Staff Shortages Snarl Fraud Oversight

For some community banks, workforce attrition and hiring pressures could be adding an extra layer of difficulty to their ability to combat fraud. 

Concurrent with the Great Resignation, financial institutions have been fending off fraud of all kinds, from spear phishing attacks to account takeovers to check fraud, sometimes with a digital twist. In response, boards should understand where their organizations might be vulnerable and what kinds of proactive measures they might take. 

“That intersection of increasing fraud attacks with the strain on the workforce — I would say that is the biggest thing that we are seeing our clients struggle with,” says Vikas Agarwal, financial crimes unit leader at PwC. 

Specialized anti-fraud talent is in high demand, and prospective employees can command higher wages than they could before.

Seventy-eight percent of the senior executives and directors who responded to Bank Director’s 2022 Compensation Survey in March and April say that it’s been harder to attract and retain talent in the past year. Forty-one percent indicate that their bank increased risk and compliance staffing in 2021, and 29% expect to fill more of these positions in the year ahead. 

Attrition in the risk and compliance functions can eventually lead to a backlog of alerts to work through, experts say. 

“With turnover, you lose institutional knowledge and some efficiencies with how to run a risk and compliance department. As you have turnover, backlogs may build up,” says Kevin Toomey, a partner with the law firm Arnold & Porter. “Backlogs are a scary concept for banks, but also for the boards of banks. It could mean that not everything is running like a well-oiled machine.”  

Higher turnover could also make an institution more vulnerable to phishing and spear phishing attacks, says Ron Hulshizer, managing director at the accounting firm FORVIS. Both are types of email impersonation attack used to install malware or gain access to information; spear phishing differs in that it targets a specific individual. Noting that his firm has seen an increase in ransomware and extortion attacks against banks, Hulshizer says phishing attempts often give fraudsters a foot in the door.

“It’s typically a phishing email that comes in, somebody falls for something, eventually, [and] the really bad malware gets installed,” he says. “Then it starts doing its thing and destroying files.”  

Scams, account takeovers and synthetic identity fraud are among the more common forms of fraud that community banks are dealing with right now. A LexisNexis Risk Solutions study published earlier this year identified synthetic ID as a big driver of fraud losses and also noted a rise in phishing scams during the pandemic. Scams have gotten particularly sophisticated, says Christina Williams, financial crimes consulting manager at the accounting and consulting technology firm Crowe. In some cases, she says, scammers have spoofed a financial institution’s 800-number to fool customers into giving up information that is then used to gain account access. 

But fraud seldom goes extinct, and some financial institutions have seen a resurgence in various types of check fraud since the pandemic began. Many businesses still rely on paper checks and physical mailboxes, both of which can be compromised, says Williams. Remote deposit capture tools can also be vulnerable to check fraud: in some cases, Williams says, fraudsters have been able to make a phony deposit using the image of a check captured on another device. Often, the scammer will stick to amounts under $1,000 or $5,000 to avoid triggering a review before the money can be withdrawn.

“A lot of the automated systems don’t necessarily pick up on it,” Williams says, emphasizing the importance of having adequate staff to carry out those reviews. “The fraudsters are aware of this; they still are trying to operate under dollar amounts where they believe there won’t be a secondary review.” 
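One way a bank's automated review queue could surface both patterns Williams describes, a check image presented a second time and a string of just-under-threshold deposits that together exceed the review cutoff. This is an added example written for this page, not code from the article or from any firm named in it; the $1,000 cutoff, the seven-day window, the three-item minimum and the sample deposits are all assumed or constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
REVIEW_THRESHOLD = 1000.00  # assumed per-item secondary-review cutoff
WINDOW_DAYS = 7             # assumed look-back for repeated small deposits
MIN_ITEMS = 3               # assumed number of small items before alerting
@dataclass(frozen=True)
class Deposit:
    """One remote-deposit-capture item (constructed schema, not a product's)."""
    account: str        # depositing customer's account
    device_id: str      # device that captured the check image
    routing: str        # routing number, account and check number on the check
    check_account: str
    check_number: str
    amount: float
    day: int            # day offset, keeps the sample self-contained

def flag_deposits(deposits, threshold=REVIEW_THRESHOLD,
                  window_days=WINDOW_DAYS, min_items=MIN_ITEMS):
    """Return [(index, reason)] for items a human reviewer should look at.
    Rule 1: the same check presented twice (an image re-deposited, possibly from
    another device). Rule 2: several sub-threshold deposits into one account
    within the window whose total exceeds the review cutoff."""
    alerts, first_seen, history = [], {}, defaultdict(list)
    for i, d in enumerate(deposits):
        check_id = (d.routing, d.check_account, d.check_number)
        if check_id in first_seen:
            same = deposits[first_seen[check_id]].device_id == d.device_id
            where = "the same device" if same else "a different device"
            alerts.append((i, f"duplicate of deposit {first_seen[check_id]} from {where}"))
        else:
            first_seen[check_id] = i
        recent = [x for x in history[d.account] if d.day - x.day < window_days] + [d]
        history[d.account] = recent
        small = [x for x in recent if x.amount < threshold]
        total = sum(x.amount for x in small)
        if len(small) >= min_items and total >= threshold:
            alerts.append((i, f"{len(small)} sub-threshold deposits total {total:.2f}"))
    return alerts

# Constructed sample: three just-under-$1,000 items into one account, one check
# image re-used from a second device, and one large check the normal review catches.
SAMPLE = [
    Deposit("acct-1", "dev-1", "RTN-A", "123456", "1001", 950.00, 1),
    Deposit("acct-1", "dev-1", "RTN-A", "123456", "1002", 980.00, 2),
    Deposit("acct-1", "dev-1", "RTN-A", "123456", "1003", 975.00, 3),
    Deposit("acct-2", "dev-7", "RTN-B", "777001", "42", 450.00, 4),
    Deposit("acct-2", "dev-9", "RTN-B", "777001", "42", 450.00, 5),
    Deposit("acct-3", "dev-3", "RTN-A", "555555", "7", 2500.00, 5),
]
```

Running `flag_deposits(SAMPLE)` flags the third small deposit into acct-1 and the re-used check in acct-2, while the $2,500 item is left to the existing over-threshold review.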

Debit card fraud has also been a perennial pain point for community banks, Hulshizer says. 

Though the board doesn’t need to get involved in day-to-day fraud oversight, directors should know enough to ask the right questions of senior management. In the first place, that means understanding the organization’s baseline: how many and what type of fraud attempts does it experience in a given period, and how much of that fraud is stopped? 

“Do they understand, month to month, is it trending up or is it trending down?” says Agarwal. “Oftentimes, we find that people don’t have simple metrics that help them gauge if their risk to fraud is increasing as an institution or decreasing.” 

Agarwal adds that it’s worth asking whether the bank can contract a third-party firm in the event of a staffing shortage. 

Boards can ask whether management is looking into any new fraud-mitigating technologies, like biometric features meant to curb password fraud, says Hulshizer. 

And make sure that existing technology is regularly updated. “When technology gets old, over time, it ends up not being supported,” Hulshizer says. “When we do audits, we’ll find old operating systems that Microsoft no longer supports.”  

Not only should directors ask about trends in fraud and risk, but they should also be prepared to question senior management about trends in the bank’s staffing and resources, says Toomey. 

“What directors were asking a year ago may be different than what they’re asking 6 months from now,” says Toomey. “And to effectively exercise their oversight responsibilities, they need to start asking these questions now, to assure that their bank isn’t one of the ones that you read about in the papers.” 

Banks in Cyber-Fraud Crosshairs

In September 2012, the FBI warned financial institutions about malware attacks targeting bank employees to steal login credentials. Although financial malware such as Zeus and SpyEye has been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising bank employee accounts is relatively new. Because banks are generally doing a better job of protecting customers against malware, criminal gangs are looking for another entry point. They are now turning their attention to bank employees, using the same advanced malware, extensive networks of money mules (people who transfer funds stolen from online banking accounts to the criminals) and money laundering methods they use to commit fraud against online banking users.

Advanced Malware Battle
The FBI report specifically mentions two types of malware attacks: keylogging and remote access tools (RATs). While keylogging (which records the keystrokes typed by the victim) has existed for many years, RATs (which are used to remotely access and control an infected computer) are a relatively new addition to financial malware toolkits. They have been added specifically to enable pre-attack reconnaissance and to target non-browser-based applications such as email on employee computers.

Compromising employee devices (PCs and laptops) is relatively straightforward. Cybercriminals use phishing emails to trick users into opening malware-infected documents or clicking embedded links that lead to websites serving malware. They also compromise legitimate websites so that simply visiting a compromised page infects the visitor's device. Once there, popular exploit kits such as Blackhole scan the user's device for a variety of vulnerabilities and then use the matching exploit to silently install malware. Cybercriminals target both undisclosed vulnerabilities and disclosed but unpatched ones to bypass system restrictions that would otherwise prevent these infections.

Most financial institutions implement controls like anti-virus protection on endpoint devices and intrusion prevention systems (IPS) on the network—both of which are evaded by readily available malware kits. Trusteer Intelligence has found that up to 4 percent of employee devices can be infected with dangerous data stealing malware over the course of a year at a typical financial institution. Most financial institution security professionals understand that anti-virus solutions are ineffective against advanced data-stealing malware that is specifically designed to evade such protections. Evidence of this is readily apparent on bank customers’ computers, which are continuously infected with malware, despite running up-to-date anti-virus software.

Unfortunately, even anti-malware solutions such as sandboxing, which places suspicious files in a safe, isolated container on the computer, and virtual machine analysis, which inspects suspicious files on a separate, isolated computer, are not very effective. Worse, these solutions require considerable information technology (IT) management oversight to analyze suspicious files and to respond to employees who are prevented from running legitimate but blocked applications on their computers. Additionally, network-based security approaches such as intrusion prevention systems only function when the endpoint device is connected to the corporate network. Many employees use corporate devices to connect to the Internet when they are outside the office (e.g., at home or traveling). In fact, a large Trusteer customer recently revealed to us that their corporate-issued employee laptops are ten times more infected with malware than their employees’ desktops.

To Protect the Enterprise, Secure the Endpoints
Knowing that cybercriminals are targeting employee devices, financial institutions must detect and remove the malware before it can do harm. Malware can cause damage only when it is executing on the endpoint machine, such as a laptop or mobile phone. Once malware executes, it exposes itself for what it is. Although we can’t fully prevent malware from infecting a device, we can certainly determine when malware is running—if we know what to look for. This means conducting real-time, persistent device monitoring to find active malware threats and specifically those that seek to compromise a bank’s critical internal information technology systems.

Bank boards should ensure that their IT security and fraud prevention teams are aware of the fact that criminals are attacking bank employee computers to commit fraud. These groups should be able to articulate the defense mechanisms that are in place to prevent malware from infecting employee computers (both desktop and laptop). They should also have protection measures deployed that can prevent infected computers from being used to compromise other systems on the corporate network. Boards should expect the bank to be protected by several layers of security that use multiple technologies, periodic threat assessments, and a detailed mitigation plan in case fraud does occur.