FBI Finds Online Fraud Aimed at Hotel Guests, Internet Cafes

By Robert Schmidt
May 3, 2007

Tens of millions of dollars have been looted from online brokerage accounts in a fast-growing fraud that targets unsuspecting hotel guests and Internet cafe patrons, Federal Bureau of Investigation officials say.

The US Justice Department has stepped up enforcement against the schemes, which combine elements of 21st-century identity theft and old-fashioned stock fraud; the department unsealed its first criminal charges in March. Five civil complaints have been brought by the Securities and Exchange Commission since December.

The scams cost New York-based E*Trade Financial Corp. $18 million in last year’s third quarter to reimburse customers whose accounts were pilfered. TD Ameritrade Holding Corp. said it spent $4 million.

“I don’t want it to be this panic, but the fact of the matter is everyone’s vulnerable,” Shawn Henry, deputy assistant director of the FBI’s Cyber Division, said in an interview at the bureau’s Washington headquarters. “We are very focused on it.”

The fraud relies on a variation of the old pump-and-dump scheme in which criminals illegally hype a stock to inflate its price. In the latest twist, crooks install keystroke-logging programs on computers in hotel business centres and Internet cafes. When an investor uses the public computer to check stock holdings or make a trade, his or her username and password are captured.

Liquidating Holdings

Somewhere around the world, another member of the crime ring has opened an online trading account and purchased the shares of a low-price, thinly traded stock. They then access the investor’s account, liquidate it and use the money to buy more of the securities they already own. Because the stocks are thinly traded, the shares rise and the gang sells its own stock for a profit.

In variations on the theme, passwords are also captured after a customer downloads an infected application from the Internet or responds to a so-called phishing e-mail that purports to be from a financial institution and requests sensitive information.

The Justice Department’s first criminal case related to the scheme named three men from India who are accused of manipulating the accounts of 60 customers at nine brokerages. One firm lost more than $2 million, and the government is still tallying the thievery.

Fishing, Not Phishing

One unidentified customer returned from a five-day fishing trip to learn that his account, which had held $180,000 in cash and securities, was $200,000 in the red.

The SEC filed a related civil action and has brought four other cases involving the fraud since late last year.

Alan Sorcher, associate general counsel for the brokerage industry’s main trade group in Washington, said firms are putting a “tremendous amount” of resources into security.

“We’ve had accounts that have essentially been pilfered,” said Sorcher, who handles privacy issues for the Securities Industry and Financial Markets Association. The firms “are doing all they can to prevent this.”

“It’s on their front burner, at the highest levels, guaranteed,” said Henry, who said the FBI is working closely with the industry to help plug gaps in security.

More Common

With an estimated 30 million customers using discount brokers, Internet scams are becoming more common.

“We think that as this problem grows, we have to show strong action,” said Alice Fisher, assistant attorney general and head of the Justice Department’s criminal division. “People can get in and hack into brokerage accounts and manipulate the markets in a way to take a lot of money from several victims.”

In the recent spate of frauds, brokerage firms have reimbursed their customers for losses, though not all companies have such policies of repaying victims.

Internet security specialists say criminals are particularly drawn to brokerage firms because they often have more money than bank accounts and because stock trades happen quickly.

“This is very difficult to defend against,” said Marc Gaffan, director of product marketing at RSA, a unit of EMC Corp. Based in Bedford, Massachusetts, RSA provides information security for more than 26,000 businesses, including financial firms.

Freedom and Ease

Companies are struggling to protect customers who are accustomed to the freedom and ease that come with trading online, Gaffan said.

“You don’t want to disturb innocent traders and inconvenience them,” he said. “When they want to make a trade, they want to make a trade now.”

Some brokerage firms say they are taking more precautions. Omaha, Nebraska-based TD Ameritrade is phoning customers before signing off on some wire transfers or if it notices suspicious activity in an account, said spokeswoman Katrina Becker.

The company also provides free software to help prevent computers from being taken over with keystroke logging and other programs.

“Criminals will always find a way around the system, and as they become more sophisticated our methodology has to as well,” Becker said. “We work on it every day.”

The FBI’s Henry said online brokerage customers shouldn’t use computers they don’t know are secure.

“I don’t think a lot of people would think twice about going to an Internet cafe or the business centre in a hotel and using the computer,” he said. “I want people to be aware that this is a potential threat.”

[ RGM Short Selling Home page ]