ABA Banking Journal
By Monica C. Meinert
For payments fraud professionals, fighting fraud can seem like a marathon with a finish line that keeps moving further and further away. Traditional methods of fraud—like phishing, business email compromise, wire scams and check fraud—are still in play and growing more targeted and sophisticated. But technology is also giving rise to all-new types of fraud the industry hasn’t seen before.
Data loss fuels the fraud cycle
The overarching themes shaping today’s fraud landscape are “digital, automated and scalable,” according to Mary Ann Miller, senior director at NICE Actimize, a company that provides fraud prevention, anti-money laundering and risk management solutions to the financial industry.
Driving these increasingly complex attacks is the lucrative prospect of credential collection. Today, consumer credentials have become valuable commodities that can be sold for profit on the dark web, Miller explains. The desire for credential collection is evident in the recent uptick in scalable attacks targeting login pages, advanced botnet attacks and “peeking events,” where fraudsters “peek” at consumer accounts, check balances and then sell high-value consumer data.
Another up-and-coming fraud tactic involves the creation of “synthetic IDs” where fraudsters splice together stolen information from multiple consumers to create new customers that don’t actually exist. Using these newly fashioned identities, fraudsters can open new bank accounts or lines of credit and obtain driver’s licenses or passports.
There’s also phone porting, where fraudsters hijack a consumers’ mobile phone number by contacting the telephone company and porting the number over to a new device. With just a few pieces of personal information (like a Social Security number, date of birth or address), fraudsters can take control of the consumer’s phone and game multifactor authentication systems, gaining access to bank accounts, cloud accounts and other secured accounts.
It’s not just individual actors
Fraud today is not just being conducted by shady criminals operating from a dark corner of the internet. Over the past few years, nation-states have emerged as a critical cyber threat, engaging in state-sponsored hacking targeting the U.S. economy and critical infrastructure sectors.
“The velocity of risk is increasing. We’re facing increasing levels of systemic risk,” notes Reid Sawyer, SVP for credit, political and security risk at JLT Specialty, an insurance brokerage and risk management firm. “Within hours of U.S. [policy] action, foreign intelligence services can start to target the financial sector.”
Taken together, the fraud landscape has evolved to the point where Sawyer characterizes it as “crime as a service.” “The democratization of cyber attacks, the ability to lease tools to attack institutions means that I don’t have to have the technical skill points, I just have to understand where to find the right tool to launch against you,” he explains.
‘Trust is the victim’
Banks are responsible for safeguarding massive amounts of customer data, with varying degrees of value and sensitivity level. And as fraud tactics continue to evolve, keeping it safe is becoming increasingly difficult.
“From the technical side, [the data is] sitting across endpoints, it’s in hybrid cloud servers, it’s sitting everywhere in your organizations to the point where your CISOs would probably tell you that they can’t track the amount of data the organizations have,” Sawyer says. Yet, at the same time, banks are being held increasingly more accountable for the security of that data.
When banks fail to prevent fraud, ultimately what suffers is the trust relationship they share with their customers. “The victim of this is the trust proposition you have,” adds Sawyer. “It drives us back to: are we measuring what matters?” And the answer to that question is: not necessarily.
“When the CISOs report up to the board, they’re really reporting on vulnerabilities. They’re describing: how tall is my fence? What’s my cyber maturity? What are my defenses? That doesn’t describe risk.”
From ‘failsafe’ to ‘safe to fail’
The reality is that most companies at some point will be confronted with some type of data breach. For banks, that means acknowledging the fact that it’s not a question of “if” but “when” and planning accordingly. “We need to shift the mentality from ‘we cannot fail’ to ‘how can we fail safely?’” says Sawyer.
He urges bankers to take a second look at how they’re measuring and monitoring risk and reporting up to the board and senior management. “It’s understanding, where is it that it’s going to have balance sheet impacts? Does a breach in Q2 create a liquidity event for me in Q3?”
And when it comes to communicating that information up the chain, “if we can’t take our nomenclature and describe it in plain English, we really fail,” Miller says. Fraud professionals must understand “what are the threats and put them in key terms that executives can understand.”
Finally, she notes that customer service plays a role in fraud mitigation as well. “As financial institutions, our job is really taking an unfortunate fraud event and turning it into a loyalty building event. We know [breaches] are happening, we know that they’re continuing to scale up and be daily occurrences. But what we can do is making sure we’re reacting to and protecting our customers.”
