Why does it always seem as though fraudsters are one step ahead? No matter what controls we put in place to prevent or detect fraud, they somehow find a way to circumvent them. The issue is really a culmination of things.
Unless a threat actor is backed by a nation state and targeting a specific bank, the likelihood of hacking a bank’s network is pretty slim. That’s why they go straight for the weakest link, the users. Business Email Compromise (BEC) is one of the fastest-growing frauds. Using social engineering, fraudsters manipulate people into initiating payments, making it difficult for banks to detect. Since the customer is the one who initiated the payment, the online banking logs will show the right IP address, etc. Even if a bank catches anomalous behavior and believes it’s fraud, in most instances the customer confirms that they authorized the payment and approves its release. By the time they realize it was a scam, it’s usually too late to recover the funds.
In other social engineering attacks where fraudsters pose as someone from Amazon, Microsoft, or other companies, customers are instructed on what to say to the bank. The customer lies about the purpose of the money movement or the recipient, authorizing the payment and making it difficult for banks to stop this type of fraud. Phishing emails use an element of social engineering as well. The goal is to trick the user into clicking on a link or opening an attachment that would then either release malware or direct them to a site in hopes of harvesting credentials. The emails look as though they are coming from a legitimate source, and sometimes are coming from known contacts who have been compromised.
What all of these have in common is the human element. Fraudsters are banking on the fact that they will catch someone off guard, create some panic, and obtain the money, proprietary information, or the credentials they need. The best defense against these types of attacks is education. Not only must we train our own employees, but our customers as well. Do they have procedures to perform call backs? Do they require dual control? Do they perform phishing simulations on their own employees? Helping them understand the risk and better mitigate it is the best way of preventing these types of attacks.
So, is the rise in fraud just due to the exploitation of human vulnerability? I think it can also be attributed to the ease of certain frauds as well. Many thought checks would be obsolete by now. Although we continue to see a decline in overall check writing, check fraud continues to climb. It’s easy and low-tech, making it attractive to bad actors. In fact, many banks are reporting they’ve seen a surge in check fraud in recent months. It may not be as high-tech as a ransomware attack, but this oldie has stood the test of time. The lack of digital information also makes it difficult for banks to write detections unless using some sort of Optical Character Recognition (“OCR”). Commercial clients can optimize Positive Payee, especially with Payee Match. However, consumers don’t have a similar product offering. Their best bet is to set up alerts and monitor account activity closely.
Another factor is the lack of information sharing. There are legal restrictions around sharing personally identifying information. Banks can share some information by using the 314b process; however, there isn’t a good framework to utilize the information that is shared. The American Bankers Association is working on a project to try and automate some of this information sharing, but it will likely be months or years before it’s readily available and banks are able to utilize that information in any meaningful way.
Lastly, I believe red tape and the inability to move nimbly contribute to fraud increases. Financial institutions are bound by regulation and bureaucracy. Making a change requires lengthy approval processes, oversight from various committees, and review from compliance and risk. Conversely, we’re dealing with criminals who are not held to those standards. Bad actors can adapt quickly and require no such approval to change up their attack vectors or techniques, making them adaptive and allowing them to be creative in their approach.
The threat landscape is constantly changing. It’s important to be aware of existing threats, techniques used to avoid detection, and the industry’s shortcomings. Together, we can continue to fight the good fight, and perhaps find our own creative solutions to combat fraud. I encourage everyone to be open to sharing information, what has worked and what hasn’t, and remember that we’re all on the same side.