In a new 3-part blog series, we look at the current state of technology around detecting and preventing fraudulent behavior within financial institutions
Fraud is massively on the rise, and this represents a challenge to those who work to safeguard the financial system and ensure that bad actors are not finding their way into a relationship with a financial institution or defrauding existing consumers.
But how bad is fraud really? One anecdotal demonstration that fraud is really a problem can be seen in that the fraud hotlines of many large financial services companies gives routing options based on fraud type — for check fraud, press 1; for ID theft, press 2… . If an organizational structure is needed to categorize a financial institution’s response to fraud, it clearly shows the severity of this situation.
There are three main sources to categorize and quantify fraud: data from industry observers, like the ID Theft Resource Center; data and reports from affected consumers, like the Consumer Sentinel Network maintained by the U.S. Federal Trade Commission; and data from the banking industry that files suspicious activity reports (SARs). With the triangulation of data from three sources it is possible to quantify fraud trends and assess their severity to both consumers and the financial institutions who serve them.
Numbers from the ID Theft Resource Center, which reports on data compromises and breaches, show an alarming trend: attacks against financial services companies jumped by more than two-thirds over the last year, making that sector the most compromised industry for the first time ever, a position that was traditionally held by healthcare companies. Overall, in the first six months of this year, more than 1 billion people have been impacted by multiple breaches, many of them being affected multiple times.
A similar picture arises from data coming from the FTC’s Consumer Sentinel Network, which took in more than 5 million reports, with almost half (48%) of them being fraud related. For the first time, reported fraud topped $10 billion in losses, and it is estimated that the total losses from unreported fraud might be equally large. Imposter Scams were another major source of fraud reported by Consumer Sentinel, with more than 800,000 reports and a median loss of $900 per incident. However, it is the Investment Scam category that has the highest average loss with $7,760 per incident.
Not every technology can detect and prevent all the multiple fraud types that legions of fraudsters unleash on organizations and customers.
The third data point to consider are SARs, which are filed by financial institutions and corporations alike, and surpassed 4 million reports for the first time last year. Check fraud tops the list here, followed by the financial exploitation of elders through a variety of scams including social engineering.
Not every fraud type has the same impact within an organization. At the same time, not every technology can detect and prevent all the multiple fraud types that legions of fraudsters unleash on organizations and customers. The challenge is to obtain a comprehensive picture of the respective technological fundamentals of each fraud type and then create detection and prevention strategies that addresses the fraud and prioritizes the response based on the highest negative organizational impact. Conducting a Fraud Risk Assessment (FRA) is the typical strategy that financial institutions often undertake, and FRAs normally include both internal and external fraud. However, it may be more important today, given the explosion of external fraud out there, that institutions focus on their efforts to detect and deter external fraud to a greater extent.
A good way to develop an external fraud detection and prevention strategy is by segmenting fraud between primary attacks against the financial institution and primary attacks against customers of the financial institution.
Attacks against consumers: The sophistication of social fraud engineers
One of the main types of attacks against consumers are social engineering scams which come in a variety of forms and facets. It is important to understand that social engineering scams exist in such variety that a one solution fits all approach to prevention will not be effective. Among the main social engineering types of frauds affecting consumers are:
Credential and personal information harvesting (or using phishing, spearphishing, vishing and smishing tactics) — Phishing is a cyberattack in which attackers send fraudulent emails that appear to come from reputable sources in order to steal sensitive information like login credentials and credit card numbers. Spearphishing is a more targeted form of phishing in which attackers customize their messages to a specific individual or specific individuals within an organization, making it more convincing. Vishing (voice phishing) involves phone calls by which attackers impersonate legitimate entities to extract personal information. Smishing (SMS phishing) uses text messages to trick individuals into providing personal information or clicking on malicious links.
Social engineering scams — Real-time social engineering scams involve attackers manipulating victims into performing actions or releasing confidential information. These scams often involve impersonating trusted entities, such as bank officials or tech support, and creating a sense of urgency to prompt immediate action.
Remote access tools (RATs) — RAT attacks involve fraudsters using software to gain unauthorized access to a victim’s computer, sort of the digital equivalent of a home invasion. In these attacks, fraudsters often pose as IT support personnel and convince the victim to install a RAT, which then allows the attacker to control the victim’s computer remotely. The purpose is to steal sensitive information, monitor user activity, and even manipulate files and settings on the victim’s computer.
Authorized push payment (APP) scams — APP scams involve fraudsters tricking victims into authorizing payments to accounts controlled by the fraudsters. These scams are often carried out in real-time, making it difficult to detect and reverse the fraudulent transactions. APP scams can take various forms, such as impersonation scams in which the attacker pretends to be a trusted entity, or romance scams in which the attacker builds a relationship with the victim and then requests money. The real-time nature of these transactions also can leave little time for victims or financial institutions to intervene.
Attacks against the financial institution: Rise of the BOTs
Synthetic IDs, BOT attacks, and stolen identities are frauds that primarily affect financial institutions. While synthetic ID fraud uses parts of an individual’s personally identifiable information, defrauding that individual and potentially affecting their credit score, it is primarily an attack against a financial institution.
Malware and BOT attacks use malicious software to infect devices and turn them into bots that can be remotely controlled. This infection typically comes in the form of a virus, adware, or a computer worm. These attacks are designed to access customer accounts and infiltrate the systems of financial institutions.
A typical computer virus can replicate itself, spread to other computers, and is programmed to damage a computer by deleting files, reformatting the hard disk, or using up computer memory. Worms are malware that execute independently and can spread to other systems or by email. Adware, on the other hand, may include malicious code that displays ads when a customer is connected to the internet.
In the next part in our 3-part blog series, we will evaluate current and emerging technological capabilities to detect and prevent these frauds from occurring.
