Recognizing that cybercriminals are using increasingly more sophisticated methods to obtain access to bank accounts, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an Advisory on December 19, 2011 to assist financial institutions with identifying and reporting account takeover activity through the filing of Suspicious Activity Reports (SARs). FinCEN explained that account takeover is distinct from other forms of computer intrusion because account takeover targets the customer rather than the account-holding institution. Account takeovers often involve unauthorized access to PINs, account numbers, and other identifying information obtained through the use of malware such as SQL injection attacks, spyware, Trojans and worms. (An explanation of these techniques is found in the chart below).
Computer intrusion generally refers to gaining access to a computer system of a financial institution to: (i) remove, steal, procure or otherwise affect funds of the financial institution or the institution’s customers; (ii) remove, steal, procure or otherwise affect critical information of the financial institution including customer account information; or (iii) damage, disable, disrupt, impair or otherwise affect critical systems of the financial institution. But, with account takeovers, at least one of the targets is a customer holding an account at the financial institution with the cybercriminal’s ultimate goal being to remove, steal, procure or otherwise affect the funds of the targeted customer.
According to the FinCEN Advisory, financial institutions are advised to be particularly vigilant of irregularities with a customer’s account such as unusual ATM activity, clustered Automated Clearing House (ACH) transactions in different geographic areas, sudden wire transfers, or changes to customer and account profiles. If a financial institution suspects an account takeover and is required to file a SAR, financial institutions are encouraged to, among other things, use the term “account takeover fraud” in the narrative section of the SAR and provide a detailed description of the activity. The complete Advisory is available here