Where many Americans have seen a crisis, fraudsters have seen the COVID-19 pandemic as an opportunity. Whether it’s posing as a government agency to gather personal information, deceiving loyal e-commerce customers with fake offers, or taking advantage of employees ordered to maximize retention by acting with empathy, the impunity of bad actors appears limitless.
Unfortunately, the conditions driving these scams aren’t going away anytime soon: With unemployment at record levels, consumers require financial relief. As the number of COVID-19 cases is once again spiking across the U.S., many people remain afraid to leave their homes and are shopping online. And even when employed, many consumers are working fewer hours and receiving reduced salaries. Financial institutions must continue to ensure employees are sensitive to their customers’ challenges.
At the same time, in this new normal, financial institutions must step up their game when it comes to risk management: protecting their employees and customers from fraudsters. Here are four strategies that outline what banks can do:
1. Understand Who Your High-Risk Customers Are
Whether your organization is implementing or updating its risk management process, it helps to remember how fraudsters target their victims in the first place. There are two key methods: buying compromised data (credentials, ID documents, personally identifiable information, or payment details, usually obtained through data breaches) and social engineering. Many fraudsters will use the first to improve their chances with the second, using the personal information they already hold to elicit more; for example, by sending a user a message that claims to be from a named family member, friend, or colleague and requests a money transfer right away.
Who are the customers most susceptible to social engineering? So often our minds turn to stereotypes: the elderly customer inexperienced with digital platforms or the young student new to banking. The truth is vulnerable customers can be any age and have any background. In the above example, the student may indeed be high risk, but so is any new customer who is banking for the first time. Also vulnerable: customers new to a given channel – say, an average consumer who has traditionally visited the branch near their office and is now conducting their business online.
One segment of customers at high risk, however, is those who hold the longest relationships with your organization. Consider the fraudster’s mindset: Who is the more valuable target, a customer who’s just registered a credit card or checking account with you, or a customer who’s registered a credit card, checking account, savings account, 401K, home equity line of credit, and a loan for their car? The customers who have the best relationships with you are the ones most likely to lose everything to a successful fraudster, because their livelihood is so closely tied with yours. These are customers you need to protect. I’ll explain how below.
2. Identify High-Risk Employees and Partners
Of course, your newest hires, temporary staff, and the offshore call centers your organization enlisted to address the influx of COVID-19-related calls are a significant risk. They’re new to their roles and being trained in jobs they haven’t done before. They are also asked to scale quickly and manage complex customer issues.
Your business partners represent a risk as well: Many a company has fallen victim to a data breach connected to vendors and resellers who had access to many of their systems and in many cases conducted business on their behalf.
But it’s your C-suite that may be at greatest risk: After all, the more access an executive has within your organization, up to and including the CEO, the more valuable they are as a target. A fraudster who socially engineers a branch manager gains access to more sensitive information than one who misleads a call center agent. In one recent example, a criminal impersonated the leader of a UK-based energy firm using voice-generating AI software and convinced a chief executive to wire the equivalent of $243,000.
To avoid a similar situation, your organization should consider the likelihood of each employee and partner’s vulnerability to fraudsters and the potential damage they could cause if compromised. The next step is then implementing the right risk management process – parts of it customer-facing, others behind the scenes.
3. Implement Customer-Level Controls
Financial institutions must be able to define control measures that cross channels and products. One obstacle is that many institutions manage risk in silos, which means authentication decisions are made independently of account maintenance or transaction-level monitoring. Combining these processes into one system is an essential step in implementing a risk management process and reducing account takeover risk: Fraudsters follow multiple paths, and the sooner your organization can hinder each one, the safer its information will be.
After combining data and authentication processes into a single platform, your organization should give its customers the ability to protect their accounts with a variety of transactional restrictions, access controls, and change notifications. Fraudsters take over accounts at the customer level, not a product or a channel level, so your customers need the ability to define control measures that span multiple platforms and products just as much as you do. Otherwise your chain will have a weak link, and that’s where fraudsters will target your customers.
Giving your customers access to security features provides your organization with new methods of monitoring risk as well; for example, if a customer who previously used multi-factor authentication deactivates it on their phone and requests a transfer of $500 to an outside account, they may be the victim of social engineering.
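The cross-silo monitoring described in this section, as an added illustration that is not part of the original article: authentication, account-maintenance and transaction events are joined per customer rather than per channel, and the article's own pattern (MFA switched off, then a $500 outbound transfer) is flagged. The event schema, the 24-hour window and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    """One record from any silo, keyed on the customer, not the channel."""
    customer_id: str
    ts: datetime
    source: str        # "auth", "maintenance" or "transaction"
    kind: str          # e.g. "login", "mfa_disabled", "external_transfer"
    amount: float = 0.0
    channel: str = ""  # "mobile", "web", "branch", "call_center"

WINDOW = timedelta(hours=24)     # assumed correlation window
OUTBOUND_THRESHOLD = 500.0       # the article's $500 example

def flag_takeover_risk(events):
    """Return (customer_id, reason) for customers whose combined stream shows
    a security control being weakened shortly before an outbound transfer."""
    by_customer = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_customer.setdefault(e.customer_id, []).append(e)
    flags = []
    for cid, stream in by_customer.items():
        for i, e in enumerate(stream):
            if e.source != "transaction" or e.kind != "external_transfer":
                continue
            if e.amount < OUTBOUND_THRESHOLD:
                continue
            # Look back across the maintenance silo for a recent MFA change.
            weakened = [p for p in stream[:i]
                        if p.source == "maintenance" and p.kind == "mfa_disabled"
                        and e.ts - p.ts <= WINDOW]
            if weakened:
                w = weakened[-1]
                flags.append((cid, f"mfa_disabled via {w.channel} at {w.ts:%H:%M}, "
                                   f"then ${e.amount:.0f} external transfer via {e.channel}"))
    return flags

# Constructed sample events: A matches the pattern, B's MFA change is too old,
# C never changed a control.
T0 = datetime(2020, 11, 2, 9, 0)
SAMPLE_EVENTS = [
    Event("cust-A", T0, "auth", "login", channel="mobile"),
    Event("cust-A", T0 + timedelta(minutes=5), "maintenance", "mfa_disabled", channel="mobile"),
    Event("cust-A", T0 + timedelta(minutes=40), "transaction", "external_transfer", 500.0, "web"),
    Event("cust-B", T0, "maintenance", "mfa_disabled", channel="branch"),
    Event("cust-B", T0 + timedelta(days=3), "transaction", "external_transfer", 900.0, "web"),
    Event("cust-C", T0, "transaction", "external_transfer", 750.0, "web"),
]

if __name__ == "__main__":
    for cid, reason in flag_takeover_risk(SAMPLE_EVENTS):
        print(cid, reason)
```

A flag here is a prompt for a verification call to the customer, not a block; the article's later point about false positives applies to exactly this kind of hit.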
4. Train Employees to Recognize Risk
COVID-19 is not disappearing anytime soon; employees should still be trained to deliver warm, empathetic experiences to your customers. However, they should also know how to educate customers about the ways your organization will communicate with them, helping them better distinguish legitimate communication from scams.
Your employees should be trained to identify the risks associated with their job. Call center agents might not be management, but fraudsters can still glean a great deal of information from them. More importantly, they’re your first – and most visible, and affordable – line of risk management.
Consider what I call the “pyramid of non-compliance.” At the top is intentional non-compliance – fraudsters. Below that is opportunistic non-compliance – people who attempt to take advantage of momentary errors such as a malfunctioning ATM.
The majority of potential risks flagged, however, will come from the bottom of the pyramid: Accidental non-compliance, stemming from employees who were not trained correctly or neglected to follow certain procedures, or customers who forgot the login process or their passwords.
Flagging these cases doesn’t carry the same sense of gravitas as identifying a genuinely risky transaction associated with a rogue customer or employee, but false positives represent an opportunity of their own. They’re a chance to better educate employees and customers about fraud, to thank them for their service or business, to show empathy for their present situation, and to help them understand why, during a crisis, they will see more, not fewer, scams.
Perfect not only your ability to distinguish between genuine fraud and false positives, but your response to the latter, and you’ll reap the greatest benefit of risk management: employee and customer loyalty.
Liz Lasher is Vice President of Fraud, Financial Crime and Cyber Risk with analytics software developer and credit scoring company FICO.