Fraudsters never rest; they just keep changing their game. That means you can’t afford to rest, either. Since the pandemic began, online and mobile banking have become far more prevalent, creating a new high-tech playing field for fraud. What worked this year to prevent theft at your financial institution may not be sufficient in 2023 and beyond.
As always, before you can solve a problem, you have to define it clearly. Begin by answering these questions: What is your fraud prevention strategy right now? What are your high-risk transactions? Conduct a risk assessment to discover any weak points in your security.
Knowing how thieves operate can also help you fight them. Once they have access to accounts, they move money fast by using wire transfers, P2P transactions, or ACH, for example. Make sure your risk assessment includes an examination of security on these kinds of transactions as well as on new account applications.
The speed of electronic banking means a great deal of money can be moved before fraud is detected, so prevention is the only way to win. In order to stay ahead, you need to be proactive. But how can you be sure your strategies will work in this fast-changing digital banking environment?
Here are 17 ways your financial institution can boost your online banking security to prevent fraud.
For more information on these 17 points, read on.
The emergence of new scams doesn’t mean the old ones are gone. Some people will still try to use the tried-and-true methods of stealing from banks. If you haven’t already done so, implement fraud prevention for empty-envelope deposit scams, forged and fraudulent documents, forged checks, fraudulent loan applications, and wire transfer fraud.
If your bank still uses envelopes for ATM deposits, you can prevent empty-envelope deposit fraud by installing a “smart ATM” that doesn’t accept envelopes. The ATM scans checks and cash deposited. You can also require a waiting period after an ATM deposit before the customer can withdraw cash from a deposit.
Although it’s not new, wire transfer fraud is increasing. According to the American Land Title Association (ALTA), “Title insurance professionals reported cybercriminals attempted to trick employees to wire funds to a fraudulent account in a third of all real estate and mortgage transactions.” Training and education prevented most of these fraud attempts from succeeding.
You can prevent wire transfer fraud by training your employees on how to verify the authenticity of wire requests. In the article mentioned above, ALTA gives a checklist for verifying outgoing wire transfer requests. One way is to call the phone number listed on the account to verify that the account owner made the wire transfer request. For large amounts, it's especially important to use more than one method of verification.
While phishing and social engineering schemes have been around for a few years, they’re still a huge problem.
In fact, fraud management provider Outseer’s 2022 report states that as much as “75% of fraudulent online banking payments activity (based on $ value) originates from trusted accounts on trusted devices,” which means that customers have been duped into making these payments.
Phishing counts on people not paying attention to small details in fake emails or texts, and thieves are getting better at making them look genuine.
The best way to prevent phishing attacks from hooking victims is to teach people what to look for and to always be wary before clicking on a link in an email or a text. After the initial training, follow up with frequent reminders. People are often in a hurry when replying to email and need to be warned often to keep the danger top of mind. You may also want to include a warning like this one with emails sent from all external email addresses: “CAUTION: This email originated from outside our organization. Think before you click!”
Social engineering scammers use fear and other emotional tactics to trick people. Again, education is one key to preventing this kind of fraud. Make sure your employees and customers know they should never give any personal information to a stranger, no matter how they present themselves and no matter how urgent it seems. Legitimate companies won’t ask for such information over the phone or by email.
Another way to prevent fraud is to use sophisticated software that monitors transactions. Companies like Outseer and NICE Actimize use AI and machine learning to detect unusual activity on accounts and thus possible fraud. Make sure your online and mobile banking provider has such third parties incorporated into their system.
Although it’s time-consuming, someone at your institution should also be reviewing reports manually, looking for suspicious activity such as a high number of failed login attempts on an account. The fraud monitoring systems mentioned above only monitor the fraudsters’ activity once they’ve gotten into the user’s account, so manually reviewing login reports is a way to stop fraudsters from getting into the account in the first place.
Involve your customers in fraud prevention by alerting them whenever unusual activity occurs on their account. You can ask them to opt-in or just automatically alert them when, for example, a charge on their credit card originates in a location far from their home. Because electronic fraud is so pervasive now, you may even want to offer an alert for customers any time their card is charged.
You may want to require a waiting period before a customer can use a new account. If the account has been opened with stolen credentials, most thieves won’t wait; they’ll move on to easier targets. If you explain the reason for the waiting period, legitimate customers are more likely to appreciate the precaution and see it as a way your bank is keeping their money safe.
You can also determine the automatic timeout period for online access and set maximum limits on high-risk transactions.
In the past, users were advised, or even required, to change their passwords often. However, recent data suggests that frequently changing passwords doesn’t help prevent fraud. In fact, people who are forced to change their passwords frequently are more likely to keep a physical record, or a note in their phone, with all their passwords written down so they don’t forget them. This is bad practice, and such records can easily be stolen. Now, most fraud-prevention specialists advise people to use longer, more complex passwords, or memorable passphrases made up of several words, rather than changing their passwords frequently.
Two-factor authentication or challenge questions make fraud difficult, even with stolen credentials. You can require these at login and when trying to perform high-risk transactions. Various methods of two-factor authentication exist. Consider ease of use for legitimate customers when you decide what to offer.
Whenever a software provider creates a patch or an updated version, install it as soon as possible. In many cases, these newer versions contain fixes that close a vulnerability in the older version.
In case someone at your institution does fall for a phishing or social engineering attack and downloads infected code, applications that defend against malware can be your first line of defense. Most of these applications aren’t expensive, and they can save your bank countless hours and dollars by blocking the malware and alerting you to the attack.
Unfortunately, sometimes attacks come from within your institution. Besides conducting background checks on potential employees, you can keep an eye on employee conduct on the job. For example, you can require IT admins to sign in with their own individual credentials rather than shared accounts, monitor employee activity, and require employees to log out when they leave their workstations.
Whether they are individuals or businesses, new customers opening accounts should always be run through an OFAC check to confirm they are not on the sanctions list. You also need to run OFAC checks regularly against your entire name and address database. With the right digital system in place, you can remove old customer information from the system so that no orphaned names are left in the data files. That should also make setting up new customers and retrieving customer information faster and easier.
13. Conduct penetration tests.
A penetration test is a test performed by hired security testers (ethical hackers) who try to breach your security. Penetration tests identify exploitable vulnerabilities in your system’s defenses. The test scope can include in-person attempts, social engineering attacks, remote network attacks, and other methods of hacking. Penetration tests can also give your IT team practice in responding to threats.
You should conduct penetration tests at regular intervals and in the following situations:
Credential stuffing, the automated use of stolen login credentials, is an increasing problem. Thieves can buy stolen login credentials on the Dark Web and use them to make mass attempts to break into accounts. One tool to combat credential stuffing is reCAPTCHA, a free service from Google designed to verify that login attempts are coming from humans rather than automated scripts.
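The manual review of login reports mentioned earlier and the credential stuffing described here look for two different patterns in the same data: many failures on one account (a brute-force or lockout candidate) versus one source failing against many different accounts (the stuffing signature). The following is an added illustration, not code from the article or from any vendor it names; it assumes a constructed log format of `timestamp user source_ip result` and uses sample lines made up for the example.

```python
from collections import defaultdict

# Constructed sample of an online-banking login report (not real data).
# Format: timestamp user source_ip result
SAMPLE_LOG = """\
2023-01-09T08:00:01 alice 203.0.113.7 FAIL
2023-01-09T08:00:02 bob 203.0.113.7 FAIL
2023-01-09T08:00:03 carol 203.0.113.7 FAIL
2023-01-09T08:00:04 dave 203.0.113.7 SUCCESS
2023-01-09T08:00:05 erin 203.0.113.7 FAIL
2023-01-09T08:01:10 frank 198.51.100.4 FAIL
2023-01-09T08:01:20 frank 198.51.100.4 FAIL
2023-01-09T08:01:30 frank 198.51.100.4 FAIL
2023-01-09T08:01:40 frank 198.51.100.4 FAIL
2023-01-09T08:05:00 grace 192.0.2.9 SUCCESS
"""

def parse_log(text):
    """Parse lines into (user, ip, result) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, ip, result = parts
        events.append((user, ip, result))
    return events

def flag_accounts(events, max_failures=3):
    """Accounts with repeated failed logins: candidates for lockout or review."""
    fails = defaultdict(int)
    for user, _ip, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u: n for u, n in fails.items() if n >= max_failures}

def flag_stuffing_sources(events, min_accounts=3):
    """Source IPs that fail against many *different* accounts: stuffing pattern."""
    targets = defaultdict(set)
    for user, ip, result in events:
        if result == "FAIL":
            targets[ip].add(user)
    return {ip: sorted(users) for ip, users in targets.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("accounts to review:", flag_accounts(ev))
    print("credential-stuffing sources:", flag_stuffing_sources(ev))
```

Note that the single-account rule alone would miss the stuffing source, because it never fails more than once per account; that is why both views of the report are worth checking.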
Everyone at your institution must store all private information about accounts on a network with strong firewalls and other security measures that prevent bad actors from accessing the information. In addition, no private information should ever leave your bank on removable storage devices, laptops, or by any other means.
Unencrypted public Wi-Fi connections are an open invitation to hackers. Anyone who knows how can easily tap into information being shared via an unencrypted network. They can steal information like account numbers or login credentials as well as inject malware into a device connected to the public Wi-Fi network.
As infamous security breaches like that of Equifax in 2017 have demonstrated, even large, trusted institutions can be hacked. You need strong encryption on your customers’ information to add an extra layer of protection.
Encryption ensures that stolen information can’t be read or used without the key needed to decrypt it. Encryption is the basic building block of data security.
Fraud is a problem that never dies—it just evolves. Use the 17 strategies above to assess your current risk, strengthen your cybersecurity, educate your employees and customers, and invest in the right systems and software. These steps will help you stay ahead in the race against financial fraud.