The work of so many bank fraud teams is to ensure that they don’t wake up to a crime scene.
In the latest episode of Reinventing Banking, a special podcast brought to you by Bank Director and Microsoft, we discuss the evolution of technology that helps fight cyber fraud and where the industry goes from here.
Seth Ruden is director of global advisory for the Americas for BioCatch, a behavioral biometrics company that helps financial institutions gain actionable insight, including fighting fraud. He talks with Bank Director’s FinXTech Research Analyst Erika Bailey about the promise that machine learning and automation have for bank fraud teams.
He also talks about the increasing sophistication of data analytics in tracking, and finding, potential fraud. Ruden also reveals his strategy for getting resources for bank fraud teams at your bank.
Finally, he chats a bit with Bank Director’s Erika Bailey on their mutual love for classic rock.
Fraudsters always look for the path of least resistance.
Recently, the most vulnerable targets have been government funded pandemic relief programs. According to recent research from several academics, 15% of Paycheck Protection Program loans were fraudulent in the 18 months leading to August 2021, totaling $76 billion. And the U.S. Department of Labor reported $87 billion in unemployment benefit scams during that same period.
As Covid-19 relief programs wind down, fraudsters are redirecting their focus from government-backed programs to bank customers and employees. The latter half of 2021 saw an uptick in traditional types of cybercrime: identity fraud, ransomware, social engineering and money laundering. So, what can a bank do to keep itself safe?
Arm employees and customers with knowledge. Share resources and stories to help employees and customers understand the risk of cybercrime, defend their devices and detect suspicious activity. Employees are the first line of defense; it only takes one breach to compromise an institution. Provide training programs to educate staff about the different types of financial crimes and detection mechanisms. In addition, take steps to heighten customers’ awareness of fraud trends through campaigns and educational programs. For example, it is important that employees and customers know how to verify host files and certificates, determine the difference between valid and scam websites, store confidential information and private data on their devices and set-up their devices on different network servers to minimize damage in case of an attack.
Build financial crime programs.
Investing in fraud, anti-money laundering and cybersecurity tools without a long-term strategic plan is a futile and expensive proposition. It’s common for organizations to have strategic initiatives for digital delivery channels and customer experience, but lack a financial crimes strategy. Many financial institutions do not realize they need one until it is too late: they suffer a large loss that could have been prevented. Banks should first identify, evaluate and classify assets and risks and then build a program as part of the long-term business strategy rather than a disconnected component. This approach helps to recognize an institution’s vulnerabilities and launch the most effective defensive strategy.
Invest in modern defense technologies. Encryptions, patching software, firewalls, multi-factor authentication and real-time monitoring systems are all part of the complex, multifaceted defense that mitigates the risk of an attack. There’s not a single solution that can do it all. For instance, early breach detection mechanisms act as a strong defense, sending alerts and implementing backup and recovery programs in the event of an attack. Artificial intelligence and machine learning technologies can go on the offense, analyzing customer behavior, tracking transactions and reporting on deviations from usual behavior in real-time. Adding workflows to automated alerts allows accountholders to be involved with challenging transactions, reducing the risk for errors down the line. The foundation of any security program is continuous monitoring and evaluation of vulnerabilities, defense technologies and risk plans.
Test your incident response plan.
It is vital to test the resiliency of plans with simulated fraud or cybersecurity attacks. Don’t underestimate the chaos that a breach will cause. Everyone at the bank, from directors and the C-suite to the branch managers, must understand and be comfortable with their role in mitigating loss.
Banks spend plenty of resources building sticky customer relationships, but fraud immediately breaks that bond. A research paper by Carnegie Mellon University found that 37% of customers leave their financial institution after experiencing fraud. When a customer account is compromised, the user needs to completely modify the information on that account, including direct deposits and utility payments. The lack of trust in their financial institution, coupled with the need to rebuild their account from scratch, pushes customers to shop for another institution.
As new technologies emerge and the financial services industry becomes increasingly digitalized, the risk of financial fraud also grows. Fraudsters are constantly evolving their strategies to take advantage of new vulnerabilities. To keep safe, banks need a top-down management approach that focuses on education, long-term defense programs, modern technologies and continuous testing. Customers expect a high level of security and fraud protection from their financial institution; if they don’t get it, they will look elsewhere. In order to grow and retain their customer base, banks need to have an upper hand in the war on bank fraud.
Community banks are under pressure from the latest apps or start-ups that attempt to lure customers away with features that they may lack: cutting edge technology, international capabilities and a digital-first approach.
However, much less attention is focused on where established banks thrive: compliance. It might not be as flashy as the latest app, but being able to offer customers a sense of protection is more valuable than many would believe. Main Street banks have long been integral parts of their communities, serving both local businesses and families through their people-first approach. These institutions are well known for reinvesting back into their communities, making them intertwined with their neighborhood. This approach is unique and solidified the reputation of these institutions as personable — a sentiment that remains today, even as tech giants grow within the financial sector. Established institutions have an edge as their long histories and reputations are deemed by consumers as more trustworthy than fintechs.
Public trust is a valuable asset, especially after high-profile data breaches in recent years and coronavirus scams. Payment scams suffered by banks and companies are typically front-page news and can cause significant damage to the business with costly fines and reputation harm. More than 75% of customers say security is a top consideration when choosing a financial institution. Interestingly, even if the organization is not directly at fault, consumers still consider them culpable. In fact, 63% say a company is always responsible for their data — even if the scam resulted from their direct actions, including falling for an email scheme.
$1 Billion Threat The realization that banking customers hold their banks accountable for all types of fraud and scams may be surprising to some financial leaders. It underscores the importance of banks taking an active role in educating users, as well as protecting their own security behind the scenes.
One of the most common schemes is business email compromise: a cyber crime where a payee sends fraudulent banking information to a business or individual, who unknowingly sends funds to the wrong account. The fraud grew during the coronavirus pandemic as many businesses worked remotely for the first time and relied on email in place of phone calls or in-person interactions. The FBI reported $26 billion in losses in just a three-year period.
Such numbers should concern financial institutions, especially since these funds can be difficult to recover. These incidents are likely underreported, meaning the real figures are likely much larger.
Three Immediate Actions Today’s challenging environment for financial institutions means that little focus is placed on non-revenue generating activities, especially with the emergence of new fintechs and start-ups. However, helping to ensure that customer funds are protected and providing them with preventative advice could become a huge value-add for banks.
Though some banks do make information available on their websites or in-branches, this is often an afterthought. Showcasing your institution as an authority on these matters will emphasize your desire to put customers first — and they will take notice.
Many customers ignore the threat of fraud because they do not see themselves or their business as a potential victim. Taking the time to explain how a scam targets each customer segment will demonstrate your institution’s ability to identify and mitigate risks to each person.
Monitoring fraud is particularly difficult for many institutions because threats are constantly evolving. Working with larger partners can be an asset, as bigger organizations are more likely to invest both funds and personnel in monitoring and combatting scams.
Many misconceptions regarding fraud still exist, and customers may not realize they are at risk before it’s too late. Transforming your institution into their financial protector could be a low-cost — yet valuable — way to stand out.
Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.
As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department–executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.
Common Cybersecurity Gaps Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following fail points:
Inaccurate monitoring or unattended security information and event monitoring functions
Inadequate system patching procedures
Lack of cyberintelligence (external information gathered on known attacks)
Lack of incident response planning
Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees and think daily about how their actions protect or expose the organization, and translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.
The Need for a Tailored Approach Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often are necessary; however, many institutions require more tailored controls and processes. Instead, organizations should adopt enterprise-wide cybersecurity programs commensurate to their particular risks and sensitive assets.
For example, it’s common for a financial service organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.
To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.
Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in the departments with access to sensitive data, are customer-facing, or those who provide information to third parties on behalf of the organization.
Enterprise incident response is another area that calls for a more customized. An organization should identify employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who are monitoring account and system activity should be included in this process, but key stakeholders and employees who are client and third-party facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.
Critical Steps To adopt an enterprise-wide cybersecurity program, financial services organizations should:
Identify and prioritize sensitive assets.
Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
Educate employees specific to their roles and the associated.
Manage cybersecurity at the enterprise level and on employee devices.
Continuously monitor significant areas and environmental changes.
Keep software and systems up to date.
Multiplying the Benefits Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.
Every week there is a new headline regarding the latest data breach or newly discovered vulnerability in widely deployed software. Below, we’ve compiled a list of five threats we think will see increased importance in the upcoming year.
Zero Day Attacks The past year has brought unprecedented levels of mainstream media attention to a number of zero day vulnerabilities including Heartbleed, Shellshock, and Poodle. A zero day vulnerability is a flaw in software, hardware or firmware that is exploited as soon as or before it becomes generally known to the public. These vulnerabilities have taken advantage of long standing but previously undiscovered programming bugs in widely deployed software platforms. Due to the discovery and subsequent exploitation of these vulnerabilities, cyber criminals and nefarious nation state actors have begun to take a much closer look at these previously ignored code bases. The common theme with many of these newly discovered and highly popularized vulnerabilities is that they don’t necessarily target Windows-based systems as many other successful attacks in the past have. Instead, they were discovered on software libraries that are present on a large number of networked devices, which are often overlooked when developing a security model.
Social Engineering We will continue to see more sophisticated attacks on the most vulnerable part of a financial institution’s network, their employees and customers. With multiple layers of protection from IPS devices and firewalls on the perimeter of most networks, attackers rarely attempt to directly attack properly secured networks directly (with the exception of the previously mentioned zero day vulnerabilities). Instead, they focus their efforts on compromising one or more workstations on the bank’s internal network or the customer’s workstations. From here the path to compromising confidential information is simpler and obtaining even standard user credentials can allow an attacker to run further attacks and escalate their privileges to that of an administrator on the network.
Continued proliferation of social media in the banking environment has greatly increased the amount of information an attacker can gather remotely on individuals within the bank. This information can then be used in creating spear phishing attacks targeted at individual employees who appear to be coming from a co-worker within the bank, but in reality, contains a link to a malicious website or include a malicious attachment disguised as something as innocuous as a spreadsheet. These same spear phishing attacks can be directed towards the bank’s customers, often appearing to come from the bank itself. With the increase in advanced phishing techniques, solid employee and customer training in how to spot a potentially fraudulent message as well as steps that can be taken to verify the authenticity of a message will be important tools this year.
Credit/Debit Card Theft Banks and their customers were affected by a multitude of breaches at retailers this past year. Retailers seemed to be compromised on a nearly weekly basis, including Home Depot, Jimmy John’s Gourmet Sandwiches, P.F. Chang’s, Michaels, and many more. In October 2014, Special Agent Jason Truppi of the FBI told USA Today that in the previous 12 months, over 500 million financial records had been stolen, thanks in large part to the breaches listed above.
Cyber Extortion Cryptolocker was a fairly widespread piece of ransomware that made headlines in 2014 and impacted financial institutions and their customers. Instead of covertly infecting a system and attempting to steal confidential information as most malware does, ransomware instead takes the opposite approach, encrypting files and displaying a very visible message on a system demanding payment for decryption. This type of attack has proven to be successful for criminals, with the creator of Cryptolocker receiving over $3 million in ransom payments for encrypted data.
Attacks on Mobile Devices With mobile platforms continuing to become more popular for activities such as mobile banking, it’s no surprise that attackers have started focusing more efforts on developing malware that targets mobile platforms. Mobile users often don’t use the same level of caution when downloading applications and accepting windows that pop up that they would when on a personal computer, leading to an environment that is easy for an attacker to take advantage of. This coupled with the relative lack of antivirus solutions available for mobile devices has led to a 112 percent increase in mobile malware samples detected in the past year by McAfee.
More than most companies, banks rely on the trust and confidence of the public. The 81-year-old deposit insurance program has made Depression-era bank runs, where frightened depositors once lined the street waiting to withdraw their money, a relic of the past. But there’s a new risk that the deposit insurance system can’t protect against—the theft of sensitive customer information by cyber crooks—and banks of all sizes need to have a crisis management plan at the ready in case they get hacked.
Recently, I participated in Bank Director’s 2014 Bank Audit & Risk Committees Conference in Chicago, where there were several presentations on cyber security, and one message came through loud and clear: All banks are at risk, including even small and medium-sized ones. In fact, smaller institutions might be in even greater danger than much larger ones because the bad guys—and I’m talking about hackers in Eastern Europe and Russia—figure that they’re an easier mark.
Any community bank CEO or director who thinks their institution is too small to worry about cyber crime is living in an altered reality.
There were also a couple of presentations on crisis management, which goes together with cyber crime like ham and eggs. Not only is your bank at risk of getting hacked, but you need to have a crisis management plan that can be put into effect quickly in case it does. This is important! If your data systems are broken into and sensitive customer information gets into the wrong hands, your customers will feel differently about the bank unless something is done quickly and done well.
The issue here is public trust and confidence.
It’s important to know in advance what to do—and what not to do when a crisis explodes (and often that’s how crises announce themselves to the world, with a big boom) because you probably won’t have a lot of time to react.
In her presentation on crisis management, Rhonda Barnat, a managing director at the New York-based communications firm The Abernathy MacGregor Group, cautioned against the urge to over-disclose information such as how many customers were impacted by the breach, or how the breached occurred, because this factual information will end up becoming the story. Barnat also said banks should be careful how they use social media during a crisis—for example, they shouldn’t necessarily respond to a negative video on YouTube with a rebuttal video. Instead, the bank’s primary focus should be on taking care of the affected customers. In other words, the best way to rebuild trust and confidence is to fix the problem and make customers whole, not wage a public relations campaign. Do the right thing and word will get around soon enough.
Barnat says there are 10 common mistakes that companies make when managing a crisis, including getting out in front of the story, which often just leads to confusion because facts have a way of changing.
Maureen Morrissey Brown, who is the senior vice president and public relations director at Huntington Bancshares, also gave a presentation on crisis management. Brown said it’s important to have a plan in place so that if a data breach does occur the bank can hit the ground running. This plan should do the following:
Create a crisis management team that can quickly go to work if the bank is hacked and customer information is stolen. This team would normally include the CEO, legal counsel, the bank’s compliance officer, senior public relations officer and an outside public relations firm.
Take some time to identify possible scenarios – a data break is one such scenario obviously, but others might be an acquisition gone bad, an earnings restatement if it’s a public company or old-fashioned fraud by an insider.
Create what Brown refers to as “holding statements,” which are statements that you will release to the public if any of those scenarios occur. These might have to be modified depending on the circumstances, but at least you’ll have something to work with.
Appoint a spokesman to deal with the media and give that person training on how to respond publicly in crisis situations.
Assign roles and responsibilities to team members so that everyone knows who does what.
Brown had this last bit of advice: Design the plan to be comprehensive but allow for unforeseen situations, update the plan frequently, always be on the lookout for developing challenges, and monitor the reactions of competitors, peers, customers and suppliers.
Brown ended her presentation with a recent comment that Warren Buffet made to CNBC about General Motor’s poor handling of the controversy involving faulty ignition switches, which have been blamed in 13 deaths.
“Get it right. Get it fast. Get it out. And get it over.”
Cybercriminals are stepping up their attacks on financial institutions by gaining control of customer devices with sophisticated malicious software installed on a computer or mobile device to secretly read online credentials. The criminals then conduct real-time credential theft and take over accounts. Current technologies are simply not capable of identifying and preventing these attacks and are overloading bank fraud prevention operation teams with unnecessary false positive alerts. In the latest real-time account takeover scheme, cybercriminals use malware to steal user credentials at login, block users from logging into online banking, use the credentials in real time to log into victims’ accounts, and also steal any secondary authentication requests the bank receives from the user to bypass the bank’s security and gain full access to accounts.
The main reason cybercriminals continue to succeed is that they are using highly evasive advanced financial malware for a wide variety of attacks that are very difficult to detect. Cybercriminals are acutely aware of the technologies deployed by most financial institutions and simply design attacks to circumvent these controls. Bypassing them remains relatively straightforward because the controls are isolated rather than integrated with each other.
The Four Keys to Holistic Fraud Prevention
A holistic platform to prevent fraud must be built on four key elements that ensure sustainable prevention of cybercrime in light of the rapidly evolving threat environment.
Comprehensive Coverage A comprehensive fraud prevention platform is required to protect an organization from fraud attempts across all possible access devices and all attack methods.
Real-Time Intelligence An intelligent fraud prevention platform correlates data from multiple sources including malware infection, phishing incidents, and device identification, to conclusively detect and prevent attacks.
Adaptable Controls A fraud prevention platform should adapt to changes in fraud attacks by rapidly deploying countermeasures without overloading your internal resources.
Transparent Protection A transparent fraud prevention platform does not burden customers with complex authentication protocols or long delays in processing while transaction alerts are sorted out.
Financial institutions that adopt such a holistic solution acquire highly accurate fraud detection that entails negligible customer involvement. When it does involve customers, it is only because the bank has conclusively determined there was attempted fraud, malware or phishing. Additionally, the bank’s fraud prevention capabilities should meet the critical regulatory requirements delineated in the Federal Financial Institutions Examination Council Authentication Guidance Supplement.
Fighting the war on cybercrime will not get easier for financial institutions. Cybercriminals use a divide-and-conquer approach by relying on poor communication about fraudulent activity between financial institutions as well as poor communication between fraud prevention systems that exist in silos. Traditional fraud prevention technologies help reduce fraud but are easily defeated by advanced cyber fraud techniques. To date, advanced financial malware has bypassed virtually every authentication method. Malware also has bypassed risk engines that detect anomalies by learning behaviors and transaction patterns to conduct fraud within tolerable statistical limits.
To win the war on cybercrime, institutions must wage their battles on the front lines—at the customer endpoint. This is where malware and phishing initiate the chain of events that eventually leads to fraud. Breaking the first link of the chain keeps fraud from ever entering the system where it can be overlooked by risk engine analytics or bypass authentication methods. Focusing fraud prevention efforts on the customer endpoint affords the highest likelihood of preventing cyber fraud. This protection, however, cannot be accomplished by simple customer education. The attack sophistication requires banks deploy equally advanced protection technologies, including customer endpoint malware detection.
A holistic fraud prevention platform focuses on preventing fraud at the customer endpoint. Just as important, it incorporates the four key elements that ensure maximum effectiveness with minimal disruption, today and into the future. As cybercrime threats evolve, so does the fraud prevention platform, quickly and seamlessly.