These illicit wire transfers have ranged from $400,000 to $900,000, the FBI said. Most of the reported cases involved small- to medium-sized banks, but a few large banks have also been affected, the agency added.
Increasing the cybersecurity of financial networks, electric supply, water systems and other critical infrastructure has been a top policy issue for the White House. The Obama administration is currently crafting a cybersecurity executive order that would create a voluntary program where companies operating this key infrastructure would verify that their computer systems meet a set of security standards.
The White House is taking action as Congress is gridlocked on cybersecurity legislation after Senate Republicans blocked a sweeping cybersecurity bill from Sen. Joe Lieberman (I-Conn.) this summer. They argued that it took too regulatory an approach and warned that it would prevent industry from properly securing its computer systems.
The FBI fraud alert raises fresh concerns about whether the right cybersecurity measures are in place at banks and credit unions to protect their consumers' money from cyber wire fraud.
The alert noted that in one case a hacker was able to raise the wire transfer limit on a customer's account so they were allowed to illicitly transfer a larger sum of money. Even more disconcerting, the FBI observed that most of the failed wire transfers didn't go through only because the hacker had entered the account information incorrectly.
The alert said hackers gain access to bank employees' login credentials by sending targeted spam or spear-phishing emails to employees at financial institutions. These emails appear to be from someone the employee knows and prompt them to click on an infected link that lets the hacker compromise their account.
The hackers were able to use these login credentials to circumvent authentication methods used by financial institutions to spot fraudulent activity happening on their networks.
The FBI listed a series of recommendations in the alert that banks and credit unions can follow to prevent these unauthorized wire transfers. The recommendations included educating employees on the threats posed by clicking on links and attachments in unsolicited emails, not allowing employees to access email systems or the Web on the same computers used to initiate payments, and barring employees from accessing administrative accounts from their home computers.