Skip to main content

Why internet bank fraud is so much more than IP addresses

Abrigo
September 22, 2023
0 min read

How to monitor internet bank fraud more effectively

What is internet bank fraud and how do financial institutions detect it?

Internet bank fraud is a type of fraud where criminals access financial accounts via online banking using stolen credentials.

When someone inquires about the capability of a system to detect internet bank fraud, encompassing online banking and mobile banking fraud, the immediate question that arises is, “what is meant by internet banking fraud?” If the clarification is, “the intention is to detect instances where fraudsters access accounts via online banking using stolen credentials,” then it's necessary to delve further. Is the interest in detecting money movement, or merely account access?

If both aspects are of concern, then it's pertinent to note that the movement of money through online banking primarily occurs via ACH and wire transfer. For business online banking, wire fraud dominates as the chief money movement fraud scheme, especially with the rise of Business Email Compromise (BEC) fraud. According to the AFP Payments Fraud and Control Survey of US businesses, 64% of respondents stated their organizations had been targeted in a BEC attack. In the consumer domain, the prevalent method for moving money in online banking is through the ACH system for bill payments and transfers.

In discussions about online banking fraud, the subject of IP addresses frequently emerges. This is why internet bank fraud encompasses much more than just IP addresses.

What are the trends in mobile and internet banking?

When discussing online banking behavior, it is important to understand some of the data associated with activity. This data can shed light on how fraudsters are able to access the system.

  • 65% of all online banking click events were balance inquiries and account history clicks
  • 9% were transfers
  • 6% were integrated bill payments
  • The remaining clicks were events such as log outs, viewing checks and statements, going to an externally linked bill payment system, making a P2P payment, etc. (only 40% of legitimate consumers/business logins actually clicked the logout button while nearly 100% of fraudsters click the logout button.)

Each time a user connects, it can be from a new IP address, depending how their home router is configured or how often they restart their home router. Mobile Banking can also add to the number of IP addresses used if that customer or member is a traveler and checks his/her account from their phone. Each time the traveler enters a new invisible boundary between mobile operators or wireless networks, it is likely that they are receiving a new IP address for their mobile device.

Many times the mobile banking channel rides on the internet banking channel’s rails, so the likelihood of conflicting device setups will cause more device fingerprints and IP addresses. According to Malauzai, which hosts mobile banking for over 350 US institutions, the log in frequency for mobile users is 2X that of online banking.

Learn how to use your BSA Exam findings to
strengthen your program.

Download Now

Why are these data points relevant?

These data points suggest that Americans are 5-7X times more likely to check their balances and history than move money via online banking and mobile banking. That means that there are possibly 5-7X the number of IP addresses for an account that did nothing transactional other than a balance inquiry.

Data suggests most Americans use online banking to see how much money they have and whether certain items had cleared. For example, no one goes into a branch to ask what their balance is. Typically, they check online. The most significant effect of the balance checking is the amount of noise it creates in monitoring for logins from stolen credentials, since most of these logins have an ultimate goal of either using the account as a mule account or draining funds from the account.

The Internet Banking and Mobile Banking providers have built fairly sophisticated engines to look for anomalous login behavior including such variables as time of day, day of week, IP address ranges involved, device fingerprinting of the OS, browser, and browser plug-ins, biometric features such a keyboard pacing, and a variety of additional multi-factor technologies such as one-time passwords and other token-based systems. Smart fraudsters are aware of these monitoring tools and attempt to bypass by using local IP addresses using a proxy server or browser plug-in which allows them to select the IP address range for that financial institution’s location. 

What does this all mean?

This data has implications for internet bank fraud. It suggests unsophisticated fraudsters and terrorists log in with bad IP addresses. In the San Bernardino case, the terrorists in the US shared their login credentials with the terrorists in the Middle East. That subsequent login is what FinCEN wanted to chase after the Middle Eastern terrorists. However, for each case of a unsophisticated terrorist, your will have hundreds if not thousands of false positives when someone is traveling abroad, has a spouse in a different city (especially military), or has multiple people with valid credentials checking from a variety of devices, if you rely solely on IP addresses. Likewise, smart fraudsters and terrorists are going to avoid IP address monitoring by spoofing their addresses via a proxy server.

Balance inquiries make up a serious chunk of IP addresses vs. money movement transactions. Therefore, it is more efficient and a better use of a financial institutions’ time to monitor ACHs and wires leaving the institution from all channels, including online banking and mobile banking. If someone filing a SAR needs an IP address, they can easily ask their online banking team to give them the IP addresses that accessed an account by looking at the online banking/mobile banking portal. If the team members monitoring online/mobile banking do see alerts coming from their system, the institution can establish a policy of notifying the back office using a tool such as BAM+.

 

FAQs

Why is an IP address not enough to detect internet banking fraud?

An IP address is only one fraud signal because legitimate customers may appear under different addresses when they change networks, restart routers, travel, or use mobile banking. Sophisticated fraudsters can also route traffic through local proxies, so institutions should evaluate IP data alongside device, authentication, behavioral, and transaction signals.

What is the difference between suspicious account access and fraudulent money movement?

Suspicious account access indicates that someone may have entered online or mobile banking with stolen credentials, while fraudulent money movement involves an unauthorized transfer of funds. Separating the two helps investigators distinguish a risky login from a potential loss event and determine whether subsequent ACH, wire, bill-payment, or other transfer activity requires escalation

How can normal online and mobile banking behavior create false positives?

Normal digital banking activity can look suspicious when customers log in from multiple devices, travel, switch wireless networks, or share legitimate access among authorized users. Because many sessions involve balance or account-history checks rather than transactions, relying heavily on changing IP addresses can create substantial alert noise without identifying actual money movement.

How can fraudsters bypass IP-based fraud controls?

Fraudsters can mask their true location by using proxy servers or browser tools that present an IP address near the customer or financial institution. That technique can make a malicious login appear routine, which is why IP reputation should be combined with device fingerprinting, login timing, authentication results, behavioral indicators, and transaction monitoring.

Why should financial institutions monitor ACH and wire activity across digital channels?

ACH and wire monitoring focuses attention on attempts to move money, the point at which suspicious access can become a financial loss. Reviewing outgoing transfers across online and mobile banking also helps institutions connect login anomalies with higher-risk activity, including business wire fraud and consumer ACH transfers, while allowing investigators to retrieve relevant IP records when supporting a SAR.

About the Author

Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo’s platform centralizes the institution’s data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth. Make Big Things Happen.

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.