In the first half of 2017, there were 791 data breaches. That's the highest number ever in a six-month period and a 29% increase over the same time period the previous year. Bank fraud is getting worse, and it's constantly changing. Hackers, thieves, and scammers are nimble by nature, and they're always looking for innovative ways to get past the latest fraud prevention techniques.
It's not just an increase in volume—breaches are also getting more severe. In 2016, four of the five biggest breaches of all time occurred. Two Yahoo! breaches, a MySpace breach, and a LinkedIn breach affected a combined total of 1.96 billion people. That's over a quarter of the world in just four breaches.
To protect themselves, consumers and financial professionals need to be just as nimble as the thieves. They have to constantly watch for new threats, assess their protection strategies, and embrace new practices. Unfortunately, this can be challenging in an environment where there are so many myths about bank fraud. Here are the seven most pervasive myths and the truth behind them.
Myth #1 All Fraud Gets Reported
The numbers only tell part of the story. Banks have a general habit of underreporting and even denying the amount of fraud they encounter. In addition to impacting their customers, fraud is a reputational risk for banks. Some banks may naturally downplay fraud to safeguard their image, but it’s still a reality.
Fraud represents a certain percentage of all banks' costs, and in general, banks have a choice. They can spend money upfront protecting against fraud, or they can wait until it happens and spend a lot more cleaning up the mess. As a consumer, you need financial institutions that focus their resources on prevention, not loss recovery.
Myth #2: Losing Little Bits of Data Doesn't Matter
Consumers often think that if they lose just a bit of data, such as their zip code, a single account number, or even a Social Security number, they are safe, but that's not the case. Thieves buy, sell, and trade data on the dark web. If a consumer loses a bit of data here and another bit of data there, the scammers will share what they have until they have enough data to cause damage.
Banks also need to understand this fact. When a breach happens, financial institutions cannot assume that the hackers only got a small amount of information. They need to be poised and ready for the other shoe to drop. A data breach today turns into bank fraud tomorrow.
To protect their clients, their employees and themselves, banks are required by law to offer credit monitoring services, and should also consider identity theft and fraud protection services after a breach. Even if they just lost a single piece of data, they still need to offer these protections, but beyond that, they need to recognize that preventative measures are essential in the age of big data.
Myth #3 Hackers Who Want Money Only Target Bank Accounts
Ultimately, the majority of hackers want money, but that doesn't mean they always start the process by targeting a bank account. In fact, only 5.8% of data breaches occur in the banking and credit sector. That's a jump from 3.6% last year, but it still means that only one out of every twenty or so breaches occurs in the banking sector.
Some people assume this means that these hackers don't want money, but that isn't the case. Often, hackers start in areas that are less secure and then use that information to access bank accounts, open lines of credit, or file fraudulent tax returns.
To illustrate, look at the recent breach of VerticalScope, a Canadian tech company. Hackers took 45 million passwords from over 1,100 sites. A lot of people use the same username and password for their bank account as they do for forums, email accounts, social media pages, and other sites, and once hackers have that information, they often try to break into bank accounts. To protect themselves, consumers need to vary their passwords and do due diligence on the security of the sites they use, even when those sites aren't directly linked to their finances.
Myth #4 Check Fraud Is Over
Although paper check use is quickly declining, paper check fraud still exists. According to the Federal Trade Commission, the most common types of check fraud are as follows:
- The Foreign Lottery Scam — The "winner" gets a check from a foreign lottery, but first, they have to wire funds to the lottery commissioner to pay for taxes or fees. After they wire the funds, the lottery check bounces, and there's no trace of the wire recipient.
- Bad Check as Payment for a For-Sale Item — In this scam, the seller receives a paper check written for more than the amount of the item they are selling. The buyer will ask for the difference back and may even offer an amount for the seller’s troubles. The seller sends the change from the sale to the buyer, and by the time the check bounces, the "buyer" has disappeared.
- Secret Shopper — The victim gets hired as a secret shopper to review a wire transfer service. The secret shopper receives a check and instructions on where to wire the funds. Again, the check bounces, the wired money is gone forever, and the secret shopper "job" was all part of the scam.
Check fraud affects both consumers and financial institutions. To fight fraud, banks need internal controls. They need to do due diligence on the identity of the check writer and the account holder, but they also need consistent protocols on cashing and crediting checks. Automated processes can help, even comparing signatures electronically to automatically spot forgeries and check stocks that don’t match what the customer has been using previously.
This automation can help banks stay ahead of the curve and avoid losses due to the strict federal guidelines on how long banks can take to credit checks. To protect their bottom lines, banks also need to educate their clients about prospective scams. Education can be key for both the consumer and the bank.
Myth #5 ACH Transfers Are Impervious to Fraud
In addition to paper check fraud, there's also a lot of ACH fraud. The Automated Clearing House (ACH) is the intermediary area where all electronic funds transfer (EFT) transactions sit until they clear, and contrary to opinion, ACH transactions are certainly not impervious to fraud.
Employees of companies often steal ACH payment details and direct payments to their own accounts. There are also spear phishing scams. This is where a scammer sends an email to the payer of an organization. The payer opens the email and follows a link to an infected site. Through that site, the scammer steals the payer's credentials and writes numerous ACH checks.
According to the FBI, small and medium-sized businesses, court systems, school districts, and other public institutions are the most likely to be affected by ACH spear phishing attacks. In fact, from Oct 2012 to May 2016, scammers attempted to steal over $5.3 billion through "business compromise emails" with these types of attacks. In the second half of 2016, the number of cases where senior executives received fraudulent emails requesting information doubled from 22,143 to 40,203, but security experts say that's probably only 20% of what's really happening. Generally, these targets have accounts at local community banks and credit unions, and that underscores the need for these small institutions to protect themselves as well.
To safeguard themselves, banks can use debit filters that automatically return all ACH items unless they have been pre-authorized. Banks can also require extra information from the account holders. Instead of only requiring an account number and a routing number for an ACH transaction, banks may want to require a company ID, an individual ID number, or other identifying details. They can also opt to put the controls in the hands of their clients. Bank customers should be able to set limits on dollar amounts, numbers of transactions, or other details, and if those criteria don't match, that should trigger a manual review. Unfortunately, only some banks are offering these protections to their clients.
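The debit filter described above can be sketched as a default-deny rule check. This is an added example, not code from the original article or from any bank's system; the `Rule` fields, the company and individual IDs, and the sample debits are all hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Rule:
    """Limits the account holder sets for one pre-authorized originator."""
    individual_id: str    # individual ID expected on every entry
    max_amount: Decimal   # per-debit dollar ceiling
    max_per_day: int      # debits allowed per calendar day


class DebitFilter:
    def __init__(self, rules):
        self.rules = rules      # company ID -> Rule
        self.seen = Counter()   # (company ID, day) -> debits presented

    def decide(self, company_id, individual_id, amount, day):
        """Return 'RETURN', 'REVIEW' or 'POST' for one incoming ACH debit."""
        rule = self.rules.get(company_id)
        if rule is None:
            return "RETURN"     # never pre-authorized: return the item
        self.seen[(company_id, day)] += 1
        if (individual_id != rule.individual_id
                or amount > rule.max_amount
                or self.seen[(company_id, day)] > rule.max_per_day):
            return "REVIEW"     # authorized originator, criteria mismatch
        return "POST"


# Constructed rule set: one authorized originator, $5,000 cap, 2 debits/day.
RULES = {"9111111111": Rule("PAYROLL-01", Decimal("5000.00"), 2)}

# Constructed sample debits: (company ID, individual ID, amount, day).
SAMPLE = [
    ("9111111111", "PAYROLL-01", Decimal("1200.00"), "2024-03-01"),
    ("9222222222", "PAYROLL-01", Decimal("1200.00"), "2024-03-01"),
    ("9111111111", "PAYROLL-01", Decimal("7500.00"), "2024-03-01"),
    ("9111111111", "PAYROLL-01", Decimal("100.00"), "2024-03-01"),
    ("9111111111", "VENDOR-77", Decimal("100.00"), "2024-03-02"),
    ("9111111111", "PAYROLL-01", Decimal("100.00"), "2024-03-02"),
]


def run(debits, rules=RULES):
    """Apply a fresh filter to a batch and return one decision per debit."""
    debit_filter = DebitFilter(rules)
    return [debit_filter.decide(*debit) for debit in debits]
```

Unknown originators are returned outright, while an authorized originator that exceeds a limit or presents the wrong individual ID is held for manual review rather than posted.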
Myth #6 EMV Chips Stopped Credit Card Fraud
In the last few years, most Americans have noticed a change to their credit cards—new cards all tend to have a "chip". Europay, Mastercard, and Visa (EMV) is a computer chip used to authenticate chip-card transactions. In 2015, US banks had to switch to EMV chips or accept liability for fraudulent transactions. Since then, fraud with cards has fallen by more than half from $3.62 billion to $1.77 billion.
That's a remarkable shift in such a short period of time, but scammers always look for the path of least resistance, and with the rise of the chip, they shifted their focus to not-in-person transactions. While card-present fraud was cut in half, fraud with card-not-present transactions was projected to double from $3.1 billion to $6.4 billion from 2015 to 2018.
Numbers aside, in many cases, consumers feel like card security is too tight. In particular, there are cases where card issuers sense fraud and shut down a card, but all the transactions are legitimate. This is frustrating for consumers, but being overzealous on security makes sense for card issuers. Of the 400,000 cases of ID theft in 2017, 33% involved credit card fraud, and it’s important for banks to protect themselves. However, they also need to find a balance. Credit card use should be easy for consumers, while simultaneously having safeguards in place to reduce e-commerce fraud.
Myth #7 You Just Need to Figure Out Fraud Once
Consumers, business owners, and managers of financial institutions often assume that they only need to learn about fraud once. As long as they understand the basics, they're safe. Sadly, that doesn't work because scams don't stay the same from year to year. To protect their bottom line, banks and businesses need to constantly do risk assessment and posture analysis.
Even the newest, seemingly most secure technology can be hacked. For example, take what happened when HSBC rolled out voice recognition for phone banking. It was the best and newest in bank security, but a reporter hacked the system with his fraternal twin brother's voice. Even though it took an astounding eight attempts, no internal controls kicked in to stop him. These are the kinds of events banks need to safeguard against.
Consumers also need to keep learning. Scammers are constantly changing the game, and flexibility is key to protection. Consumers should focus on establishing relationships with financial institutions and companies that they truly trust with their data. On the flip side of the coin, banks also need relationships with tech partners who are interested in keeping them and their customers safe, and to offset the cost, banks should leverage their fraud spend in their marketing. In the age of big data, everyone needs to be more cautious, because fraud isn't going away. It's just changing.
Written by Stan Jaslar