5 Recent Takeaways on Fraud

It will come as no surprise to anyone working in the banking industry that fraudsters are getting smarter, moving faster and acting bolder every day.

But to understand just how much fraud has escalated over the past 12 months, Alloy polled more than 250 compliance, fraud and risk decision-makers at U.S. financial institutions ranging from start-up fintech companies to enterprise banks to uncover how much fraud they are actually seeing, the impact fraud has on organizations and how banks and fintech companies are fighting back against fraudsters. Here are the five biggest takeaways from Alloy’s inaugural “State of Fraud Benchmark Report:”

1. 91% of respondents said fraud increased year-over-year since 2021.
Over the past few years, the industry saw an enormous increase in pandemic relief programs experiencing fraud, which unfortunately demonstrated how easy it can be for fraudsters to exploit these programs. There continues to be an ongoing threat of fraud by organized groups that are well-funded with a clear agenda to defraud both people and organizations. In 2022, the industry saw data breaches, an increase in stolen mail with checks and sophisticated approaches to victimize clients through email, phone and text. Based on what financial institutions experienced in 2022, the attack rates are not showing any signs of slowing down.

2. First-party fraud is perceived as the most prevalent type of attack.
Certainly, this phenomenon could be influenced by the current state of the economy, but it can also reflect how organizations are classifying their fraud cases. If a fraudster opens a new account with a stolen identity and then commits fraud, the financial institution may not be aware this is a stolen identity and classify the case as first-party when it is actually second- or third-party fraud.

3. 99% of respondents made changes to their policies and controls for fraud prevention in light of the evolving fraud landscape.
Financial institutions recognized that policies that may have worked historically might not be sufficient to respond appropriately to the current fraud landscape. In order to continue mitigating and closing the gap on fraud, executives at banks and other organizations will need to evolve their policies and controls with the ecosystem and require a cadence of ongoing review.

4. 71% of respondents have increased their spending on fraud prevention year-over-year.
This response is a direct reflection of the increase in fraud year-over-year. Financial institution executives recognize the need to continue investing in fraud prevention. Investments should include layering multiple levels of defense while also keeping abreast of where the fraud is shifting, so financial institutions can make the appropriate adjustments.

5. 59% of companies are looking into, or are already using, an identity decisioning platform (IDP).
Not only are companies revisiting their policies and controls related to identity decisioning, they are also increasingly investing in a dedicated platform for it. An IDP can provide a holistic view into an identity for both fraud and know your customer compliance while ensuring the financial institution meets compliance requirements. Implementing an IDP also provides an opportunity for banks to reevaluate their current solutions and workflow in production to determine if it is still a best-in-class solution for them. Firms can then establish a plan that increases their efficiency through automated decisions and leveraging a multi-pronged approach for multiple layers of defense.

Fraud rates continue to remain elevated in the financial services space; in response, organizations are appropriately investing in technology and tools to help them move at the pace of fraud so that they can prevent fraud as they grow without taking on additional risk.

Detect and Prevent Check Fraud in Real Time

Financial institutions are engaged in a never-ending battle to stay a step ahead of fraudsters that are clever and nimble enough to continuously exploit their organization or system weaknesses.

Many banks focus on combating digital fraud given the rapid digital developments in the financial services industry. However, fraudsters continue to leverage digital and physical channels to commit check fraud. In fact, checks serve as the payment method most impacted by fraud activity; 66% of payments professionals reported check fraud activity in 2020, according to the 2021 Association for Financial Professionals Payments Fraud and Control Survey.

Banks encounter check fraud in many ways, including counterfeits, forgeries, alterations, serial numbers, stop payments and check kiting. Technological advances have made it easier for fraudsters to create realistic counterfeit and fictitious checks, as well as false identification that can be used to defraud financial institutions nationwide.

Digital banking provides customers with many conveniences but also leaves banks vulnerable to risk. Perpetrators are no longer required to show their faces at physical branches or ATMs to deposit fake checks. However, 49% of fraud occurs in over-the-counter transactions, according to a recent ABA Deposit Account Fraud Survey Report.

Fortunately for financial institutions, there are three key tools they can use to combat check fraud.

The first is leveraging transaction analysis, which is the process of examining bank transactions to look for unusual and suspicious activity or other issues. This key component scrutinizes debits and credits contained in deposits and withdrawals to identify suspicious items, such as duplicate check numbers and out-of-range check numbers and amounts. It also applies tests at the account and entity level, measuring things such as account velocity, account volume and deposits or withdrawals of unusual amounts.
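
The item-level and account-level tests described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the `Check` record, the thresholds (`serial_gap`, `amount_factor`, `max_per_day`) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Check:
    account: str   # issuing account (constructed identifiers below)
    number: int    # check serial number
    amount: float

def analyze(history, presented, serial_gap=200, amount_factor=5.0, max_per_day=5):
    """Compare one day's presented checks with each account's paid-check history.

    Returns a list of (check, reasons) for every item that trips a test.
    """
    paid = defaultdict(list)
    for c in history:
        paid[c.account].append(c)
    per_account = defaultdict(int)          # account velocity within the batch
    for c in presented:
        per_account[c.account] += 1

    seen, flagged = set(), []
    for c in presented:
        reasons = []
        past = paid.get(c.account, [])
        numbers = {p.number for p in past}
        key = (c.account, c.number)
        # Duplicate: already paid, or presented twice in the same batch.
        if c.number in numbers or key in seen:
            reasons.append("duplicate check number")
        seen.add(key)
        if past:  # range tests need a reference history; skipped for new accounts
            if not (min(numbers) - serial_gap <= c.number <= max(numbers) + serial_gap):
                reasons.append("check number out of range")
            if c.amount > amount_factor * median(p.amount for p in past):
                reasons.append("amount out of range")
        if per_account[c.account] > max_per_day:
            reasons.append("account velocity")
        if reasons:
            flagged.append((c, reasons))
    return flagged

# Constructed sample data: five paid checks, then four presented items.
HISTORY = [Check("ACCT-1", n, a) for n, a in
           [(1001, 120.0), (1002, 85.5), (1003, 240.0), (1004, 99.0), (1005, 150.0)]]
PRESENTED = [
    Check("ACCT-1", 1006, 130.0),    # next serial, typical amount
    Check("ACCT-1", 1003, 240.0),    # serial already paid
    Check("ACCT-1", 9120, 110.0),    # serial far outside the issued range
    Check("ACCT-1", 1007, 4800.0),   # amount far above the account's median
]

if __name__ == "__main__":
    for check, reasons in analyze(HISTORY, PRESENTED):
        print(check.number, check.amount, reasons)
```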

The second tool is check stock validation, which analyzes presented check images against historical reference check images to authenticate the check stock. This can help institutions identify counterfeit in-clearing and over-the-counter checks more quickly, effectively, accurately and reliably than visual inspections. Check stock verification leverages technology to spot aberrations that the human eye cannot detect. It also reduces the number of manual verifications and decreases false positives through digital check image analysis. This improves the check fraud detection process and alleviates the burden on in-house anti-fraud teams.

A third tool is signature verification, which uses machine learning algorithms and sophisticated decision trees to provide a detailed analysis of check signatures. This results in efficient evaluation of suspect in-clearing and over-the-counter checks and increased confidence levels for acceptance and return decisions.

Banks can improve on their ability to detect fraud by combining software innovations such as decision tree/multiple variable analysis, image analysis and machine learning predictive analytics. Data topology, which is a way to classify and manage real-world data scenarios, will increase over time, which allows banks to include contextual information and negative historical analytics. In turn, these outcomes detect transactional fraud and suspicious activity, reducing false negatives and enabling a financial institution to make better and faster fraud-related decisions.

Automation software performs fraud risk scoring on deposits and withdrawals, using specific detection algorithms for each type of check such as on-us, transit, treasury checks and local government checks. The software applies transaction and image analysis on each item in the deposit, along with a configurable scorecard that calculates the risk for the parties involved in the transaction. Today, software can analyze more than 60 parameters covering the conductor, beneficiary, issuing account, and items to produce a single fraud score. This calculated fraud score provides the bank with an appropriate interdiction message — including a hold recommendation that gives the bank the option to accept the deposit, covering the fraud and other collectability risks by holding the funds.

Fraudsters become more innovative every year, targeting vulnerable victims to execute their plans and schemes. Even though check use is increasingly uncommon, fraudsters still utilize checks as a convenient medium to exploit banks and their customers. But banks can mitigate risk and reduce fraud loss efficiently. Used together, tools like transaction analysis, check stock validation and signature verification enable banks to prevent check fraud. Providing a safer banking experience protects the financial institution from fraudulent risks, strengthens the customer experience and earns trust.

Ways to Fight Back Against BIN Attacks, Card Fraud

Credit card fraud has steadily increased over the past five years, according to the Federal Trade Commission. Reports of credit card fraud peaked at more than 118,000 reports in the second quarter of 2022. As e-commerce continues to gain traction with consumers and retailers alike, there is a growing number of fraudsters that target customers’ credit cards using their bank identification number (BIN).

BIN attacks occur when fraudsters run the first six digits of a credit card, which are specific to each card-issuing bank, through sophisticated software to methodically produce the remaining numbers, CCVs and expiration dates. They then test to determine which cards are active. These days, fraudsters are capable of developing programs that assess hundreds of card numbers a minute, making detection harder for both fraud systems and consumers.

BIN attacks are a major headache for banks that get stuck with both the financial and operating costs resulting from fraudulent charges. But it may take some time for compromised cards to get monetized, giving banks some leeway to avert more damage.

Compromised cards harvested from BIN attacks can cause significant fraud losses for banks, in the form of accumulating chargebacks, call centers and re-issuance expenses. Adding fuel to the fire, the ensuing cardholder disruption and friction can further damage a bank’s reputation and lead to losses in debit interchange revenues.

Banks are still at risk in the wake of a BIN attack, and should continue monitoring for suspicious activity by reviewing electronic transaction trails for important data like time stamps, geolocation and IP addresses. However, these corrective and protective measures can require costly resources that many banks cannot afford. When an institution comes under attack from fraudsters, manual and purely consultative solutions are a start, but more is needed.

Bolstering Against BIN Attacks
Luckily, there are efficient ways that banks can fight back against the fraudsters. Here are several tips on proactive monitoring strategies to stop or limit damage from BIN attacks and other card fraud.

  1. Randomize card account numbers and expiration dates.
  2. Set up card transaction limits and velocity rules.
  3. Think about placing risk controls and transaction limits in foreign countries. BIN attacks from tested transactions often originate outside the U.S. Banks should pay close attention to countries that appear in FinCEN advisories.
  4. Implement decision rules to bar transactions from fraudulent merchants to hinder card testing. Analyzing transaction data for suspicious patterns can reveal card testing. If a legitimate merchant reaches a transaction threshold, the bank can include a rule to monitor transaction velocity per hour and restrict transactions when further investigation is necessary.
  5. Automate the monitoring of BINs and transactions with a system to mitigate and act against fraudulent credit card activity. This system should automatically identify whether your bank is a victim of a BIN attack, including repeated low-value transactions, high decline rates and a high volume of CCV errors.
  6. Take advantage of automated network surveillance to pinpoint both legitimate and fraudulent merchants involved in BIN attacks. This gives banks an opportunity to obstruct additional BIN attacks if other fraudulent merchants are caught during this process.
  7. Work with your vendor to deploy fraudster-level tools and strategies to detect and prevent BIN attacks. Vendors can offer a wide variety of solutions, including fraud score, compromise card detection, merchant type, merchant category code (MCC), geography, zip codes and device ID, among others.
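
The automated monitoring in tips 4 and 5 (hourly velocity per merchant, repeated low-value transactions, high decline rates and a high volume of CCV errors) can be sketched as follows. This is an added example, not code from the article or any vendor system; the `Auth` record, the decline reason codes, the thresholds, the BIN `400000` and the merchant names are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Auth:
    ts: datetime
    card_token: str   # tokenized card number, never the card number itself
    bin6: str         # first six digits, identifies the issuing bank
    merchant: str
    amount: float
    approved: bool
    reason: str = ""  # hypothetical decline codes, e.g. "ccv_mismatch"

def detect_bin_attack(auths, min_attempts=20, decline_rate=0.6,
                      low_value=2.00, low_share=0.7, ccv_errors=10):
    """Score each (BIN, merchant, hour) bucket; alert when two or more signals fire."""
    buckets = defaultdict(list)
    for a in auths:
        hour = a.ts.replace(minute=0, second=0, microsecond=0)
        buckets[(a.bin6, a.merchant, hour)].append(a)

    alerts = []
    for (bin6, merchant, hour), items in sorted(buckets.items()):
        n = len(items)
        if n < min_attempts:      # too few attempts to judge rates reliably
            continue
        declined = sum(not a.approved for a in items) / n
        low = sum(a.amount <= low_value for a in items) / n
        ccv = sum(a.reason == "ccv_mismatch" for a in items)
        signals = []
        if declined >= decline_rate:
            signals.append("high decline rate")
        if low >= low_share:
            signals.append("repeated low-value transactions")
        if ccv >= ccv_errors:
            signals.append("high volume of CCV errors")
        if len(signals) >= 2:
            alerts.append({
                "bin": bin6, "merchant": merchant, "hour": hour,
                "attempts": n, "decline_rate": round(declined, 2),
                "distinct_cards": len({a.card_token for a in items}),
                "signals": signals,
            })
    return alerts

def sample_auths():
    """Constructed authorization log: one card-testing burst plus normal traffic."""
    t0 = datetime(2023, 1, 10, 14, 0)
    rows = []
    for i in range(40):   # burst: 40 different cards, $1.00 each, 30 s apart
        ok = i % 10 == 0
        reason = "" if ok else ("ccv_mismatch" if i % 2 else "invalid_card")
        rows.append(Auth(t0 + timedelta(seconds=30 * i), f"tok-{i:03d}",
                         "400000", "M-UNKNOWN", 1.00, ok, reason))
    for i in range(25):   # ordinary merchant: varied amounts, one decline
        rows.append(Auth(t0 + timedelta(minutes=2 * i), f"cust-{i:03d}",
                         "400000", "M-GROCER", 20 + 2.5 * i, i != 7,
                         "" if i != 7 else "insufficient_funds"))
    for i in range(5):    # five declines only: below min_attempts, no alert
        rows.append(Auth(t0 + timedelta(minutes=i), f"x-{i}", "400000",
                         "M-SMALL", 1.00, False, "ccv_mismatch"))
    return rows

if __name__ == "__main__":
    for alert in detect_bin_attack(sample_auths()):
        print(alert)
```

An alert from this check is the point at which the velocity rule in tip 4 would restrict the merchant pending investigation.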

Preventative measures that can immediately interrupt BIN attacks, paired with automated monitoring and surveillance, give banks a way to stay ahead of suspicious activity and effectively identify compromised cards. Mitigation may not stop BIN attacks completely, but it can reduce the resulting financial and operating costs while reinforcing the bank’s fraud department resiliency against BIN attacks.

10 Fraud Prevention Tips to Help Protect Your Institution

According to a recent study, organizations lose 5% of revenue to fraud each year — a staggering statistic. In an effort to help institutions decrease this percentage, here are 10 fraud prevention tips.

1. Confidential Hotline
This is the single most cost-effective anti-fraud action an institution can take. Tips via hotlines are the No. 1 way that frauds are detected, according to the ACFE 2020 Report to the Nations; most tips come from employees. We encourage banks to set up a confidential hotline operated by a third party and advertise it internally to all of their employees.

2. Fraud Awareness Training
Awareness training for employees can result in shorter duration for prospective fraudulent activities and lower losses. Institution-wide awareness is critical: Turn your employees and managers into fraud detectors and take advantage of all those eyes and ears.

3. Vendor Controls
Vendor fraud is very common because of the large number of payments going out to different companies and entities. Every company has vendors/suppliers, so it’s an easy place to perpetrate fraud. Some items to consider:

    • New vendor selection:
      1. Who can select?
      2. How are they selected?
    • Due diligence on new vendors:
      1. Is the vendor real?
      2. Is their pricing reasonable?
      3. Is the vendor related to an employee?
    • Periodically reassess vendor relationships.
    • Reduce or eliminate conflicts of interest.

4. Implement Good HR Practices
Conducting checks on candidates before they walk in the door can go a long way in preventing fraud. Additionally, having exit interviews can be a very useful tool in finding out about fraud, waste and abuse in your institution. Without the interview, exiting employees may not bother to tell you what they know.

5. Implement Mandatory Vacations
You know those employees who never take a vacation day, and if they do, they check in the whole time? It may not be because they are super dedicated. Many problems are identified during perpetrator vacations, because someone must fill in for them and perform their duties. Implementing mandatory vacations or job rotations can help identify fraudulent activities.

6. Credit Card, Expense Reimbursement Policies
Purchase and credit cards are a very common and convenient tool for committing fraud. Closely monitoring with strong controls in place is essential to reducing the risk of this type of fraud. Start with a clearly defined policy on what is and is not acceptable. Card use for “business purposes” is not good enough.

    • What types of expenses do you really want to be paying?
    • What types of expenses are not acceptable?
    • What documentation is required?

7. Fraud Risk Assessment
Similar to going to the doctor for a checkup, banks should conduct a fraud risk assessment annually or biannually. The bank changes, and with those changes come different risks. A periodic fraud risk assessment can help adapt to those changes, allow executives to understand their institution’s fraud risks and focus their efforts. This assessment should be performed by someone who looks at fraud issues on a regular basis.

8. Segregation of Duties
This can be difficult for small or growing institutions that have controls that have not kept pace with their growth. Segregating duties is not a new concept, but it’s just as critical today as any time in the past.

A few places to focus on:

      • A/P access to signed checks.
      • A/P clerks who can set up vendors.
      • Payroll clerks who can set up new employees.

9. Code of Conduct
These can seem like “soft” controls, but it is critical that an institution has these in place so employees cannot claim “ignorance” that what they were doing was wrong. Policies to consider implementing include:

    • Anti-fraud policy.
    • Conflict of interest policy.
    • Policy related to gifts and gratuities.

10. Create the Right Culture
Culture is a critical component to fraud prevention. If leadership demands and displays integrity and transparency, it typically permeates through an institution.

    • Tone is set at the top: Management must “walk the walk.”
    • Create a positive workplace environment.
    • Establish a culture of honesty and high ethics.
    • Put an emphasis on doing the right thing.

Decades of experience have taught us that even if a bank implements all the tips above, it could still become a fraud victim. Fraudsters are infinitely creative with their schemes; detecting or preventing those schemes is a never-ending task. But when taken together, these top 10 tips can still go a long way in helping your institution mitigate its fraud risk.

This article is for general information purposes only and is not to be considered as legal advice. This information was written by qualified, experienced BKD professionals, but applying this information to your particular situation requires careful consideration of your specific facts and circumstances. Consult your BKD advisor or legal counsel before acting on any matter covered in this update.

Is Amazon Go Safe from Mobile Fraud?


With the introduction of Amazon’s new brick and mortar grocery store, Amazon Go, standing in line to pay at the cashier is a thing of the past. At Amazon Go stores, the customer’s mobile phone detects what items they have placed in their basket, and simply bills their account when they exit the store using a sensor. This is a massive shift in the way commerce is experienced. Despite the novelty in innovation, with the prevalence of identity theft, mobile fraud and credit card phishing, Amazon Go needs to provide consumers the assurance that this new, innovative payment experience is safe and secure.

Here’s how the new Amazon Go stores could impact the security of credit cards in existing Amazon accounts, as well as the potential impact of “invisible payments” on the banking industry, and what Amazon Go will likely do to enhance fraud prevention and mobile payment security.

Securing Existing Amazon Accounts
If you look at the total number of existing Amazon users, the platform has roughly 1 billion total credit cards on file. That’s a potentially huge security concern for Amazon Go, since fraudsters will likely try to phish those accounts. Those seeking to commit fraud in an Amazon Go store are more likely to sign up for a new Amazon account with a stolen credit card, since it is easier than penetrating Amazon’s existing security network. Rodger Desai, CEO of Payfone, illustrates this point:

“Whenever you buy something online, merchants and their processors look at where you’re sending the goods. When fraudsters change the “Ship To” from the address your bank has on file, it’s a clear signal that something may be amiss and requires further vetting. With Amazon Go, those traditional warning signals go out the window. So I can just login as “you,” walk out with stuff, and bill it to you. I think it further exacerbates a very weak identity authentication system. This is true for omni-commerce in general. Buying online and picking up in-store has the same new vulnerabilities.”

Amazon Go will need to utilize various methods to prevent mobile fraud. Technologies are being developed that analyze how people walk and hold their phone as they move in and out of the payment gate. After establishing a baseline for each customer, the software can then spot potential abnormalities as people exit the store and flag them as potential fraud.

The Future of Invisible Payments
Amazon Go is attempting to set a standard for invisible payments that could then be applied to different industries and scenarios. What banks need to recognize is that there’s an underserved demographic of people for whom every second of the day is precious: a parent who would rather spend time with their children than wait in a grocery line, or a student who could squeeze in a visit to the gym if they didn’t spend so much time shopping. While the internet saves consumers money by giving them access to price comparisons, invisible payments (like the Amazon Go model) via mobile save people time.

It’s worth noting that invisible payment adoption probably won’t be equally distributed across the board; the older generation might not see that much use for it and prefer the perceived security of paying at the cashier. It is the younger demographic, and on-the-go professionals, who will be the most impacted by invisible payment technology moving forward. The key, Desai emphasizes, is establishing trust with the consumer and being “very conscious of how you’re supporting them” despite the risk that can accompany this payment experience.

Fraud Prevention & Mobile Security
A major security issue will be the provisioning of new accounts, where people might purchase a stolen credit card number on a black market website, then set up a new Amazon Go account on a burner phone to make purchases.

It remains to be seen how Amazon Go will cope specifically with this challenge, but there is an opportunity for banks and fintech companies to play a role in both identity fraud and mobile intelligence. Purchases made on phone numbers and/or devices that have only existed for a couple of days might trigger a fraud alert, for instance. It will be this familiarity with consumer purchase tendencies, and established track records with phone numbers and devices, that Amazon Go will likely use to detect fraud. At the end of the day, verifying mobile identity will be the critical authentication factor for Amazon Go.