Check Fraud: A New Way to Exploit an Old Payment Method

June 1, 2023

Nizzan Kedar

Cyber Threat Intelligence Analyst


Banks and financial institutions have embraced the digital economy over the past decade or so, transitioning many of their services from in-person to online transactions and emphasizing mobile banking as opposed to on-premise branch visits. Threat actors have spent years trying to poke holes in their cyber defenses to commit fraud, but more recently there has been a movement to go “off the grid” and use physical checks as an attack vector to evade detection by advanced cyber threat intelligence platforms.

Over the past year, BlueVoyant has observed a significant spike in the trade of compromised and fraudulent checks on the deep and dark web, particularly in the United States. Both the number of new instant messaging (IM) groups dedicated specifically to the exchange of checks and the total number of checks published in these groups have grown aggressively since the start of 2022. The number of check fraud reports filed by U.S. banks nearly doubled year-over-year between 2021 and 2022, as the Wall Street Journal recently reported.

BlueVoyant recently published a report demonstrating some of the cyber threat activity pertaining to check fraud that our analysts have been tracking over the past year. Download the report for the full details, or continue reading for some of the highlights.

Where the Cyber Threat Action Takes Place

Fraudulent checks are primarily shared in underground groups on various instant messaging platforms – Telegram in particular – where new groups dedicated to advertising compromised checks spawn daily. BlueVoyant's monitoring of thousands of communities in the deep and dark web allows us to research the check fraud methodology firsthand, including the methods used by threat actors to obtain, distribute, and redeem fraudulent checks.

We observed a sharp increase in the average number of fraudulent checks posted each month across all Telegram groups monitored by BlueVoyant, from an average of a few hundred checks per group per month in the first half of 2022 to thousands per month in early 2023.

With more than 6,000 checks shared monthly in each group, the scope of potential financial loss to any given financial institution should not be underestimated. Not every fraudulent check eventually processed by a financial institution will have been exposed online beforehand, so the observable scale of the trend is likely just the tip of the iceberg.

The price of the checks in these groups varies, but stays between a few hundred and a few thousand dollars, which keeps this form of fraudulent activity relatively affordable and helps explain the scale of the trend.

How Check Fraud is Carried Out

Our cyber threat analysts embarked on a mission to fully understand the tactics, techniques, and procedures (TTPs) threat actors use to obtain, distribute, and cash out fraudulent checks. We found that threat actors are predominantly carrying out check fraud using two methods:

1. Stolen Checks: genuine, legitimate checks stolen from mailboxes, mostly using stolen mailbox keys. These checks are sold in dedicated IM groups, "re-cooked" (edited), and sent to the buyer through physical mail or email. Like real checks, they are deposited at financial institutions. This method uses the original check owner’s funds.

Threat actors and criminals break into mailboxes and empty out the mailbox's contents, or get keys by robbing mailmen and making copies of their master keys that allow access to all mailboxes – and to a renewable pool of envelopes containing checks. Master keys can be easily purchased in underground communities, with entire Telegram groups dedicated to trading mailbox keys. The keys are priced at around $1,000 and are delivered straight to the buyer's doorstep.

2. Forgery, or “Slips”: counterfeit checks created by threat actors to appear legitimate. This process typically involves creating an entirely new fake check using photo editing software. These checks are referred to as "Slips", and are often claimed to be of such outstanding quality that it would be difficult to distinguish them from a genuine check.

There are several kinds of Slips, including printed Slips, where a threat actor sells mostly fake physical checks, and templated Slips, which allow other actors to create DIY checks using online check templates as examples.

How to Mitigate the Risk of Check Fraud

Checks, as a payment method, are not going away any time soon. That means banks and FIs will need to be wary of fraud campaigns using checks as a primary attack vector. Customers can suffer massive financial losses from these campaigns, but their banks will ultimately be on the hook for any damages, as well as possible reputational harm as a result of a high-profile check fraud campaign.

BlueVoyant recommends educating customers and employees alike on the growing threat of check fraud, as well as leveraging a Digital Risk Protection solution that can proactively identify check fraud attempts targeting specific brands.

As part of our Dark Web Watcher service, BlueVoyant monitors thousands of IM groups dedicated to this matter. We report to our clients any time a fraudulent check is presented for sale. This helps financial institutions revoke fraudulent checks before they pose a real threat to our clients and their customers. The service's effectiveness has been demonstrated against the increasing volume of fraudulent checks of all types published in these IM groups and the financial losses it helps prevent.

BlueVoyant will continue to monitor the deep and dark web for any fraudulent activity and fraudulent methods aimed at our clients.
