Protect your assets from fraud: Tips from a former cybercriminal

Think online fraud can’t happen to you? One of America’s formerly most wanted cybercriminals, Brett Johnson, says it’s not just possible, it’s likely.

Once dubbed the “Original Internet Godfather,” Johnson created the online criminal forum “Shadowcrew,” an organized network through which criminals bought stolen credit cards, Social Security numbers and more. Johnson’s fraud activity earned him a place on the U.S. Secret Service’s Most Wanted List. Now, Johnson advises Fortune 1000 companies on how to spot and prevent fraud. In SVB’s fraud prevention webcast, Confessions of a Fraudster, Johnson explained how to think from the fraudster’s point of view. Here are Johnson’s key insights:

Here’s how it works – start with identity theft

To access your financial accounts, cybercriminals first steal your identity. They start by creating a “Fullz,” a stolen identity profile that includes your name, address, phone number, Social Security number, date of birth, mother’s maiden name and any other access or personal data they can gather. If criminals don’t want to create these “Fullz” identities themselves, they can easily buy them on the dark web for as little as $20 per individual, Johnson says.

Email compromise in six easy steps

Cybercriminals gain control of your email by using “phishing” techniques that mimic your official email domain. It looks like your email, but it isn’t. Once you click on the fake link in the email or respond to the phishing email itself, you have invited the fraudster to take over your device and send emails out on your behalf. The FBI estimates that $12.5 billion is lost each year due to business email compromise. The number of identified global exposed loss compromises increased 136 percent between December 2016 and May 2018 (FBI Bulletin 2018). As Johnson says, criminal “…phishing and especially spearphishing (targeted phishing attempts) will get you eventually. It’s a bad lottery you don’t want to win.”

Account takeover for financial access

Once an email is compromised, account takeover (ATO) is a logical next step. Account takeover fraud occurs when a cybercriminal gains access to unique details of a trusted user’s online accounts by posing as the real customer using ill-gotten ID details.

Once criminals have this much detailed identity information and an email channel, they can:
• Open new credit card accounts
• File fraudulent tax returns on your behalf
• Amend your credit reports
• Take over your online accounts and change account details
• Make purchases
• Withdraw cash from accounts, including accounts you did not open
• Breach your company’s data or systems using your own employee access

Hacking business payment and approval systems

Personal and business email hacks can easily lead to hacks of business approval and payment systems. And bigger account hacks can result in massive ATO fraud with higher potential payouts. Cybercriminals often specifically “spearphish” emails of high net-worth individuals and officers in charge of corporate payment approvals, hoping to make large, unauthorized payments. As Brett notes, “spearphishing” is now more than 80 percent successful.

Small businesses should be particularly vigilant. Forty-three percent of cyberattacks target small businesses, and 60 percent of small businesses that are compromised close their doors within months because the financial damages are simply too massive to bear (Small Biz Trends).

Take preventive steps

As Johnson warns, “Fraudsters like people who assume it cannot happen to them.” That ignorance usually leaves these people more vulnerable, and often unaware when an incident occurs.

Here are ways to help avoid being victimized:
  • Check your online financial account activity often
  • Add two-factor authentication to all your accounts
  • Change your passwords often, especially for email, and use high-security formats
  • Don’t use the same or similar passcodes for multiple accounts
  • Avoid using public information in passcodes, such as your date of birth
  • Change the privacy settings on your social media accounts to prevent strangers from viewing your personal or family information
  • Use unique, unknowable information on your “personal questions” for account authentication

Preventive measures for businesses

Every business, no matter the size, should have a fraud prevention plan in place before an incident occurs. Employees should be trained on what to do, and the plan should be refreshed often.

Fraud prevention practices that can help support your plan:
  1. Enforce dual administrative approval on all accounts
  2. Segregate duties so that a fraudster can’t access multiple powers with one hack (e.g., payment approvals)
  3. Train your employees not to open unknown, or even personal, email attachments or links on company computers
  4. Keep systems patched with the latest upgrades
  5. Take advantage of monitoring tools
  6. Protect yourself from email fraud by adding known contacts to the “Safe Senders” list in your email settings
  7. Practice protocols for breach control, and train your current and new employees regularly
  8. Consistently assess your fraud prevention plan for vulnerabilities

Take advantage of SVB’s fraud prevention and mitigation tools

  • Online payments and ACH approval tool
  • IBM Trusteer Rapport® fraud detection and mitigation software
  • SVB Security Alerts and Notifications
  • Fraud control services, like check fraud mitigation tools
  • SVB’s complimentary risk assessment report — contact your SVB representative for details

As SVB CIO Nick Shevelyov advises, technology is a double-edged sword; it enhances our lives, but it can also make us vulnerable. Don’t give away your hard-earned gains. Stay vigilant; it’s worth the effort.

For more information

Outside resources:

Contact U.S. Government agencies and industry groups that can assist with identity theft and cybercrime prevention, including the following:

FBI Internet Crime Complaint Center
File a report with the FBI concerning suspected internet-facilitated criminal activity.

US Secret Service
The Electronic Crimes Task Force's mission is to protect and investigate areas of cyber banking and finance.

US-CERT
The United States Computer Emergency Readiness Team is a center specifically for cyber defense, incident response, and operational integration.

National Institute of Standards and Technology implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.

Trusteer is an independent third party and is not affiliated with SVB Financial Group. IBM Security Trusteer Rapport is an IBM software product offered by Silicon Valley Bank. IBM is solely responsible for the performance and maintenance of its product, as well as for related customer service and support.  

FBI Crime Complaint Center, United States Computer Emergency Readiness Team, U.S. Secret Service, and National Institute of Standards are 3rd party government agencies not affiliated with Silicon Valley Bank or SVBFG.


About the Author

Rob is SVB's Deputy Bank Secrecy Act (BSA) Officer, responsible for fraud and anti-money laundering investigations. He has spent more than 20 years in banking focused on risk management, information technology, and decision science. Prior to joining SVB, Rob served as the manager of operations for Financial Crimes Investigations with Wells Fargo Bank.