By Julie KnudsonThey say the one constant is change, and the fraud landscape proves it to be true nearly every day. The cat-and-mouse game between criminals and banks is one of continuous evolution. Security teams deploy new technologies to prevent fraud, and soon after the fraudsters find new ways to carry out their schemes. Fraud continues to become more digitally oriented—and more targeted.
Business e-mail compromise a right-now problem
Traditional fraud still happens, but the immediate nature of our cyber-everything world is upping the stakes. Business e-mail compromise, through which a fraudster poses as an executive or even a customer in an attempt to get a bank employee to inadvertently release money or something else of value, is one scheme that relies heavily on today’s instant communications. “Click on this link right away, I need this,” says Sepideh Behram, CAFP, principal VP and Bank Secrecy Act and sanctions officer at Burke and Herbert Bank in Alexandria, Va., describing one of the most common BEC approaches. “It’s that sense of urgency that gets built up in communications.”
Complicating matters is that criminals are becoming more adept at conducting due diligence on bank executives and employees. Senior leaders are often quick to announce important business trips—potentially involving multiple high-ranking team members or travel outside the country—on social media. “Someone is mining that data somewhere,” Behram warns. Something as seemingly innocuous as posting photos from a conference can give criminals enough information to quickly research the bank’s operations, fill in a few blanks, and compose a BEC attack that leverages professional connections or business-related events.
Phishers get savvier
Akin to BEC scams, phishing scams continue to be popular—tried, true and still successful. “Their end target hasn’t changed much,” says Ian Breeze, director of strategy development at Cyxtera Technologies, which ABA endorses for anti-phishing and digital threat protection. “They’re still going after money or some other kind of reward.” But these schemes are no longer run by the “Nigerian prince” you might have heard from in the 1990s. Today’s phishers have better grammar, enviable attention to detail and a sophisticated network of phony websites to make them harder to catch.
With more consumers navigating the Internet on a mobile device, Breeze says, “the phishers are using this and changing their attacks.” Because their pursuers—security teams from banks and law enforcement agencies—typically use laptops or desktop computers to hunt them down, phishers can easily distinguish between prey and predator. “They’ll set up the phishing website to only register on mobile phones so it’s harder to find,” Breeze explains. Or the site may only show up the first time a potential victim visits, or appear only to visitors whose geolocation data matches the scammer’s preference. “As a phisher I can play with how to best market my websites to get a higher proportion of victims,” Breeze says. Just as banks use online marketing tools to connect with customers, fraudsters now use them to find victims.
Fraudsters target vulnerable populations
Technology can also be an effective tool in the hands of a fraudster intent on victimizing society’s more vulnerable demographics. “We have an aging population and people are living much longer, so elder abuse is on the rise,” says Tanweer Ansari, CRCM, who is SVP, chief compliance officer and BSA/Community Reinvestment Act officer at First National Bank of Long Island in Glen Head, N.Y. Between strangers looking to make a quick buck and caregivers—whether they’re family members or paid providers—a wide variety of attackers are preying on the elderly. “That population is very vulnerable, so we need to look out for that,” Ansari says.
Human trafficking is another fraud area Ansari says is on the rise. Though typically thought of as a decidedly non-U.S. problem, human traffickers are everywhere and they’re running rampant under the radar. “It’s the exploitation of individuals for monetary gain,” Ansari says, adding it could be anything from escort services to child labor to forced enslavement. “That whole area is on the rise and I think there’s a lot of fraud that’s tied with it.”
Card compromise: Skipping the chip
When it comes to fraud, “you plug one hole and it pops up somewhere else,” says Canh Tran, co-founder and CEO of Rippleshot, which ABA endorses for its automated card compromise detection platform. So goes the story of card compromise, where the shift to EMV strengthened the security picture at the point of sale but made card-not-present transactions a nearly irresistible fallback for crooks. The result? “Online fraud has gone up,” Tran says. Additionally, staggered compliance dates in the EMV liability shift schedule gave fraudsters some less secure avenues to exploit and extra time to find the weakest links.
The implementation of EMV technology made point-of-sale terminals problematic for skimmers and other card compromise schemes, so most of them went somewhere else. “A lot of merchants were pressured to go to chip readers, but gas stations had a reprieve from the networks until 2020,” Tran explains. The issue quickly became so concentrated that banks and media outlets now routinely remind customers to be mindful about where they gas up and to pick a pump that’s in the clerk’s line of site. Though card compromise isn’t a new problem, fraudsters are getting better at aggregating all the consumer information they steal, and Tran says banks need to have more holistic systems to stop them. “Right now they’re segregated, but they need to find a fraud solution platform that’s somewhat integrated and works across AML, card compromise, and other fraud areas in a way that makes it more efficient.”
Synthetic identities are more than the sum of their parts
The rise of synthetic identities is another risk that’s rising. “There have been data breaches where they’re taking massive amounts of personally identifiable information from banks, and criminals are able to piece together pieces of information from different parties,” explains Ryan Rasske, CERP, CAFP, ABA’s SVP responsible for serving bankers in risk and compliance areas. One victim’s name and social security number may be paired with someone else’s address and another person’s phone number, for example. “All of it is real data and all of it will potentially check out when scanned against systems, but the real person won’t really know it’s happening because they’re only a third of the identity that’s created,” Rasske says.
What’s particularly worrisome about this new method of compromising the systems used to validate identities at account opening is that it’s working. Technology, though potentially able to spot these jumbles of authentic data, may actually be making fraudsters’ jobs easier when it comes to using synthetic identities to set up new accounts or conduct account takeovers. “Financial institutions are finding better, faster ways of doing things but sometimes the operational piece lags behind,” Rasske says.
Simply put, customers prioritize convenience. Any friction could push them to look elsewhere for products and services. Rasske says that payments and other transactions “happen so fast today that by the time you realize there are operational deficiencies, who knows how many transactions were processed.” If other banks have the same operational weaknesses—and the same internal silos that hamper information sharing across departments—the lack of effective controls against synthetic identities will continue to be magnified across the industry.
JULIE KNUDSON is a frequent ABA Banking Journal contributor.