Fraud Countdown – ‘Tis the season

Fraud Awareness Week

As a card-carrying member of the ACFE (Association of Certified Fraud Examiners), and with this being their “Fraud Awareness Week”, I can say that more people than ever are becoming aware of the impact of data breaches and the fraud that follows them. But what about the rest of the fraud types: internal fraud, account takeover, elder abuse and even the old generic scam?

We have a unique opportunity here, in this season, to compel our customers (consumers) to take action and be mindful of their role in the fight against fraud. And they are engaged. In a recent Aite/ACI survey, 77% of customers said they want to be engaged with, and responsive to, fraud alerts from their banks. Even better, bank customers frequently trust their banks to do the right thing with respect to fraud management, as does the U.S. President (as noted in my last blog post). So, great: we will find new and innovative ways to deliver risk-based contact strategies to consumers, and we’re doing well at that. The problem is that the bad guys are doing well at it too, and that is the current problem I have.

Consider this. How many times were you phished last week? A dozen? Two? Here’s my inventory: I had at least three vishing (voice phishing) calls, including multiple phone calls trying to gain remote access to my computer and the regular “you won a cruise” silliness. I had a half dozen phishing emails; some were quite spectacular: Twitter-bait, Facebook-bait, shipping-bait, even a new one impersonating my favorite Sunday paper subscription. All day long I find various other forms of click-bait all over the internet. A look in my junk mail folder shows another six items waiting for my unfortunate navigation. I had one smish (SMS phish) when I woke up this morning claiming to be from the phone company. Last week, I got a very distressing phone call from someone who claimed they had received a photo from my number regarding a recently deceased relative, seeking to fleece me.

Really sick stuff is out there, and as a guy who is focused on security and fraud, I wonder how much of it is targeted spear phishing and how much is just generic spam. Either way, they will try everything, and stopping all of it is unfortunately out of the question. The problem is a modern-day hydra, and this cat-and-mouse game will continue. But let’s not throw up our hands and lose focus; we can manage our way through this. Here’s some additional perspective on the steps the ACFE recommends to improve fraud awareness from a corporate perspective:

  • Develop a Policy. This goes beyond the card fraud and third-party financial crimes that are usually discussed in this blog. A fraud policy assigns ownership for all financial irregularities and puts a framework in place, so the business understands its responsibilities and who is accountable. Yes, it is that simple, and the ACFE even offers a basic template; but I wonder how many people could actually find their institution’s fraud policy if asked to. Pro tip: check with the Internal Audit team; they’ll be pleased you did.
  • Perform a Fraud Check-up. Popularly known as a risk review, this is a practice performed annually in the AML space, and naturally we should do it in the fraud space too, to be sure that our plans are effective and our controls are maintained. This operational review, with testing, is a great way to prepare for the busy holiday fraud-spending season (so, this has already been done, right?). If this is something you have not yet done, allow me to offer my services as a CFE; the scorecard, again, is provided by the Association in template form.
  • Establish an Anti-Fraud Hotline. Where should your customers, employees and third parties call when there is a fraud event? How should this be monitored, and could it be run as a service? Are there third parties who can provide this, anonymously and in alignment with your fraud policy and incident plan? Why, yes.
  • Last, use your anti-fraud resources (e.g. transaction monitoring, behavioral profiling, layered fraud protection, etc.).

So how does the phishing bit from before tie into all of this? Well, it serves as an example of what we are constantly bombarded with, at all levels really, and of why we need well-coordinated defense strategies to manage increasingly sophisticated, cross-channel fraudsters. Internal fraud and account takeover frequently start with a simple phish. With the recommended policies in place, and with tested preventive and detective controls on both the front end and the back end, we know we’ve got layers ready to manage the risk even if a customer eventually does take the bait.

I always suggest to clients (and other interested parties) the following consumer awareness tips:

  1. Always tell your customers, through multiple channels, what your methods of contact will be, on which channel (e.g. mobile alert, phone call, e-mail, other), as well as what will (and will not) be asked of them. This simple clarification has helped many of my clients navigate their way through phishing events and minimize losses.
  2. Be up front and transparent about the issues that are affecting your customers’ experience.
  3. Customers are your first line of defense, so arming them with the expectations you have for their behavior, with respect to your policies and systems, is more critical than you may initially estimate.