Bank and state investigators who have a growing number of Internet bank fraud cases on their hands warn that bank clients must be proactive in protecting themselves from Internet fraud.
Judicial Investigation Police (OIJ) have seen an explosion in Internet banking fraud complaints as the industry in Costa Rica has begun offering more online banking options to clients. Of an estimated 600,000 online banking users in Costa Rica, 150 have filed complaints with the OIJ, most of them this year due to an increase in fraudulent activity.
Victims, though many are older, include men and women, Costa Ricans and foreigners.
The most popular form of banking fraud, according to OIJ investigators and bank industry insiders, is a method known as “phishing”, in which hackers send bank clients a fraudulent e-mail that appears to have been sent by their bank, asking them to provide or update personal financial information.
When the client clicks on a link in the e-mail, they’re taken to a fake Web site that is nearly identical to the bank’s official site and asked to plug in their info. Many fall for the bait.
“They’ve made Web pages that are just like the bank’s page. And they ask you to update your information, your PIN number and card number,” said OIJ spokesman Francisco Ruiz, “and people don’t verify the security of the Web site.” Once clients have been reeled in to the scam, hackers use the info to access the victims’ accounts and transfer money from them.
Since November of last year, the OIJ has received some 150 complaints of Internet banking fraud, totaling $1.5 million.
OIJ’s four-agent Internet fraud department shined the spotlight on Internet banking fraud when it orchestrated the biggest bust of an online banking fraud network in Costa Rica earlier this month. OIJ agents arrested 18 people in seven raids around the Central Valley for their alleged involvement in an Internet banking fraud ring allegedly responsible for some 13 cases of bank fraud totaling nearly $200,000.
Despite the online ransacking of their clients’ funds, the nation’s banks insist the scams aren’t due to weaknesses in their systems, but to clients not being careful enough. “The Internet banking system is secure and it hasn’t been broken into by unauthorized third parties,” the public bank Banco Nacional said in a statement prepared for The Tico Times.
OIJ spokesman Francisco Ruiz agreed, adding that there are no signs that a banking industry insider is giving out information or that the banking system has been infiltrated.
But the fact that banks and authorities are telling clients to be more careful has angered some.
“You must be joking. How can the bank responsible for protecting its depositors not investigate themselves? Any bank in the civilized world would look at themselves before they blame their customers,” said Robert Crawford, a Californian and frequent visitor to Costa Rica, in a letter to The Tico Times.
He was referring specifically to a story that ran in the online newspaper AM Costa Rica, in which a U.S. businesswoman living in Costa Rica had $215,000 wiped out of her Banco de Costa Rica (BCR) account.
Crawford said he’s going to pull his money out of his BCR account after reading the story.
Ruiz said the OIJ is investigating the case.
Though there are no leads that suggest anyone in the bank was involved, investigators haven’t ruled out that possibility, he said.
According to Ruiz, suspects were allegedly able to take out chunks of money exceeding the $10,000 withdrawal limit.
“The bank must do an internal investigation,” he said.
Banco de Costa Rica didn’t return The Tico Times’ repeated requests for comment on that case.
Banco Nacional insisted that less than 0.05% of Internet banking users have been affected by online scams, which shows the security system is effective, but also shows clients are taking precautions (see sidebar).
Banco Nacional said that in addition to having passwords that guard clients’ accounts and information, their online banking system allows clients to fix a maximum daily transfer limit and to change their password whenever they want. They are also considering adding new security mechanisms to accounts accessible online. Because public banks manage most of Costa Rica’s banking clients, their clients account for about 90% of those affected by online banking fraud cases, according to the OIJ.
Not Just Phishing
Ruiz added that in phishing cases, investigators have ended up arresting suspects of alleged networks who had no idea why they were being arrested.
“These networks recruit people so they can use their accounts. They make friends with people then offer to pay them in exchange for letting them use their accounts. They say they are going to use their accounts to send money to family abroad, and many believe it’s legitimate,” Ruiz said. Instead, they transfer phished funds to the accounts. He said this happened in the case of the Internet banking fraud ring the OIJ busted earlier this month. Ruiz said the people who offer up their accounts have to go through a judicial process that will determine whether they knowingly participated in the crime or not.
The OIJ Internet fraud department is also investigating cases in which key loggers, small finger-sized devices, are planted inside computers to record keystrokes and access passwords. The loggers can be deactivated without any trace. Another popular form of Internet fraud is sending “Trojan horses,” security-breaking programs named after the technique the Greeks once used to topple Troy. They arrive disguised as benign downloadable software or e-mails that, once opened, can automatically install “spyware” on the recipient’s computer, allowing the sender to get information from the recipient’s computer, among other threats.
Which is why Ruiz advises: “Be very careful. If it doesn’t look familiar, don’t even open it.” He applauded the preventive measures some banks are taking to educate clients, but said banks still need to do more to prevent Internet banking fraud.
“We constantly have warnings up on our Web site that warn clients about phishing and say we would never solicit their personal information via Internet,” said Kathy Araya, communications manager at Scotiabank. She added that the bank now offers its 20,000 clients in Costa Rica, a quarter of whom use the bank’s Internet services, the capacity to provide secure e-mails. Also, when people open an account, they receive information about the bank’s security measures.
“Online security is an agreement that requires both parts to participate. Clients have to protect their computer and information as well,” she said.
Don’t Take the Bait
How to avoid being “phished,” according to the Judicial Investigation Police (OIJ):
– Don’t answer e-mails that ask for your personal or financial information.
– Don’t enter your bank Web site by clicking on a link in an e-mail. This could be a fake link to a fake banking site. Instead, type in your bank’s Web site address to log on.
– Change your password periodically, and make sure it isn’t anywhere on your computer.
– Don’t make important transactions or manage important information on computers at Internet cafés or other public places where computers are shared.
– Occasionally review your accounts and immediately report any possible frauds. First contact your bank, then contact the Judicial Investigation Police at 295-3000, or file complaints in person at the OIJ building in downtown San José.