A Look Forward

Using machine learning is essential to providing depth to a security program where humans might be exploited.

Bouncing fraudulent transactions through multiple “mule” accounts before ultimately transferring those funds out of the country is nothing new. Crooks want to stay as far away from the trail of dirty money as possible, making money mules the perfect way to cover their tracks.

Reported instances of money mule use in fraud cases have never been higher at Q2. The scenario works like this: An account holder falls victim to some flavor of online scam, be it romance, elderly, work from home; take your pick. The victim is coerced into receiving funds into their account with specific instructions to transfer them back out of the account essentially immediately. These situations occur much more often than you may think and are particularly difficult to defend against, as the institution’s actual account holder is initiating the transactions.

This is where transaction monitoring using behavioral analytics comes in. The moment “Authorize” is clicked on the outgoing transfer, Q2’s proprietary Risk and Fraud Analytics (RFA) engine immediately scrutinizes that transaction. In the case of the money mule fraud scheme, the recipient account is a new recipient to that account holder. As this particular end user has never transferred funds to the recipient before, this transaction—which appears suspicious based on the user’s history—will be stopped by RFA.
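An added illustration of the check described above, not Q2's RFA code or model: a rule-based stand-in that holds an outgoing transfer when the recipient is new to the account holder and the transfer forwards funds that only just arrived. The thresholds, account labels, dates and decision names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    when: datetime
    direction: str      # "in" (credit) or "out" (debit)
    counterparty: str   # constructed account label
    amount: float

# Assumed thresholds; the page only says funds leave "essentially immediately".
RAPID_WINDOW = timedelta(hours=48)
PASS_THROUGH_RATIO = 0.8   # share of recent credits being forwarded

def score_outgoing(history, transfer):
    """Return (decision, reasons) for an outgoing transfer given prior history."""
    known = {t.counterparty for t in history if t.direction == "out"}
    if transfer.counterparty in known:
        return "allow", []              # recipient fits the user's history
    reasons = ["new_recipient"]
    # Credits that landed shortly before this transfer was authorized.
    recent_in = sum(
        t.amount for t in history
        if t.direction == "in"
        and timedelta(0) <= transfer.when - t.when <= RAPID_WINDOW
    )
    if recent_in > 0 and transfer.amount >= PASS_THROUGH_RATIO * recent_in:
        reasons.append("rapid_pass_through")
        return "hold_for_callback", reasons   # stop it and call the account holder
    return "review", reasons

# Constructed sample history for one account holder.
SAMPLE_HISTORY = [
    Txn(datetime(2015, 10, 1, 9, 0), "in", "employer-payroll", 2000.00),
    Txn(datetime(2015, 10, 2, 9, 0), "out", "utility-co", 120.00),
    Txn(datetime(2015, 10, 20, 10, 0), "in", "unknown-sender", 4800.00),
]
# Mule pattern: most of a fresh credit forwarded to a first-time recipient.
MULE_TRANSFER = Txn(datetime(2015, 10, 20, 13, 0), "out", "new-recipient-77", 4500.00)
# Routine bill payment to a recipient already in the user's history.
BILL_PAYMENT = Txn(datetime(2015, 10, 20, 13, 0), "out", "utility-co", 120.00)
# First payment to someone new, with no recent credit behind it.
SMALL_NEW = Txn(datetime(2015, 10, 10, 12, 0), "out", "new-recipient-12", 50.00)

if __name__ == "__main__":
    for label, txn in [("mule", MULE_TRANSFER), ("bill", BILL_PAYMENT), ("new", SMALL_NEW)]:
        print(label, score_outgoing(SAMPLE_HISTORY, txn))
```
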

Just this week, we saw this exact scenario play out in a case reported to the Q2 Fraud team. RFA blocked an outgoing transfer and, upon callback, the customer service representative discovered the account holder was working under instructions related to an exciting new online work-from-home opportunity. Recognizing this as a scam, the institution canceled the outgoing transaction to prevent a loss.

If there is a moral to this anecdote, it’s that security awareness is not perfect. Humans will inevitably fall victim to the constant online hustle of the cyber crook. Combining machine learning with education and awareness training is key to a well-rounded defense. Leveraging a layered security model with the technology of algorithmic intelligence at its backbone provides the security depth needed when the human element is exploited.

As we move past Cyber Security Awareness month, it’s essential to maintain the mindset that security is not a “set it and forget it” practice. The threat landscape is constantly evolving, and we as security practitioners must continually work to keep pace. Looking forward, expect to see continually innovative security solutions being developed as we at Q2 work to provide our institutions with the tools you need to keep the upper hand.

*RFA is now known as Q2 Sentinel.

10 security tips your account holders need to hear

As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders

As we move into Cyber Security Awareness Month, we’ve assembled a list of security awareness tips that should be top of mind for account holders doing any type of online banking, or even just accessing the Internet in general. Many of these are likely things you have heard before, but a little repetition can go a long way. As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders:

  1. Take infections seriously; a virus may not just be a virus. Most of us, if we’re honest, have probably been guilty of thinking that if our PC gets infected with something, it’s not that big of a deal—that’s what our IT department is for, after all. They’ll have whatever the latest nasty bug we’ve contracted wiped from our machine and we’ll be back on track in no time… right? Wrong. These things are not named after scary critters for no reason—they are serious and have serious implications. Think about the effect financial malware can have on your personal finances or on your small business’s network immediately upon download.
  2. Control access to your machine. Think twice before walking away from your computer to get that third cup of coffee without first locking it. Even worse is leaving your machine unattended in public, or in the backseat of your car during happy hour. Malicious physical access to devices can be an overlooked attack vector. It’s amazing how quickly files can be dumped or unintended access to sensitive information gained during a quick few minutes away from your machine.
  3. Trust but verify: if it sounds too good to be true, it probably is. Don’t fall prey to schemes that play on your natural inclination to trust. Being trusting is not necessarily a bad thing, but it’s important to verify before taking action. Be wary of things like employment offers to make a quick buck, claims that you are a lucky winner of something, or limited time offers to cash in on an opportunity. Simply put: if it sounds too good to be true, don’t be too quick to believe it.
  4. Don’t use insecure Wi-Fi or unknown machines for banking. Sensitive online activity, such as online banking, should only be conducted from a device that belongs to you on a trusted network. Paying a few bills while you’re sipping your favorite latte at a local coffee shop may seem innocent enough, but what do you really know about others who are connected to that public Wi-Fi? Sniffing traffic on a public Wi-Fi connection can be shockingly simple, and can leave everything you are doing on that network free for the taking.
  5. “TMI” – Don’t overshare on social media. We may all be guilty of sharing too much information (TMI) at times. Don’t let social media be your outlet for sharing “TMI” about yourself to millions of people all over the world. Social media outlets are information gold-mines for anyone who may be looking to learn more about their next victim. Knowing where you vacation, the name of your pet, and your mother’s maiden name may come in quite handy for someone attempting to impersonate you.
  6. If you’ve got it, update it. If you don’t need it, delete it. Updating your software is not something you should do only when your machine slows to an unbearable crawl because it hasn’t been updated in months. Installing the latest versions of software ensures that what you are running has the latest security patches and keeps you protected. Update your software as soon as new releases are announced, and delete any unnecessary programs on your devices that you don’t need in day-to-day business. Installing lots of nonessential software just provides increased exposure points for you and your information.
  7. Scrutinize your email. Many of us comb through hundreds of emails every day, and clicking through and opening these emails is second nature. However, email is one of the most common attack vectors and is a quick and easy way for attackers to drop malware onto your PC or mobile device, or to trick you into providing sensitive information. Pay close attention to any emails that appear to come from slightly odd senders, and be extremely wary of any email requesting you to provide or confirm sensitive information. Your financial institution should never ask you to confirm or provide any type of personal information via email. Report suspicious emails to your employer and delete them completely without opening or clicking any contained links.
  8. Be mindful of what you plug in. Throwing files onto a USB drive can be a quick and easy way to share information. However, it’s also a quick and easy way to spread malware. Only plug removable media that you know and trust into your devices, and never share these storage devices amongst multiple parties.
  9. Knowledge really is power. When it comes to online banking, it pays to be in the know. Use your financial institution’s real time alerts to keep yourself aware of anything that is going on in your account that may not be normal. Setting these alerts to deliver to multiple targets (voice calls, SMS text messages, and email) can help ensure their safe and quick delivery. Notify your financial institution immediately if you receive an alert regarding activity you did not generate.
  10. Get away from the “that can’t happen to me” mindset and prepare yourself. Live by the adage that it’s better to be safe than sorry. Believing that “it can’t happen to you” is a very risky position to take. Educate yourself on security precautions that you can take to prevent yourself or your business from becoming a victim. Work to spread the word of online safety to your friends, colleagues and families and be proactive in putting security measures into place.


Cyber security and the threat landscape are constantly evolving, and keeping your institution and your account holders as secure as possible requires their participation. Use October to stress the importance of cyber security and remind your account holders of their own role in keeping themselves safe.

When trust turns sour: The threat of social engineering attacks to your institution

Tips to building a successful defense strategy

Hunter S. Thompson once said, “I am a generous man, by nature, and far more trusting than I should be. The real world is risky territory for people with generosity of spirit. Beware.”

This quote could not be truer or resonate more today, especially when discussing the topic of social engineering attacks in the financial sector.


“The real world is risky territory for people with generosity of spirit” is incredibly accurate if you think about it. The unfortunate truth is that, as humans, our natural inclination is to trust and to look for the good in people—particularly in the case of individuals working in customer service positions. Unfortunately, this makes us easy prey for fraudsters. Trusting, helpful human spirits are the low hanging fruit. Attacks aimed at humans don’t require an attacker to place malware on a device or inject anything into a browser—often all it takes is a simple phone call into the back office. With just a few nuggets of information about an end user, fraudsters often have all of the necessary tools to convince a financial institution’s (FI’s) employee to readily “help” them.

While we all would like to think that our staff will not fall for such schemes, I’d caution that the shift in transaction amounts occurring in such attacks is raising fewer and fewer eyebrows. Why? In many cases fraudsters are moving toward initiating smaller transactions—generally less than $10K—rather than high-dollar amount wires, so as not to gain unwanted attention. These smaller dollar amount transactions are bounced through multiple mule accounts before ultimately leaving the country.

Particularly where social engineering is concerned, we have seen a 63 percent increase in fraud cases reported to Q2, when comparing only the first quarter of this year to all of 2014. That’s a dramatic upsurge in just three months, as compared to the prior 12.

At a high level, these reports consist of phone calls, faxes or emails into the back office attempting to generate transactions or change sensitive information on an end user’s account. And, with the amount of personal and company information available and accessible on the internet, the reality is that these scams are not difficult to pull off.

As we look to the future, a combination of factors will continue to contribute to fraudsters’ use of social engineering as an attack of choice, to name just a few:

  • The shift toward Europay, MasterCard and Visa (EMV), and the reduction of fraud via the reselling of reproduced cards.
  • The continued evolution of anomaly detection anti-fraud tools catching transactions generated online.
  • The fact that these attacks really are just too easy, as they rely simply on trusting human nature.


Building a successful defense strategy for these types of attacks ultimately comes down to consistent training and testing of employees’ reactions to a variety of challenging scenarios. The Q2 Security team has built a targeted, customized Social Engineering Testing service designed to pressure employees in scenarios we’ve seen used in actual fraud cases. The reality is that we truly don’t know how staff will react to these types of schemes until they are faced with the situation in a real-world scenario. Trust itself is not a bad thing; however, encouraging a culture of “trust, but verify” may just pay off in the long run.

What cyber security lessons were learned in 2014?

Arguably, 2014 will be remembered as a year that left its mark on the state of cyber security across the industry. From massive retail data breaches to cyber attacks waged by nation states against organizations, the widespread impacts led to unprecedented repercussions. These types of attacks can cause brand damage, increased audit scrutiny and significant loss of market share. Let’s take a closer look at what we saw in 2014.

Massive Retail Breaches

2014 was a record year for retail data breaches – at least in terms of number of records lost. Between Home Depot, Target and JP Morgan Chase, nearly every American felt the impact in some way, shape, or form. And while the large retailers occupied the mainstream headlines, a slew of small and mid-size retailers experienced similar breaches. POS (Point-of-Sale) systems became a popular target for criminals, as they obviously play a significant role in processing financial transactions. This, coupled with the increased demand for stolen credit cards, had a significant impact on the surge of malware targeting POS systems. Until merchants and manufacturers get serious about securing these terminals and their networks, they will remain a rich target for cyber criminals.

Sophisticated Banking Trojans

An underground market once dominated by ZeuS, Carberp, Citadel and SpyEye has given birth to more advanced variants and copycats boasting additional functionality and capabilities. In 2013 nearly a million new banking malware variants were uncovered, which more than doubled the volume of the previous year. Institutions amped up their security to protect against these threats, but the rise of banking malware continued into 2014 as fraudsters tried to stay one step ahead. Last year we were introduced to Kronos, Emotet, Dridex and Dyre. Although core functionality (e.g. stealing online banking credentials) still existed, these newer variants included enhancements in the form of anti-detection techniques and intelligent communication mechanisms.

Surges in Crypto-malware

Researchers observed a global surge in the occurrence of crypto-malware families such as Cryptolocker, Cryptodefense and Cryptowall. Crypto-malware is a particularly sinister threat that encrypts data on a compromised device and then attempts to extort money from the victim in order to have the data decrypted. Across the world, we watched as crypto-malware targeted a wide range of victims, from state governments to small towns, and large corporations to the average consumer. Faced with really no other option, most victims reluctantly paid the demanded ransom, crossing their fingers and blindly trusting their data would be restored. Unfortunately, this wasn’t always the outcome.

Attacks Aimed at the Weakest Link

The threat of attack directed towards the human element of security had been predicted. Frankly, it continues to prove to be the path of least resistance and yields a high rate of success. Attackers are no longer “throwing the kitchen sink” in hope the victim bites at the phish. Instead, techniques evolved as social engineering efforts became more specially crafted, targeting the victim in a manner that increased the chance the victim would divulge information or perform actions that would be unlikely in ordinary circumstances. Well-planned attempts targeted the back office at financial institutions, and fraudsters impersonated legitimate customers and coerced victimized employees into approving fraudulent transactions.

2015 and Beyond

So, what does 2015 have in store? Not surprisingly, we should probably be hedging our bets towards more of the same. However, I strongly believe institutions can tip the scale of power in their favor. Security requires vigilance and accountability. The threats we face are too pervasive to allow us to believe we can prevent them all. Financial institutions must leverage the right technology solutions that not only help defend against these threats, but also provide real-time detection. Ideally, these solutions can improve our ability to not only respond, but also remediate all types of attack. Tipping the scale, we greatly improve our chances for winning this ongoing fight.

Our Shared Responsibility: Q2 Honors National Cyber Security Awareness Month

Sponsored by the Department of Homeland Security, National Cyber Security Awareness Month celebrated its 11th year this October. Each year, this month serves as an opportunity for not only Security professionals, but also consumers, small and medium sized businesses, corporations, and financial institutions to spread awareness and share information about Cyber Security.

The theme of National Cyber Security Awareness Month for 2014 was “Our Shared Responsibility.” As we’re constantly connected to the internet, our risk of exposure to theft, fraud, and abuse is significant. Cyber Security attacks can affect our finances, identity, and privacy, making it an important national security priority.

Throughout the month, Q2 presented a weekly series of Security presentations with the goal of educating its employees about not only the risks and threats the Security team sees on a daily basis, but also countermeasures they can use to protect themselves and the company. Topics such as how to recognize social engineering attempts, information about security threats such as Heartbleed and POODLE, and a demonstration of common hacking techniques were presented to Q2 employees to increase awareness of Cyber Security protection.

By the end of the month, the Q2 Security team recognized a notable increase in the awareness of Cyber Security amongst coworkers. Employees are actively reporting suspicious emails and seeking out the Security team for advice about personal Cyber Security. By opening a dialogue with our employees about the importance of Cyber Security, Q2 is helping to protect our customers, our employees, and our company.

Cyber Security awareness doesn’t end in October. We encourage you to make security-minded thinking a part of your day-to-day routine. Talk to your account holders and employees about Cyber Security awareness and security basics. Education and information are the first steps in combatting Cyber Security threats. If you have questions about Q2’s Cyber Security recommendations and best practices, please feel free to reach out to the Q2 Security team by contacting Jean Twaddell at jean.twaddell@q2ebanking.com.