Industry Letter

Alert to Increased Cyber Fraud Through Web-based Payment Services

September 23, 2010

Industry Letter: Alert to Increased Cyber fraud Through Web-based Payment Services to Financial Institutions

The New York State Banking Department (“Department”) is taking this opportunity to alert institutions to the increased threat and cyber fraud through Web-based payment services, particularly effecting businesses and government entities. There have been increased reports of fraudulent EFT transactions resulting from compromised login credentials.

A Cyber Security Advisory has been issued by the various Federal and State Information Security Agencies and a Special Alert has been issued by the Federal Deposit Insurance Corporation. The details of that advisory and guidance may be obtained at the following web sites:


The Department would further like to take this opportunity to remind institutions of their obligation to report cyber fraud instances to the Department, such as reporting of malicious software intrusions in accordance with the May 28, 2003 industry letter, which is available through the Department’s website at, and the filing of a Superintendent’s Part 300, as may be appropriate.

Also, it is the Department’s expectation that an institution’s risk management system be robust to incorporate the risks associated with cyber fraud. Cyber fraud not only incorporates IT risk, but expands to include both the institution’s Legal and Reputational risks. Financial losses to cyber fraud may be significant, but more damaging and significant to an institution can be the loss of customer and the institution’s reputation.

Therefore, the Department encourages institutions to adopt the “best practices” guidelines identified in the Cyber Security Advisory and FDIC Special Alert. Below are selected highlights the best practices for cyber fraud prevention for a financial institution:

Financial Institution Specific Recommendations:

  • Consider offering the following security measures:
  • Online credit card purchase verification programs, such as Verify by Visa.
  • Automatic blocking of wire transfers to particular countries.
  • Delayed transaction or batch processing of money transfers and/or immediate user notifications.
  • Procedures to require account owners to verify transactions over certain amounts, possibly through call backs.
  • Out of band token/pin delivery, possibly via SMS, or automated phone calls.
  • Give account owners the option to create a “white list” containing all the approved accounts between which transactions may take place.
  • Establish procedures with intermediary banks and law enforcement for responding to potential fraudulent activity.

Further, the institution is encouraged to communicate to its customers the “best practices” that the customer can employ to protect themselves against cyber fraud. Below are selected highlights but not all of the best practices for cyber fraud prevention for customers of financial institutions:

Financial Institution Recommendations for Users:

  • Check with your financial institution about enabling “alerts” and other security measures that may be available. Some financial institutions offer additional security measures, but they are only available upon request.
  • If possible, set up accounts that cannot or are not accessed through the Internet and use those accounts for long-term savings. Move money between those accounts and active accounts via the phone or in-person visits.
  • Immediately report any suspicious activity in your accounts. There is a limited recovery window and a rapid response may prevent additional losses.

Should you have any questions, please contact Deputy Superintendent Manzar Atabaki at (212) 709-1530.

Thank you for your cooperation.



Richard H. Neiman
Superintendent of Banks
New York State Banking Department