
Why internet bank fraud is so much more than IP addresses

September 22, 2023

Internet bank fraud is here to stay; learn how to detect and stop it.

Every type of fraud has something unique it leverages to dupe unsuspecting citizens. Learn what is different about internet bank fraud.


How to monitor internet bank fraud more effectively

When someone inquires about the capability of a system to detect internet bank fraud, encompassing online banking and mobile banking fraud, the immediate question that arises is, “what is meant by internet banking fraud?” If the clarification is, “the intention is to detect instances where fraudsters access accounts via online banking using stolen credentials,” then it's necessary to delve further. Is the interest in detecting money movement, or merely account access?

If both aspects are of concern, then it's pertinent to note that the movement of money through online banking primarily occurs via ACH and wire transfer. For business online banking, wire fraud dominates as the chief money movement fraud scheme, especially with the rise of Business Email Compromise (BEC) fraud. According to the AFP Payments Fraud and Control Survey of US businesses, 64% of respondents stated their organizations had been targeted in a BEC attack. In the consumer domain, the prevalent method for moving money in online banking is through the ACH system for bill payments and transfers.

In discussions about online banking fraud, the subject of IP addresses frequently emerges. This is why internet bank fraud encompasses much more than just IP addresses.

What are the trends in mobile and internet banking?

When discussing online banking behavior, it is important to understand some of the data associated with activity. This data can shed light on how fraudsters are able to access the system.

  • 65% of all online banking click events were balance inquiries and account history clicks
  • 9% were transfers
  • 6% were integrated bill payments
  • The remaining clicks were events such as logouts, viewing checks and statements, going to an externally linked bill payment system, making a P2P payment, etc. (Only 40% of legitimate consumer/business logins actually clicked the logout button, while nearly 100% of fraudsters click the logout button.)

Each time a user connects, it can be from a new IP address, depending on how their home router is configured or how often they restart it. Mobile banking can also add to the number of IP addresses used if that customer or member is a traveler and checks their account from their phone. Each time the traveler crosses an invisible boundary between mobile operators or wireless networks, their mobile device is likely to receive a new IP address.

Many times the mobile banking channel rides on the internet banking channel’s rails, so conflicting device setups are likely to produce more device fingerprints and IP addresses. According to Malauzai, which hosts mobile banking for over 350 US institutions, the login frequency for mobile users is 2X that of online banking.


Why are these data points relevant?

These data points suggest that Americans are 5-7X more likely to check their balances and history than to move money via online banking and mobile banking. That means that there are possibly 5-7X the number of IP addresses for an account that did nothing transactional other than a balance inquiry.

Data suggests most Americans use online banking to see how much money they have and whether certain items have cleared. For example, no one goes into a branch to ask what their balance is. Typically, they check online. The most significant effect of the balance checking is the amount of noise it creates in monitoring for logins from stolen credentials, since most of these logins have an ultimate goal of either using the account as a mule account or draining funds from the account.

The internet banking and mobile banking providers have built fairly sophisticated engines to look for anomalous login behavior, including such variables as time of day, day of week, IP address ranges involved, device fingerprinting of the OS, browser, and browser plug-ins, biometric features such as keyboard pacing, and a variety of additional multi-factor technologies such as one-time passwords and other token-based systems. Smart fraudsters are aware of these monitoring tools and attempt to bypass them by using a proxy server or browser plug-in that lets them select a local IP address in the range for that financial institution’s location.

What does this all mean?

This data has implications for internet bank fraud. It suggests unsophisticated fraudsters and terrorists log in with bad IP addresses. In the San Bernardino case, the terrorists in the US shared their login credentials with the terrorists in the Middle East. That subsequent login is what FinCEN wanted to use to chase after the Middle Eastern terrorists. However, if you rely solely on IP addresses, for each case of an unsophisticated terrorist you will have hundreds if not thousands of false positives when someone is traveling abroad, has a spouse in a different city (especially military), or has multiple people with valid credentials checking from a variety of devices. Likewise, smart fraudsters and terrorists are going to avoid IP address monitoring by spoofing their addresses via a proxy server.

Balance inquiries account for a far larger share of IP addresses than money movement transactions do. Therefore, it is more efficient and a better use of a financial institution’s time to monitor ACHs and wires leaving the institution from all channels, including online banking and mobile banking. If someone filing a SAR needs an IP address, they can easily ask their online banking team to give them the IP addresses that accessed an account by looking at the online banking/mobile banking portal. If the team members monitoring online/mobile banking do see alerts coming from their system, the institution can establish a policy of notifying the back office using a tool such as BAM+.
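The contrast between IP-only login monitoring and monitoring outbound ACH and wire activity can be seen on a small data set. This is an added example, not code from the article or from Abrigo; the session records, event names, and both rule functions are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sessions (not real data): (account, source IP, click events).
# IPs come from the RFC 5737 documentation ranges.
SESSIONS = [
    ("A1", "203.0.113.10", ["login", "balance"]),
    ("A1", "203.0.113.11", ["login", "balance", "history"]),   # router restarted
    ("A1", "198.51.100.7", ["login", "balance"]),              # phone, travelling
    ("A1", "198.51.100.9", ["login", "history", "logout"]),    # phone, new network
    ("B2", "192.0.2.44", ["login", "balance", "history"]),
    ("B2", "192.0.2.45", ["login", "balance"]),
    ("B2", "203.0.113.80", ["login", "balance", "wire", "logout"]),  # stolen credentials
    ("C3", "192.0.2.90", ["login", "balance"]),
    ("C3", "192.0.2.90", ["login", "ach", "logout"]),          # known IP, money leaves
]

MONEY_OUT = {"ach", "wire"}  # the outbound channels the article says to monitor


def ip_only_alerts(sessions):
    """Rule 1: alert on every login from an IP not yet seen for that account."""
    seen, alerts = defaultdict(set), []
    for i, (acct, ip, _events) in enumerate(sessions):
        if seen[acct] and ip not in seen[acct]:
            alerts.append(i)
        seen[acct].add(ip)
    return alerts


def money_movement_alerts(sessions):
    """Rule 2: alert only when ACH or wire leaves; keep login data as context."""
    seen, alerts = defaultdict(set), []
    for i, (acct, ip, events) in enumerate(sessions):
        moved = sorted(MONEY_OUT & set(events))
        if moved:
            context = {
                "new_ip": bool(seen[acct]) and ip not in seen[acct],
                "clicked_logout": "logout" in events,
            }
            alerts.append((i, acct, moved, context))
        seen[acct].add(ip)
    return alerts


if __name__ == "__main__":
    print("IP-only alerts (session indexes):", ip_only_alerts(SESSIONS))
    for alert in money_movement_alerts(SESSIONS):
        print("Money-movement alert:", alert)
```

On this sample the IP-only rule raises five alerts, four of them balance or history checks, while the money-movement rule raises two and still reviews the ACH sent from an already-known IP address.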


About the Author


Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo’s platform centralizes the institution’s data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth. Make Big Things Happen.
