The Post-Pandemic Fraud War: How to Play Offense

By James Ruotolo

It’s no secret that fraud has increased during the COVID-19 pandemic, and it is becoming more frequent and harder to detect. In fact, research conducted by Grant Thornton and the Association of Certified Fraud Examiners indicates that more than half of organizations saw an uptick in fraud since the onset of the pandemic. Worse yet, a whopping 71 percent believe that fraud will increase over the course of the next year. Unfortunately, this isn’t surprising. Various pandemic stimulus programs like the Paycheck Protection Program and Economic Injury Disaster Loans have been targeted by fraud actors time and again, and a whole new generation of fraud actors have whet their appetites on the gateway drug of pandemic-related fraud.

This article originally appeared as the cover story in the January/February 2022 issue of ABA Bank Compliance magazine.
Financial Institutions especially have not been spared from this recent uptick in fraud activity. In fact, bank compliance professionals have had to deal with a variety of distinctive challenges over the past two years. The dramatic change in consumer behavior brought on by pandemic restrictions made fraud detection models based on prior customer behavior less effective. And while there has been an understandable focus on pandemic-related schemes, traditional fraud attempts didn’t go away. Those traditional fraud attempts still had to be addressed even as banks were processing a high volume of PPP loans. These issues are made even more challenging by a transition to remote work and—more recently—staffing shortages.

Specifically, the vast amount of fraud perpetrated against government programs signals some sobering trends for banks. There is a significant uptick in fraud perpetrated by nation states, organized criminal networks and opportunistic individuals alike. And as mentioned above, the wave of pandemic stimulus frauds is likely to usher in a new generation of fraud actors who will soon turn their attention to more traditional targets when the pandemic benefit programs expire. In other words, fraud risk in 2022 will be even higher for most FIs than it has been in the past, and compliance officers must prepare for the shifting grounds that may lead to new regulation.

While this may seem like dire news, all is not lost. This situation is a good reminder that fraud is not a static problem: Fraud is constantly evolving, and organizations must adapt with it in order to remain vigilant. What can we do to protect our FIs from this increased fraud risk? Here are six specific recommendations to bolster your fraud risk posture.

Enhance your fraud risk assessment

Many FIs see a fraud risk assessment merely as an annual compliance exercise. However, a more thorough assessment may help dramatically increase your anti-fraud protections. This is a great opportunity to reevaluate how you conduct fraud risk assessments and spend some time creating a fraud risk map that tracks the new and emerging risks you expect to face over the coming months. It also gives you a chance to anticipate and enact necessary changes to your institution’s compliance program.

Substantial changes in a product mix, business process, regulatory environment, or a major change in external environmental or market factors are all triggers to conduct an updated fraud risk assessment. It is equally important to reconsider how business processes are operating in the current environment, such as how remote or hybrid work arrangements may change the way existing controls are executed. Many FIs rely heavily on questionnaire responses for their fraud risk assessments in order to solicit subjective estimates of the likelihood and severity of particular fraud risks. While this approach is useful, it is incomplete.

Consider adding interviews with key stakeholders and conducting cross-functional workshops to calibrate those scores and add context to the metrics. Don’t have the bandwidth to tackle this all at once? Consider doing a deeper dive on a specific high-risk area and then rotate those areas each time you refresh your assessment. This approach provides broad enterprise coverage while also giving you an opportunity to conduct a more detailed assessment for the areas of highest risk.

Think like a fraudster

One of the easiest ways to enhance the quality of a fraud risk assessment is to make sure that all likely fraud risks are identified. Since each FI is unique, you should not rely solely on industry standard schemes—or only those that have been observed so far. It is beneficial to spend some energy on ideation of new or emerging possible fraud schemes. In other words, your best defense is a good offense. One way to accomplish this is to ask colleagues from across your institution to think about potential loopholes in business processes and controls. Ask them, “In what clever ways do you think someone might be able to commit fraud against our institution?” By doing this, you are not just looking for existing fraud, but you are proactively seeking ways fraudsters may commit future fraud. Cybersecurity majors in college learn how to protect systems by learning how to hack them. These individuals are trained to think like the enemy.

In doing so at your bank, consider both internal and external fraud threats. Think about the different kinds of fraud actors: opportunists, hackers, organized criminal gangs, state-sponsored attackers, or revenge-focused former employees, to name a few.

As you discover new schemes, add those to a fraud risk map and track the specific actors and entry points they might use. This will help identify any gaps that might benefit from additional anti-fraud controls going forward. Some organizations may wonder if this approach inadvertently increases fraud risk by giving people new ideas about how to commit fraud. The reality is that adversaries are already thinking about these things and the value obtained from being more proactive far outweighs any incremental fraud risk from ideating new fraud schemes.

Improve collaboration between cybersecurity and fraud teams

As fraud risks are increasingly enabled by technology, FIs need to improve communication between internal silos—especially between cybersecurity and fraud teams. After all, information silos are major inhibitors to effective fraud mitigation. Cyber-enabled fraud schemes run the risk of falling between the cracks if collaboration is lacking or there is confusion over roles and responsibilities. If there is a data breach that results in stolen credentials, that is a cybersecurity issue. If those stolen credentials are used in an account takeover scheme to steal funds, that is a fraud issue. But these areas obviously overlap, and it can be confusing to determine where the responsibility begins and ends.

Use this opportunity to develop a more formal communication channel with your partners in other critical areas of your FI and consider leveraging the same case management systems to more quickly discover and share relevant information. You can also offer staff members the opportunity to do a temporary rotation with another team to better learn their procedures and methodologies. This way, they can return to your team better-informed and having made strong relationships with key contacts in another group. This resource-sharing approach has the added value of bringing diversity of thought into the operation.

Monitor fraud threat intelligence

The pandemic has highlighted the fact that fraud actors are sharing intelligence in real time. In order to stay proactive, FIs must constantly monitor external fraud threat intelligence for indicators of compromise and take action to mitigate new and emerging threats. Dark web chat rooms are buzzing with hourly updates on how to circumvent new fraud controls being rolled out by government agencies over the last year. Cybersecurity teams often use cyber threat intelligence to inform their programs.

This same methodology can be applied to support anti-fraud programs. Skilled anti-fraud teams can similarly use threat intelligence services to scan the dark web and find critical information that will inform their anti-fraud efforts and allow them to be more agile in addressing the latest scams. In addition to monitoring for card dumps and other stolen credentials, threat intelligence should include information about any changes in the types of fraud attempts or new methods that are being discussed in dark web channels.

This leading information will not eliminate security risks, but it will give anti-fraud professionals a slight proactive advantage and help them become more secure. Some banks may have the right resources and training to do this monitoring themselves, but for those that might need additional support, there are vendors that specialize in fraud threat intelligence with the right expertise and personas to covertly monitor dark web channels and provide the most accurate and up-to-date information.

Upgrade your fraud management tools

FIs now face a two-fold challenge. First, they need to adapt and monitor their anti-fraud technologies and systems to deal with the traditional fraud attempts they have always seen. Secondly, they need to simultaneously react to the new wave of fraud brought on by the pandemic and its aftermath.

By now, it’s likely that your bank has made updates to your fraud detection models. This is a good time to evaluate how easy that process was. Is your system readily adaptable to the next major fraud threat, or do you need to explore an upgrade or replacement? The “fraudtech” marketplace is very active with startup and legacy technology vendors and data providers introducing new offerings. Have you evaluated this landscape, and do you have the right tools to combine these solutions in the most effective way? This is a great time to do a market scan and benchmark your current capabilities against the available offerings in the market. Grant Thornton and ACFE research indicates that 38 percent of organizations increased their budget for anti-fraud technology in 2021. Even if you are not able to take on a large technology project in the near term, it’s wise to keep a pulse on market offerings and plot a multi-year roadmap so you don’t find yourself lagging behind the industry and becoming a soft target.

Upgrade your identity verification solutions

Another lesson from recent pandemic fraud scams is that identity crime is skyrocketing. Identity theft and synthetic identity fraud played a major role in pandemic benefit program frauds. With access to these stolen or newly created identities—and data breaches continuing unabated—fraud rings will look for new ways to leverage those credentials.

Banks should expect an uptick in identity-driven fraud activity over the next few years. There is also a rise in the availability of low-cost automated bots that give fraud actors unprecedented scale and an ability to more efficiently thwart two-factor authentication. Increasingly, fraud actors are using these bots as a form of robotic process automation to help them automate social engineering attempts in order to retrieve one-time passcodes from unsuspecting customers. While this has been happening by phone via traditional social engineering scams, the bots leverage robocalls to dramatically expand the scale and improve the efficiency with which fraud actors can target a banking institution and its customers.

There are new solutions in the fraudtech space that may help address this problem. For example, the Social Security Administration has rolled out the Electronic Consent Based Verification Service (eCBSV) specifically to help thwart synthetic identity crime. Several vendors also offer identity proofing technologies that work in real time to help verify identity while limiting the friction such steps add to an application or transaction process. This is the time to evaluate your risk for identity crime and update your identity verification and authentication technologies over the coming months to help ease into the new normal of business operations.

In short, the pandemic has created many new challenges and changed the fraud risk landscape—perhaps permanently. It has also provided a training ground for a new generation of fraud attackers. Upon the sunset of lucrative government-funded pandemic benefit programs, well-trained fraudsters will soon turn their attention to financial services targets. Now is the time to make sure your fraud risk management program is up to the task of protecting your bank from the coming wave of fraud activity.

James Ruotolo is a senior manager in the fraud and financial crimes practice at Grant Thornton. He is a certified fraud examiner, the co-inventor of two patented fraud detection models, and a frequent author and speaker on fraud risk management.