Post-Pandemic Fraud: Be Proactive, Not Reactive
- The pandemic has created a definite uptick in fraud
- Rather than reactive, FIs should be PROACTIVE in their approach to combatting fraud
- It's time to "think like a fraudster"
James Ruotolo, a senior manager in the fraud and financial crimes practice at Grant Thornton, contributed a valuable article to ABA Bank Compliance magazine which discusses ways in which potential fraud victims can turn the tables and actually "play offense" against the fraudsters.
While this may seem like dire news, all is not lost. This situation is a good reminder that fraud is not a static problem: Fraud is constantly evolving, and organizations must adapt with it in order to remain vigilant. What can we do to protect our FIs from this increased fraud risk? Here are six specific recommendations to bolster your fraud risk posture.
An interesting observation Mr. Ruotolo makes is that pandemic stimulus frauds are likely to "usher in a new generation of fraud actors" who will use newfound techniques on more traditional targets when the pandemic benefit programs cease -- making 2022 fraud risk even higher for most FIs than in the past. Mr. Ruotolo notes that "compliance officers must prepare for the shifting grounds that may lead to new regulation."
Financial Institutions especially have not been spared from this recent uptick in fraud activity. In fact, bank compliance professionals have had to deal with a variety of distinctive challenges over the past two years. The dramatic change in consumer behavior brought on by pandemic restrictions made fraud detection models based on prior customer behavior less effective. And while there has been an understandable focus on pandemic-related schemes, traditional fraud attempts didn’t go away. Those traditional fraud attempts still had to be addressed even as banks were processing a high volume of PPP loans. These issues are made even more challenging by a transition to remote work and—more recently—staffing shortages.
Six Ways to Prepare for Fraud
In the article, Mr. Ruotolo provides readers with six specific recommendations:
Risk assessment should be more than an annual compliance exercise.
This is a great opportunity to reevaluate how you conduct fraud risk assessments and spend some time creating a fraud risk map that tracks the new and emerging risks you expect to face over the coming months. It also gives you a chance to anticipate and enact necessary changes to your institution’s compliance program.
Ask colleagues from across your institution to think about potential loopholes in business processes and controls. Ask them, “In what clever ways do you think someone might be able to commit fraud against our institution?” By doing this, you are not just looking for existing fraud, but you are proactively seeking ways fraudsters may commit future fraud. Cybersecurity majors in college learn how to protect systems by learning how to hack them. These individuals are trained to think like the enemy.
Mr. Routolo suggests creating a fraud risk map to track the specific actors and entry points they might use. Would this approach inadvertently increases fraud risk by giving people new ideas about how to commit fraud?
The reality is that adversaries are already thinking about these things and the value obtained from being more proactive far outweighs any incremental fraud risk from ideating new fraud schemes.
In other words: avoid "internal silos" and make sure information is freely shared.
Use this opportunity to develop a more formal communication channel with your partners in other critical areas of your FI and consider leveraging the same case management systems to more quickly discover and share relevant information. You can also offer staff members the opportunity to do a temporary rotation with another team to better learn their procedures and methodologies.
As we've noted in a previous post, sometimes you have to go to the source -- dark web chat rooms, for instance. These clandestine communication channels are "buzzing with hourly updates on how to circumvent new fraud controls being rolled out by government agencies over the last year."
This same methodology can be applied to support anti-fraud programs. Skilled anti-fraud teams can similarly use threat intelligence services to scan the dark web and find critical information that will inform their anti-fraud efforts and allow them to be more agile in addressing the latest scams. In addition to monitoring for card dumps and other stolen credentials, threat intelligence should include information about any changes in the types of fraud attempts or new methods that are being discussed in dark web channels.
Mr. Routolo identifies this as "a great time to do a market scan and benchmark your current capabilities against the available offerings in the market."
Grant Thornton and ACFE research indicates that 38 percent of organizations increased their budget for anti-fraud technology in 2021. Even if you are not able to take on a large technology project in the near term, it’s wise to keep a pulse on market offerings and plot a multi-year roadmap so you don’t find yourself lagging behind the industry and becoming a soft target.
We've learned from recent pandemic fraud scams that identity crime is skyrocketing.
Banks should expect an uptick in identity-driven fraud activity over the next few years. There is also a rise in the availability of low-cost automated bots that give fraud actors unprecedented scale and an ability to more efficiently thwart two-factor authentication. Increasingly, fraud actors are using these bots as a form of robotic process automation to help them automate social engineering attempts in order to retrieve one-time passcodes from unsuspecting customers. While this has been happening by phone via traditional social engineering scams, the bots leverage robocalls to dramatically expand the scale and improve the efficiency with which fraud actors can target a banking institution and its customers.
Be Proactive, Not Reactive
Mr. Ruotolo notes that "fraud is not a static problem: fraud is constantly evolving, and organizations must adapt with it in order to remain vigilant." Financial institutions cannot remain stagnant; they should always have an eye to updating their policies, procedures, and especially their technologies.
When assessing the industry, the evidence and data make it clear that check fraud is still prevalent and the most vulnerable payments channel. FIs need to continue to evaluate their internal processes regarding how they handle check fraud and what measures are in place to detect fraudulent checks. Many FIs are still utilizing manual review as part of their process, but these fraud analysts are inundated with thousands of false positives which require enormous resources to review and clear.
This is where FIs can take advantage of technology to enhance their fraud detection capabilities. Deploying image-forensics AI for Check Stock Validation (CSV-AI), Automated Signature Verification (ASV-AI), and Alteration Detection is an effective method for fraud detection, as the technology is able to interrogate the attributes of the check images and -- through hundreds of tests -- identify which checks are suspect and subsequently sent to fraud analysts. The technology is able to quickly process thousands of checks -- significantly reducing the number of checks needing review by fraud analysts.
As FIs continue to expand their fraud capabilities in 2022 and beyond, it's more important than ever to incorporate innovative technologies to bring the fight to the fraudsters.