REQUIRED READING: Do you remember all of the suspense-filled spy movies in which the hero must defuse a bomb to save the city? You always hear the familiar ‘tick, tick, tick’ of the bomb's time clock. With ninja-like precision, the hero cuts the wire just in time to stop the clock, neutralize the bomb and save the day. The rush of adrenaline, the intensive focus and the danger seem to only last a few seconds. Then, it is all over, and everything is safe.
In the real world, a similar threat is presented by business-related fraud. Fraud losses cost the financial and retail industries more than $200 billion annually, and industry experts indicate these losses will only increase as criminals and fraudsters become more sophisticated in their approach. To defuse this bomb, we need to understand fraud trends and be our own hero in dealing with them.
Of course, everyone is aware of mortgage fraud – the subject has been covered at great length, and we do not need to circle back around those tracks. However, there is a great deal of other fraud taking place today that damages the viability of financial institutions and puts their customers in harm's way.
The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) recently indicated that over 1.2 million suspicious activity reports (SARs) were filed by financial institutions in 2009, and many of these SARs were attributed to suspected fraud. Consumers, merchants and banking institutions are impacted by fraud that can result in identity theft, account takeover and financial loss. The leading fraud threats include malware attacks, structured query language (SQL) injections, skimming, phishing and employee fraud. Let's consider each of these threats.
Malware wreaks havoc on computers. The malware umbrella covers worms, botnets, Trojans (including the downloaders that fetch further payloads) and adware. While early malware was written to crash or damage the computer, today's malware is built to collect and transmit financial data, and new strains evade detection by exploiting unpatched vulnerabilities in common software rather than relying on techniques anti-virus signatures already recognize.
Malware attacks target individual consumers as well as commercial banking accounts. According to industry security vendor RSA, ‘The rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008.’
SQL injection is a popular way to compromise websites by entering SQL syntax into log-in fields or into URL parameters in the browser's address bar. Because the application concatenates that input into a database query, the attacker's text is executed as part of the query, letting criminals read or alter the system database or take control of the site. The Verizon Business Data Breach Investigations Report found that SQL injection was responsible for 79% of the breached records it studied. More advanced criminals use SQL injection to delete logs that would reveal the intrusion and to install malware that evades anti-virus software.
Skimming is an increasingly popular crime in which fraudsters capture card data by fitting electronic skimming devices over the card slots of ATMs or fuel pumps, recording the magnetic stripe as the card is swiped. Some skimming devices transmit the captured data wirelessly, which spares the criminal the risk of returning to retrieve the device. Skimming may also involve cashiers or other employees who handle customers' credit or debit cards, swipe them through a hand-held skimmer and receive a fee from the fraudsters for their participation.
Phishing is used by criminals to acquire user names, passwords and credit-card details from victims by pretending to be a trusted bank or credit-card company. Once they obtain client data, fraudsters may spoof the caller ID and contact the financial institution to perform account takeover fraud. In addition to traditional e-mail phishing, fraudsters now also use vishing (voice phishing by telephone) and smishing (SMS or text phishing). Recently, phishing has seen a significant increase in targeting social networking sites such as Facebook and Twitter.
But despite the rise in digital crime, person-to-person miscreant behavior is still alive and well. Celent, an industry research firm, recently estimated that internal bank fraud accounts for 60% of cases involving a data breach or theft of funds. Employee fraud is generally driven by a desperate need for money and easy access to customer and corporate data.
Employee fraud can include account takeovers, ID theft, journal-entry fraud and policy violations such as incentive fraud, policy overrides and self-dealing. Former employees can also pose a threat, particularly if there is a lag in the removal of their access rights. One of the most significant risks is an insider with malicious intent. According to one industry expert, this method is ‘difficult to detect, and almost impossible to defend against.’
While two-factor authentication has been considered a best practice for some time, industry security experts warn it may not be enough. Recent threats include man-in-the-browser attacks, which alter the transaction inside an already-authenticated session and so defeat dedicated token authentication, and call forwarding, which diverts the bank's confirmation call and defeats telephone-based authentication or transaction verification.
According to industry research firm Gartner, this brand of fraud is toxic for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts.
However, FinCEN also warns that old-fashioned criminal strategies are still in play. Various cyber crime units have identified both domestic and international organized crime organizations that use fraud to fund their organizations. These groups may use money mules to move the money, and they have teams of hackers, developers and programmers all focused on fraud opportunities. Although there are still rogue individual criminals, there appears to be a movement toward criminal enterprises – and, in some cases, fraudsters actually have their own operations and technology centers and may outsource their call-center functions.
Other schemes include authorized user fraud, which occurs when low-risk customers ‘rent’ their pristine high credit-card limit and solid payment history to other customers seeking to increase their credit scores, and payments fraud, which the American Bankers Association estimated reached more than $1 billion in 2008.
Industry best practices
Even though fraud can seem overwhelming, there is hope. By leveraging industry best practices, financial services companies can help predict, identify and respond to fraud in a timely manner.
Lending institutions can benefit by combining all financial crimes detection and case management into one unit. This allows them to proactively address threats across all products, channels, payment types and geographies. Once a criminal has a customer's credentials, he or she will attempt to access funds via multiple channels, and a detection silo that sees only one channel never observes the pattern.
With an enterprise fraud approach, the firm can identify this risk and take action across channels to minimize the impact. Many enterprise fraud solutions will provide fraud detection, alert notification and case management capabilities.
Some best practices for enterprise fraud detection include the following:
- Real-time monitoring and incident alerts,
- Alert linking with automated risk analysis,
- Enterprise case management,
- Neural networks that ‘learn’ new trends,
- Predictive analytics to limit false positives, and
- Workflows that extend process and control beyond fraud management.
Balancing real-time fraud detection against the denial of legitimate customer transactions is a challenge. When bank fraud is detected after it has already occurred, it is too late, because the losses are already realized. Rules can help automate some of the processes and reduce human intervention, but rules-based systems alone are not adequate: a fixed threshold catches only what it was written for.
Real-time or near-real-time statistical models are required to weigh large numbers of variables at once. As more information and data are captured, the model is updated dynamically, so a customer's own transaction history becomes the baseline against which each new transaction is judged. These systems can actually get smarter over time, as they have the ability to store patterns and learn from examples.
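As an added example covering both the cross-channel point made earlier (a criminal with stolen credentials hitting several channels) and the rules-versus-models point here, the following monitor is written for this page and is not any vendor's product or the author's own method. It layers a static amount rule, a per-customer running baseline (Welford's online mean and variance, so the model updates with every transaction it trusts) and a cross-channel velocity check, and links every alert on a customer into one case. The transaction stream, thresholds and case-numbering scheme are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import math


@dataclass
class Txn:
    ts: int          # seconds since epoch (constructed timestamps)
    customer: str
    channel: str     # e.g. "card", "online", "wire", "atm"
    amount: float


@dataclass
class Baseline:
    """Running mean/variance of one customer's amounts (Welford's method)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0   # sum of squared deviations from the running mean

    def zscore(self, x):
        if self.n < 5:                       # too little history to trust
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        return 0.0 if std == 0 else (x - self.mean) / std

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)


class FraudMonitor:
    def __init__(self, static_limit=5000.0, z_limit=3.0,
                 window_s=600, channel_limit=3):
        self.static_limit = static_limit     # the kind of rule a vendor ships
        self.z_limit = z_limit               # anomaly threshold vs own history
        self.window_s = window_s             # cross-channel velocity window
        self.channel_limit = channel_limit   # distinct channels that trigger
        self.baselines = defaultdict(Baseline)
        self.recent = defaultdict(deque)     # customer -> (ts, channel) queue
        self.cases = {}                      # customer -> linked case id
        self.alerts = []                     # (case, customer, channel, amount, reasons)

    def _case_for(self, customer):
        return self.cases.setdefault(customer, "CASE-%03d" % (len(self.cases) + 1))

    def process(self, t):
        """Score one transaction in arrival order; returns the reasons it fired."""
        reasons = []
        if t.amount > self.static_limit:
            reasons.append("static_limit")
        z = self.baselines[t.customer].zscore(t.amount)
        if z > self.z_limit:
            reasons.append("zscore=%.1f" % z)
        q = self.recent[t.customer]
        q.append((t.ts, t.channel))
        while q and t.ts - q[0][0] > self.window_s:
            q.popleft()
        channels = sorted({c for _, c in q})
        if len(channels) >= self.channel_limit:
            reasons.append("channels=" + ",".join(channels))
        if reasons:
            self.alerts.append((self._case_for(t.customer), t.customer,
                                t.channel, t.amount, reasons))
        else:
            # Only unflagged activity teaches the model, so fraud in progress
            # cannot drag the customer's baseline up to meet it.
            self.baselines[t.customer].update(t.amount)
        return reasons


# Constructed sample stream: c1 has a week of small card purchases, then a
# takeover pattern (three channels in five minutes, every amount under the
# static limit); c2 has a single transfer that only the static rule catches.
SAMPLE = [
    Txn(0,      "c1", "card",   42.0),
    Txn(86400,  "c1", "card",   55.0),
    Txn(172800, "c1", "card",   48.0),
    Txn(259200, "c1", "card",   61.0),
    Txn(345600, "c1", "card",   39.0),
    Txn(432000, "c1", "card",   52.0),
    Txn(500000, "c1", "online", 900.0),
    Txn(500120, "c1", "wire",   2500.0),
    Txn(500300, "c1", "atm",    400.0),
    Txn(600000, "c2", "wire",   6000.0),
]


def run(txns):
    m = FraudMonitor()
    for t in txns:
        m.process(t)
    return m


if __name__ == "__main__":
    for alert in run(SAMPLE).alerts:
        print(alert)
```

Run as-is, the static rule alone would have flagged only c2; every one of c1's takeover transactions sits below $5,000 and is caught by the customer's own baseline, and the third one also trips the channel-velocity check, with all three landing in one case rather than three separate product-silo tickets.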
Statistical models provide increased protection, but industry experts suggest that the human capability to detect anomalies is unmatched. This can be particularly helpful in identifying new fraud schemes that no model has yet seen. Internal processes must be established that make fraud prevention everyone's job, leveraging human intuition to identify potential instances of fraud.
In addition, employees can assist with customer contact strategies, particularly if payments are denied or delayed.
While technology can automate and streamline, many firms want the technology vendor to bring them ‘rules.’ Generally, the rules in place at one institution should only be used as a starting point for another. The institution must focus on its specific products, customers and access channels to determine the root causes of its own fraud.
For example, some of the most effective models for detecting card fraud focus on risky vendors and risky locations. However, what good are those rules and patterns if the vendors and locations are out-of-footprint for your institution?
Regulatory requirements such as the Fair and Accurate Credit Transactions Act and the Red Flags Rule are intended to protect customers from identity theft. These regulations are continually evolving, and adherence is not optional. Organizations are also required to file SARs when necessary.
Some firms only worry about fraud once it exceeds a certain level. One industry executive mentioned that at his bank, fraud was only deemed an ‘issue’ when it exceeded 1% of average outstanding balances. Perhaps, in some ways, there is an acceptable or expected level of fraud; admittedly, there is no way to eliminate fraud altogether.
In facing the possibility of fraud within your operations, ask yourself the following key questions:
- Have we quantified the fraud losses by product area, as well as enterprise-wide?
- Do we have product fraud silos or an integrated enterprise fraud focus?
- Are we leveraging our employees to help us identify and prevent fraud?
- Have we analyzed our business processes and policies to identify potential pitfalls, as well as process improvement benefits?
- How would we respond to a significant breach, and what are we doing today to avoid this type of scenario?
As you hear the tick, tick, tick of fraud, it is important to act promptly and invest wisely to protect your bank from fraudsters.
Brian King is president of Wisemar Inc., headquartered in Charlotte, N.C. He can be reached at (704) 503-6008.