When bank cybersecurity squads crack down on account takeover scams, the fraudsters move on to attack the call center. When banks bolster their defenses against phishing schemes, the bad actors turn to social engineering swindles. It’s an endless game of whack-a-mole.
“Fraudsters always look for the weakest link,” says Ash Khan, head of enterprise fraud management at BMO, the Toronto-based bank with $773.5 billion in assets.
Khan says a common new scam involves cryptocurrencies: Customers send large amounts of money to fraudsters who have duped them into thinking that they can invest that money in crypto and generate large returns. And weeks or months later, when victims realize no big payday is coming, “it’s difficult, if not impossible, for us to recover the money.”
The government’s financial response to the COVID-19 pandemic has exacerbated the fraud landscape, according to Mary Ann Miller, vice president of client experience for Prove, a digital-identity provider to financial services organizations and other industries.
“Many organized criminals took advantage of the unemployment insurance relief system and the Paycheck Protection Program distribution,” says Miller. “As a consequence, you see a whole new generation of skilled bad actors who continue to exploit the banking system.”
In such an unsettled environment, Miller recommends that banks and credit unions do an intensive risk assessment of their onboarding processes. “Look at what you are doing in your digital channels when onboarding your new customers. Look hard at your identity authentication and fraud process. And look at the tools that can establish whether the actual, genuine consumer is the person presenting their information.”
P.J. Rohall, a fraud subject matter expert at Featurespace, a provider of enterprise financial crime prevention software, says identifying a customer acting out of character in real time is essential to outwitting fraudsters.
Rohall says the fastest-growing cybercrime is social engineering fraud – hackers manipulating their victims into giving them access to their accounts or sharing confidential data.
“Most people don’t think they are vulnerable,” Rohall says. “Basically, fraudsters are hacking your brain as opposed to hacking your computer. They don’t need to take over your account with stolen login information if they can get you to do it yourself.”
David Vergara, head of security product marketing for OneSpan, a cybersecurity technology firm, says financial institutions are locked in an arms race with cybercriminals.
“Look at what’s going on in the bot space and the ability to run these automated programs along with some advanced machine learning,” Vergara says. “The cybercriminals and hackers have access to that as well. They are evolving just as fast as the banks.”
Despite the marvels of artificial intelligence and machine learning, and the promise they possess to thwart the bad actors, cybersecurity often boils down to three factors: people, passwords and apps.
“Consumers are the biggest part of this problem,” Vergara says. “Ninety percent say passwords are effective in securing accounts. There is a certain level of consumer comfort with the password. But it’s time to move away from passwords, because there is no such thing as a strong password.” Cracking passwords is easy, thanks to the enormous computing power and tools at cybercriminals’ disposal, he adds.
Apps are vulnerable because many financial institutions lack the resources and the skill sets to get the right level of security baked into the app, Vergara says. “Their agile development and turnaround times are so fast that mobile apps become a target for hackers.”
Greater adoption of multifactor authentication, including biometrics such as facial recognition and fingerprints, mitigates risk. But measures to fraud-proof the digital customer experience don’t have to be onerous.
“Today, you can have your cake and eat it, too,” Vergara says. “You don’t have to give up anything on the user experience side when you’re deploying the right security. The technology exists to dynamically apply precise security for every single login and every transaction. That’s the Holy Grail. You’re looking at exactly what that user is trying to do and leveraging an informed risk decision.”
Edmund Lawler is a BAI contributing writer.