The digital era has ushered in a new world where anything online is vulnerable at any given time, which is why bank security professionals are constantly in the trenches defending their institutions against increasingly sophisticated threats.
“(Combatting fraud) used to be as simple as training your tellers on how to get good ID,” says Laura Schaeffer, director of operations and technology at National Bank of Arizona. “Now, there are so many different ways that fraud could occur, that it’s just not that simple. It’s a much more complex task than it was in the past.”
Fraudsters have become great impersonators, as they increasingly use sophisticated social engineering techniques to commit acts of fraud, Schaeffer says.
Email-based fraud against its customers is the most common type of malicious activity Schaeffer deals with, but bank executives have been targeted, too.
“Bank executives are not exempt from receiving some of these emails,” Schaeffer says. No one is.
Banks are combatting fraud in a variety of ways. Debit and credit cards have largely been transitioned to chip cards as a way to prevent credit card skimmers from stealing precious bank data off of the antiquated magnetic strip.
Often, you’ll need two-factor authentication to access accounts. Most of us have received emails about how someone accessed your bank account from an unfamiliar device. And some banks immediately notify you about any purchases made with your account if they seem abnormal.
Your inbox is a scary place
Business email breaches, dubbed the “$5 billion scam,” have risen so much that the Federal Bureau of Investigation released a public service announcement about these types of scams in May.
Michael Cocanower, founder and president of itSynergy, a Phoenix-based IT consulting firm, says these scams can be as simple as receiving a fake email informing you that your account has been compromised and it’s time to change your password. The email then directs you to a web page that looks like your bank’s web page, but it’s just a front to obtain your information.
The emails can be more sophisticated. Scammers who have already gained access to an email account of someone you trust, say the president of your company, can do serious damage.
Once inside an email account, hackers will analyze and study how the owner of the compromised account writes email messages. Once the hacker has that down, they’ll send an email, written just as your firm’s president would.
The hackers could then ask for a W-2 for an employee or ask the CFO to transfer company funds to an account.
“The bad guys are observing communication patterns and they can really make those emails seem legit,” Cocanower says.
Regulations and other measures
Banks are heavily regulated, which is why bank customers are often the target of fraud, Cocanower says.
Bank fraud is a quicker way to make a buck for hackers because they don’t have to go through the extra steps that are involved with identity theft, such as applying for new credit cards.
“With bank fraud, if I can fraudulently convince you to wire transfer me some money, then there’s a very direct, fast financial benefit,” Cocanower says. “And I think that’s what makes bank fraud appealing to the bad guys.”
Regulatory efforts to get banks to combat fraud started after the 9/11 terror attacks when the Patriot Act was passed with portions that made banks beef up their anti-money laundering and know-your-customer efforts, says James Kaplan, senior banking lawyer and partner at Quarles & Brady.
Efforts against cyber-based threats started to kick off after the Great Recession, Kaplan notes, as online banking became increasingly used. Banks have been deploying a wide range of technology-based efforts to combat fraud and protect their customers, he says.
Banks have been installing firewalls, designing their systems in a way where — if it’s hacked — hackers won’t have access to the entire network, among other tools.
Banks like JPMorgan Chase Bank utilize 128-bit encryption to protect customer information. Its mobile apps are designed in a way to protect the identity and information of users, by even disabling some of the application features when downloaded onto a jailbroken device, which can often be an access point for hackers.
Kaplan believes most banks today have proper cybersecurity measures in place to combat fraud.
“Banks read the newspapers, they see what the dangers are,” Kaplan says. “They see, given the nature of their business, they’re most at risk.”
What can be done?
When a customer of National Bank of Arizona is the victim of fraud, the bank will work with both the customer and law enforcement to report the incident, Schaeffer says. The bank also works with the Federal Trade Commission on reporting cyber fraud.
Like with other forms of cybercrime, fighting bank fraud is a preventative game. Cocanower says picking up the phone to make sure emails are legit is one of the best tools you can use to fight fraud.
And for those IT teams out there, keeping software up to date with the latest patches is crucial, Cocanower says. Once those patch notes are released, they’re basically a how-to guide on hacking old software, he adds.
Many cybersecurity experts believe that there will never be a one-fix solution to prevent cyber-based fraud and attacks, but one thing is certain: despite the threats, bank customers have embraced technology and there is no going back.
“Technology will continue to result in significant changes to the financial services industry,” says Neal Crapo, Southwest division manager for Wells Fargo. “The customer expectations of banking products changes as technology provides new capabilities.”
Along with new capabilities come new risks. Which experts say banks are prepared to defuse.
