Warning for Ye Olde Bank: Don't Do This!

by lg0p89

I won't waste space and time with the disclaimer or indemnity language.  Let's get right to it!

Banks and financial institutions are a natural target for the deviants using various hacking techniques.  The banks have a ready supply of one of the more coveted items: cash.  This does not necessarily refer to the tangible $20s and $50s, not to mention the $100s, but to the digital version.  With a few keystrokes, the unwitting/ignorant personal banker can wire or ACH $1,500 or $100,000 to any other bank account on the planet.  Once received on the other end, these funds can then be sent on to various other banks again and again until the trail is cold.  If the money is sent outside of the U.S., it may be virtually impossible to track or get returned in the case of fraud.

This can be an issue for the banks.  Once funds that weren't supposed to go out are wired out, there is a direct and immediate loss to the bank.  Recently, we had another issue at Ye Olde Bank.  We all receive the usual phishing emails.  For example, UPS sends an "individualized" email to you and 15 others informing you there was an attempted delivery for a package and that you need to click on the official-looking UPS icon at the bottom of the email to arrange an alternative delivery.  Or, better yet, a certain multinational bank - let's say BofA - sends yet another personal email to you and 20 others asking you to verify your personal account information due to a security breach.  But you don't have an account there!

The phishing scam has been dumbed down a bit for the latest exploit that came across my cubicle quasi-desk.  Instead of emailing this, they faxed the request to an individual company.  Yes, they went old school.  They also added a sprinkle of social engineering for good taste.

The fax appeared to be official.  It had the Equifax logo in the upper right-hand corner.  The header of the fax read "EQUIFAX - ADM R DEPT (date) (time)."  It also used a standard three-paragraph format.  The first paragraph stated the company was "registered as a prospective contractor for procurements issued by the U.S. Federal Government."  Also, the company had not submitted a financial information release form.  The second paragraph stated the bank may not provide the financial information to Equifax (the faux Equifax) without the company's consent.  Equifax supposedly needed the information to determine a credit score, which is used by federal and state governments for procurement decisions.  The third paragraph stated the consent and release form had to be faxed to them.  The letter impressed on the company that this had to be completed as soon as possible.  The second sheet was the consent and release form.  It had the company name typed in.  The EIN, bank name, operating account number, and signature block were blank.  The number to fax the form to was a U.S. number in the 202 area code (Washington, DC).

The request had none of the typos that are usually seen.  You can guess what happened next.  The company's secretary completed the form and faxed it in.  Within 24 hours, the bank received two international ACH requests for the company.  The only action that saved the client from an even bigger headache than the one they were already going to get (Excedrin was not going to be able to touch the pain) was that the personal banker reviewed the form.  It was odd for the company to have an international ACH request and, also, the signature was just far enough off to start the red flag up the pole.  The personal banker looked at the signature card, verified that the signature was not quite right, and called the client.  Indeed, the bank's client confirmed that the request was fraudulent.

There are several reasons why this should not have happened:

*  The second paragraph notes a "procurement credit score."  I have not heard of this before with government contracting.  If the government were contracting with you, there are other independent third-party sources of information they can readily obtain instead of a "procurement credit score."  After all, they are the government.  They can do what they want!

*  Equifax is a personal credit reporting agency.  This is not applicable to businesses.  Anyone or any entity would request a Dun & Bradstreet (D&B) report for a business.

*  The fax from the pseudo-Equifax requested the operating account number.  This is the account that the company uses for paying its bills, for example.  Usually, it holds the most money, compared, for instance, to a payroll account.  There is no rationale or good reason for them to ask for this.  It is only bad news to give this out.  Hands down - never do this!

*  The company also does not do government work and had not applied to do government work.  This should really have set off the alarm bells, but they were silent.

The lesson learned is still: do not give out confidential information, no matter how pressing the request may seem.  Always ask questions.  I continue with the (duh) notation for the bank's client.  If the request is odd, it is probably not quite right.  Common sense rules above all.  This is a teaching opportunity for us to pass along to the non-IT areas or to friends and family.