Enterprise Fraud: Tick, Tick, Tick, Boom

As you think of the suspense-filled spy movies in which the hero must defuse a bomb to save the city, you can hear the familiar “tick, tick, tick” of the bomb’s time clock.  With ninja-like precision the hero cuts the yellow wire, or maybe the red wire, just in time to stop the clock, neutralize the bomb, and save the day.  The rush of adrenaline, the intensive focus, and the danger seem to only last for a few seconds; then it is all over and everything is safe.

Fraud is as dangerous for the banking industry. Fraud losses cost the financial and retail industry more than $200 billion annually. Industry experts indicate these losses will only increase as criminals and fraudsters become more sophisticated in their approach. 

So how can you understand fraud trends and deal with them?

This overview of the issue of fraud for financial services executives will benefit everyone in the organization as bankers unite against fraud.  

Top Fraud Threats

The Financial Crimes Enforcement Network (FinCEN) provides information on the filing of suspicious activity reports (SARs).  It reported more than 1.2 million SARs were filed by financial institutions in 2009 and many were attributed to suspected fraud. Consumers, merchants, and banking institutions are impacted by fraud, which can result in identity theft, account take-over, and financial loss. 

The leading fraud threats include structured query language (SQL) injections, skimming, phishing, and employee fraud. Additional threats include authentication attacks, organized crime, and authorized user fraud. Another example of skimming may involve cashiers or other employees who gain access to customers’ credit or debit cards. The employee will use a small skimming device and simply swipe cards through the skimmer and receive a fee from the fraudsters for his or her participation.  The data collected may then be used to compromise the card accounts.

Phishing, Vishing, & Smishing

Phishing is used by criminals to acquire usernames, passwords, and credit card details from victims by pretending to be a trusted bank or credit card company.  Once they obtain client data, fraudsters may spoof the caller ID and contact the bank, credit union, or credit card company to perform account takeover fraud.  In addition to traditional phishing, fraudsters are now also using vishing (voicemail phishing) and smishing (SMS or text phishing).  Recently phishing has seen a significant increase in targeting social networking sites such as Facebook and Twitter. 

Employee Fraud

Many perceive the bank employee as the most dangerous threat to banks. Celent, an industry research firm, recently estimated that “internal bank fraud accounts for 60% of cases involving a data breach or theft of funds.”[1] Employee fraud is generally driven by a desperate need for money and easy access to customer and corporate data.

Authentication Attacks

Recent threats include man-in-the-browser attacks that overcome dedicated token authentication and call-forwarding that trumps phone-based authentication or transaction verification. According to industry research firm Gartner, “This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions such as those from business and private banking accounts.”

One of the most significant risks is an insider with malicious intent. According to one industry expert, this method is “difficult to detect, and almost impossible to defend against.”

Employee fraud can include account takeovers, ID theft, journal entry fraud, and policy violations such as incentive fraud, policy overrides, and self-dealing.  Former employees can also pose a threat, particularly if there is a lag in the removal of their access rights.

Organized Crime

Various cyber crime units have identified both domestic and international organized crime organizations that use fraud to fund their organizations.  These groups may use money mules to move the money and they have teams of hackers, developers, and programmers all focused on fraud opportunities.  While there are still rogue individual criminals, there appears to be a movement towards criminal enterprises.  In some cases fraudsters actually have their own operations and technology centers and may outsource their call center functions.

Authorized User Fraud

Authorized user fraud occurs when low-risk customers “rent” their pristine high credit card limit and solid payment history to other customers seeking to increase their credit scores. The high-risk consumer “renter” pays a fee to a third party to be listed as an authorized user on the low-risk customer’s credit line. The renter does not receive access to the actual credit, but the trade line shows up on their credit report within one or two months. This practice has also been called credit boosting or piggybacking. The primary benefit to the renter is a significantly increased credit score, which can assist with credit approval and preferred pricing.[2]

There is a significant fraud risk with authorized user abuse if the renter is able to gain access to the account or have new credit cards issued in their name.  After all, as an authorized user the renter can charge the card to the limit without recourse.  The low-risk customer has no indemnity from the lender because the renter is indeed an authorized user.

While two-factor authentication has been considered a best practice for some time, industry security experts warn it may not be enough.

Payments Fraud

There are many varieties of deposit fraud including “on-us” fraud, deposit fraud, check kiting, and wire fraud.  It is staggering, but consider for a moment that industry check-related losses were an estimated $1.024 billion in 2008.

On-Us Fraud

On-us fraud includes fraudulent checks such as alterations, counterfeits, and forgery.  Altered checks occur when a criminal changes a valid check to erase the name of the payee or the amount to create a “blank check.”  New information can be added in handwriting or with a printer.  Counterfeit checks are either false checks drawn on valid accounts or valid checks presented with fraudulent identification.  Forgery is a valid check signed by someone other than an authorized party.  Many banks have processes in place for signature verification on certain check amounts to assist in limiting forgery losses.

Deposit Fraud

This can include new account scams and account takeover. Deposit fraud is usually tied to debit card fraud. Fraudsters will take advantage of funds availability, follow a pattern for a period of time until funds availability is relaxed, and then walk away with funds. Some examples include deposit of a check from an account that has been closed or does not exist, or the deposit of a check into a foreign ATM. Fraudsters often understand bank processes and policies, which makes deposit fraud more difficult to combat.

Check Kiting

The purpose of check kiting is to temporarily inflate a checking account balance to allow checks that would have otherwise bounced to clear.  Check kiting often involves writing checks from multiple accounts to take advantage of the float time.  This is the time created between when the check is deposited and when it is settled or clears its account. 

The Check Clearing for the 21st Century Act (Check 21) reduced the amount of time it takes for checks to clear the banking system.  Since many checks are now exchanged electronically this also reduces the float period.  While Check 21 may not have eliminated check kiting it appears that fraudsters must be more diligent to ensure checks are moving between accounts at a quick enough pace to conceal the fraud. In addition, kiting schemes are now also using other payment methods such as Home Equity Line of Credit (HELOC), wire transfer, and ACH to further confuse detection.
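The float mechanics described above can be turned into a screening check. The following Python code is an added example, not part of the original article; the two-day float, the sample checks, and the opening balances are constructed assumptions. It flags account pairs that exchange repeated checks while one account's visible balance is positive but its settled balance is negative.

```python
from collections import defaultdict

FLOAT_DAYS = 2  # assumption: days between deposit and settlement

# Constructed sample: (day, drawn_on, deposited_to, amount)
CHECKS = [
    (1, "A", "B", 5000), (2, "B", "A", 6000), (3, "A", "B", 7000),
    (4, "B", "A", 8000), (5, "A", "B", 9000),   # circular and growing
    (1, "C", "D", 1200), (2, "D", "C", 300),
    (3, "C", "D", 400), (4, "D", "C", 200),     # ordinary two-way payments
]
OPENING = {"A": 500, "B": 500, "C": 5000, "D": 1000}  # constructed balances

def ledger_balance(account, as_of_day, checks=CHECKS, opening=OPENING):
    """Balance the customer sees: deposits credited at once, debits at settlement."""
    balance = opening[account]
    for day, drawn_on, deposited_to, amount in checks:
        if deposited_to == account and day <= as_of_day:
            balance += amount
        if drawn_on == account and day + FLOAT_DAYS <= as_of_day:
            balance -= amount
    return balance

def collected_balance(account, as_of_day, checks=CHECKS, opening=OPENING):
    """Balance counting only items that have settled by as_of_day."""
    balance = opening[account]
    for day, drawn_on, deposited_to, amount in checks:
        if day + FLOAT_DAYS <= as_of_day:
            if deposited_to == account:
                balance += amount
            if drawn_on == account:
                balance -= amount
    return balance

def kiting_suspects(checks=CHECKS, opening=OPENING):
    """Account pairs exchanging repeated checks while one lives on float."""
    counts = defaultdict(int)
    for _, drawn_on, deposited_to, _ in checks:
        counts[(drawn_on, deposited_to)] += 1
    last_day = max(day for day, *_ in checks)
    suspects = set()
    for (a, b), n in list(counts.items()):
        if a < b and n >= 2 and counts.get((b, a), 0) >= 2:
            for day in range(1, last_day + 1):
                if any(ledger_balance(x, day, checks, opening) > 0
                       > collected_balance(x, day, checks, opening) for x in (a, b)):
                    suspects.add((a, b))
    return sorted(suspects)
```

On the constructed data, accounts A and B are flagged because each new deposit only covers the previous check, while C and D trade checks in both directions without ever depending on unsettled funds.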

Wire Fraud

Generally wire fraud is facilitated through a wire transfer service like Western Union or MoneyGram. Fraudsters attempt to trick individuals into sending payments via wire with the hope or promise of a quick payoff. The real reason wire transfers are preferred by fraudsters is that payments are irreversible and untraceable, and identification is often not required. A wire transfer can be made from one bank account to another or via cash.

ACH Fraud

NACHA, the electronic payments association, estimates more than 25 million ACH transactions in 2010. Many of these transactions will be point-of-sale check conversions by large merchants. There are three main types of ACH fraud. The first is when merchants charge fraudulent amounts via legitimate ACH networks to customer checking accounts. These charges are usually made in batches, and following the fraud the merchant disappears. The second type of ACH fraud is payroll fraud. Criminals steal banking information for businesses, log in to their payroll processing systems, and direct all the money to the fraudster.

The third type of ACH fraud is ACH kiting, which is similar to check kiting but the amounts are significantly larger. For example, a bogus charity may send out increasingly larger aggregate amounts via ACH day after day, much like a pyramid-type scam ($100,000, $150,000, $200,000). As ACH transactions are returned, the bogus charity has a large credit balance and the credits continue to come faster than the returns.

Conclusion

Some firms only worry about fraud once it exceeds a certain level.  One industry executive mentioned that at his bank fraud was only deemed an “issue” when fraud exceeded 1% of average outstanding balances.  Perhaps in some ways there is an acceptable or expected level of fraud.   We admit there is no way to eliminate all fraud. 

Ultimately there is a trade-off between safety and the customer experience.  For example, with funds availability most banks feel they need to give next day funds availability to their customers.  So as long as banks provide next day funds availability there will be an opportunity for fraud.  The only way to totally prevent fraud is to place holds on all items until you have the funds.  But this is not practical.  Ultimately it comes down to policy, process, and people with technology as an enabler.

Technologies can assist in protecting financial institutions, particularly as they deploy cross-channel solutions.  There are also processes and policies that can minimize risks.  However, one of the biggest opportunities to reduce fraud is the “people” factor.  One bank executive shared “The fastest route to realizing fraud savings is through the operations team.”  Some banks focus on technology projects but forget they could save money just by adding operations staff members. 

One global problem that continues to exist is that sometimes customers are tricked into giving up their confidential information. New fraud tactics will continue to develop, and as criminals get smarter the bankers must follow suit. Consider your organization and ask yourself the following key questions:

Have we quantified the fraud losses by product area as well as enterprise-wide? Do we have product fraud silos or an integrated enterprise fraud focus?

Are we leveraging our employees to help us identify and prevent fraud?

Have we analyzed our business processes and policies to identify potential pitfalls as well as process improvement benefits?

How would we respond to a significant breach and what are we doing today to avoid this type of scenario?

As you hear the tick, tick, tick of fraud it is important to act promptly and invest wisely to protect your bank from fraudsters.  Criminals will continue to attack, so be prepared.

Brian King is president at Wisemar, Inc. His experience includes product development, marketing and strategic planning.


[1] Celent, “Internal Fraud: Big Brother Needs New Glasses,” October 2008.

[2] Carson, Keith and Becker, Ezra, “Authorized User Abuse: Identify and Manage the Risks Associated with Credit Boosting,” TransUnion White Paper, 2007.
