For many of us, fraud and money laundering have shifted into overdrive. I cannot remember a year in which fraud specifically was talked about in the media so constantly. Turn on the TV, watch any news organization, and you will hear about instant payments fraud, check fraud, postal carriers being robbed at gunpoint, card fraud, and scams, daily. So, let's talk about where we are heading going into 2023.
In the past, many financial institutions (FIs) divided fraudulent activity into two categories: fraud and scams. Claims categorized as fraud were the ones the FI considered itself liable to reimburse. Scams, on the other hand, were cases where accountholders were duped, conned, tricked, hoodwinked, etc., and FIs passed the liability to the consumer for falling prey. All this changed in June 2021, when the Consumer Financial Protection Bureau (CFPB) issued a new interpretation of Regulation E (Reg E).
In the related FAQ (Frequently Asked Questions) they released, they targeted two things outright with examples: a PIN written on the back of the card and a username and password on a sticky note. The new interpretation says that if a customer is scammed into giving out credentials or a PIN, and the customer did not directly benefit from the stolen money, these instances are covered under Reg E. For the first time, the liability fell to the FI to repay. Then in December 2021, the CFPB further clarified that P2P (person-to-person) transactions are covered under Reg E as well. This was a direct reaction to the rise in instant payments fraud and all the media attention.
I had the opportunity to be invited to a social media chat with several people who are in the fraud business. Our chats focused on the mindset of fraudsters, and the two chat participants remained anonymous behind online handles. What I learned from them is that they were both in their 20s and are making around $150k a month, combined, scamming people out of their money. It was a brag for them that they make more money than 95% of the U.S. population.
One thing I really took note of was the following quote: “Fraudsters usually fall into two categories … You have one group that couldn’t care less about the victims they defraud. It is all about the money. To them, it is like a business and how they pay their bills. They clock in and out like you and I do. Then there is another group of fraudsters that have sympathy for the victims. These fraudsters are also about money, putting food on the table and a roof over their heads, but they do not want to step over victims to get it. They want to fleece large greedy corporations and banks to be the ultimate loss takers. They will attack people when they have good confidence that a bank or company would make the victim whole.” Wow, that was a revelation for me. I assumed something like that to be happening, but they confirmed it for me. Why is that important, you ask? It is because the first type of fraudster mentioned will already be targeting your accountholders and committing fraud against them. However, the second type of fraudster is now entering the financial fraud sector because in their eyes they are “giving it to the man.” They have that Robin Hood mentality knowing that some of these rule changes have now passed the liability from consumer to the FI.
Of course, that is not the only driver of the rise in scams. There are also the data breaches. Consumers' confidential information is becoming public, and fraudsters have realized that big data is their key to targeted crimes against consumers. Some of the big breaches of the last 10 years: Target, Joann Fabrics, Heartland, Facebook, T-Mobile, etc. What fraudsters realized is that if they keep buying these datasets on the dark web, they can use something as simple as Excel or a database to combine them into customer profiles. They use fields like email address, phone number, DOB, and Social Security number to link a record in one breach to a record in another, building profiles detailed enough that they can spear phish many people directly.
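The profile-building described above is ordinary record linkage on a shared key. The following is an added example (mine, not from the original article) that joins three small, constructed "breach" exports on normalised e-mail addresses and phone numbers and merges every record that shares an identifier into one profile. All names, addresses, numbers and field names are made up. Run the other way round, the same join is what an FI's fraud team would use to find which of its own accountholders appear in a newly circulated dump.

```python
import re
from collections import defaultdict

# Constructed sample data (made up; each list stands in for one leaked export).
RETAILER_DUMP = [
    {"email": "Jane.Doe@Example.com", "name": "Jane Doe", "card_bin": "411111"},
    {"email": "bob.smith@example.net", "name": "Robert Smith", "card_bin": "550000"},
]
TELECOM_DUMP = [
    {"phone": "(555) 010-0199", "email": "jane.doe@example.com", "dob": "1978-01-28"},
    {"phone": "+1 555 010 0250", "email": "alice@example.org", "dob": "1990-06-02"},
]
FORUM_DUMP = [
    {"username": "jdoe78", "phone": "555.010.0199", "password_hint": "dog name"},
    {"username": "bsmith", "phone": "15550100300", "password_hint": "street"},
]


def normalize_email(addr):
    """Lower-case the address; fold Gmail's dot- and plus-variants (only for
    Gmail, since other providers treat dots in the local part as significant)."""
    if not addr or "@" not in addr:
        return None
    local, domain = addr.strip().lower().rsplit("@", 1)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(raw):
    """Reduce a North American number to its 10 digits, dropping the country code."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


class DisjointSet:
    """Union-find: records that share any identifier end up in one set."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def build_profiles(*dumps):
    """Merge records from several dumps into profiles keyed by a shared
    normalised e-mail or phone number.  Returns profiles, largest first."""
    records = [(src, rec) for src, dump in enumerate(dumps) for rec in dump]
    ds = DisjointSet(len(records))
    seen = {}  # (kind, normalised value) -> first record index that carried it
    for idx, (_, rec) in enumerate(records):
        for key in (("email", normalize_email(rec.get("email"))),
                    ("phone", normalize_phone(rec.get("phone")))):
            if key[1] is None:
                continue
            if key in seen:
                ds.union(idx, seen[key])  # identifier already seen: link the records
            else:
                seen[key] = idx
    groups = defaultdict(list)
    for idx in range(len(records)):
        groups[ds.find(idx)].append(idx)
    profiles = []
    for members in groups.values():
        fields, sources = defaultdict(set), set()
        for idx in members:
            src, rec = records[idx]
            sources.add(src)
            for k, v in rec.items():
                fields[k].add(v)
        profiles.append({"records": len(members),
                         "sources": sorted(sources),
                         "fields": {k: sorted(v) for k, v in fields.items()}})
    profiles.sort(key=lambda p: p["records"], reverse=True)
    return profiles


if __name__ == "__main__":
    for p in build_profiles(RETAILER_DUMP, TELECOM_DUMP, FORUM_DUMP):
        print(p["records"], "record(s) from sources", p["sources"], p["fields"])
```

The point to notice is that the Jane Doe retailer record and her forum record share no field at all; they are linked only through the telecom record, which carries both her e-mail and her phone number. Normalisation does the rest: a mixed-case address and two differently punctuated phone numbers collapse to the same key, and the merged profile now holds name, DOB, card BIN and a username in one place. The two Robert Smith records, by contrast, share no normalised identifier and stay apart.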
I will give you an example of what happened to a close friend of mine. To spare her the heartburn of me sharing her story, I will call her Mrs. Jane Doe. The fraudster had built a surprisingly good customer profile on her. They knew her name, address, and DOB, and they knew she was a Bank of America customer from the BIN (bank identification number) of her debit card, which had appeared in a breach. They also knew from the breaches that she used the same username at various places and had a few variations of her password. On the 2nd of the month, a few months back, she got a call, and the caller ID said "Bank of America," so she answered. Here is the transcript of the conversation:
Caller: May I speak to Mrs. Doe?
Mrs. Doe: This is she, what can I do for you today?
Caller: I am Michael Johnson from the fraud team at Bank of America. To confirm I am the bank, you live on 123 Main St, DOB of 01/28/1978. Is this correct?
Mrs. Doe: That is correct.
Caller: I am sorry to inform you that you had $3,500 go out via Zelle. We noticed it after the fact and have disabled your account at this time.
Mrs. Doe: Oh S@#$ I just paid my mortgage and car and now those will bounce, what can I do?
Caller: Just to confirm I am speaking to Mrs. Doe I will send a 6-digit code to your phone. It will be from the same number Bank of America has sent any previous codes from. Once you get it, let me know.
Mrs. Doe: I got it. Ready for it? It is 251896.
Caller: Thank you for that. Please stop at any branch location to fill out the fraud paperwork. They will be able to help you with your mortgage and car payment. I am sorry again for what has happened.
The caller then hung up before Mrs. Doe could say anything else.
As you can see, Mrs. Doe was a spear phishing target. The fraudster knew her information, fabricated a story that the fraud had already occurred, spoofed the Bank of America number, already had her username and password, and knew that logging in with them would trigger the one-time code. When she read the multi-factor authentication code to him, the fraudster completed the login and transferred the money out instantly. The code came from the bank's genuine number precisely because the bank had just sent it, in response to the fraudster's own login attempt; a bank will never ask a customer to read a one-time code back over the phone. He also told her the account had been suspended, to make sure she did not look at her Bank of America app. Had she stopped and looked at her account before giving the caller the code, she would have seen that the money was still there. Luckily, she became skeptical once the caller hung up so quickly. She called me, and I was able to help her with the next steps she needed to take.
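Nothing in the login itself betrays this attack: the one-time code the fraudster typed was genuine, issued by the bank seconds earlier. What is detectable is the context around the transfer. The following is an added example (mine, not from the original article or any bank's system) of a rule that scores outbound P2P transfers against constructed session events: a device the account has never used, an OTP passed moments earlier on that device, and a recipient the account has never paid. The event schema, field names, the 15-minute window and the hold-and-callback action are all assumptions; the events are made up.

```python
from datetime import datetime, timedelta

# Constructed sample: the account's history (trusted devices, prior payees)
# and one day of online-banking events.  Field names are an assumed schema.
KNOWN_DEVICES = {"acct-1001": {"dev-ios-aa11"}}
KNOWN_PAYEES = {"acct-1001": {"landlord-llc", "auto-finance"}}

EVENTS = [
    # Legitimate activity: known device, known payee.
    {"ts": "2022-11-02T08:05:00", "acct": "acct-1001", "type": "login_success",
     "device": "dev-ios-aa11", "ip": "203.0.113.10"},
    {"ts": "2022-11-02T08:06:30", "acct": "acct-1001", "type": "p2p_transfer",
     "device": "dev-ios-aa11", "ip": "203.0.113.10", "recipient": "landlord-llc", "amount": 1800.00},
    # Relayed-OTP takeover: a never-seen device passes the challenge, adds a
    # payee, and pays it within two minutes.
    {"ts": "2022-11-02T14:12:00", "acct": "acct-1001", "type": "otp_challenge",
     "device": "dev-win-zz99", "ip": "198.51.100.77"},
    {"ts": "2022-11-02T14:13:05", "acct": "acct-1001", "type": "otp_passed",
     "device": "dev-win-zz99", "ip": "198.51.100.77"},
    {"ts": "2022-11-02T14:14:20", "acct": "acct-1001", "type": "payee_added",
     "device": "dev-win-zz99", "ip": "198.51.100.77", "recipient": "mule-4471"},
    {"ts": "2022-11-02T14:14:50", "acct": "acct-1001", "type": "p2p_transfer",
     "device": "dev-win-zz99", "ip": "198.51.100.77", "recipient": "mule-4471", "amount": 3500.00},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def score_transfers(events, known_devices, known_payees, window=timedelta(minutes=15)):
    """Return an alert for every outbound P2P transfer whose surrounding
    context looks like an OTP-relay takeover.  Assumed rule: new device AND
    OTP passed on that device within `window` AND never-seen recipient."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "p2p_transfer":
            continue
        acct, when = ev["acct"], _ts(ev)
        reasons = []
        if ev["device"] not in known_devices.get(acct, set()):
            reasons.append("new_device")
        if ev["recipient"] not in known_payees.get(acct, set()):
            reasons.append("new_recipient")
        # Look back over this account's events inside the window.
        recent = [e for e in events[:i] if e["acct"] == acct and when - _ts(e) <= window]
        if any(e["type"] == "otp_passed" and e["device"] == ev["device"] for e in recent):
            reasons.append("otp_passed_in_window")
        if any(e["type"] == "payee_added" and e.get("recipient") == ev["recipient"] for e in recent):
            reasons.append("payee_added_in_window")
        # The OTP pass alone proves nothing: a relayed code is a valid code.
        # Only the combination of signals is diagnostic.
        if {"new_device", "new_recipient", "otp_passed_in_window"} <= set(reasons):
            alerts.append({"acct": acct, "ts": ev["ts"], "amount": ev["amount"],
                           "recipient": ev["recipient"], "reasons": reasons,
                           "action": "hold_and_callback"})
    return alerts


if __name__ == "__main__":
    for alert in score_transfers(EVENTS, KNOWN_DEVICES, KNOWN_PAYEES):
        print(alert)
```

A hold with a callback to the phone number on file is the cheap response here; the transfer is instant and irrevocable once released, which is exactly why the caller's script hurries the victim. The OTP pass is deliberately not enough on its own to raise the alert, or every customer logging in from a new phone would be held; it is the new device plus the fresh code plus the first-ever recipient, all inside a couple of minutes, that marks this transfer out from the legitimate one earlier in the day.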
Do you know the #1 industry for data breaches and ransomware? Most people immediately think of FIs, but it is actually healthcare. Fraudsters have realized that healthcare data is a treasure trove. Most FI data relates only to adults; healthcare data also covers children. That is more sheer volume of data, and more volume means higher prices on the market.
Identity theft is broken down into two main categories for most people: the fraudster taking over an existing identity or a fraudster creating a new synthetic identity.
For traditional identity theft, some of the hardest-hit areas are unemployment benefits and now financial aid. Estimates through April 2022 put unemployment fraud at $45 billion (yes, with a "B")! Some states have adapted and put more emphasis on fraud prevention; others are stuck in red tape. States fight the same budgetary constraints as most companies and FIs when it comes to fighting fraud.
We will continue to see an uptick in financial aid fraud. Fraudsters file fraudulent applications using other people's identities, enrolling them in college with forged transcripts, and then taking out student loans and grants. Once the money arrives, the fraudster moves on, never enrolling, never having been that person. When the school or lender tries to collect, they find the real person, who discovers they never applied for anything.
This has fueled the next wave in student loan fraud. If you Google "Student Loan Forgiveness Program," you will find 20 to 30 different sites offering student loan forgiveness. They are either fraudulent websites or companies trying to win your business by impersonating the real program. A plethora of text messages is going out trying to scare people into acting now, through a fraudulent link, or missing out on the relief. Fraudsters thrive in these situations, getting consumers to hand over all their information so the fraudsters can commit fraud with those identities.
The second form of ID theft is synthetic: a fraudster steals someone's Social Security number and builds an entirely new identity around it. The numbers rise every year. The Identity Theft Resource Center reports that the records of 1.3 million children (about the population of New Hampshire) are stolen each year. That is 1.3 million opportunities to create a synthetic ID, because minors do not have a credit report yet, so nothing on file contradicts the fabricated identity. Fraudsters create these bogus identities and then use them to open accounts, auto loans, and mortgages.
I talked to an FI not too long ago, and they told me the story of a synthetic ID they found too late at their institution. The fraudster spent six years building the identity. They started with cash-funded credit cards, then opened a checking account and a savings account. Over time they opened other credit cards, two auto loans, and a mortgage. The same way they had created the bogus ID underneath all of this, they created bogus companies: auto dealerships, appraisal companies, even employment companies, etc. The goal was that once they had about $500,000 from the bank, they busted out on everything. Since the ID was synthetic and not a real person, all that money was gone.
Starting to See Cyberattacks and Fraud Happen Simultaneously
There is a saying in football that “the best defense is a good offense.” Fraudsters and cybercriminals have found that working together by going on offense with multiple vectors at the same time is a better way to exploit FIs more effectively. By attacking one way, the FI becomes preoccupied with that attack vector, leaving themselves more exposed from the other vectors.
Think of it this way: when your FI gets hit with ransomware, what normally happens? Every institution I have ever talked with says it is "all hands on deck" in response to an attack. With all the meetings, conversations, and long hours directed at the ransomware and getting the FI back to where it needs to be, that is when the fraudsters start attacking too.
We are starting to see an uptick in coordinated attacks, especially at FIs. We have heard stories of an institution in the middle of fighting a ransomware attack that starts seeing an increase in digital account takeover fraud, scams, and check fraud. Fraudsters then pose as the institution's cybersecurity team, telling accountholders that to get the online system back up and running they need the accountholder's username and password. In another instance, 15 to 20 fraudulent cashier's checks suddenly appeared, deposited by accountholders of the institution who did not know they were counterfeit. Unfortunately, this is an unfair matchup: the fraudsters and cybercriminals have a leg up on the institution, and they know it.
With scams, identity theft, and coordinated cyber and fraud attacks on the rise, your institution needs to be on high alert at all times. There are two places to look: the software you rely on and the processes you run. On the software side, unfortunately, many of the fraud systems on the market have not adapted to the changing landscape; major changes are too expensive and/or take too long for some of the systems available today. For that reason, you need to think creatively about how you will fight fraud in the future. Do you need to look at new systems on the market? Do you need to create new processes internally? A hard re-examination of where you are and where you need to be in the next two to three years as fraud fighters is absolutely necessary. Be truthful, do not hide anything, do not skip anything; look at it all and figure out how you can get better.
Do you have a fraud committee or strategy group at your institution? If not, you need to form one ASAP. I cannot tell you how many times I have walked into an institution that has a digital committee and a loan committee but no fraud committee or fraud strategy. The most common reason given is: "They get in the way by making us jump through more hoops." That is the old way of thinking and should not be the thought process going forward. The goal of the fraud committee is to talk through new services and products as part of the rollout: let your colleagues know where the weak spots are and where additional processes are needed to mitigate them. A good fraud committee will not stifle the delivery of new services and products; it will be a teammate along the way, helping you be as secure as you can. It is a balancing act between risk and reward, and you must be open-minded both ways. Far too often these processes were created only after the institution suffered a large loss. That is too little, too late.
So take a step back and evaluate the innovative solutions and resources available to your institution to help fight fraud and cyberattacks. This should be a crucial component of your strategic priorities.