Fraud & Cybersecurity

June 13, 2025: Fraud & Cybersecurity Articles


China Could Be Accessing Browsing Data on VPNs

Julia Shapero, The Hill

More than a dozen private browsing apps on Apple and Google’s app stores have undisclosed ties to Chinese companies, leaving user data at risk of exposure to the Chinese government, according to a new report from the Tech Transparency Project.

Thirteen virtual private network (VPN) apps on Apple’s App Store and 11 apps on Google’s Play Store have ties to Chinese companies, the tech watchdog group said in the report released Thursday. Chinese law requires Chinese companies to share data with the government upon request, creating privacy and security risks for American users.

Several of the apps, including two on both app stores and two others on Google Play Store, have ties to Chinese cybersecurity firm Qihoo 360, which has been sanctioned by the U.S. government, according to the report. The Tech Transparency Project previously identified more than 20 VPN apps on Apple’s App Store with Chinese ties in an April report. The iPhone maker has since removed three apps linked to Qihoo 360.

“After being informed of this issue once already, Apple and Google continue to make many of these VPN apps available to Americans without warning them of the security risks,” said Michelle Kuppersmith, executive director at Campaign for Accountability, the group behind the Tech Transparency Project. Read more


First Person: How Fraud Found My Family

Maddy Perkins, The Financial Brand

Six words I didn’t want to hear: “Something weird happened with the bank.”

Amid a rush to find a new apartment after my landlord decided to sell at the last minute, my mother and I had been dividing and conquering the multi-step cashflow nightmare of signing a new lease in the New York City area. Deposit, two months rent, broker fee. Several banker’s checks. It was all moving too quickly and something had to go wrong.

“Some guy from Chase called and told me I had two fraudulent transactions — $1,500 and $3,000 — processing via Zelle and that I had to act quickly to cancel,” she said. The man on the phone went on to give her a “cancellation code,” a code for “a manager at Chase” and instructed her to plug them into Zelle’s recipient field. Knowing something felt off, she checked to see if there were any pending transactions. There weren’t any she could find. She plugged in the “codes” and noticed they added a new recipient. He explained that by inputting the codes, she would stop the bad transactions before they went through. “Shouldn’t you guys be handling this?” she asked. “No, there’s not enough time.” She hung up — it was too suspicious. It appears the “codes” were likely Zelle usernames made to look like codes.

In my decade of covering the financial services industry, I’ve come across, written and edited countless stories on fraud. I, too, could smell B.S. Mom told me the call came from a number identified as “Chase” on caller ID. Curiously, he knew her name and that she was an accountholder.

I urged her to call Chase. They confirmed they saw no fraudulent transactions processing. It was weird that someone called, they said, but it wasn’t them. Nothing they could do. Read more


Fog Ransomware Attack Uses Unusual Mix of Legitimate and Open-Source Tools

Bill Toulas, Bleeping Computer

Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.

The Fog ransomware operation was first observed in May of last year leveraging compromised VPN credentials to access victims’ networks. Post-compromise, the attackers used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.

Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.

New attack toolset
Researchers at Symantec and the Carbon Black Threat Hunter team discovered the unusual attack toolset during an incident response last month on a financial institution in Asia. Symantec couldn’t determine the initial infection vector but documented the use of multiple new tools that have not been previously seen in such attacks.

The most unusual and interesting of those is Syteca (formerly known as Ekran), a legitimate employee monitoring software that records screen activity and keystrokes. The attackers could use the tool to collect information like account credentials employees type in unaware that they are monitored remotely. Read more


Banking Groups Urge US Treasury to Improve Security After Email Hack

Jake Bleiberg, Bloomberg

Financial-sector trade groups are urging the US Treasury Department to bolster its cybersecurity in response to hackers intercepting the sensitive emails of more than 100 bank regulators for more than a year.

In a letter sent Monday to Treasury Secretary Scott Bessent, the associations urged federal regulators to strengthen their data-protection standards and inform organizations they oversee about security breaches affecting their data within three days. They also suggested that regulators stop requiring banks and other financial institutions to submit sensitive information through online portals or email.

The American Bankers Association, Bank Policy Institute, Managed Funds Association and Securities Industry and Financial Markets Association signed the letter.

“We are deeply concerned about the cybersecurity risk management practices at federal regulatory agencies, and the need for critical reforms to ensure the supervisory process does not introduce unnecessary risk to firms through regulators’ own security weaknesses,” the groups said in the letter, which was reviewed by Bloomberg News. Read more

June 6, 2025: Fraud & Cybersecurity Articles


Four Ways Banks Can Turn Fraud into a Loyalty Play

Suman Bhattacharyya, The Financial Brand

Executive Summary

  • Fraud often casts financial institutions in a poor light, leaving customers feeling ignored and at risk of churn.
  • Proactive communication, improved service standards, and smart use of tech can help keep these customers loyal.
  • While automation is key to streamlining how financial institutions handle claims and disputes, human touch remains important as it makes customers feel heard and cared for.
  • The need for banks to meet service standards set forth by regulators doesn’t mean they can’t aim higher.

When customers fall victim to fraud, it can undermine trust, leaving them feeling vulnerable and exposed.

Banks can respond by relying on legalese and process instead of empathy — but that typically makes a bad situation worse for both parties.

Efficient fraud resolution processes matter to customers. Poorly handled incidents increase the risk of customer churn, recent research shows. In a survey of 1,000 credit card fraud victims conducted by fintech firm Quavo last year, two thirds of respondents said they would be “highly or extremely likely” to switch banks due to long, tedious dispute resolution processes.

Experts say financial institutions can turn these events into opportunities to build trust. To succeed, they need to be proactive — investing in better fraud detection technology, communicating empathetically after an incident, and sometimes going above and beyond what’s required to make things right. Read more


Banks Struggle to Talk About Fraud

Lynne Marek, Banking Dive

Financial institutions battling an increase in fraud, particularly push-payment scams, have been stymied in sharing information that might help them better protect customers.

Financial institutions are facing a flood of fraud, from push-payment scams to business email compromises to bad checks. Nonetheless, they’re often stymied in trying to work together to root out bad actors.

That was painfully clear to attendees listening to several panel discussions at the Nacha Smarter Faster Payments conference last month. The industry event attracted about 2,100 payments, bank and credit union professionals between April 27 and April 30 in New Orleans.

Push-payment schemes, also known as credit-push fraud, that move over Nacha’s ACH and other electronic payment rails have been particularly problematic. In these situations, consumers and companies are duped into sending payments to criminals under false pretenses, but because they do so voluntarily, it’s more difficult to combat.

It’s become a pain point partly because the financial system revolves around monitoring for crooks sending payments, not those receiving them. Today, “mule” accounts belonging to unsuspecting holders are used by criminals to receive funds that are quickly drained. Read more


Palm Scanning Gains Ground as Retail Biometric of Choice

Wesley Grant, Payments Journal

Fingerprint and facial scanning are commonplace due to their use in mobile devices, but palm scanning is finding a niche in retail.

One of the main reasons palm biometrics have been adopted in new merchant implementations across Europe, Asia, and the Middle East is that they don’t require users to touch the scanner. Additionally, palm scans are highly accurate and secure due to the uniqueness of palm ridges and veins.

China’s tech giant Tencent has led several recent palm payment initiatives, including a new launch in Thailand to compete with rival Alipay’s PL1 palm reader. Early trials of Tencent’s platform have focused on convenience stores, where the demand for frictionless checkout may drive biometric adoption.

In Europe, Poland’s Autopay is piloting its HandGo palm payment system. The company has highlighted the product’s potential impact in the wellness and sports industries.

Fan Facial Recognition
Sports arenas are becoming a proving ground for payments, as they can reduce long queues and improve the fan experience. Biometric authentication is a natural fit in these environments, but U.S. consumers’ relative comfort with facial recognition has positioned this technology ahead of palm scanning. Read more


ICYMI: Infrastructure Laundering Blending in with the Cloud

Krebs on Security

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers.

Research published this week on one such outfit — a sprawling network tied to Chinese organized crime gangs and aptly named “Funnull” — highlights a persistent whac-a-mole problem facing cloud services.

In October 2024, the security firm Silent Push published a lengthy analysis of how Amazon AWS and Microsoft Azure were providing services to Funnull, a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, pig butchering scams, gambling websites, and retail phishing pages.

Funnull made headlines last summer after it acquired the domain name polyfill[.]io, previously the home of a widely-used open source code library that allowed older browsers to handle advanced functions that weren’t natively supported. There were still tens of thousands of legitimate domains linking to the Polyfill domain at the time of its acquisition, and Funnull soon after conducted a supply-chain attack that redirected visitors to malicious sites. Read more
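The polyfill[.]io takeover described above is the standard failure mode of a cross-origin script dependency: whoever controls the domain controls what runs in every visitor’s browser. The following is an added example, not code from Krebs on Security, Silent Push or Funnull, of the audit a site owner can run over their own HTML. It flags script tags that point at a host on a blocklist of known-hijacked domains (the list here is a constructed assumption, seeded only with the polyfill host named in the article) and any other cross-origin script that carries no Subresource Integrity attribute. The sample page and its hash value are constructed placeholders.

```python
"""Audit <script src=...> tags for the polyfill.io failure mode.

A third-party script loaded without Subresource Integrity (SRI) executes
whatever the current owner of that domain serves. Two checks:
  1. flag scripts from hosts known to have changed hands (blocklist), and
  2. flag any remaining cross-origin script that has no integrity attribute.
Added example; the blocklist and the sample page are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed blocklist: hosts the article names as taken over. In practice this
# would be fed from threat intel, not hard-coded.
HIJACKED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Constructed sample page (not from any real site). The integrity value is a
# placeholder, not a real hash.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.net/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example-cdn.net/other.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, page_host):
    """Return [(src, reason)] for script tags that deserve attention.

    page_host is the hostname the page itself is served from; scripts on that
    host or at relative paths are first-party and skipped.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: not a remote dependency
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: served from the page's own origin
        if host in HIJACKED_HOSTS or any(host.endswith("." + h) for h in HIJACKED_HOSTS):
            findings.append((src, "known-hijacked host"))
        elif host != page_host and "integrity" not in attrs:
            findings.append((src, "cross-origin script without SRI"))
    return findings


if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print(f"{reason}: {src}")
```

One caveat worth knowing: SRI would not have protected sites that kept the polyfill reference, because polyfill.io served different content depending on the requesting browser’s User-Agent, so no single hash could match. For that dependency the only fix was removing the tag (or self-hosting a pinned copy), which is why the first check above flags the host outright instead of asking for an integrity attribute.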

May 30, 2025: Fraud & Cybersecurity Articles


Cybercriminals Exploit AI Hype to Spread Ransomware, Malware

Bill Toulas, Bleeping Computer

Threat actors linked to lesser-known ransomware and malware projects now use AI tools as lures to infect unsuspecting victims with malicious payloads.

This development follows a trend that has been growing since last year, starting with advanced threat actors using deepfake content generators to infect victims with malware. These lures have become widely adopted by info-stealer malware operators and ransomware operations attempting to breach corporate networks.

Cisco Talos researchers have discovered that the same technique is now followed by smaller ransomware teams known as CyberLock, Lucky_Gh0$t, and a new malware named Numero. The malicious payloads are promoted via SEO poisoning and malvertising to rank them high in search engine results for specific terms.

AI tool impersonation
CyberLock is PowerShell-based ransomware delivered through a fake AI tool website (novaleadsai[.]com) posing as the legitimate novaleads.app. Victims are lured by offers of a free 12-month subscription, leading them to download a .NET loader that deploys the ransomware. Read more


Telling the Security Story: How FIs Can Leverage Security Centers to Fight Fraud

Wesley Grant, Payments Journal

In response to fraud attacks that increasingly target individuals, there have been continued calls to ramp up consumer education.

Many financial institutions have introduced security centers in mobile banking apps that are designed to keep customers informed on the latest threats.

Although this is a positive step, as Lea Nonninger, Digital Banking Analyst with Javelin Strategy & Research, found in the report “Security Centers in Digital Banking: How to Tell an Empowering Story of Prevention, Detection, and Resolution,” many security centers still have room to improve.

Shifting to Empowerment
In the past, financial institutions largely took the tack that security matters were better handled behind the scenes. The thinking was that it was best not to worry customers with a constant barrage of updates about potential threats.

As more financial institutions have realized that consumers are an integral part of security, they should now focus on including more education within their security centers. This can pay dividends by helping customers feel more confident in spotting and addressing fraud. In turn, they are more satisfied with their banking relationship. Read more


Russian Government Hackers Caught Buying Passwords from Cybercriminals

Ryan Naraine, Security Week

Microsoft flags a new Kremlin hacking team buying stolen usernames and passwords from infostealer markets for use in cyberespionage attacks.

Microsoft on Tuesday published technical documentation on a new Russia-linked espionage outfit it calls “Void Blizzard,” warning that the group has spent the past year quietly looting e-mail, files and even Teams chats from government and defense contractors across Europe and North America.

In a new report published in tandem with Dutch intelligence agencies, Redmond’s threat hunting team said the Kremlin hacking team is leaning heavily on the low-cost end of the cybercrime economy: buying stolen usernames and passwords from infostealer markets for use in password-spraying attacks.

In recent weeks, Microsoft said it watched the team adopt a more surgical “adversary-in-the-middle spear-phishing” tactic that spoofs the Microsoft Entra login page with a typo-squatted domain and a malicious QR-code invitation to a fake European defense summit.

While the techniques are textbook for government-level cyberespionage campaigns, the targeting is very specific with a victim list that overlaps with other Russia-linked cyberspies, Microsoft said, noting that the Russian hackers are likely pilfering wartime intelligence that can be fed back into military or diplomatic planning.  Read more
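Password spraying with purchased infostealer credentials has a recognisable shape in sign-in telemetry: one source tries a handful of passwords against many different accounts, so no single account trips a lockout threshold. The detector below is an added example, not Microsoft’s or the article’s code, run over a constructed set of sign-in log lines in an assumed “timestamp user src_ip result” format. It reports a source IP when, inside a sliding window, it fails against at least five distinct users with no more than two failures per user, and lists any account that the same source then signed into successfully. The sample also contains a classic brute force (many failures against one user) to show that the two patterns are told apart.

```python
"""Password-spray detector over constructed sign-in log lines.

A spray tries one or two passwords against many accounts from the same
source, so the tell-tale is: one source IP, many distinct usernames, few
failures per user, inside a short window. A brute force against a single
account has the opposite shape and is reported by per-user lockout instead.
Added example; log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp user src_ip result".
# 203.0.113.7 sprays six accounts and gets into frank's;
# 198.51.100.9 hammers alice alone (brute force, not a spray);
# 192.0.2.44 is an ordinary successful sign-in.
SAMPLE_LOG = """\
2025-05-20T09:00:01Z alice 203.0.113.7 FAIL
2025-05-20T09:00:03Z bob 203.0.113.7 FAIL
2025-05-20T09:00:05Z carol 203.0.113.7 FAIL
2025-05-20T09:00:07Z dave 203.0.113.7 FAIL
2025-05-20T09:00:09Z erin 203.0.113.7 FAIL
2025-05-20T09:00:11Z frank 203.0.113.7 SUCCESS
2025-05-20T09:00:20Z alice 198.51.100.9 FAIL
2025-05-20T09:00:25Z alice 198.51.100.9 FAIL
2025-05-20T09:00:30Z alice 198.51.100.9 FAIL
2025-05-20T09:00:35Z alice 198.51.100.9 FAIL
2025-05-20T09:00:40Z alice 198.51.100.9 FAIL
2025-05-20T09:00:45Z alice 198.51.100.9 FAIL
2025-05-20T09:30:00Z bob 192.0.2.44 SUCCESS
"""


def parse_line(line):
    """Split one log line into (datetime, user, src_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Return {src_ip: {"users": n, "successes": [...]}} for spraying sources.

    For each source IP, slide a time window over its events and count
    failures per distinct user; a window with >= min_users users and
    <= max_per_user failures each is a spray. Any SUCCESS from the same
    source inside that window is the account the attacker got into.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it is within `window` of the end.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            fails_per_user = defaultdict(int)
            for _, user, result in window_evs:
                if result == "FAIL":
                    fails_per_user[user] += 1
            if (len(fails_per_user) >= min_users
                    and max(fails_per_user.values()) <= max_per_user):
                successes = sorted({u for _, u, r in window_evs if r == "SUCCESS"})
                hits[ip] = {"users": len(fails_per_user), "successes": successes}
    return hits


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {info['users']} users tried, "
              f"compromised: {info['successes'] or 'none'}")
```

The thresholds are assumptions to tune per environment; against a real identity provider the same logic would group by source IP and, for a distributed spray, by user-agent or by the password hash length the provider exposes, since attackers rotate IPs to stay under per-source limits. The successful sign-in following the failures is the alert that matters: it is the account to reset and the session to revoke.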


ICYMI: New Treasury Pro Survey Shows Fraud’s Penetration into US Financial Services

Scott Hamilton, Finextra

There’s hope in them thar hills… or, at least, with some of the responses showing dips among several new peaks in one of the US financial service arena’s largest and longest-running annual payments fraud surveys.

These insights from treasury colleagues across the country might not be worth their weight in gold. In fact, though the results include mostly bad or ‘not great’ news, they are probably worth much more than a few ounces of precious metal to corporate treasurers, finance teams, accounts payable directors, fintech leaders and managers, and of course, banks and credit unions.

Payments fraud in 2024, as reported in the findings of the 2025 AFP Payments Fraud and Control Survey, was down overall vs. the previous year – by a narrow margin. Meanwhile, “classic BEC” (Business Email Compromise) scams may be declining – even if they’re just morphing into other forms.

However, with that sliver of hope comes more news on just how harmful financial fraud is and can be to those who are targeted and lose billions every year to the criminals. These statistics and comments from financial professionals illustrate just how creative and persistent financial fraudsters have become in the US, and across the globe. Read more

May 23, 2025: Fraud & Cybersecurity Articles


Taming the Hacker Storm: Why Millions in Cybersecurity Spending Isn’t Enough

Stu Sjouwerman, Security Week

Despite massive investment, the explosion of sophisticated malware and deepfake attacks persists because organizations struggle to verify digital identities and establish fundamental trust.

According to the AV-TEST Institute, more than 450,000 new malicious applications are found every day, illustrating the rapid rate of malware spread. Despite substantial investments in cybersecurity, why are malware and hackers so ubiquitous? Because we cannot stop what we cannot see or identify. With AI-driven deepfakes, attackers can assume anyone’s identity to create convincing impersonations and execute successful attacks. Our inability to discover their true identities has worked in favor of threat actors, enabling them to easily evade arrest.

The Pervasive Trusted Ecosystem
The key to taming the hacker storm is founded on the core principle of trust: that the individual or company you are dealing with is who or what they claim to be and behaves accordingly. Establishing a high-trust environment can largely hinder hacker success. Following are elements defining a pervasive, trusted ecosystem:

Trusted identities: A key component of establishing trust between interacting parties is ensuring the identities of all participants are verified and authenticated, where desired and agreed upon by all parties in the communication stream.

There can be three types of identities: Real ID, or real identity, tied to human identity, which is strongly authenticated and assured. Pseudo identity, or pseudo anonymity, is like a made-up label. An example of this is an email address that is not necessarily a person’s real name (e.g., rogerg@knowbe4.com, digsrock32@gmail.com) or strongly verified as belonging to a particular person. I could make up a fake email address claiming I’m Bill Gates (e.g., BillGatesMicrosoftBestCEO@hotmail.com) and there isn’t any identity mechanism to stop me. Most email addresses and logon names on the Internet are that type of identity today. Read more


Five Lawsuits Target Credit Union Over Data Breach

Peter Strozniak, Credit Union Times

Five former members of the $544 million Neighbors Credit Union in St. Louis filed separate proposed class action lawsuits over a September 2024 data breach that allegedly exposed members’ personal information to a cybercriminal group known as Black Suit.

Former Neighbors member Richard Wilbur said he received a May 7 letter from the credit union that it recently detected suspicious activity within its computer network. Wilbur is one of five former members who filed a civil lawsuit against the credit union in Missouri federal court earlier this month.

The credit union said it launched an internal investigation, notified law enforcement and worked to secure the computer network. Neighbors also hired a forensic security firm. The investigation determined that an unknown and unauthorized third party accessed the credit union’s computer system between Sept. 20 and Sept. 21, 2024, and acquired certain files. However, it was not until Jan. 14 when the credit union said it determined the identified files contained personal information that included Wilbur’s name and his Social Security number.

The credit union, which currently serves 47,326 members, has not disclosed the number of former and current members affected by the breach. Wilbur’s lawsuit cited a notice from the Texas Attorney General’s office indicating that 2,406 members residing in the Lone Star State were impacted by the breach. He alleged that the credit union delayed notifying members for 229 days after the breach began, which prevented members from making timely mitigation efforts. Read more


Hackers Are Distributing a Cracked Password Manager That Steals Data, Deploys Ransomware

Sead Fadilpašić, TechRadar Pro

Cybercriminals are distributing a tainted version of a popular password manager, through which they’re able to steal data and deploy ransomware.

This is according to security researchers WithSecure Threat Intelligence, who recently observed one such attack in the wild.

A tainted version of KeePass is making rounds

  • A malicious variant of KeePass is being offered online
  • The malware deploys an infostealer and a Cobalt Strike beacon
  • The cybercriminals are using the access to deploy ransomware

In an in-depth analysis published recently, the researchers said a client of theirs downloaded what they thought was KeePass – a popular password manager. They clicked on an ad from the Bing advertising network, and landed on a page that looked exactly like the KeePass website.

The site, however, was a typosquatted version of the legitimate password manager. Since KeePass is open-source, the attackers kept all of the legitimate tool’s functionalities, but with a little extra Cobalt Strike on the side. Read more


3AM Ransomware Uses Spoofed IT Calls, Email Bombing to Breach Networks

Bill Toulas, Bleeping Computer

A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.

This tactic was previously linked to the Black Basta ransomware gang and later observed in FIN7 attacks, but its effectiveness has driven a wider adoption. Sophos reports seeing at least 55 attacks leveraging this technique between November 2024 and January 2025, linked to two distinct threat clusters.

Those attacks followed the Black Basta playbook, including email bombing, vishing via Microsoft Teams, and Quick Assist abuse. The leak of Black Basta’s internal conversations helped other threat actors get up to speed, as it included a template to use during Microsoft Teams phishing attacks impersonating IT help desks.

The 3AM ransomware attack, targeting a Sophos client, occurred in the first quarter of 2025 and used a similar approach but with a twist of real phone phishing instead of Microsoft Teams. The threat actors spoofed the target’s real IT department’s phone number to make the call appear legitimate. The call happened during an email bombing wave of 24 unsolicited emails received in three minutes.

The attacker convinced the employee to open Microsoft Quick Assist and grant remote access, supposedly as a response to malicious activity. Next, the attacker downloaded and extracted a malicious archive from a spoofed domain, containing a VBS script, a QEMU emulator, and a Windows 7 image pre-loaded with QDoor backdoor. Read more

May 15, 2025: Fraud & Cybersecurity Articles


Bags of Cash from Drug Cartels Flood Teller Windows at U.S. Banks

Dylan Tokar, Wall Street Journal

Chinese money-launderers allegedly made six-figure deposits at Chase, Bank of America and Citibank branches across Los Angeles County

On a hazy Southern California morning, undercover police officers watched Jiayong Yu step out of a Range Rover in a strip-mall parking lot and walk into a Chase bank with a black-leather backpack full of cash. At the teller window, Yu pulled out stacks of bills and waited while a woman fed them into a cash-counting machine. After Yu left, an officer asked the teller if he had deposited more than $10,000, the threshold requiring banks to flag transactions to federal regulators.

More like $100,000, the teller said. By then, Yu was already on his way to Chase and Bank of America branches in Claremont, Calif., about 35 miles away. Federal authorities allege that Yu worked for an underground banking network that bought dollars at a discount from Mexico’s Sinaloa drug cartel and sold them at a premium, largely to Chinese nationals in the U.S.

The network allegedly handled some $50 million in proceeds from drug trafficking over four years, depositing a portion of the tainted cash at ATMs and teller windows at major banks including Citibank in cities around Los Angeles County, according to federal prosecutors.

Similar money-laundering operations operate in plain sight around the U.S., hiding the staggering returns which are the sole reason cross-border cartels smuggle the fentanyl, methamphetamine, cocaine and other illegal drugs consumed by millions of Americans, according to current and former law-enforcement officials and court records. Read more


INSIGHT: Reflections and Future Vision After 25 Years of Evolution in AML Compliance

Sujata Dasgupta, Anti-Financial Crime & Financial Crime Compliance

It was Y2K, or the year 2000 when I started my first job. I had joined India’s largest public sector bank along with a fresh batch of recruits and trained across all the different banking functions.

We started with account opening and moved across various desks – deposits, withdrawals, loans, accounting & ledgers (including trial balance), forex and so on. This was a time when the bank was moving from manual entries to computerization of banking operations, and I do not recall hearing the words KYC or AML. Account opening simply consisted of filling out a physical form in the branch, which was just two pages for individuals and slightly longer for entities. There was no core banking at that time, so branches were standalone.

As we approach the middle of 2025, I cannot think of any other banking function that has transformed as dramatically and on the road to more disruption as KYC-AML, while acquiring the name ‘financial crime compliance’ (FCC) somewhere along this journey!

What Changed and How
The 9/11 attacks of 2001 have arguably been the most pivotal moment in transforming how KYC and AML were performed, which also prompted including CTF (countering terrorist financing) in its fold. The U.S. enacted the USA PATRIOT Act in response to this tragedy. The rest of the world followed suit, and a slew of AML regulations were enacted in every part of the world. Global organisations like the UN, FATF and the Wolfsberg Group came up with more comprehensive guidelines and recommendations on AML, now including CTF in scope. Read more


Cybercrime Spree That Hobbled British Retailers Now Aimed at U.S., Google Says

Kevin Collier, NBC News

At least three top British retailers have experienced cyberattacks in recent weeks.

Hackers behind a series of destructive, financially motivated cyberattacks against some of the U.K.’s largest retailers are now going after big American brands, Google said Wednesday. “Major American retailers have already been targeted,” John Hultquist, the chief analyst for Google’s Threat Intelligence Group, told NBC News.

At least three top British retailers have experienced cyberattacks in recent weeks. Marks & Spencer was forced to pause online orders for weeks. Hackers who contacted the BBC provided evidence of “huge amounts of customer and employee data” stolen from the Co-op Group. The third, Harrods, restricted some internet access at store locations, though a spokesperson told NBC News that it has not seen evidence that customer data was stolen.

Hultquist declined to name which American retailers the hackers may be going after. The National Retail Federation, which represents thousands of companies including Walmart and Target, acknowledged the threat.

“U.S.-based retailers are aware of the threats posted by cybercriminal groups that have recently attacked several major retailers in the United Kingdom, and many companies have taken steps to harden themselves against these criminal groups’ tactics over the past two years,” Christian Beckner, the NRF’s vice president of retail technology and cybersecurity, told NBC News in a statement. Read more


RansomHub Tops Group-IB’s 2025 list of Most Prolific Cybercriminal Groups

Gintaras Radauskas, Cybernews

RansomHub, a ransomware-as-a-service (RaaS) operation, is topping the list of the most prolific cybercriminal groups that Group-IB, a cybersecurity company, has investigated this past year.

To compile the list of the Top 10 Masked Actors for 2025, Group-IB dove into its very own High-Tech Crime Trends Report, full of in-depth insights from over 1,550 successful investigations. Cybercrime rates keep growing, Group-IB CEO Dmitry Volkov said. Ransomware attacks increased by 10% in 2023, and financial losses from cybercrime have reached staggering levels.

“As we turn our focus to 2025, the cybersecurity landscape will grow even more dynamic. Ransomware and APT (advanced persistent threat) tactics will evolve, pushing defenders to adopt increasingly proactive, intelligence-driven approaches,” said Volkov.

We’ll steal your face and your money
Group-IB says its Top 10 list of cybercrime’s main villains is precisely that: proactive reporting about the threats so that more potential victims would know what to expect. According to the company, the criminal organizations included in the list were identified “through extensive intelligence, highlighting the scale, sophistication, and impact of these active threat groups across sectors and geographies.” Read more

May 9, 2025: Fraud & Cybersecurity Articles


Huge Ecosystem of Unregulated Payment Providers Helps Scammers Collect Victims’ Money

Tom Stocks, Holger Roonemaa, Lawrence Marzouk, Margaux Farran, Begoña Ramirez & Richard Smith; Organized Crime and Corruption Reporting Project

Key Findings

  • Scammers seeking to move money from their victims can access the global banking system quickly, while distancing themselves from the transactions, through a large number of services they referred to internally as “payment service providers,” though they were not licensed and did not appear to correspond to real legal entities in most cases.
  • Some of these payment services, like one operating under the name Bankio, provided scammers with instant access to bank accounts they could instruct their victims to send money to.
  • Bankio and other providers would also create invoices for non-existent goods or services that the scammers could use to justify the transfer of funds.
  • Another payment system helped funnel millions of euros out of Spain through over a dozen companies and 18 bank accounts, including some at major banks.
  • In the U.K., a system known to scammers as “Britain Local” connected call centers to U.K. bank accounts held by companies owned by apparent proxies. Experts said the movement of funds through these bank accounts raised several red flags for money laundering.
  • Scammers coach their victims in how to bypass anti-fraud controls at major commercial banks, and often instruct them to open new accounts at online-first “neobanks” to make it easier for them to send money without facing questions.

“Liliana Molina” was a scammer based in a call center in Tbilisi. Over the course of a few weeks in March and April 2024, she had spent hours on the phone with “Mark,” a cheerful British tradesman, convincing him to invest in what she insisted were can’t-lose cryptocurrency and stock opportunities. “If … you do what I say, believe me, we’re going to be very profitable,” she told him. Finally, he agreed.

Payment needed to be arranged quickly. Liliana loaded up the messaging service Telegram and fired off a request to her call center’s finance department: “I need UK details for 7k please,” she wrote. Read more


Hacking Group That Wreaked Havoc on Las Vegas Appears to Be Back

Robert McMillan, Wall Street Journal

Attacks on U.K. retailers appear to mark comeback of ‘Scattered Spider,’ a network that has disrupted operations at dozens of corporations.

Key Points

  • Hacking group Scattered Spider, known for disrupting the Las Vegas Strip, is suspected in recent cyber intrusions at U.K. retailers.
  • Harrods, Marks & Spencer, and Co-op have reported cyber intrusions, with attacks bearing hallmarks of Scattered Spider’s methods.
  • Scattered Spider, which went silent after several arrests last year, uses social engineering and other methods to steal data and demand extortion payments.

The hacking group that once shut down half the Las Vegas Strip has returned and is causing turmoil at U.K. retailers. The hackers call themselves Star Fraud but are more widely known as Scattered Spider, a collective of largely young men and teenagers who have wreaked havoc across industries in recent years.

U.K. retailers Harrods, Marks & Spencer and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn’t been publicly named as the culprit of the hacks, but is suspected in at least some of them, according to people familiar with the investigation.

The attacks bear all the hallmarks of Scattered Spider attacks, disrupting online sales and certain payments and leading to the theft of customer data. The stores have remained open. Read more


White House Proposal Slashes Half-Billion from CISA Budget

Ryan Naraine, Security Week

The proposed $491 million cut is being positioned as a “refocusing” of CISA on its core mission “while eliminating weaponization and waste.”

The White House has signaled plans to cut the Cybersecurity and Infrastructure Security Agency’s (CISA) budget by $491 million on the grounds that the agency became a “censorship industrial complex” at the expense of cyber defense.

In budget documents sent to Congress, the proposed $491 million cut is being positioned as a “refocusing” of CISA on its core mission “while eliminating weaponization and waste.” “The Budget also removes offices that are duplicative of existing and effective programs at the State and Federal level,” according to documentation published by the White House.

“The Budget eliminates programs focused on so-called misinformation and propaganda as well as external engagement offices such as international affairs. These programs and offices were used as a hub in the Censorship Industrial Complex to violate the First Amendment, target Americans for protected speech, and target the President,” OMB Director Russell Vought wrote in his justification for the cuts.

“CISA was more focused on censorship than on protecting the Nation’s critical systems, and put them at risk due to poor management and inefficiency, as well as a focus on self-promotion,” the White House added. The White House justification was echoed by Department of Homeland Security Secretary Kristi Noem in an RSA Conference keynote that accused CISA of straying from its founding purpose. Read more


Google Identifies New Malware Linked to Russia-Based Hacking Group

Deborah Sophia, Reuters

Alphabet’s Google said on Wednesday it has identified new malware called “LOSTKEYS” tied to the Russia-based hacking group Cold River, which is capable of stealing files and sending system information to attackers.

The malware “marks a new development in the toolset” of Cold River, Wesley Shields, a researcher with Google Threat Intelligence Group, said in a blog.

Cold River, a name used to track hacking campaigns previously linked to Russia’s Federal Security Service, is primarily known for stealing login credentials for high-profile targets, including those within NATO governments, non-governmental organizations and former intelligence and diplomatic officers, Shields said in the blog. The central goal was intelligence collection in support of Russian strategic interests.

Recent targets, observed in January, March and April 2025, include current and former advisers to Western governments and militaries, as well as journalists, think tanks and NGOs, and unnamed individuals connected to Ukraine, according to the blog. The Russian embassy in Washington did not immediately respond to a request for comment.

Past high-profile campaigns have included targeting three nuclear research laboratories in the U.S. in the summer of 2022, and the publishing of the private emails of former British spymaster Richard Dearlove, alongside pro-Brexit individuals, in an operation revealed in May 2022.

May 2, 2025: Fraud & Cybersecurity Articles


Debunking Security ‘Myths’ to Address Common Gaps

Arielle Waldman, Dark Reading

Dan Gorecki and Scott Brammer’s interactive session during RSAC Conference 2025 encourages security professionals to rethink their security postures and address evolving and emerging risks.

Organizations struggling to implement and maintain a basic security foundation need to start rethinking compliance checklists. Following industry best practices generally includes managing authentication, compliance, and risk management issues. However, it can be difficult to know what items to prioritize and even more challenging to know which ones are necessary.

One prime example is implementing multifactor authentication (MFA) to bolster security and make it harder for attackers to gain initial access. While MFA is a highly important control to put in place, it is not strong enough on its own, Dan Gorecki, principal and CISO at NGC Risk, warned in his session “Cybersecurity Myth-Busting: Fact vs. Fiction in Cyber Programs” during RSAC Conference 2025 this week in San Francisco. Whether MFA is the strongest security control, Gorecki said “it depends.”

“It’s defense in depth, super strong control, but it needs to work with a lot of other controls to be very effective,” Gorecki said. “We’ve seen with SIM swapping and other things that MFA, while a very strong control, it is not enough.”

Focus on Third Parties That Matter Most
With supply chain risks on the rise, made especially evident by last year’s ransomware attack against United Health’s Change Healthcare, organizations are increasingly tasked with third-party risk management. While it is important to stay updated on what’s happening with third-party vendors, especially as risks rapidly evolve, the methods organizations are currently using can improve and expand beyond questionnaires that may be intentionally or unintentionally misleading. Read more


DOJ Releases Its Data Security Program Compliance Guide

Jeewon K. Serrato, Tony Phillips, Shruti Bhutani Arora, Sahar J. Hafeez, Christine Mastromonaco, Leighton Watson, Sheetal Misra; Pillsbury Law

The guide outlines the requirements of a newly implemented Data Security Program designed to prevent China, Russia and other foreign adversaries designated by the U.S. Department of Justice from accessing Americans’ sensitive personal data and U.S. government-related data.

Takeaways

  • The Data Security Program (DSP), which effectively establishes export controls on data subject to the Program, applies to a wide range of transactions by U.S. persons, including data brokerage and vendor, employment and investment agreements, involving U.S. government-related data or the bulk sensitive personal data of Americans.
  • U.S. persons must comply with core DSP prohibitions, restrictions and other requirements beginning April 8, 2025, with additional affirmative obligations—including due diligence, reporting and audit requirements—taking effect on October 6, 2025.
  • U.S. persons must implement risk-based DSPs, conduct annual audits and maintain detailed records for at least 10 years, with noncompliance potentially resulting in civil or criminal penalties.

On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule (28 C.F.R. Part 202) implementing former President Biden’s Executive Order 14117 (Order), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Order and final rule create the Data Security Program (DSP), which provides for restrictions or prohibitions on access to U.S. government-related data and Americans’ bulk sensitive data by specified countries of concern or covered persons. The regulations largely took effect on April 8, 2025, but additional affirmative compliance requirements for U.S. persons will take effect on October 6, 2025.

On April 11, 2025, the DOJ, through its National Security Division (NSD), issued a Data Security Program Compliance Guide, along with a list of more than 100 Frequently Asked Questions (FAQs) and an Implementation and Enforcement Policy, to assist entities in understanding rule compliance and enforcement.

Below we discuss the key components of the DSP and offer thoughts about compliance.

The DSP provides for:
  • prohibitions on covered data transactions by U.S. persons that involve data brokerage with countries of concern, covered persons or other foreign persons (unless certain requirements intended to prevent onward transfer of data are met) or involve access to bulk human ’omic data (i.e., large-scale, molecular-level biological datasets) to countries of concern or covered persons designated by the DOJ; Read more


AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover

Ionut Arghire, Security Week

Vulnerabilities in Apple’s AirPlay protocol could have allowed attackers to execute code remotely without user interaction.

Vulnerabilities in Apple’s AirPlay protocol and the accompanying SDK could allow attackers to take over devices, in some instances without user interaction, runtime protection firm Oligo Security says. The identified security defects, 23 in total, could be exploited over wireless networks and peer-to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK.

Two of the discovered vulnerabilities, tracked as CVE-2025-24252 and CVE-2025-24132, enable attackers to build wormable zero-click remote code execution exploits. The compromised devices could be used as a launchpad for additional compromise. “This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to. This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more,” Oligo says.

A total of 17 CVE identifiers were issued for the disclosed issues, and Apple worked together with Oligo to address them in the recent iOS, iPadOS, and macOS releases. These vulnerabilities, which Oligo calls AirBorne, could be exploited independently or chained together for remote code execution (RCE), protection bypasses, file read, information disclosure, man-in-the-middle (MiTM) attacks, and denial of service (DoS).

CVE-2025-24252, a use-after-free bug, could lead to RCE on macOS. If chained with CVE-2025-24206, a user interaction bypass, it leads to zero-click RCE on “macOS devices that are connected to the same network as an attacker with the AirPlay receiver on and set to the ‘Anyone on the same network’ or ‘Everyone’ configuration”. Read more


Where Can Financial Institutions Turn for Guidelines in Cyber Resiliency?

Tom Nawrocki, Payments Journal

Regulation continues to recede from the realm of cybersecurity, leaving organizations to fill these gaps on their own, using their own knowledge bases. The onus now falls on the financial services industry to self-govern and for cybersecurity leaders to come up with their own standards to ensure best practices.

In 2024, the nonprofit organization MITRE released ATT&CK for mobile, which maps out where a financial institution might be vulnerable to an attack. According to Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research, this could be an important step toward enforcing cyber resiliency in an age of lax compliance regulations. Her new report, Leverage MITRE Frameworks for Effective Cyber Investment, examines how financial institutions can use this and other new tools to preserve their cyber resiliency.

Looking for New Guidelines
As we see less regulatory oversight of financial institutions, particularly in the United States, cybersecurity teams must look to their own resources to make decisions on budgeting. Typically, financial institutions set their budgets for cybersecurity based on their need to comply with regulations or to meet certain standards. Without compliance regulations in place, they are forced to seek guidelines elsewhere.

For many years, organizations looked to the Federal Financial Institution Council, or FFIEC, for standards to follow. But the recent downsizing of the Consumer Financial Protection Bureau underscores the fact that the FFIEC has lost some of its efficacy in providing guidance for financial institutions. This has put institutions in the position of not having much oversight or regulatory scrutiny, which is not necessarily a positive thing. Read more

Apr. 25, 2025: Fraud & Cybersecurity Articles


AI-Powered Polymorphic Phishing Is Changing the Threat Landscape

Stu Sjouwerman, Security Week

Combined with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates.

Our threat research team has observed a rise in polymorphic phishing campaigns being launched on a much larger scale than before. We found a 17% increase in phishing emails in February 2025 compared to the previous six months. Last year, at least one polymorphic feature was present in 76% of all phishing attacks.

Understanding Polymorphic Phishing
Polymorphic phishing is an advanced form of phishing campaign that randomizes the components of emails, such as their content, subject lines, and senders’ display names, to create several almost identical emails that only differ by a minor detail. In combination with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates. Of all phishing emails we analyzed, 82% contained some form of AI usage, a 53% year-over-year increase.

Traditional detection systems group phishing emails together to enhance their detection efficacy based on commonalities in phishing emails, such as payloads or senders’ domain names. The use of AI by cybercriminals has allowed them to conduct polymorphic phishing campaigns with subtle but deceptive variations that can evade security measures like blocklists, static signatures, secure email gateways (SEGs), and native security tools. For example, cybercriminals modify the subject line by adding extra characters and symbols, or they can alter the length and pattern of the text.
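One defender-side illustration of the grouping problem described above, as an added example that is not from the SecurityWeek article or its authors: normalising subject lines (case, reply prefixes, numbers, symbol padding) and then fuzzy-matching them lets near-duplicate polymorphic variants be re-grouped into one campaign where exact matching sees only singletons. The sample subjects, the `<num>` placeholder and the 0.8 similarity threshold are constructed assumptions for the demonstration.

```python
"""Re-grouping polymorphic phishing subjects that exact-match clustering misses.
Added example; sample data is constructed, not taken from any real campaign."""
import re
from difflib import SequenceMatcher

# Constructed sample: five variants of one campaign (padding symbols, case,
# whitespace, a reply prefix, changed invoice numbers, small wording changes)
# followed by two unrelated benign subjects.
SAMPLE_SUBJECTS = [
    "Invoice #48213 is overdue",
    "Invoice #48214 is overdue!!",
    "INVOICE  #48215  is  overdue ~~",
    "Re: Invoice #48216 is now overdue",
    "Invoice #48217 is overdue today",
    "Team lunch on Friday",
    "Q3 planning deck attached",
]


def normalize_subject(subject):
    """Strip the features polymorphic campaigns randomise before comparing."""
    s = subject.lower()
    s = re.sub(r"^(re|fw|fwd):\s*", "", s)  # reply/forward prefixes
    s = re.sub(r"\d+", "<num>", s)          # invoice ids, amounts, counters
    s = re.sub(r"[^a-z<> ]+", " ", s)       # punctuation and symbol padding
    s = re.sub(r"\s+", " ", s).strip()      # whitespace padding
    return s


def similarity(a, b):
    """Character-level similarity in [0, 1] (difflib ratio)."""
    return SequenceMatcher(None, a, b).ratio()


def exact_clusters(subjects):
    """Baseline: group only identical subjects, as a naive signature would."""
    groups = {}
    for s in subjects:
        groups.setdefault(s, []).append(s)
    return list(groups.values())


def cluster_subjects(subjects, threshold=0.8):
    """Greedy clustering on normalised subjects.

    Each cluster is keyed by the normalised form of its first member; a new
    subject joins the first cluster whose key it resembles at or above
    ``threshold``, otherwise it starts a new cluster. Returns lists of the
    original (un-normalised) subjects so analysts can see the variants.
    """
    clusters = []
    for subj in subjects:
        norm = normalize_subject(subj)
        for cluster in clusters:
            if similarity(norm, cluster["key"]) >= threshold:
                cluster["members"].append(subj)
                break
        else:
            clusters.append({"key": norm, "members": [subj]})
    return [c["members"] for c in clusters]


def suspected_campaigns(subjects, min_size=3, threshold=0.8):
    """Clusters large enough to be treated as one campaign rather than noise."""
    return [c for c in cluster_subjects(subjects, threshold) if len(c) >= min_size]


if __name__ == "__main__":
    print("exact-match groups:", len(exact_clusters(SAMPLE_SUBJECTS)))
    for members in cluster_subjects(SAMPLE_SUBJECTS):
        print(len(members), "->", members)
```

On the constructed sample the exact-match baseline yields seven singleton groups, while the normalised fuzzy clustering recovers the five invoice variants as a single suspected campaign and leaves the two benign subjects apart.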

Most polymorphic phishing attacks use compromised accounts (52%), followed by phishing domains (25%) and webmail (20%) to send phishing emails that can bypass domain authentication checks. Read more


IDV in Anti-Money Laundering: Navigating Modern Threats and Countermeasures

Nikita Dunets, Regula

Over the past few decades, the international community has built an extensive anti-money laundering (AML) framework—and it keeps evolving year by year.

For example, the Financial Action Task Force (FATF) introduced new changes in their 40 recommendations in February 2025. They now encourage simplified measures in lower-risk scenarios while still promoting a certain level of caution when performing risk assessment in the first place.

This update is a good representation of how the world is treating AML right now: trying to achieve the delicate balance of user-friendliness and security in all operations. And how does it happen?

In this article, we’ll provide an overview of current AML threats, describe the role of FATF in countering them, and see how biometric verification is playing its part in this process.

Modern money laundering threats
Money laundering methods continue to adapt in response to law enforcement and regulatory measures. Today’s launderers exploit emerging technologies, global trade, and regulatory gaps, and also commit identity fraud. Read more


FBI Says Online Scams Raked in Record $16.6 Billion Last Year, Up 33% from 2023

Kerry Breen, CBS News

Scammers stole a record $16.6 billion in 2024, the FBI said on Wednesday.

That marked a 33% increase from 2023, according to the FBI’s Internet Crime Complaint Center’s annual report. More than a quarter million complaints reported money lost to a scam, with an average loss of more than $19,000.

“As nearly all aspects of our lives have become digitally connected, the attack surface for cyber actors has grown exponentially,” B. Chad Yarbrough, the FBI’s Operations Director for Criminal and Cyber, said in a note attached to the report. While most losses were caused by fraud, ransomware prevailed as the largest threat to critical infrastructure in 2024, the FBI said. Complaints related to ransomware rose 9%.

The reported losses are likely an undercount of the actual amount of money lost to scammers, experts say, because not all targets report the incident to law enforcement or the FBI. Rich Brune told CBS News he never saw the faces of the criminals who scammed him for $1.7 million in three months.

Instead, one day working on his computer, a message popped up claiming that his information had been compromised and that he was under investigation for “unlawful computer uploads.” “Contact this number, lock up your computer, don’t shut your computer off,” Brune recalls to CBS News the message read.

The criminals convinced the Vietnam War veteran to wire money and open up access to his bank account to clear things up. Read more


Complaints About Ransomware Attacks on US Infrastructure Rise 9%

A.J. Vicens, Reuters

Summary

  • Record $16.6 billion in cyber losses reported, 33% increase over 2023
  • Cryptocurrency fraud losses reached $9.3 billion, up 66% from 2023
  • Older adults most affected by cyber-enabled fraud, $4.8 billion in losses

Ransomware was the most pervasive cyber threat to critical infrastructure in 2024 as complaints regarding such attacks jumped 9% over 2023, the FBI said on Wednesday.

Ransomware attacks on critical infrastructure accounted for almost half of all ransomware complaints received in 2024 by the agency’s Internet Crime Complaint Center (IC3), a top FBI cyber official said ahead of the release of the agency’s annual Internet Crime Report, which details scam and cyber-enabled fraud impacts across sectors and to various demographic groups.

Critical manufacturing, healthcare, government facilities, financial services and information technology were the top critical infrastructure sectors targeted, Cynthia Kaiser, deputy assistant director of the FBI’s Cyber Division, told reporters on a call.

Ransomware attacks – which lock a target’s files until an extortion payment is made – are just one of the types of cyberattacks targeting critical infrastructure, a term encompassing 16 sectors, including chemical plants, communications, energy, food production, transportation, and water systems. Their “incapacitation or destruction would have a debilitating effect” on public health and security, according to the Cybersecurity and Infrastructure Security Agency (CISA). Read more 

Apr. 18, 2025: Fraud & Cybersecurity Articles


Deepfake Detection Partnerships Span AI, Academia, C-Suite, and Celebrity Content

Joel R. McConvey, Biometric Update

Advances in cheap, easy tech mean the threat presents at every level.

The deepfake threat continues to spur partnerships, as providers aim to refine their technology in the face of increasingly sophisticated synthetic media, AI-generated audio and likeness theft.

Reality Defender has announced a strategic data partnership with the AI voice generator platform PlayAI, which will see it leverage data generated from PlayAI’s voice models to improve the accuracy and resilience of its deepfake detection tools.

A release says the collaboration demonstrates PlayAI’s “commitment to the ethical and responsible use of AI, and the importance of maintaining trust and accountability within the digital landscape.”

The firm presumably feels the need to specify that they are not among those causing the deepfake problem Reality Defender aims to solve. However, their stated offering – “generate AI voices as real as humans. Deploy everywhere – to web, to phone, to apps, and beyond” – certainly sounds like the kind of cheap, easy speech engine technology deepfake warriors warn about. Read more


Why ‘One Community’ Resonates in Cybersecurity

Marc Solomon, Security Week

Our collective voices and one community will provide the intelligence we need to safeguard our businesses in today’s modern digital environment.

The annual 2025 RSA Conference is fast approaching and as we prepare for the biggest event impacting cybersecurity professionals, I couldn’t fail to notice how the key themes over the past few years, including this year, really resonate with what we are seeing across the cybersecurity industry.

A fitting anchor theme
The key theme for this year’s event is “Many Voices. One Community”. And there really are many voices at RSA with 531 sessions, 600 exhibitors and more than 40,000 delegates. But this is a great anchor theme and one that is very close to my heart because it emphasizes the importance of sharing, collaboration, and unity within the cybersecurity sector.

Of course, like any major event, there’ll be lots of hype, noise and a flurry of announcements to sift through, but the reality is that big conferences, like RSA, really help to move the needle and drive the industry forward. Naturally, there will be all the major vendors who already have an established presence, but it is worth exploring the smaller booths – the startups – who will undoubtedly be showcasing new innovative ideas that could become tomorrow’s big idea.

Falling into the ‘Innovator’s Dilemma’ trap
That isn’t to say that the larger vendors don’t have the wherewithal to innovate, but they often fall into the ‘Innovator’s Dilemma.’ This happens when successful vendors focus too heavily on sustaining core products that serve their existing customer base, while neglecting disruptive innovations and technologies that initially target niche markets but eventually redefine whole industries. Read more


The Cost of Inaction: Why FIs Are Investing in Scam Prevention Now

Wesley Grant, Payments Journal

A consumer receives a text about an unpaid toll bill demanding immediate payment—only they haven’t driven on a toll road recently.

A homeowner locked out of their house calls a locksmith, only to discover the business listing on Google Maps was fake, and they have been redirected to a criminal trying to manipulate them into sending funds. These scams are alarmingly common, with new tactics emerging every day. Yet despite the persistence and damage caused by these threats, many financial services companies still fail to allocate sufficient budget to protecting themselves and their customers.

In the Battle of the Budget: Prioritizing Scam Classification for Future Cost Savings report, Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research, examined the scam identification and prevention tools available to financial institutions—and the growing urgency of dedicating more resources to the fight against fraud.

Altering the Priority List
Though most financial institutions often notify their customers about emerging scam types, they have not been as quick to invest in the technology needed to mitigate them.

“A huge issue as far as budgets go—whether the funds are there or not—there’s always something flashier to spend the budget on,” Sando said. “This goes for any organization. So many are going to spend their money on enhancements that will improve the user experience and keep them competitive in the market, or things that might handle regulatory issues that come up. As these things crop up, the priority list changes.” Read more


Google Blocked Over 5 Billion Ads In 2024 Amid Rise In AI-Powered Scams

Lawrence Abrams, Bleeping Computer

Google blocked 5.1 billion ads and suspended more than 39.2 million advertiser accounts in 2024, according to its 2024 Ads Safety Report released this week.

The company says the increasing enforcement activity is caused by the growing threat of AI-generated content, impersonation scams, and abuse of its ad platform. In particular, Google highlighted the use of generative AI tools to create deepfake video impersonations of celebrities and public figures to promote scams, which in the BleepingComputer experience are commonly investment and cryptocurrency scams.

As a result, Google says it permanently suspended over 700,000 advertiser accounts for policy violations related to AI-driven impersonation scams.

“To fight back, we quickly assembled a dedicated team of over 100 experts to analyze these scams and develop effective countermeasures, such as updating our Misrepresentation policy to suspend advertisers that promote these scams,” explains Google’s 2024 Ads Safety Report.

“As a result, we were able to permanently suspend over 700,000 offending advertiser accounts. This led to a 90% drop in reports of this kind of scam ad last year. While we are encouraged by this progress, we continue to work to prevent these scams.” Read more

Apr. 11, 2025: Fraud & Cybersecurity Articles


Phishing Kits Now Vet Victims in Real-Time Before Stealing Credentials

Bill Toulas, Bleeping Computer 

Phishing actors are employing a new evasion tactic called ‘Precision-Validated Phishing’ that only shows fake login forms when a user enters an email address that the threat actors specifically targeted.

Unlike traditional mass-targeting phishing, this new method uses real-time email validation to ensure phishing content is shown only to pre-verified, high-value targets. Although not overly advanced or particularly sophisticated, the new tactic excludes all non-valid targets from the phishing process, thus blocking their visibility into the operation.

Email security firm Cofense, which documented the rise in adoption of this new tactic, noted that it has created a significant practical problem for them. When researching phishing sites, it is common for researchers to enter fake email addresses or ones under their control to map the credential theft campaign.

However, with this new technique, invalid or test email addresses entered by researchers now display an error or redirect them to benign sites. This impacts automated security crawlers and sandboxes used in research, reducing detection rates and prolonging the lifespan of phishing operations. “Cybersecurity teams traditionally rely on controlled phishing analysis by submitting fake credentials to observe attacker behavior and infrastructure,” explains Cofense. Read more


In Salt Typhoon’s Wake, Congress Mulls Potential Options

Alexander Culafi, Dark Reading

While the House Committee on Government Reform was looking for retaliatory options, cybersecurity experts pointed them toward building better defenses.

The threat of state-sponsored groups targeting US critical infrastructure remains top of mind, and there’s no better example of this than Salt Typhoon.

Congress waded into the issue on April 2. The House Committee on Government Reform dedicated a hearing to Salt Typhoon, the infamous state-sponsored Chinese threat group that was found last fall to have targeted a swath of major telecommunications providers, including T-Mobile, Verizon, and AT&T. In one of the worst US critical infrastructure attacks in recent memory (if not ever), the group breached the systems that law enforcement agencies use for wiretapping.

This gave the Chinese government access to sensitive data belonging to politicians as well as the Republican and Democratic 2024 Presidential campaigns. Despite this, and despite continued fallout (such as the April 2 hearing), Salt Typhoon has continued its siege on telco infrastructure around the world and well into the new year.

Before the Department of Homeland Security more or less shuttered the Cyber Safety Review Board in January, it was in the middle of a Salt Typhoon investigation. House committee chairman William Timmons (R-SC) hosted the meeting, hearing testimony from Josh Steinman, CEO of operational technology security vendor Galvanick; Edward Amoroso, research professor at New York University; and Matt Blaze, McDevitt chair in Computer Science and Law at Georgetown University. Read more


Treasury’s OCC Says Hackers Had Access to 150,000 Emails

Eduard Kovacs, Security Week

The Office of the Comptroller of the Currency (OCC) has disclosed an email security incident in which 100 accounts were compromised for over a year.

The US Treasury Department’s Office of the Comptroller of the Currency (OCC) on Tuesday shared information on a recently discovered email system breach that has been described as a “major incident”. The OCC, whose role is to regulate and supervise national and foreign banks, revealed in late February that it had become aware of a security incident involving an administrative account in its email system.

The initial investigation revealed that a “limited number” of email accounts were affected and there was no evidence of impact on the financial sector. An update shared by the regulator on Tuesday provided more information on the incident, which it discovered on February 12, 2025, after learning of unusual interactions between OCC user inboxes and system admin accounts.

An analysis showed that threat actors had gained access to emails of executives and employees, including messages containing “information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes”.

Based on a draft letter from the OCC to Congress and information from sources, Bloomberg reported that 103 email accounts were compromised and the attackers gained access to highly sensitive financial information. Read more


Who’s Calling? The Threat of AI-Powered Vishing Attacks

Bleeping Computer 

Imagine receiving a call from a high-ranking official, urgently requesting a wire transfer to resolve a national crisis. This was the case for several wealthy entrepreneurs in Italy recently, leaving them in an awkward position.

However, it was in fact fraudsters impersonating the Italian Defense Minister Guido Crosetto, trying to trick individuals into transferring large sums of money. This is an example of vishing—a growing cybersecurity threat that’s at risk of going nuclear thanks to AI.

Vishing, or “voice phishing,” is a form of social engineering where scammers use phone calls to deceive victims into revealing sensitive information or making fraudulent payments. While traditional vishing relied on human impersonation, AI now enables attackers to generate highly convincing synthetic voices, even cloning the voices of real individuals.

How can your voice be cloned?
AI can create realistic human voices using text-to-speech (TTS) synthesis and deep learning techniques. Advanced models like Google DeepMind’s WaveNet and AI-powered vocoders are able to replicate human speech patterns with remarkable accuracy. Microsoft claims that a voice can be cloned in just three seconds, meaning a scammer could phone someone for a very brief conversation and then create a realistic AI voice using only that recording. Read more

Apr. 4, 2025: Fraud & Cybersecurity Articles


Congress Urged to Reform AML Rules, Repeal Corporate Transparency Act Amid Rising Fraud Costs

Pymnts.com

Witnesses from the ranks of business and banking told lawmakers that efforts to fight payment and investment scams must be aided by a “whole government” approach, along with fine-tuning of suspicious activity reporting — in addition to a repeal of the Corporate Transparency Act.

Tuesday (April 1), the House Financial Services Subcommittee on National Security, Illicit Finance, and International Financial Institutions held a hearing titled “Following the Money: Tools and Techniques to Combat Fraud” that delved into the rising costs of fraud, and the ways in which advanced technologies can be, and are being, leveraged by criminals and banks as they do battle with one another.

But most witnesses charged that existing regulations have not kept pace with new attack vectors, and impose burdens on smaller businesses as they seek to comply with those regulations. Subcommittee Chair Warren Davidson, R-Ohio, said in his opening remarks that the Federal Trade Commission has estimated that U.S. consumers lost $5.7 billion to investment scams last year.

“Criminals are increasingly finding ways to bypass U.S. financial regulations to scam Americans into draining their life savings for the sake of their own illicit gain,” he said.

Eyeing the Bank Secrecy Act
Separately, in demonstrating the scope of illicit activity, Kathy Stokes, director of fraud prevention at the AARP, said in her testimony that even the FTC has underreported the amount of money stolen annually; in 2023, there were reports that the money stolen from fraud topped $158 billion.

“These criminal enterprises leverage a vast array of tools to commit their crimes, including all methods of communication and forms of payment, complex impersonation schemes, anonymous shell companies, and human trafficking,” Stokes said. Read more


Explosion in Identity and Payments Fraud Forces Governments, Private Companies to Act

Joel R. McConvey, BioMetric Update

UK sees formation of data sharing fraud squad as easy access to tech democratizes fraud

A common enemy can bring together unlikely allies, and right now the common enemy of banks, tech and telecoms firms is fraud. According to the UK Office for National Statistics, fraud accounts for around 41 per cent of all crimes in England and Wales, costing an estimated £6.8 billion (US$7.3 billion) each year. In the U.S., data breaches are having more severe consequences, and payment fraud is growing like a bad mold across the digital financial landscape. Injection attacks, deepfakes and other products of generative AI are getting easier to execute and distribute. The problem has become severe enough to force responses from both governments and the private sector.

Supergroup of UK banks, tech and telecom firms bands together to fight fraud
The Financial Times reports on a plan by some of the UK’s biggest companies to begin sharing live fraud data, in a united front against a fierce and fast-advancing foe.

A joint statement from the coalition says that after a period of testing, it is transitioning to real-time exchange of fraud indicator data, such as suspicious URLs or unusual transaction activity. Signatories include Barclays, Lloyds, Santander, Nationwide, HSBC, NatWest and Monzo on the financial side, as well as tech giants Amazon, Google, Match Group and Meta, and telecoms groups BT and Three.

Ruth Evans, chair of Stop Scams UK, a cross-sector umbrella group leading the initiative, says that “by making this pledge, our members are redoubling their efforts to create a safer environment for all businesses and consumers online.” Read more


How Visa Fights Financial Crime with its Anti-Scam Unit

Louis Thompsett, FinTech Magazine

Visa combines AI-driven detection with human expertise to combat increasingly complex fraud techniques in the digital economy.

Visa has established a dedicated scam disruption practice that aims to identify and interrupt sophisticated financial crimes as they emerge. The unit, which sits within Visa Payment Ecosystem Risk and Control (PERC), provides an additional layer of security beyond traditional fraud prevention systems.

In its first year of operation, the department prevented £335m (US$433m) in attempted fraud across various scam operations, complementing the £39bn (US$50bn) in attempted fraud PERC blocked across Visa’s broader network during the same period.

Paul Fabara, Chief Risk and Client Services Officer at Visa, explains the strategy behind the unit: “Visa has invested over £11bn (US$14.2bn) in technology over the last five years, including to reduce fraud and enhance network security.

The hybrid approach to fraud prevention
The Visa Scam Disruption (VSD) unit represents an evolution in financial crime prevention by combining technological capabilities with human expertise from diverse professional backgrounds. What distinguishes this approach from conventional fraud management is the recruitment of specialists beyond the traditional technology sector. Read more


Further Clarity Regarding Coverage for Funds Transfer Fraud

Alexander Cogbill and Jane Warring; Zelle LLP/JD Supra

At this point, your IT department has almost certainly warned you to approach your e-mail inbox with skepticism, for good reason. Cybercriminals regularly and effectively impersonate our legitimate contacts for illegitimate gain.

They may be targeting your servers and systems—through attacks like malware, ransomware, viruses, and hacking—or they may just be targeting you to authorize transmission of your company’s data and money without ever infiltrating your computer. This distinction between manipulating computer systems and manipulating people is an important one. Your IT department has comparatively fewer tools to prevent you from being manipulated (sometimes called social engineering). Education is the best—and, perhaps, only—protection against social engineering attacks. As cyber insurers attempt to align coverages and policy limits to the risks inherent to each industry and each insured, the risk of social engineering remains difficult to measure. For this reason, coverages for this risk are sometimes limited.

Given this limited coverage for social engineering schemes, insureds often claim that social engineering risks come within coverages written to insure risks of computer system manipulation. Courts responding to these arguments in the context of disputed claims have taken divergent approaches with respect to this legal question.

For example, a circuit split in the federal courts has developed in deciding whether social engineering triggers coverage for “[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property.”[1] Some circuits interpret this language to apply only where bad actors gain control over an insured’s computers, while others have employed a chain-of-causation analysis with differing results. This split introduces uncertainty for insureds and insurers alike when social engineering claims arise under policies containing this “Computer Fraud” provision. Read more

Mar. 28, 2025: Fraud & Cybersecurity Articles


Future of Bank Security Is Being Written by Ethical Hackers

PYMNTS.com

Historically, banks built security the same way they built vaults: thick walls, high fences and minimal exposure.

But digital transformation has upended that perimeter. Open banking APIs, third-party FinTech integrations, cloud-native architectures and rapid app deployments have created an attack surface far too broad for static defenses. Banks’ security postures have to evolve in parallel with the products they launch.

“Banks work with money, so they’re always targeted,” Santiago Rosenblatt, founder and CEO of Strike, told PYMNTS. “Attackers are using AI too,” he said. “If you’re not automating and continuously testing, you’re going to be outpaced. Cybercriminals are optimizing their ROI. They’ll target the weakest link, which is the bank testing least often.”

Since launching Strike, Rosenblatt’s team has worked to flip the paradigm from annual penetration tests, or “pen testing,” a sluggish, bloated ritual, to adaptive resilience. After all, the stakes in financial services are uniquely high. Regarding traditional pen testing, “you’d wait a month to launch a test, then three more to get the report. And in between, zero visibility,” Rosenblatt said, noting that the down time might as well be a welcome mat for cybercriminals.

Breaking the Traditional Pen Test Model
As the pace of payments innovation accelerates toward embedded finance, programmable money and artificial intelligence (AI)-generated fraud, the gap between defense and offense will continue to narrow. Banks that thrive will not be those with the thickest walls, but those with the most adaptive immune systems.

Rosenblatt, who started hacking when he was six and a half, considers himself a reformed ethical hacker: someone who uses his hacking knowledge and know-how for good. That’s what inspired him to start Strike. “Luckily for me, and my parents, I realized I was better off helping companies get protected,” he said. Read more


How Staffing Inadequacies Are Driving AML Troubles

Allissa Kline, American Banker

When TD Bank pleaded guilty last fall to criminal money-laundering conspiracy charges and agreed to pay $3.09 billion in fines, its board of directors also promised to improve AML staffing.

Not only was the board to ensure that the bank always had an officer in charge of Bank Secrecy Act compliance, but it also needed to make sure TD had enough managers and staff to support the officer and the bank’s overall Bank Secrecy Act/anti-money-laundering compliance program.

In the wake of TD’s troubles and other consent orders last year related to money laundering, banks moved quickly to assess potential vulnerabilities within their own programs, including whether their staffing is adequate and whether the teams have enough authority to do the job right.

At Texas Capital Bancshares in Dallas, the Bank Secrecy Act officer and head of financial crimes compliance spoke directly to the board, offering “lessons learned” from TD’s situation, according to David Oman, who became Texas Capital’s chief risk officer in June.

Texas Capital employs about 300 people across risk and compliance, including a few dozen contractors. Staffing in the anti-money-laundering segment is “very, very stable,” in part because the company prioritizes expansive training and career progression opportunities, Oman said.

“My job is so much easier when the CEO says that we need to do it the right way and staff it appropriately and be totally supportive of risk and compliance,” Oman told American Banker. Read more


Inspector General Report Points to Banks’ Cybersecurity Risks and Dwindling FDIC ‘IT Expertise’

PYMNTS.com

A deep dive into Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General’s latest audit and report on the agency reveals key risks to banks:

They face threats from cyberattacks and from vulnerabilities in third-party relationships. As the number of problem banks remains elevated, the FDIC is also facing the prospect of skilled examiners with IT expertise — the very experts who uncover those risks — walking out the door.

The 191-page report, released Thursday (March 20), took note of the fact that in the latest fiscal year, which ended in September, the number of “problem institutions” for “safety and soundness” concerns stood at 66, with total assets on hand of $87.3 billion. Those figures are up sharply from the 44 similarly defined institutions with $54.5 billion in assets seen in the previous year.

Banks are placed on this list when a range of issues are identified, including operational risks. As can be seen here in the examination guidelines, which exist as a separate document, information technology, anti-money laundering (AML) compliance and other technological processes are sources of information in measuring an examined bank’s safety and soundness.

Elsewhere in the audit, the FDIC examiners made supervisory recommendations — including matters requiring banks’ board attention — in 104 cases tied to risk management and 90 cases tied to information technology. “IT examinations identify areas in which a financial institution is exposed to IT and cyber-related risks and evaluate bank management’s ability to identify these risks and maintain appropriate compensating controls,” the report stated.

Looming Staffing Shortage?
But there are pressures looming: “Currently the FDIC faces risks in ensuring that it has examiners with the requisite skillsets to perform IT examinations using existing examination procedures.” Call it a staffing shortage on the horizon. The audit detailed that a total of 53% of examiners classified as “advanced IT subject matter experts were eligible to retire in 2024 with retirement eligibility rising to 63% for this population in 2028.” Those examiners qualified as having “intermediate IT expertise” have commensurate retirement eligibility rates of 16% last year and 27% in 2028. Read more


State Of Ransomware: Evolving Threats and Strategies to Stay Safe

Dale Zabriskie, Security Magazine

Ransomware in 2025 is no longer just a cybersecurity challenge — it has escalated into a global crisis affecting economies, governments, and essential services.

From multinational corporations to hospitals and schools, no organization is immune to these increasingly sophisticated attacks. According to Cohesity’s Global Cyber Resilience Report, 69% of organizations paid a ransom in the past year, emphasizing the urgent need for stronger defenses against cybercriminals.

Recent and notable attacks
Over the past year, ransomware gangs have grown bolder and more advanced in their tactics. The ALPHV (BlackCat) ransomware group targeted several hospitals across Europe, crippling emergency services and demanding multimillion-dollar ransoms. Meanwhile, LockBit attacked a major United States energy provider, disrupting fuel distribution and causing regional shortages.

Attackers have also refined their extortion techniques. While double extortion (encrypting and leaking stolen data) has become standard, triple extortion has emerged, incorporating distributed denial-of-service (DDoS) attacks to further pressure victims into paying. In another unprecedented move, ALPHV (BlackCat) attempted to exploit SEC regulations to pressure MeridianLink, a publicly traded digital lending solutions provider, to comply with their ransom demands. To escalate pressure, ALPHV filed a complaint with the SEC against MeridianLink for this alleged non-compliance, marking a novel tactic in ransomware extortion strategies.

Additionally, supply chain attacks are on the rise, with ransomware infiltrating cloud platforms and software providers, allowing malware to spread across multiple organizations. From security weaknesses in black-box commercial software to cryptocurrency applications and infrastructure, supply chain attacks are an increasingly popular tool for bad actors. Read more