PIN (Personal Identification Number), CVV/CSC number & 3D secure password details
  • Older consumers appear to be particularly targeted.

 Action

  • Customers are reminded to treat all unsolicited phone calls with scepticism.
  • Never allow a ‘cold caller’ to take control of your computer or laptop. Strangers who ring advising that you are having a problem with your computer are trying to defraud you.
  • Financial institutions are committed to protecting consumers from fraud. While they may contact their customers to discuss the operation of their account and/or their satisfaction with their banking arrangements, they will never make contact asking for personal banking details.
  • Emails or phone calls that consumers may receive requesting such information are an attempt to defraud.
  • Consumers must never disclose their personal banking login or other details in response to any unsolicited request.
  • Consumers are reminded to keep their personal banking login and card details safe and that personal banking login and card details must never be shared.


CEO/CFO Fraud

Purpose of Advisory

A number of businesses in Ireland have recently been targeted by fraudsters using bogus emails which purport to be from a senior member of staff within the organisation requesting an urgent payment or electronic transfer be made outside of normal procedures or trading patterns.

A pdf version of the BPFI CEO/CFO Spoofed Email Payment/Mandate Request Fraud Alert is available to download here.

Key Details

A member of staff in the finance or accounts department receives an email purporting to be from a senior member of staff within the organisation, whether at Director, CEO, Chairman level etc., requesting they arrange an urgent payment outside of their normal procedures due to exceptional circumstances.

The email appears to be genuine due to the address in the “From” box reflecting the genuine email address of the senior member of staff. With the recipient believing the email to be genuine, they arrange for the payment to be made through their preferred payment method for the credit of the fraudster’s account, from where the monies are usually quickly withdrawn or transferred out.

There are two methods which the fraudster could use to facilitate this type of fraud attempt:

Email Spoofing

Using technical know-how, social engineering or malware, the fraudster is able to construct an email which appears to have come from another source, whilst disguising the true originator. Hovering the cursor over the name in the “From” box will not reveal the true origination address in these cases and therefore the email appears genuine. The difference in the spoofed email account is very subtle and can easily be mistaken for the legitimate email address.

Hacked Email Accounts

The fraudster hacks into the victim’s email account and starts issuing emails in the victim’s name, including payment requests to banks or work colleagues. Customers that are more vulnerable to this type of attack are normally users of free email services such as Gmail, Hotmail and Yahoo, for example.

Red Flags

  • Any payment request which is outside of normal policy or process, especially if received by email
  • Any urgent or confidential request not respecting the standard working procedure or trading patterns
  • Any unusual payment request such as transfer of high amounts to an unknown or foreign account or to a country where the company has no market relations

Action

  • Businesses should have a specific documented internal process for the arrangement and authorisation of payments
  • Any requests outside of that procedure, especially if received by email, should be regarded as suspicious
  • For such requests, verbal contact should be made with the person sending the email, using a known contact number from the company’s internal records, to confirm the request
  • Businesses should strengthen their passwords for access to their email accounts, to include a mixture of uppercase letters, numbers and special characters, e.g. $&, etc.
  • Businesses should avail of password manager applications and use passphrases instead of passwords


Vishing Scam

Purpose of Advisory

There are increasing reports of bank customers being cold-called by persons claiming to be from a well-known retail outlet and being told that a third party is in the outlet at that time attempting to fraudulently use the customer’s card (Visa debit or credit). A number of customers have been duped and substantial sums have been paid away/transacted.

A pdf version of BPFI’s Vishing Scam Fraud Alert is available to download here.

Key Details

The customer is advised by the caller to contact their card services team, using the number on the reverse of their card to notify the bank of the compromise. The customer proceeds to immediately call this number (sourced from the back of their card), however as the initial caller has not hung up, the line remains open for a number of minutes. The customer proceeds to disclose their personal banking information to the bogus card unit (i.e. the perpetrator) who has remained on the telephone line.

In recent incidents, the bogus card unit advises the bank customer to ring An Garda Síochána. The bogus card unit provides the customer with a phone number to ring. Yet again the phone line remains open as the second call was also not terminated. The bank customer, in turn thinks they are actually speaking with the Gardaí and acts on the advice they are given.

In recent cases the perpetrator pretending to be the Gardaí instructs the bank customer to move their money to a “new safe bank account” overseas. Substantial sums have been lost by victims as a result of this crime.

Red Flags

  • Bank customers are cold called – receiving unsolicited telephone calls.
  • Caller claims to be from a well-known Retailer informing them of a fraud involving their bank card (debit or credit).
  • The initial phone call is not terminated (i.e. the phone line remains open) as the perpetrator does not hang up.
  • On the second call (this in fact is a continuance of the first call) the bogus card unit does not know any personal information about the customer (e.g. where they live, their date of birth, etc.).
  • The bogus card unit seeks details of the customer’s bank account.
  • Either the bogus card unit or the perpetrator acting as the Gardaí attempts to dupe the customer into transferring a large sum from their account to a bank account overseas (possibly in the UK or other destinations).
  • Customers are advised by the perpetrators/fraudster that their bank/branch staff cannot be trusted.

Action

  • Consumers are encouraged to treat all unsolicited phone calls with scepticism and to be vigilant in this regard.
  • Hang up the call – in advance of making any subsequent calls, listen to ensure there is a dial tone.
  • “Phone a Friend” in order to ensure that any suspect call has terminated – call and speak with someone who is known to you (e.g. a loved one, a family member, a neighbour etc.)
  • Phone your bank’s customer services team using the number from the reverse of your bank card, ensure there is a dial tone before you ring.
  • Your bank will never contact you and ask for your full PIN number, neither will the bank ask you to input your full PIN number onto your phone keypad during a phone call.

Remember your bank will never initiate contact with you by phone/email asking for account/personal financial information details.


Invoice Re-direction Fraud

Purpose of Advisory

To advise that a number of businesses in Ireland have recently fallen victim to a scam involving bogus emails that purport to be from an existing creditor. The email generally contains a letter as an attachment. The letter purports to notify the receiver of new (amended) bank account details to which all future payments are to be sent.

A PDF version of BPFI’s Invoice Redirection Fraud Alert can be downloaded here.

Key Details

  1. Irish businesses are increasingly experiencing attempted invoice re-direction fraud.
  2. This involves a creditor’s beneficiary details being fraudulently altered.
  3. The business is misled into believing that a beneficiary’s bank account details have been changed and so funds that are due to be paid out are transferred to a fraudulent account.
  4. Attempts such as this could be successful if the change of details request is not confirmed directly with the source supplier. Use a phone number from your files, not from the letterhead of the suspect letter.

There are various other measures a business can take to safeguard itself against such fraud. For further details please see below.

Background

There is a growing trend in payment fraud involving beneficiary details being fraudulently altered. This bogus invoice fraud usually involves genuine invoice details being intercepted by unknown means; the beneficiary account details are then altered so that payment is redirected to an account under the fraudster’s control. The fraud will usually be discovered some time afterwards when the legitimate company sending the invoice queries ‘non-payment’.

What Are the Tell Tale Signs?

Invoice Re-direction Fraud

The email notifying the change of details may be in the name of someone that the receiver is used to dealing with; however, the fraudsters will have created a bogus email account in which the sender’s name carries a minor variation. See the following examples:

james.ryanabcd@hotmail.com (genuine)           jamesryanabcd@hotmail.com (bogus)
liz.smythabcd@stantons.com (genuine)           liz.smythabcd@stantonz.com (bogus)
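
The look-alike sender addresses shown above, and the subtly altered addresses described under CEO/CFO Fraud, can be screened against the contact addresses a business already holds on file. The following Python is an added example, not part of the BPFI advisory; the contact list, the function names and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed contact list: the genuine addresses from the advisory's examples.
KNOWN_CONTACTS = {
    "james.ryanabcd@hotmail.com",
    "liz.smythabcd@stantons.com",
}

# Characters whose insertion or removal leaves a name looking the same at a glance.
SEPARATORS = str.maketrans("", "", "._-+")


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, known=KNOWN_CONTACTS, max_distance=2):
    """Classify a From header as known, lookalike, unknown or invalid.

    Returns (verdict, contact_on_file_or_None, reason). max_distance is an
    assumed threshold: how many character edits still count as a near miss.
    """
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ("invalid", None, "no usable address in From header")

    contacts = sorted(k.lower() for k in known)
    if addr in contacts:
        return ("known", addr, "exact match with contact on file")

    local, _, domain = addr.rpartition("@")
    for contact in contacts:
        k_local, _, k_domain = contact.rpartition("@")
        same_skeleton = local.translate(SEPARATORS) == k_local.translate(SEPARATORS)
        local_close = same_skeleton or edit_distance(local, k_local) <= max_distance
        domain_gap = edit_distance(domain, k_domain)

        if domain == k_domain and local_close:
            # e.g. a dot dropped from the name, as in the first bogus example
            return ("lookalike", contact, "same domain, near-identical name")
        if local_close and 0 < domain_gap <= max_distance:
            # e.g. one letter changed in the domain, as in the second example
            return ("lookalike", contact, "near-identical domain")

    return ("unknown", None, "no similar contact on file")


if __name__ == "__main__":
    # Constructed From headers; the two bogus addresses are the advisory's own.
    for header in ("James Ryan <jamesryanabcd@hotmail.com>",
                   "liz.smythabcd@stantonz.com",
                   "Liz.SmythABCD@Stantons.com",
                   "orders@example.org"):
        print(header, "->", check_sender(header))
```

A "lookalike" verdict is a prompt to confirm the request by phone using a number from your own files. It does not detect a hacked genuine account or an email whose "From" address has been forged exactly.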

Fraudsters may then submit bogus invoices. These invoices, and any covering letters, may appear to be printed on company headed paper but are more likely scanned copies from an original document and printed onto paper using a domestic printer so the company logo may appear less sharp and slightly blurred.

Action

Although not exhaustive, some examples of action you can take to protect yourself are:

  • Make a phone call to a known contact within the firm that appears to be requesting fundamental changes in banking details
  • Always confirm change of bank account requests with the company making the change, being mindful not to use the contact details on the letter requesting the change.
  • Look out for different contact numbers and email addresses for the company as these may differ from those recorded on previous correspondence.
  • Consider reviewing change of account details already acted upon where payment is due at a future date and confirming the authenticity of the request.
  • Consider setting up designated single points of contact with companies to whom you make regular payments.
  • Instruct staff with responsibility for paying invoices to be cognisant of checking invoices for irregularities and checking out their concerns with the company requiring payment.
  • Consider setting up a system whereby when an invoice is paid you also send an email to the recipient informing them that payment has been made and to which bank account. Be mindful of account security and consider including the beneficiary bank name and the last four digits of the account to ensure security.
  • Fraudsters may have found information regarding contracts and suppliers on the victim organisation’s own websites. Consideration should be given as to whether it is necessary to publish information of this type in the public domain as it has been demonstrated that it can be used to facilitate fraud.
  • For payments over a certain threshold, consider organising a meeting with the company who are requesting payment, and satisfy yourself that payment will be sent to the correct bank account and recipient.


Bogus Lodgements

Purpose of Advisory

To advise that a number of banking customers in Ireland have fallen prey to frauds that involve bogus lodgements being credited to Bank accounts, disguised as electronic payments from overseas.

A pdf version of BPFI’s Bogus Lodgements fraud alert is available for download here.

Key Points

Common characteristics identified to date are:

  • A company (the victim) advertises a product for sale (usually on the internet).
  • The criminal agrees to buy goods from the company. The sum involved is usually relatively small (ranging between €2k – €4k).
  • The victim provides details of their bank account to the criminal and asks for the payment to be sent electronically.
  • The criminal sends a counterfeit cheque / draft, usually for the sum of €50k – €130k to the account holding bank with a request that the item be lodged and the accompanying reference number be quoted on the lodgement.
  • The narrative may convey the impression to the victim company that the funds are cleared.
  • The criminal then contacts the victim company advising that they overpaid the invoice and requests that the surplus funds be redirected back to an overseas account.
  • The counterfeit cheque or draft is received back unpaid some days after the above scam has been carried out.
  • The risks associated with brand new contracts entered into with strangers over the internet need to be recognised, particularly where you are asked to send monies to these parties.

Action

  • Should you or your staff receive notice of such an unusual lodgement being made into your bank account, exercise considerable caution.
  • Do not return any funds to the remitter unless / until you are fully satisfied that the underlying transaction is genuine. Overseas cheques can take 4 weeks or more to clear.
  • Have clear procedures in place so that unusual scenarios are handled with appropriate caution and that all instances of suspect incidents are reported to management and to the Gardaí / Police.


Social Engineering

Purpose of Advisory

To advise that a number of banking customers in Ireland have fallen prey to frauds that involve various forms of social engineering – where the information required is garnered from a person rather than breaking into a system.

A pdf version of BPFI’s Social Engineering fraud alert is available for download here.

Key Points

1. Phone Fraud Scam

  • Some businesses and individuals have recently fallen victim to a sophisticated phone scam. The fraudster uses an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
  • An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation to establish legitimacy in the mind of the target.
  • During the course of a phone call or series of calls, the perpetrators obtain enough information to take control of the victim’s bank account including full details of the online banking passwords following which fraudulent high value payments are made.

2. Email Account Hacked

  • Personal email accounts of some customers (particularly company directors and individuals of high net worth) are being compromised, in many cases as a result of the individual responding to a phishing email.
  • Having gained unlawful access to the company director’s email account, the hacker will familiarise themselves with the email correspondence therein.
  • The hacker will then issue emails from this account, posing as the company director, providing an excuse as to why all contact with him must be by email (“I’m boarding a plane and will be out of reach”)
  • The hacker may then either:
    • Contact the bank purporting to be the company director, and instruct that a payment be made to a fraudulent beneficiary account, or
    • Contact a colleague in the company’s finance department (e.g. financial controller, or some such person) instructing the issuance of a high value payment to a fraudulent beneficiary. In this latter situation, the bank will have been given a legitimate payment instruction by the finance department.

Action

Attempts to ‘socially engineer’ (manipulate) staff into divulging sensitive data, whether this is banking data or some kind of client data, must be recognised by the recipient for what it is – criminal activity.

In order to recognise such situations, all inbound calls/emails that seek any kind of sensitive information (re banking data, transaction data, customer records etc.) or payment instructions should be treated as potentially suspect.

Where a staff member receives payment instructions via email, then enhanced checking procedures should be implemented at all times, e.g. call-backs must be made to ensure that customer emails have not been hacked. No customer information should be permitted to be disclosed via email and payment instructions should only be processed in accordance with existing procedures.

Businesses should adopt robust identification processes and ensure that all calls/emails from strangers who are seeking potentially sensitive information of any kind are handled with appropriate caution and that all instances of suspect calls are reported to management and to the Gardaí/Police.

Always remember: Your bank will never send you an e-mail requesting your bank security details.


*Social Engineering in this context means techniques of manipulating people to obtain information (via email or phone calls) or retrieving information from social networks for the purpose of fraud.


Trojans/Malware

Purpose of Advisory

The purpose of this note is to make customers aware of Trojans/Malware activity and to implement safeguards in order to protect themselves.

A PDF version of BPFI’s Trojans/Malware Security Advisory is available to download here.

Key Points

For business/corporate banking:

  1. There has been heightened activity from new Trojans / Malware variants attacking primarily business banking customers across Europe.
  2. Malware is delivered via an email attachment or a link to an infected website.
  3. Malware can also be disguised as a PDF, a Word file or even a PowerPoint file.
  4. Once the attachment is opened, the machine is infected with keyloggers and remote access Trojans.

Action

Ways customers can protect themselves:

  • Keep your PC’s patching up to date.
  • Run a recognised anti-virus (AV) and anti-malware programme and ensure it is up to date and actively scanning.
  • We advise carrying out your own virus check before opening any attachment.
  • We recommend switching on the heuristic scanning option if available.
  • Change passwords regularly.
  • On online business banking, review your beneficiary lists and account numbers regularly.
  • Ensure that transaction limits are set at a value threshold equal to or just above your regular payment amount.

Always remember: Your bank will never send you an e-mail requesting your bank security details.
