Each depositor insured to at least $250,000 per insured bank

The Federal Deposit Insurance Corporation (FDIC) is alerting financial institutions that provide Web-based payment origination services for business customers to increased reports of fraudulent EFT transactions resulting from compromised login credentials. Over the past year, the FDIC has detected an increase in the number of reports and the amount of losses resulting from unauthorized EFTs, such as automated clearing house (ACH) and wire transfers. In most of these cases, the fraudulent transfers were made from business customers whose online business banking software credentials were compromised.

Web-based commercial EFT origination applications are being targeted by malicious software, including Trojan horse programs, key loggers and other spoofing techniques, designed to circumvent online authentication methods. Illicitly obtained credentials can be used to initiate fraudulent ACH transactions and wire transfers, and take over commercial accounts. These types of malicious code, or "crimeware," can infect business customers' computers when the customer is visiting a Web site or opening an e-mail attachment. Some types of crimeware are difficult to detect because of how they are installed and because they can lie dormant until the targeted online banking session login is initiated. These attacks could result in monetary losses to financial institutions and their business customers if not detected quickly.

Financial institutions and technology service providers can refer to the following guidance for additional information on authentication and information security for high-risk transactions:

FFIEC Guidance Authentication in an Internet Banking Environment
Authentication in an Internet Banking Environment Frequently Asked Questions
FFIEC Information Security Examination Handbook - PDF 866k (PDF Help)
FFIEC Retail Payment Systems Examination Handbook
and
FDIC Guidance on Mitigating Risks from Spyware

Consumers who want to learn more about computer security and online scams can find additional information at http://www.fdic.gov/consumers/consumer/guard/index.html and http://www.onguardonline.gov/topics/overview.aspx.

Businesses and local government agencies can find cyber security resources at http://www.us-cert.gov/.

Information about cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted electronically to alert@fdic.gov. Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp.

For your reference, FDIC Special Alerts may be accessed from the FDIC's website at www.fdic.gov/news/news/SpecialAlert/2009/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.

Distribution: FDIC-Supervised Banks (Commercial and Savings)