Financial institutions (FIs) are no strangers to financial crime, with fraudsters continually targeting them and their customers for money and data.
Studies have shown that more than half of all banks recover less than 25 percent of related losses, and FIs have reported a 59 percent growth in fraud value and a 61 percent increase in fraud volume since 2015.
These increases are only accelerating during the COVID-19 pandemic as fraudsters take advantage of the uncertainties and economic stresses that have made bank customers less vigilant against their schemes. The Federal Trade Commission (FTC) has received 18,235 reports of virus-centric scams since the beginning of the year, and these incidents have resulted in more than $13.4 million in losses. These numbers are expected to rise as the pandemic spreads because fraudsters see any disruptions to normal operations as opportunities.
“What we’re seeing is an ugly underbelly of people who take things like the coronavirus, which is having an enormous impact on the world, and saying, ‘Hey, what a great time to try to scam people,’” Debbie Gould, chief security officer at PNC Financial Services, noted in a recent interview with PYMNTS. “Whenever there’s a societal disruption, there are bad guys out there trying to take advantage of people.”
These financial crimes are perpetrated using various techniques, and no one-size-fits-all defense can block them all. Banks must instead leverage multilayered defenses that harness employee and customer education, ironclad verification and artificial intelligence (AI)-enhanced fraud detection systems to keep customers’ money and personal data safe.
Understanding the Scope of Financial Crimes
Financial crimes against FIs stem from several sources, Gould explained, and perpetrators have numerous goals. Combatting attacks thus requires that banks examine bad actors as well as their objectives to ensure the right countermeasures are deployed.
“We look at what we call ‘threat actors’ — which can be anything from nation states to individual cybercriminals to [bank] insiders — and then we look at what the threat objective is,” she said. “It can be traditional fraud — looking for money — or [these actors] could be looking to disrupt money movement and affect the U.S. financial ecosystem at large.”
The ongoing pandemic has exacerbated all fraud types from all sources, Gould added. Cybercriminals are constantly on the lookout for opportunities to exploit vulnerabilities, and the outbreak is making bank customers feel more vulnerable than ever.
“People are looking for answers and relief, [but that means] they become unaware of the red flags that signal potential scams, and that can lead to dangerous situations,” she said. “People are one click away from a malware download or credential phishing [website]. I got an email just recently that said that my Social Security number had been frozen and to click ‘this link’ to unfreeze it.”
No single defense mechanism can protect bank customers from such a diverse array of criminal tactics, though. Banks must therefore deploy fraud defense systems that leverage multiple security measures to make sure fraudsters who breach one layer will be stopped by the next, Gould explained.
Multistage Fraud Defense
Employee and customer education is the first defense banks should leverage to prevent attacks, she said. Almost 65 percent of incidents involve bad actors stealing login credentials to gain account access, and phishing schemes often trick credential owners into unwittingly surrendering their details. Training individuals to spot these attempts can help stop financial crimes at the source.
“We have to make sure that we’re identifying those [phishing websites] and either blocking our employees’ access to those sites or educating customers to not visit them,” Gould said. “We tell them, ‘This is what it’s going to look like, this is what you should be on the lookout for and this is how you should respond.’”
Employee and customer slipups happen, and sometimes hackers arrive at banks’ websites armed with the verification information necessary to log into customers’ accounts and clean them out. Banks must take steps so these bad actors cannot access customers’ accounts solely with such credentials, Gould noted, meaning more secure verification efforts are essential.
“There are three primary factors of good authentication: something you know, like a password; something you have, like a [code sent to your] phone; and something you are, like a biometric,” she explained. “Requiring at least two of these gives you something that’s secure but not hugely inconvenient to our customers.”
Banks should also leverage AI-enhanced platforms that harness behavioral and digital information to detect fraudsters who enter their systems, Gould added. The former consists of data like customer locations, with the software flagging users who had previously used their credit cards only in specific states but then recorded transactions in another country without notifying their banks of their travel plans, for example. Digital information meanwhile consists of activities recorded by users’ devices.
“When you type in your username and password, are you typing it in at a human cadence or is it being automatically entered?” Gould asked. “Is your device actually moving [to where the transaction is] or is it bolted to a wall [at a single location] and being leveraged for malintent?”
This type of multilayered defense approach is currently effective at stopping fraudsters, Gould noted, but it will not be successful forever. Bad actors are innovating faster than banks can come up with new techniques, meaning cutting-edge security methods tend not to be relevant for long.
“Every advancement we make has a shelf life before [fraudsters] figure it out,” she explained. “I wish there were one silver bullet for this, but as long as there’s a notion of value [in stealing bank customers’ money], there will always be frauds and scams.”
The COVID-19 pandemic will pass, but the threat of financial crime existed long before the outbreak and will continue long after. FIs have learned that fraudsters will exploit any sort of crisis — no matter how widespread or dire — if there is a profit to be made. Banks thus must continually anticipate threats and develop countermeasures before bad actors can leverage new techniques.