Banks can leverage their relationships with clients and empower to better control fraud.
Many financial institutions find themselves in difficult positions as a growing number of their customers are targeted for business takeover attacks. Hackers gain access to company funds through a variety of manipulations, often tricking an internal employee to send a wire transfer. Some corporates have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Banks are often stuck in the middle. Regardless of its lack of involvement in a fraudulent transaction, the bank will likely receive the first call when money goes missing.
Organizations are increasingly concerned about these business takeover threats, according to RSM’s recent Middle Market Business Index Cybersecurity Special Report. The survey found that 64% of middle market executives believe their businesses are at risk of attempted employees manipulation in the coming year, up 9% from the previous year. They are right to be worried: These attacks are growing in popularity with criminals because of their low-tech and low-risk nature, combined with the potential of significant rewards.
Business takeover cases are simple on the surface, but can have complex details. In one recent example, a portfolio company from a private equity company sent an email to the PE firm’s chief financial officer seeking additional funds. A hacker who took control of the portfolio company’s email sent a follow-up email with the hacker’s bank account information to receive the fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank. The company and the hacker used the same bank, which froze the funds. But the hacker successfully convinced the institution to release the funds and wired them out of the country.
While banks are not required to encourage customers to adopt stronger protections against takeover threats or modify their own internal processes to identify fraud, some small adjustments can make a big difference to help deter criminals.
Many banks still do not coach customers on how they can discourage takeover threats, or help them understand the tools at their disposal. For example, many banks offer two-factor authentication for wire transfers that customers choose to disable it, creating unnecessary vulnerabilities. When customers elect to turn off security controls, banks can intervene and help them understand how why those controls exist. Coaching can help clients avoid painful experiences.
In addition, banks should offer security information and training to their clients on a regular basis to help understand threats and the role the bank plays. Institutions need more visibility into emerging risks and the behavior and activity that clients need to avoid. They can use these touchpoints to check on their customers’ status, improve business relationships and discuss any additional necessary services.
Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms feature extensive functionality, but banks often do not use all of the built-in capabilities and sometimes miss questionable transactions in real time. In many cases, they can establish controls to flag suspicious activity.
For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company that usually sends wire transfers under $20,000 suddenly sends one for $60,000. While large banks may not be able to pick up the phone to validate that transaction, community banks have an opportunity to reach out personally and provide more value than their larger counterparts.
Obviously, detecting a fraudulent wire transfer from within the bank is not always this straightforward. But the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal activity.
Banks may be able to better control fraud in three ways: confirming transfers with clients, being more conservative with internal fraud detection processes and paying attention for any outlier transactions.
Most banks and many customers have taken steps to improve their internal cybersecurity following high-profile attacks and increased regulatory scrutiny. However, plans to reduce business takeover risks both inside the bank and when guiding customer activities must be adaptable to new threats. Criminals’ methods will constantly evolve to circumvent today’s detective controls and protective measures.
Educating clients about how to avoid and address risks while adjusting internal bank processes can improve operations for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce the strain on internal employees tasked to track down lost funds and help you avoid having to guide your customers through the fallout of a criminal hacking.