Digital transformation has taken hold as organizations adopt digital technologies that improve business processes. The payments industry has followed the adoption of these new formats. Digital payments have boomed in the last year due to their flexibility and reliability in ensuring a more seamless payment process for businesses.

With the influx of digital payments, naturally cyberattacks follow suit, with hackers targeting vulnerable victims across several industries. These attacks come in all shapes and sizes and can result in major losses. The International Journal of Engineering & Advanced Technology found that salami, phishing, ransomware and cryptojacking attacks were among the four most common for financial gain. Let’s focus on salami attacks.

Salami attacks consist of a sequence of small, fraudulent transactions that can easily bypass detection but, combined, can result in considerable losses. While not new to the modern payments landscape, fraudsters are constantly developing new ways to automate processes with enhanced technology that attacks before businesses can detect or take action.

One area cyberattackers may target are ACH bank transfers, where micro-deposit verification of accounts is exploited for this specific purpose. By design, micro-deposits happen before bank accounts are verified, granting bad actors the opportunity to fraudulently hoard funds. While micro-deposits only take a few cents at a time, they can become a fraudster’s paradise to target and abuse.

How micro-deposits can pave a path to salami attacks

Applications use micro-deposits to verify a user actually has access to the bank account they have provided. When the user provides an account and routing number, the application initiates small payments, usually pennies, to that account. Once the payments clear, the user can report the actual amounts of the deposits back to the application and verify the bank account.

Fraudsters leverage micro-deposits for “salami” attacks when they manipulate transactions to be abused by them or their groups. In doing so, fraudsters create thousands of new accounts with bank account and routing numbers to test against the systems or steal them. They verify the information is accurate by seeking out successful return codes and transfers before plotting their attacks.

Think about the impact of thousands of new user signups initiating micro-deposits for verification in the timeframe of a couple of hours. In terms of direct losses, this may result in a few hundred dollars, which seems minimal, but indirect losses from the manual labor and severe reputational damage in cleaning up these messes can accumulate.

So why do cybercriminals execute these attacks that may yield a relatively small sum of money? 

1. To bury it in alerts and logs, making it harder for finance organizations to detect and respond to; or to draw attention elsewhere while planning an even more impactful parallel attack.
2. To pinpoint bank accounts they can easily target. If fraudsters can determine micro-deposits weren't returned — regardless of whether they can see the actual amount — the attackers have confirmation the account and routing number combination is valid. This can directly impact consumers if businesses fail to be proactive, even if the costs to the business are minimal.
3. To test the waters and see what an organization’s reaction is in a situation where suspicious activity is present. By examining a bank’s defenses, fraudsters can plan a secondary or more significant attack down the road. High-level fraudsters know the ins and outs of staying under the radar to make a big move before financial organizations can detect activity.

Safeguarding financial organizations from salami attacks

While a bank’s application is the primary provider of payment capabilities to its users, financial organizations must be the principal defender of their end users by monitoring for suspicious activity, taking actions to prevent attacks from happening and reacting quickly to fraudulent activity within the application. But what if banks don’t have the resources to combat these attacks? What can cybersecurity leaders do to prevent or eliminate fraudulent activity? These are some of the best practices to protect the platform from attacks:

• Use the Application Programming Interface (API) to suspend or deactivate suspicious accounts or unusual activity when detected.
• Stay informed of the use of disposable email domains that showcase signs of attacker activity, precisely when associated with an alarming number of user signups.
• Audit for oddities in the rate or number of account signups or funding source additions, exclusively for those sharing similar characteristics such as bank account, email or name.
• Forbid micro-deposit validation as the typical first step and use Instant Account/Bank Verification (IAV/IAB).
• Scan for multiple accountancy that shares the same funding source by using bank account fingerprinting.
• Incorporate guidelines that require validation of email addresses upon an end-user signup and multi-factor authentication for end-user login. Having these verifications in place makes automation of account abuse undoubtedly harder.
• Administer limits to the number of bank accounts an end user can attach. This will also make it significantly more difficult for a fraudster to carry out an attack.

As digital payments continue to expand, it’s increasingly crucial for businesses to remain vigilant of fraudsters carrying out attacks that can cause impacts on multiple levels. Implementing these best practices and staying attentive to defending end users can decrease the likelihood of fraudsters executing a salami attack.