More people than ever are becoming aware of the impact of data breaches and the resulting fraud. But what about the rest of the fraud types: internal fraud, account takeover, elder abuse and even the old generic scam?
As the Association of Certified Fraud Examiners (ACFE) marks Fraud Awareness Week starting Nov. 17, it's a good time to note that merchants, issuers and payment companies have a unique opportunity to compel consumers to take action and be mindful of their role in the fight against fraud. And consumers are engaged: in a recent Aite/ACI survey, 77% of customers want to be engaged and responsive to fraud alerts from their banks.
So the industry will find new and innovative ways to deliver risk-based contact strategies to consumers, and it's great at doing that. But so are the bad guys, and this is the current problem.
Consider this. How many times were you phished last week? A dozen? Two? Here's my inventory: I had at least three: multiple phone calls to gain remote access to my computer and the regular "you won a cruise" silliness. I have a half dozen phishing emails; some were quite spectacular: Twitter-bait, Facebook-bait, shipping-bait, even a new one impersonating my favorite Sunday paper subscription. All day long I find various other forms of click-bait all over the internet. A look in my junk mail folder shows another six items waiting for my unfortunate navigation. I had one SMSish (SMS phish) when I woke up this morning claiming to be from the phone company. Last week, I got a very distressing phone call from someone who claimed they received a photo from my number regarding a recently deceased relative, seeking to fleece me.
Really sick stuff is out there, and as a guy who is focused on security and fraud, I wonder how much of it is spear phishing and how much is just generic spam. Nevertheless, they will try everything, and stopping them entirely is unfortunately out of the question. The problem is a modern-day hydra, and this cat-and-mouse game will continue. But let's not throw our hands up and lose focus; we can manage our way through this. Here's some additional perspective on the steps that ACFE offers as its recommendations to improve fraud awareness from a corporate perspective:
Develop a Policy. This goes beyond the regular card fraud and third-party financial crimes that are usually discussed in this blog. A fraud policy assigns ownership for all financial irregularities and sets a framework in place, so the business understands its responsibilities and accountability. Yes, it is that simple, and the ACFE even offers a basic template; but I wonder how many people could actually find their institution's fraud policy if asked to? Pro tip: check with the Internal Audit team; they'll be pleased you did.
Perform a Fraud Check-up. Popularly known as a risk review, this is a practice performed annually in the AML space, and naturally we should do it in the fraud space too, to be sure that our plans are effective and controls are maintained. This operational review, with testing, is a great way to prepare for the busy holiday fraud-spending season (so this has already been done, right?).
Establish an Anti-Fraud hotline. Where should your customers/employees/third parties call when there is a fraud event? How should this be monitored and/or conducted as a service? Are there third parties who can accommodate this, anonymously and in alignment with your fraud policy and incident plan?
Last, use your anti-fraud resources.
So how does the phishing bit from before tie into all of this? Well, it serves as an example of what we are constantly bombarded with, at all levels really, and of why we need well-concerted defense strategies to manage an increasingly sophisticated, cross-channel fraudster. Internal fraud and account takeover frequently start with a simple phish. With the recommended policies and tested preventive and detective control structures in place, on both the front end and the back end, we know we've got the layers that are ready to manage the risk even if a customer eventually does take the bait.
I always suggest to clients the following tips to pass along to consumers:
Always tell your customers, through multiple channels, what the methods of contact will be and from which channel (e.g., mobile alert, phone call, e-mail, other), as well as what will (and will not) be asked of them. This simple clarification has helped many of my clients navigate their way through phishing events and minimize losses.
Be up front and transparent about the issues that are affecting the customer experience.
Customers are your first line of defense, so arming them with the expectations you have for their behavior, with respect to your policies and systems, is more critical than you may initially estimate.
Seth Ruden is a senior fraud consultant for ACI Worldwide.