Upheaval at banks—and cutbacks in IT security—have created ideal conditions for theft
When rumors swirled in late September that regulators had brokered a deal for Citigroup (C) to buy Wachovia (WFC), cybercriminals capitalized on the chaos. An estimated 5,000 Wachovia customers received a fraudulent e-mail instructing them to update their accounts in anticipation of the merger. Many gave the hackers Social Security numbers and other sensitive financial information. Wachovia posted an alert within 24 hours, and Wells Fargo (WFC) emerged as the buyer a few days later. But the damage had been done. "It's us against these criminals," says Matt Wadley, a spokesman for Wachovia, which is helping those duped by the fraud.
The toxic combination of a weak economy and a widespread banking crisis is offering an opening for criminals who operate online to steal valuable financial information. Cybercrime was up 53% in 2008, according to a report by security consultant McAfee (MFE). Says Nikos Passas, a professor at Northeastern University who specializes in organized crime: "With rising unemployment and a deepening recession, you have a growing number of desperate people."
It's yet another blow to banks and financial firms, which bear the brunt of the cost of online attacks. When customer information is compromised, banks often absorb any fraudulent transactions, give clients new accounts, and provide credit-monitoring services. The tab for each data breach: $197 per person, according to research firm Ponemon Institute. Total losses from cyber-related crime at financial institutions topped $20 billion last year, estimates security consultant Lance James, whose clients include the top brokerages and banks.
Cybercriminals are employing familiar tools. Banks and financial firms weather daily attacks by hackers trying to breach their firewalls. Heartland Payment Systems (HPY), which processes more than 100 million credit card transactions each month, announced in January that a cybergang had penetrated its database last year. Others target consumers, using fake e-mails and Web sites to trick people into giving up their financial data.
Many of the latest schemes have a distinctly topical twist—preying on consumers' confusion amid a spate of bank mergers and corporate layoffs. In one, criminals set up sites that purport to link job seekers with employers to coax credit card and Social Security numbers from them.
Financial firms may be exacerbating the problem. With profits under pressure, some banks are cutting back on tech departments to save money. Citigroup announced last year that it would slash spending on information technology by 20% for 2009. Those sorts of reductions, say experts, can weaken security. "Companies are tempted to cut IT because it's seen as a cost and not a benefit," says Mark Rasch, head of the IT unit at FTI Consulting (FCN). "This is the perfect environment for cybercriminals." Janis Tarter, a Citi spokeswoman, says the company has been recognized for its programs to prevent and detect online fraud and that security will continue to be a main focus.
Even so, consumers may be more vulnerable to attacks. Christine Tetreault, a 51-year-old writer, didn't think twice when she received an e-mail supposedly from Bank of America (BAC) regarding "suspicious" activity in her bank account. She filled out the online form, confirming her four-digit PIN and account number. Days later Tetreault discovered an unauthorized $1,000 transfer. It took two days for the bank, which covered the losses, to resolve the matter. "Protecting customer information is a top priority," says a spokeswoman for BofA. Says Tetreault: "I was embarrassed to have fallen for the e-mail scam and lucky to be able to protect my account."