In India, the financial services industry no longer views banking fraud as the Cost of Doing Business. Reports suggest that reported fraud cases have decreased during the Covid-19 pandemic, but the amount of money lost has significantly increased. This underscores the importance of the fraud risk management function in Indian banks and companies.

The irregularities and fraud cases not only involve outsiders who are just customers, or partners of the financial institutions or companies but also senior management as seen in some of the cases. In this post, we discuss various different aspects associated with fraud risk management.

Early Warning Signals

Reserve Bank of India introduced a mechanism called Early Warning Signals (EWS) and Red Flagged Accounts (RFA) for the banks wherein it stated about 45 red flags. The concept of a Red Flagged Account (RFA) was introduced in the 2015 framework as an important step toward fraud risk control.

Red Flag Account

A Red Flag Account is one where a suspicion of fraudulent activity is raised by the presence of one or more Early Warning Signals (EWS). A bank cannot afford to ignore such EWS but must instead use them as a trigger to launch a detailed investigation into an RFA. Even after these precautionary steps and according to the observations of Risk Professionals; Weak implementation of EWS (early warning signals) by banks, non-detection of EWS during audits, non-co-operation of borrowers during the Forensic Audits, inconclusive Audit Reports, and also sometimes the lack of decision making in joint lenders’ meetings, account for a delay in detection of frauds.

Fraud Risk Intelligence

Currently, the banking system, being the backbone of the nation’s economy, is scourged by high levels of NPAs and it is certainly a worrisome situation. The rising high-value frauds are not just the key concern of the banking industry, and stock markets but for the government and regulators too. While fraud investigators, compliance professionals, and forensic accountants are engaged in assignments like forensic audits, asset tracing, and skip tracing, such types of assignments are categorized into post-mortem activities. There is another emerging area that the banks, companies, and regulators should pay more attention to that is Market Intelligence. One way to prevent fraud and make deterrent measures is revamping the EWS mechanism with the introduction of alerts generated by the activities of Market Intelligence.

Market Intelligence (MI) activity plays a very crucial role in the prevention of these financial crimes. MI is a very independent, proactive, and responsive service through investigative, accounting, and technology capabilities.

Market Intelligence is ultimately a nexus-building activity wherein a banker, an investor, or a company can find out who they are dealing with. Corporate Governance should view Market Intelligence as one of the best practices to employ across industries and thus an integral part.

The risk of dealing with third parties has grown significantly and it has become essential to verify the business partners to avoid unpleasant surprises. In light of new global laws, companies bear more responsibility, including liability for the actions of their business partners.

In the wake of the Foreign Corrupt Practices Act, the UK Bribery Act, and other such enactments across the world, data, and discreet checks play a significant role in investigating the nexus of the (individuals who are acting as) director with the politically connected, exposed, high net-worth or sensitive persons. Data which is gathered under the market intelligence activity is helpful to understand the background of the promoters when the investors are conducting the due diligence over the investee companies; when publicly listed companies are dealing with vendors, business partners, dealers & even employees.

When organizations enter into any kind of relationship without an appreciation of the possible downside can expose them to financial and reputation risks. The Intelligence team aids private equity firms in identifying hidden factors and red flags. This helps them make informed decisions when investing, acquiring/merging, or hiring. The team gathers public and non-public information to assess a potential partner’s background, track record, reputation, and associations.

According to the RBI’s annual report for 2019-20, Bank Frauds worth more than INR.1.85 lakh crore were reported in the year ended June 2020 compared with over INR. 71,500 crore in the previous fiscal. The report also states that Fraud has been occurring predominantly in the loan portfolio (advances category), both in terms of number and value.

Ministry of Corporate Affairs

MCA has revised CARO to check corporate fraud. Auditors must report on fraud, loan defaults, whistleblower complaints, and Benami properties. The report acts as an early warning signal for management and regulators. However, its effectiveness for better governance is uncertain. The auditor must be qualified and capable to act as both an auditor and a forensic accountant.

Securities Exchange Board of India

The appointment, removal, and remuneration of the chief risk officer, should be subject to review by the risk management committee. Generally, it is a joint process with the nomination and remuneration committee. The Chief Risk Officer addition is welcoming. They bring market intelligence and investigative expertise. The CRO will be unbiased. They will help the committee understand risks. This will aid in charting out a mitigation plan.

Further, the risk management committee should coordinate its activities with the audit committee in instances where there is any overlap with audit activities. It should ensure that appropriate methodology, processes, and systems are in place to monitor and evaluate risks associated with the business of the listed entity, according to the consultation paper.

It was reported in the case of the cosmos bank investigation that a large number of account holders were used to withdraw money from the various ATM Centers in different cities across the world. A large number of participants involved in ATM withdrawals clearly indicate that they are not the mastermind of the fraud but are the Money Mules or the account holders who are paid small money to withdraw cash from ATM for a percentage cut.

They are people who serve as intermediaries for criminals and criminal organizations. Whether or not they are aware of it, they transport fraudulently gained money to fraudsters. The use of intermediaries makes it difficult to figure out the identity of the fraudster.

Once the fraud incident takes place, the fraudster needs the bank accounts to transfer the funds to either foreign countries or to cryptocurrency wallets. In certain cases, when the ATM centers spit the cash, these mules are asked to purchase the goods and are asked to Export the same to another country under the pretext of Exports.

Money mules, just like fraudsters, are guilty of illegally transporting fraudulently gained money and can be prosecuted for this.

In order to disguise the nature of the transaction, huge manpower is required to create the layers of the transactions, and recruitment of the money mules is one of the options.

Who are money mules?

How do money mules get caught?

Generally, banks have sophisticated systems in place to track fraudulent transactions and can identify these within short notice. Surveillance cameras at ATM centers capture their faces. Some mules use their true identity such as their KYC-verified bank accounts to transfer the funds to other countries. Law enforcement agencies can easily identify individuals and track down money mules by using their photographs and addresses.

Role of Law enforcement

Law enforcement agencies use various methods to catch them. One of the most common ways is through transaction monitoring. Banks and financial institutions flag suspicious transactions and report them to authorities.

They may also detect patterns in the behavior of the money mule, such as frequent cash withdrawals or international transfers. Law enforcement agencies may also conduct undercover operations to catch money mules. They pose as buyers of illegal goods or services.

Additionally, investigations into larger fraud schemes may lead to the identification and arrest of money mules involved in the operation. Once caught, money mules may face criminal charges and possible imprisonment. Knowingly or unknowingly assisting in the movement of stolen funds is illegal and can have serious consequences.

Indian Banking sector was shocked when Cosmos Bank admitted to the ATM Heist of $11 Million and SWIFT Attack which caused the loss of another $2.5 Million to the bank due to the presence of the malware. Looking at the information available in the electronic media about the statements given by the Chairman of the Cosmos Bank, there are three primary elements of the whole heist. This article discuss these three elements in detail in the wake of the fraud.

Data Theft

According to the preliminary information available in Public domain, there are more than 15000 ATM Withdrawals, made from different countries without validations on 11/08/2018 in only 7 hours. In order to carry out the ATM Withdrawals, besides the software code planted in Malware, there is a need to have Debit cards. Money can be withdrawn only if the Debit cards are present with the master mind of the fraud. Embossed plastic cards are available easily in the market, but the information stored in the magnetic stripes is not. In order to get this information, there must have been some data theft incidence.

• Data Theft could be as simple as stealing the bank’s data in the pen drive and handing it over to the outsiders
• Data theft may have occurred through the incidence of hacking or through the presence of the virus in the systems of the bank but have gone un-noticed and un-reported.
• Data theft may have occurred through a third party payment processor which have access to the sensitive information.

In order to narrow down the modus operandi, Digital forensic audit needs to be done which focus on the possibilities of internal compromise and external attacks. This would also be important in order to get the Insurance claim if the Bank is insured against such attacks, else $13.5 million is a big blow to the bank.

ATM Withdrawals

Data theft is the first chapter in the league of this ATM heist. However, when the mastermind of this fraud was in possession of the sensitive data of the account holders, the information was probably copied to the magnetic stripes and the Debit cards of the Account holders were cloned. Now, the media information reveals that the withdrawals were made from the different countries. Which means the operation was well orchestrated and the withdrawals were synchronised and monitored throughout the world. Various agents in the different countries would have withdrawn the money at same time. While withdrawing the money from the account of the customer, now a days the banks send the SMS to the account holders. The press statement have no mention of the complaints from the customers, which means the SMS were not sent through the banking channel. It is a smart malware which had attacked the computer system that allows banks to settle cash dispensation requests raised at ATMs.

Once a request is raised by swiping of the card at an ATM, it is transferred to the Core Banking System of the bank using a “switch”. After checking the available credit in the individual account, the Core Banking System either allows or rejects request. Acceptance or rejection is transmitted back to payment systems via the “switching”. This is the most important aspect of the ATM withdrawal operations, where the Proxy Switch was created by the malware and the balances were not checked with the Core Banking System. Which means there are certain accounts in the bank which are used in the process of the ATM heist which may not even have balance, but the withdrawals were processed.

National Payment Corporation of India (NPCI) runs India’s biggest network of shared ATMs called National Financial Switch.

SWIFT Attack

In last few months, this is second time when the name of SWIFT is in news for the wrong reasons. It was in discussion when the employees of Punjab National Bank misused the same to favor the infamous fraudster Nirav Modi. Now the SWIFT is in news due to the transfer of $2.5 million to the Hongkong based companies. In order to loot the hard cash of the bank, help of the insider used to be a of a great help.

Pune based co-operative bank was in news because of the ATM heist it witnessed in the second week of August. Hackers targeted 112-year-old Pune headquartered co-operative sector bank, Cosmos Bank, to transfer over INR. 94 crore ($13.6 Milion) to foreign bank accounts. Out of the $13.6 Million about 80% of the amount ($11 Million) was  withdrawn on 11th August’2018 alone. More than 12,000 ATM transactions were recorded in 28 countries between 3 pm and 10 pm on 11/08/2018.

On 13th August’2018 INR 13.5 crore was transferred to a Hong Kong-based entity using the Society for Worldwide Interbank Telecommunications (SWIFT) facility. Read: Analysing Cosmos Bank SWIFT Attack from forensic Angle

According to the reports in one of the Indian News Papers, which quotes some cyber experts, this could be the handiwork of Lazarus, North Korea’s most prolific hacking group that has pulled off some audacious attacks around the globe.

Lets us try to understand what is Lazarus and How it operates ? This article is an attempt to create awareness about the methodology followed by the Lazarus Group in banking attacks worldwide.

What is Lazarus ?

This group is considered to be one of the most prolific hackers group in the world. This group orchestrated the attack on Sony Pictures in 2014, when US openly blamed North Korea for this attack. Wannacry attack of 2017 was also perpetrated by them. Lazarus and its offshoots have been blamed for different attacks on the financial institutions. Bluenoroff is their subgroup which is focused on attacking foreign financial institutions. They are responsible for a wide array of financial theft incidents.

Lazarus Attack on Banks

Some of the most prominent attacks conducted by the Lazarus in the recent past are

• February’2016 – February 2016 heist, in which hackers breached Bangladesh Bank’s systems and used the SWIFT messaging network to order the transfer of nearly $1 billion from its account but was successful in transferring $80 Million to Phillipines Bank.
• February’2017 – Website of the Polish Financial Regulator was used for conducting the watering hole attack perpetrated by Lazarus.
• October’2017 – Far Eastern International Bank ATM Heist where the Taiwan based bank lost more than $60 Million due to attack on SWIFT.
• May’2018 – There was an attempted $110 Million attack on SPEI of Mexico’s Trade Bank detected but swept under the carpet.
• June’2018 -Banco de Chile, the largest bank of Chile where attackers had stolen $10 million before the bank disabled 9,000 workstations due to alleged attack on SWIFT

Why North Korea is becoming Aggressive ?

Sanctions increase the money laundering related to trade. North Korea is becoming increasingly starved of hard currency as the United Nations imposes sanctions amid a standoff with the U.S. over Kim Jong Un’s nuclear weapons program. In order to fund the ambitious programs, the country needs internationally acceptable currency. Dollars and Bitcoins are the two they have identified. Bluenoroff is the subgroup focussed on the banking attacks and other sub-group Andariel is focussed on the South Korean Bitcoin exchanges. Many security firms have made an attempt to link the Lazarus as state funded activity, though there are no evidences.

Modus Operandi of Lazarus

• Lazarus/Bluenoroff group finds a vulnerability in one of servers in the targeted organization
• Or they would infect a website which employees of a targeted organization often visit
• They would infect the IT infrastructure of the target with malware and would identify where a server running SWIFT software is installed
• They would download additional malware to interact with SWIFT software and would try to drain the organization’s accounts

SWIFT System is Compromised

In all the attacks mentioned above Lazarus group have targeted the SWIFT. Most international transfers are executed through SWIFT, a co-operative society, founded in 1974 by seven international banks, which operate a global network to facilitate the transfer of financial messages. The SWIFT System would be focus of a negative news in India for the second time in recent past. It became known to the common Indian when Nirav Modi used the SWIFT system for his benefit and duped the Punjab National Bank for billions of Rupees. Using these messages, banks can exchange data for funds transfer between financial institutions.

SWIFT system is always seen to be the focus of the Lazarus group activities, hence there is strong likelihood that the attack on the Cosmos Bank which is claimed to have been the attack on the SWIFT network could have been perpetrated by the Lazarus.

Last word about Cosmos Bank

Logically, forensic investigation would be the next step for Cosmos Bank, whether for damage control or to settle the Cyber Insurance Claim. However, the banking industry throughout the country is shattered due to this incidence and should follow few cautions in the new age criminal world. Here is a advise of caution

1. If your organization has software tools for conducting money transactions, SWIFT, invest into additional protection (Recommended is the Seqrite solution offered by Quickheal Technologies Limited) and regular security assessment in addition to standard protection measures implemented on all other parts of the organization’s network
2. When deploying specialized software for money processing follow recommendations and best security practices from your software vendor and security professionals.
3. In case of suspicion of intrusion, request for professional assistance with incident response. Again the experts like the Quickheal are recommended.