Bankers go undercover to catch bad guys
Funny, you don't look like a banker
FIVE years ago MI5,Britain's security service, sent a document to British firms, giving warning that Chinese spies could be seeking to “exploit vulnerabilities such as sexual relationships” among Western businesspeople. Moneymen are obvious targets for honey traps, but they can set them too—as they are increasingly doing to catch cyber-fraudsters.
A midsized American bank has taken a leaf out of Ian Fleming's book with a project, known internally as “Honey Banker”, to smoke out fraudulent payments. It has created a coterie of non-existent bankers, with fake e-mail addresses and biographies, whose details appear on bogus web pages not linked to the rest of the bank's website. If a transfer request comes in to one of these aliases, it is likely to be from a fraudster. The bank blocks the sender's internet address, pending further investigation.
Though not yet widespread, this sort of counter-intelligence tactic is becoming more common as banks look for creative ways to ensnare the online scammers, says Aaron Glover, a fraud expert at SunTrust, another American bank. Some banks have hired professional spies, as HSBC did when it employed a former head of MI5.
The amount a fraudster can steal depends on the number of “mule” accounts—set up by paid or cajoled accomplices—that he has to divert funds into. This number is constrained by account-opening restrictions, including requirements that accounts have to be opened in person. East European crime rings will pay mules to fly toAmerica, where they can set up accounts as non-resident aliens. Other fraudsters will persuade gullible Americans to open accounts in their own name and hand over the details, after convincing them that they have been picked as “secret shoppers” to rate bank service. Even so, “scammers have a finite supply of mule accounts,” says Mr Glover. “The more of them that can be identified and shut off using undercover operations, the less room [criminals] have to operate.”
Banks are also using similar strategies to infiltrate the dark recesses of the internet in which criminals buy and sell stolen financial data. A fraud investigator at a large American bank says that since the massive theft of credit-card data last year from Target, a retailer, his bank has become a more active participant in “carder forums”, where card numbers are hawked for between $20 and $100 apiece, often in batches of 1m or more. Two recent sales were dubbed “Tortuga” and “Eagle Claw”.
银行也使用类似的策略渗透到互联网的黑暗角落,罪犯在这里购买和出售偷来的财务数据。一个美国大型银行的欺诈调查员说,自从去年从一个名为Target的零售商店那里发生大量盗用信用卡数据的事件后，他所在的银行变得更加活跃的参与 “持卡人论坛” ,在这里人们叫卖信用卡号从每个20美元到100美元不等,通常一次性交易一百万串卡号或更多。最近的两次交易代号为“龟岛”和“鹰爪”。
Some banks scour the forums in the hope of gathering intelligence on which of their cards have been compromised, so they can cancel them before they are sold on—as opposed to waiting for suspect transactions to appear on statements. A few banks are even believed to have bid in black-market bazaars to buy the details of cards they suspected they issued themselves, but could not identify for certain because details were concealed until purchase, in order to learn more about where and when data breaches occurred.
This subterfuge partly reflects the need to be more proactive in the face of rampant cyber-fraud. But there is a regulatory motive, too.America's Financial Crimes Enforcement Network, the arm of the Treasury tasked with fighting illicit finance, has been broadening its definition of money laundering, bankers say. This raises the prospect of large fines for inadequate anti-money-laundering controls for banks that aren't deemed to be doing enough to combat these scourges. Some bankers may feel they have as much to fear from the agencies that regulate them as from the criminals who infiltrate them.