/ MEDIA STATEMENT / This content is not written by Creamer Media, but is a supplied media statement.
FICO’s Adam Davies is an experienced fraud, security, and financial crimes expert, with global expertise gained from undertaking consulting assignments in over 80 countries over the last 23 years.
There is no doubting the ingenuity of fraudsters. And there’s no questioning their opportunistic nature. A recent survey, Fraud in the wake of COVID-19: Benchmarking Report, was done by the Association of Certified Fraud Examiners (ACFE), showed some worrying statistics. The report pointed out that, as of May 2020, 68% of survey respondents had already experienced or observed an increase in fraud levels, with one-quarter saying the observed increase has been significant.
Scammers have also been masquerading as the Public Investment Corporation, South African Revenue Service as well as provincial and national health departments, sending messages, links, and corrupted attachments via emails. According to SARS, the fraudulent messages were aimed at enticing unsuspecting taxpayers to part with personal information such bank account details.
Of course, the opportunistic nature of fraudsters is only matched by their constant adaptation to stay ahead of security measures. In particular, they leverage current social environments to gain access to credentials and funds. And there is no doubt that the Covud-19 world in which we’re living has provided a particularly ripe seam for fraudsters to mine.
As markets take their first, unsteady steps out of the lockdown, criminals know the social setting is ripe for theft. Businesses have had to shut their doors for months, families are surviving on lower incomes and the full financial implications may not even be completely clear. All these concerns combine to create an environment of financial uncertainty and pressure which means, now more than ever, companies and individuals must be vigilant to protect themselves from fraud.
One of the first steps in protection is understanding the process criminals undergo. Adam Davies, senior director of Fraud & Financial Crime Solutions at FICO, outlines the social engineering lifecycle and how to break it.
Harvesting the information
Hackers want valuable data assets, such as such as usernames and passwords, identity documents, date of birth, knowledge-based information and payment details. This information can be obtained in one point of contact, such as by an email, or a phone call, or gathered from multiple contact points with the individual.
Sometimes the consumer is duped into installing data-gathering malware by clicking on a link, or they may provide confidential information to a person pretending to represent a legitimate business or bank. For instance, CIFAS recently highlighted a scam where members of the public in Scotland received calls from fraudsters claiming to be local police officers investigating reports that they had been seen not wearing a protective face mask.
Selling the data
Once harvested, the data is sold, often on the dark web. The value of the data varies; for example, a complete digital identity is worth more than a partial one and platinum credit cards will fetch a higher price than standard cards.
Exploit the victim
Criminals are now either in the position to start their attack, or they may need to manipulate the victim more to get the final pieces of data. When the fraudster has enough data, they use it to socially engineer employees, defeat channel authentication controls, or apply for new products or services.
Execute the fraud
Fraudsters need to move quickly to access customer accounts, or apply for products before the victim realises there’s a problem. To maximise their return on investment, fraudsters may take funds from several accounts owned by the victim. In the case of identity theft, they may manipulate data to create multiple slightly varied versions of the same identity to increase the number of accounts they can open.
The strategic focus to break the cycle:
With so many different types of fraud, it can be difficult to identify where to concentrate efforts to prevent it. Many organisations focus on authentication while others look to customer-level controls.
Here are the key aspects to help prioritise:
At risk customers: Identify customers who are most likely to be at risk. Customers new to your bank, or who are new to banking online, may not be fully aware of how your communications work. Especially vulnerable are customers that have a good relationship with their bank, as they will trust the communications. High net worth individuals and customers that have multiple accounts with the same institution also tend to be targets as there is the potential for larger gains.
At risk job roles in a business: Some job roles attract a higher risk than others — in general, the more access someone has to data, the higher the risk. For instance, a manager will have far more privileges and access to sensitive information than an agent or someone in a lower role.
At risk employees: New hires, temporary staff, off-shore call centres, and partners/agencies tend to be more at risk than other employees. This risk is particularly pertinent in today’s climate, where organisations are quickly training employees on things they have not done before and are often throwing them into crisis level workloads. Furthermore, offshore call centres are being used to ramp up capacity.
Customer level controls: The fraudster will take over an account at the customer level, so there needs to be control measures in place that span channels and products. Many institutions now manage risk in silos, where authentication decisions are made independent of account maintenance or transaction-level monitoring. Convergence in these areas is imperative in controlling account takeover risk.
Companies should also give their customers the ability to control their accounts with a variety of transactional restrictions, account access controls and change notifications.
Awareness and training: As well as being trained to deliver warm, empathetic experiences to customers, employees should also be trained to help educate customers on how the institution will communicate with them at this time. This enables customers to better distinguish legitimate communication from that of the fraudsters.