Brian King, Wisemar, Inc.
As you think of the suspense-filled spy movies in which the hero must defuse a bomb to save the city, you can hear the familiar “tick, tick, tick” of the bomb’s time clock. With ninja-like precision the hero cuts the yellow wire, or maybe the red wire, just in time to stop the clock, neutralize the bomb, and save the day. The rush of adrenaline, the intensive focus, and the danger seem to only last for a few seconds; then it is all over and everything is safe.
In the banking industry we have a similar threat called fraud. Fraud losses cost the financial and retail industry more than $200 billion annually. Industry experts indicate these losses will only increase as criminals and fraudsters become more sophisticated in their approach. So how can you understand fraud trends and deal with them?
This document is intended to be a high-level overview of the issue of fraud for financial services executives and will benefit everyone in the organization as bankers unite against fraud. An overview will be provided of some of the top fraud threats and how those threats impact bank product areas including:
· Deposit Fraud (Check, Wire & Automated Clearing House (ACH))
· Lending Fraud
· Card Fraud (Debit, Credit, Merchant)
Suggested best practices may give insights on some ways you may protect your firm.
Top Fraud Threats
The Financial Crimes Enforcement Network (FinCEN) provides information on the filing of suspicious activity reports (SARs). A recent report indicated that over 1.2 million SARs were filed by financial institutions in 2009 and many were attributed to suspected fraud.
Consumers, merchants, and banking institutions are impacted by fraud which can result in identity theft, account take-over, and financial loss. The leading fraud threats include malware attacks, structured query language (SQL) injections, skimming, phishing, and employee fraud. Additional threats include authentication attacks, organized crime, and authorized user fraud.
Malware includes attacks on individual consumers as well as commercial banking accounts. According to industry security vendor RSA “the rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008.”
Malware includes worms, botnets, trojan downloads, and adware. While initially malware was designed to crash or damage the computer, the focus today is to collect and transmit financial data. New forms of malware escape detection, and are often designed around the vulnerabilities in various software programs.
SQL injections are a popular way to take over websites by entering SQL code into login fields or website browser address fields. This allows criminals to take over control of the website or system database. A recent study titled Verizon Business Data Breach found that 79 percent of the breached records were attributed to SQL attacks. The Heartland Payment Systems breach, which impacted an estimated 130 million credit and debit card accounts, was done using an SQL injection.
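The login-field case described above, as an added example that is not part of the original paper: a login check that builds its query by string concatenation, beside the same check with bound parameters. The `users` table, the function names and the sample inputs are constructed for illustration.

```python
import hashlib
import sqlite3

# Fixed salt keeps the sample short; a real system uses a per-user salt.
SALT = b"constructed-demo-salt"


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    """Constructed in-memory user table with two sample customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    db.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", pw_hash("battery staple")))
    return db


def login_concatenated(db, username, password):
    """Weak form: the username becomes part of the SQL text itself."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(query).fetchone()[0] > 0


def login_parameterized(db, username, password):
    """Corrected form: values are bound as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(query, (username, pw_hash(password))).fetchone()[0] > 0


def compare(db, username, password):
    """Run both checks; a SQL error in the weak form is reported as 'error'."""
    try:
        weak = login_concatenated(db, username, password)
    except sqlite3.Error:
        weak = "error"
    return weak, login_parameterized(db, username, password)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("alice' --", "wrong"), ("o'brien", "battery staple")]:
        print(repr(user), compare(db, user, pw))
```

The third input logs in without the password only in the concatenated form, and the fourth shows that the same flaw also breaks a legitimate customer name containing an apostrophe.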
With SQL injections and malware, the fraudsters attack computers and steal data. More advanced criminals intentionally erase files that might detect intrusion and install malware to avoid detection by anti-virus software.
An increasingly popular crime allows fraudsters to steal card data by placing electronic skimming devices over the card slots of automated teller machines (ATMs) or fuel pumps, capturing the data as the card is swiped. These devices have typically been placed outside of ATMs or gas pumps; however, some new variations are hidden inside the pumps, making them invisible to consumers. Skimming devices may transmit data wirelessly, which spares the fraudster the risk of returning to retrieve the devices.
Another example of skimming may involve cashiers or other employees who gain access to customers’ credit or debit cards. The employee will use a small skimming device and simply swipe cards through the skimmer and receive a fee from the fraudsters for his or her participation. The data collected may then be used to compromise the card accounts.
Phishing, Vishing, & Smishing
Phishing is used by criminals to acquire usernames, passwords, and credit card details from victims by pretending to be a trusted bank or credit card company. Once they obtain client data, fraudsters may spoof the caller ID and contact the bank, credit union, or credit card company to perform account takeover fraud. In addition to traditional phishing, fraudsters are now also using vishing (voicemail phishing) and smishing (SMS or text phishing). Recently phishing has seen a significant increase in targeting social networking sites such as Facebook and Twitter.
Many perceive the bank employee as the most dangerous threat to banks. Celent, an industry research firm, recently estimated that “internal bank fraud accounts for 60% of cases involving a data breach or theft of funds.” Employee fraud is generally driven by a desperate need for money and easy access to customer and corporate data.
Employee fraud can include account takeovers, ID theft, journal entry fraud, and policy violations such as incentive fraud, policy overrides, and self-dealing. Former employees can also pose a threat, particularly if there is a lag in the removal of their access rights. One of the most significant risks is an insider with malicious intent. According to one industry expert this method is “difficult to detect, and almost impossible to defend against.”
While two-factor authentication has been considered a best practice for some time, industry security experts warn it may not be enough. Recent threats include man-in-the-browser attacks that overcome dedicated token authentication and call-forwarding that trumps phone-based authentication or transaction verification. According to industry research firm Gartner, “This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions such as those from business and private banking accounts.”
Various cyber crime units have identified both domestic and international organized crime organizations that use fraud to fund their organizations. These groups may use money mules to move the money and they have teams of hackers, developers, and programmers all focused on fraud opportunities. While there are still rogue individual criminals, there appears to be a movement towards criminal enterprises. In some cases fraudsters actually have their own operations and technology centers and may outsource their call center functions.
Authorized User Fraud
Authorized user fraud occurs when low-risk customers “rent” their pristine high credit card limit and solid payment history to other customers seeking to increase their credit scores. The high-risk consumer “renter” pays a fee to a third-party to be listed as an authorized user on the low-risk customer’s credit-line. The renter does not receive access to the actual credit, but the trade line shows up on their credit report within one or two months. This practice has also been called credit boosting or piggybacking. The primary benefit to the renter is a significantly increased credit score which can assist with credit approval and preferred pricing. 
There is a significant fraud risk with authorized user abuse if the renter is able to gain access to the account or have new credit cards issued in their name. After all, as an authorized user the renter can charge the card to the limit without recourse. The low-risk customer has no indemnity from the lender because the renter is indeed an authorized user.
There are many varieties of deposit fraud including “on-us” fraud, deposit fraud, check kiting, and wire fraud. It is staggering, but consider for a moment that industry check-related losses were an estimated $1.024 billion in 2008.
On-us fraud includes fraudulent checks such as alterations, counterfeits, and forgery. Altered checks occur when a criminal changes a valid check to erase the name of the payee or the amount to create a “blank check.” New information can be added in handwriting or with a printer. Counterfeit checks are either false checks drawn on valid accounts or valid checks presented with fraudulent identification. Forgery is a valid check signed by someone other than an authorized party. Many banks have processes in place for signature verification on certain check amounts to assist in limiting forgery losses.
Deposit fraud can include new account scams and account takeover. Deposit fraud is usually tied with debit card fraud. Fraudsters will take advantage of funds availability, follow a pattern for a period of time until funds availability is relaxed, and then walk away with funds. Some examples include the deposit of a check from an account that has been closed or does not exist, or the deposit of a check into a foreign ATM. Fraudsters often understand bank processes and policies, which makes deposit fraud more difficult to combat.
The purpose of check kiting is to temporarily inflate a checking account balance to allow checks that would have otherwise bounced to clear. Check kiting often involves writing checks from multiple accounts to take advantage of the float time. This is the time created between when the check is deposited and when it is settled or clears its account.
The Check Clearing for the 21st Century Act (Check 21) reduced the amount of time it takes for checks to clear the banking system. Since many checks are now exchanged electronically this also reduces the float period. While Check 21 may not have eliminated check kiting it appears that fraudsters must be more diligent to ensure checks are moving between accounts at a quick enough pace to conceal the fraud. In addition, kiting schemes are now also using other payment methods such as Home Equity Line of Credit (HELOC), wire transfer, and ACH to further confuse detection.
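One way to screen for the float abuse described above, as an added example that is not part of the original paper: it tracks each account's ledger balance against its collected balance and flags pairs of accounts that write checks to each other while one of them is paying checks from uncollected funds. The two-day float, the account names and the transactions are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

FLOAT_DAYS = 2  # assumed clearing delay for this example

# Constructed sample: (deposit date, account drawn on, account deposited to, amount)
CHECKS = [
    (date(2010, 3, 1), "A", "B", 5000),
    (date(2010, 3, 2), "B", "A", 6000),
    (date(2010, 3, 3), "A", "B", 7000),
    (date(2010, 3, 4), "B", "A", 8000),
    (date(2010, 3, 1), "C", "D", 1200),   # ordinary one-way payment
]
OPENING = {"A": 500, "B": 500, "C": 3000, "D": 100}


def daily_balances(checks, opening, float_days=FLOAT_DAYS):
    """Return (account, day, ledger, collected) rows.

    Ledger credits a deposit on the day it is made; collected credits it only
    once the check has cleared. The drawer is debited when the check clears.
    """
    ledger_delta = defaultdict(int)
    collected_delta = defaultdict(int)
    accounts = set(opening)
    for day, drawer, payee, amount in checks:
        clears = day + timedelta(days=float_days)
        accounts.update((drawer, payee))
        ledger_delta[(payee, day)] += amount
        collected_delta[(payee, clears)] += amount
        ledger_delta[(drawer, clears)] -= amount
        collected_delta[(drawer, clears)] -= amount
    days = sorted({d for _, d in ledger_delta} | {d for _, d in collected_delta})
    rows = []
    for account in sorted(accounts):
        ledger = collected = opening.get(account, 0)
        for day in days:
            ledger += ledger_delta.get((account, day), 0)
            collected += collected_delta.get((account, day), 0)
            rows.append((account, day, ledger, collected))
    return rows


def reciprocal_pairs(checks, float_days=FLOAT_DAYS):
    """Account pairs that write checks to each other within the float window."""
    pairs = set()
    for d1, drawer1, payee1, _ in checks:
        for d2, drawer2, payee2, _ in checks:
            if (drawer2, payee2) == (payee1, drawer1) and abs((d2 - d1).days) <= float_days:
                pairs.add(tuple(sorted((drawer1, payee1))))
    return pairs


def kiting_suspects(checks, opening, float_days=FLOAT_DAYS):
    """Reciprocal pairs where an account looks funded only because of float."""
    on_float = {acct for acct, _, ledger, collected
                in daily_balances(checks, opening, float_days)
                if collected < 0 <= ledger}
    return sorted(pair for pair in reciprocal_pairs(checks, float_days)
                  if on_float & set(pair))


if __name__ == "__main__":
    print(kiting_suspects(CHECKS, OPENING))
```

A shorter float, as under Check 21, narrows the window in which the ledger and collected balances diverge, which is why the screen takes the clearing delay as a parameter.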
Generally wire fraud is facilitated through a wire transfer service like
NACHA, the electronic payments association, estimates more than 25 million ACH transactions in 2010. Many of these transactions will be point-of-sale check conversions by large merchants. There are three main types of ACH fraud. The first is when merchants charge fraudulent amounts via legitimate ACH networks to customer checking accounts. These are usually done in batches, and following the fraud the merchant disappears. The second type of ACH fraud is payroll fraud. Criminals steal banking information for businesses, log in to their payroll processing systems, and direct all the money to the fraudster.
The third type of ACH fraud is ACH kiting which is similar to check kiting but the amounts are significantly larger. For example, a bogus charity may send out increasingly larger aggregate amounts via ACH day after day much like a pyramid type scam ($100,000, $150,000, $200,000). As ACH transactions are returned the bogus charity has a large credit balance and the credits continue to come faster than the returns.
Lending fraud includes new originations and account transactions for lines of credit, collateral, and various types of mortgage-related fraud. The fraud applies to all types of lending including consumer, mortgage, small business, and commercial. There is some debate in the industry regarding lending fraud. Some question whether these are criminal losses or just credit losses that would have been taken anyway based on the deteriorating market. For both positions the losses are real and understanding the contributing factors may help organizations better manage risk.
One recent trend is synthetic applications which use real data from multiple individuals to create a synthetic (fake) identity. Since parts of the identity are real these are much more difficult to detect and deter.
Mortgage loan fraud is the most predominant type of fraud based on SAR filings. The SARs reported that scams target homeowners who are seriously delinquent on their mortgage and promise them false solutions to prevent foreclosure.
The fraudster tells the homeowner to sign a quitclaim deed and the mortgage will be paid. The promise is generally that the homeowner can continue living in the home paying rent and buy back the property once their financial situation improves. However, the fraudster often records the quitclaim deed and sells the property. The purchasers are often straw buyers who misrepresent employment or income information to deceive the new lender. Similar fraudulent activities may include flipping, short sales, appraisal fraud, and investment scams. Participants in these criminal transactions can include appraisers, lenders, realtors, loan officers, title companies, settlement agents, and borrowers.
Advance Fee Scams
In this scenario fraudsters tell homeowners they can save their home but require an advance fee for their services. They typically promise to negotiate a loan modification to prevent foreclosure. Other activities include fraudulent lien releases or meaningless legal documents for the borrower to send to the lender. Often there are no services provided and the con artists simply pocket the money.
Consumer Lending Fraud
While mortgage fraud is a hot topic, there are also risks with consumer lending. This is true for both home equity lending as well as non-real estate lending. For example, a customer fills out a lending application and may indicate a false income. There are also ongoing risks with products such as a home equity line of credit which may have credit availability far greater than the consumer’s typical bank checking account. Fraudsters may have easy access to this credit line via checks or a card.
Business Lending Fraud
Small business and commercial business owners or principals may falsify loan or line of credit documentation and provide fictitious balance sheets and income statements. In some cases these have not been reviewed by a CPA or they may simply forge the CPA signature. For businesses that have receivables, the firm could claim excessive receivables or inflate inventory levels which may be difficult to validate.
Card Fraud (Debit, Credit, Merchant)
Research firm TowerGroup estimated 2009 US-branded total credit card losses from abuse and fraud at $10 billion. Because of the transaction-oriented nature of the card, new risks continue to emerge.
Various card-related trends were shared earlier in this document including skimming and authorized user fraud. Card fraud can also include account take-over, counterfeit, lost or stolen, and “on vacation, send me another card” scams. Merchant fraud typically consists of merchant acquirers that buy existing businesses, open business cards, and claim fraud. They may then simply buy another business to restart the process. Fraudsters are very organized and have individual consumers who typically collude in these types of scams.
Industry Best Practices
While fraud can seem almost overwhelming, there is hope. By leveraging industry best practices banks can help predict, identify, and respond to fraud in a timely manner.
Banks can benefit by combining all financial crimes detection and case management into one unit. This will allow the comprehensive knowledge and capabilities to proactively address threats across all products, channels, payment types, and geographies. Once a criminal has customer credentials they will attempt to access funds via multiple channels. With an enterprise fraud approach the firm can identify this risk and take action across channels to minimize the impact. Many enterprise fraud solutions will provide fraud detection, alert notification, and case management capabilities.
Some best practices for enterprise fraud detection include:
· Real-time monitoring and incident alerts
· Alert linking with automated risk analysis
· Neural networks that “learn” new trends
· Predictive analytics to limit false positives
· Workflows that extend process and control beyond fraud management.
Balancing the process of real-time fraud detection and avoiding the denial of legitimate customer transactions is a challenge. When bank fraud is detected after the fact, it is too late since the losses are already realized. Rules can help automate some of the processes and reduce human intervention, but rules-based systems alone are not adequate. Real-time or near real-time statistical models are required to dissect large numbers of variables. As more information and data is captured, the system can be dynamically updated based on the appropriate model. These systems can actually get smarter over time as they have the ability to store patterns and learn from examples.
Statistical models provide increased protection, but industry experts suggest that the human capability to detect anomalies is unmatched. This can be particularly helpful in identifying new fraud schemes. Internal processes must be established that make fraud prevention everyone’s job. This approach will leverage human intuition to identify potential fraudulent events and situations. In addition, employees can assist with customer contact strategies, particularly if payments are denied or delayed.
Business Process Management
Firms need Business Process Management (BPM) to allow for process design and enterprise-wide visibility. According to Josh Ablett, industry financial crimes expert and president of Adelia Risk Consulting, “a surprising amount of fraud is preventable through automation and statistical analysis.”
While technology can automate and streamline, often firms want the technology vendor to bring them “rules.” Generally, the rules one bank implements should only be used as a starting point for another bank. The bank must focus on its specific products, customers, and access channels to determine fraud root causes. For example, some of the most effective models for detecting card fraud focus on risky vendors and risky locations. However, what good are those rules and patterns if the vendors and locations are out-of-footprint for your bank?
Regulatory requirements such as the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) and specifically the Red Flags Rule are intended to protect customers against identity theft. These regulations are continually evolving, and adherence is not optional. Organizations are also required to file SARs as appropriate. To comply with these ever-changing regulations and others, select a partner that provides maximum flexibility and automated solutions to keep you compliant.
Some firms only worry about fraud once it exceeds a certain level. One industry executive mentioned that at his bank fraud was only deemed an “issue” when fraud exceeded 1% of average outstanding balances. Perhaps in some ways there is an acceptable or expected level of fraud. We admit there is no way to eliminate all fraud.
Ultimately there is a trade-off between safety and the customer experience. For example, with funds availability most banks feel they need to give next day funds availability to their customers. So as long as banks provide next day funds availability there will be an opportunity for fraud. The only way to totally prevent fraud is to place holds on all items until you have the funds. But this is not practical. Ultimately it comes down to policy, process, and people with technology as an enabler.
Technologies can assist in protecting financial institutions, particularly as they deploy cross-channel solutions. There are also processes and policies that can minimize risks. However, one of the biggest opportunities to reduce fraud is the “people” factor. One bank executive shared “The fastest route to realizing fraud savings is through the operations team.” Some banks focus on technology projects but forget they could save money just by adding operations staff members.
One global problem that continues to exist is that sometimes customers are tricked into giving up their confidential information. New fraud tactics will continue to develop, and as criminals get smarter the bankers must follow suit. Consider your organization and ask yourself the following key questions:
o Have we quantified the fraud losses by product area as well as enterprise-wide?
o Do we have product fraud silos or an integrated enterprise fraud focus?
o Are we leveraging our employees to help us identify and prevent fraud?
o Have we analyzed our business processes and policies to identify potential pitfalls as well as process improvement benefits?
o How would we respond to a significant breach and what are we doing today to avoid this type of scenario?
As you hear the tick, tick, tick of fraud it is important to act promptly and invest wisely to protect your bank from fraudsters. Criminals will continue to attack, so be prepared.
Wisemar is a management consulting firm providing dynamic solutions for the alignment of people, processes, products, and technology. The firm specializes in helping financial services clients through business process improvement, change management, and corporate strategy engagements. Wisemar was founded based on one simple principle – “client satisfaction.”
leverages experienced senior consultants with a structured engagement process to deliver consistent positive results for clients. Wisemar executives and consultants have worked with the majority of the top 50
For more information, please visit www.wisemar.com or contact us at 704-503-6008.
 FirstData, “Fraud Trends in 2010: Top Threats From a Growing Underground Economy.” April 2010.
 “FinCEN Releases 14th SAR Activity Review-By the Numbers.” Financial Crimes Enforcement Network, 23 June, 2010.
 Kitten, Tracy, “2010’s Top Fraud Trends,” bankinfosecurity.com, 15 June, 2010.
 Patricia Hurtado and Linda Handler, “Computer Hacker Gonzalez to Admit Guilt, Forfeit $1.65 Million,” Bloomberg.com, 29 August 2009.
 Wolfe, Daniel, “Security Watch,” American Banker, 28 July, 2010.
 Celent, “Internal Fraud: Big Brother Needs New Glasses,” October 2008.
 McGlasson, Linda, “Top 8 Security Threats of 2010.” bankinfosecurity.com, 21 December 2009.
 “2009 Deposit Account Fraud Survey Report,” American Bankers Association, November 2009.
 McGlasson, Linda, “Top Trends in ACH Fraud,” bankinfosecurity.com, 18 May 2009.
 “Mortgage Loan Fraud: Loan Modification and Foreclosure Rescue Scams,” Financial Crimes Enforcement Network, May 2010.
 “Issuer Credit Card Losses - Credit Loss or Fraud Loss?” Payment News, April 2009.
 Nelsestuen, Rodney, “Fraud Management: Covering the Basics, Extending the Value,” TowerGroup, November 2006