By Karen Epper HoffmanAs the COVID-19 pandemic swelled in the past year, forcing millions of Americans to stay locked down, work from home, and often lose their jobs, financial fraudsters have found a fertile playground, working their ploys against both banks and their desperate, isolated customers.
According to financial institutions and federal agencies, since COVID-19 began, fraud attempts have as much as tripled, with a wide variety of new scams emerging that prey on those who have been financially been hit hard by the pandemic and subsequent closures and shutdowns, people who have become isolated, as well as good Samaritans who want to be helpful to those in crisis. Indeed, the pandemic has provided a greenfield opportunity for cyber criminals, who are playing to bank customers’ concerns about job loss, financial health and community safety.
Kathleen Darroch, SVP and security business partner manager for PNC Bank, says much of the fraud perpetrated in the past year has been related to “stimulus packages, unemployment [payments], scammers texting or emailing [with the promise of receiving]a payment sooner.” All of these changes are forcing bank employees (and customers) to “adjust” during this pandemic, she adds. Elderly customers, more apt to suffer in the face of this virus and typically more isolated from other people, are being targeted by cyber criminals, says Darroch.
Chris McCulloch, SVP and corporate fraud and physical security manager for St. Louis-based Enterprise Bank and Trust, says that her $9.1 billion-asset bank has upped the ante on fraud mitigation, with more customer and employee education, and by adding more verification services to insure better security. “We continuously educate our client-facing staff so that they can help spot possible fraud,” she says, adding that Enterprise offers business customers positive-pay service for checks and ACH.
“With the onset of the pandemic and largely on account of so many employees working and conducting business from home, I have seen an uptick in wire transfer fraud scams,” says Andrew R. Lee, partner in Jones Walker’s litigation practice group. “These usually begin with social-engineering cyber breaches, [such as] phishing emails that allow hackers into a bank- or customer-employee’s email.” In this scenario, Lee says that the hacker gains access to the user’s email system, discovers a routine or special wire transaction, and then redirects the destination institution for the wired funds.
“The banking industry has long been a primary target for cybercriminals,” says William Shortt, director of cyber security and M&A advisory at Aon. “Cybercriminals are looking for money and personal information. There is always increased cyber risk when institutions undergo operational changes. Employees are no longer sitting in offices together.” Any lack of communication between employees is an opportunity for hackers to exploit, and “COVID-19 was the perfect storm,” he adds.
Phishing attacks, long the gateway drug of cybercrime, have multiplied manifold since the onset of the pandemic last March. Phishing attacks have increased over 667 percent, according to KnowBe4, says Mark Scholl, principal at the consultancy Wipfli. Currently, he estimates that nine out of 10 data breaches involve email scams, and “ransomware has increased seven-fold [in the first half of 2020] with more sophisticated and destructive malware, and with higher ransom payment demands.”
Fighting the new threats
The pandemic has changed the way bank employees operate and the way bank customers transact. Controls that relied on face-to-face engagement—such as a supervisor keeping tabs on employees in the office or a bank teller verifying someone’s identity by comparing their ID photo to the person standing in front of them—have been rendered obsolete. Now with remote work, banks have less control of the physical environment, which could introduce new data privacy and security risks, according to James Ruotolo, senior manager of fraud risk mitigation and analytics at Grant Thornton.
“Fraud actors have seized on the confusion and wave of stimulus funds resulting from the pandemic and subsequent pandemic relief provided by the government to commit frauds of all kinds. Unemployment insurance fraud, small business loan fraud, and business email compromise have all grown dramatically over the past 11 months—all while banks still address the same fraud threats that existed before the pandemic,” says Ruotolo.
But the response to this increasingly dangerous landscape has not been simple, or necessarily straight-forward—for many banks it is a daily grind of simply providing more and more layers of education, authentication, observation and mitigation. “Since fraud attempts have risen in the past year, we have added additional steps to further protect our clients,” McCulloch says.
“Banks are also seeing the proceeds of these crimes funneled through their institutions via mule accounts.” One area the U.S. Department of Justice identified an uptick in fraud activity is elder financial exploitation, due to the isolation individuals have experienced as a result of the pandemic, points out Sepideh Rowland, managing director and head of outsourced financial crimes risk management for K2 Integrity.
Rene Perez, financial crimes consultant for Jack Henry and Associates adds that “the pandemic, subsequent lockdown and remote working have created a disastrous playground for fraudsters. Overnight, the number of card-not-present versus card present transactions skyrocketed as consumer behavior shifted from in-store to primarily online, rendering most fraud models completely ineffective.”
Adding further complexity to the mix, unemployment officials around the country who were accustomed to processing a few hundred unemployment claims a week were tasked, in some parts of the country, with processing thousands of claims per day—and mostly doing it in a new work from home format—something many staffers have never done before. “This new remote environment removed a lot of the human checks and balances.”
Karen Epper Hoffman is a frequent contributor on technology and security topics to the ABA Banking Journal.