How can financial services firms best identify and combat fraud?
Fraud, both from within and outside company walls, is increasingly battering businesses across the world. And as technology continues to evolve the way all businesses work, so too are a host of new threats coming to the fore.
The 2019/20 Global Fraud and Risk Report by risk consultancy Kroll highlights a “broadening of the risk landscape”, finding that 39% of global firms were “significantly affected” by leaks of internal information, 28% by external fraud and 27% by internal fraud.
Fraud in financial services
Financial services businesses didn’t escape the rise in attacks, particularly from the cyber world and social media.
The 2019 report revealed that financial services companies had experienced above-average levels of data theft – 31% compared with 29% among all global firms – suggesting they were a prime target for criminals looking to steal sensitive and valuable information through email and voice phishing scams.
There was also higher than average adversarial social media activity including fraudulent attacks. Overall, 35% of financial services firms said they had been significantly affected by external fraud incidents over the past 12 months, and 25% by internal fraud.
So how can companies best recognise fraudulent activity and fight back against the perpetrators?
Identifying a threat
When it comes to cyber-fraud threats, these typically include systems being affected by malware and ransomware, where the attacker’s intent is to steal client data, intellectual property, passwords or information about payments and customers’ financial details (and, in the case of ransomware, charging a fee for the data to be restored). Employees are also at risk of clicking on phishing scam emails or answering phone calls where a fraudster will pretend to be a supplier or customer.
Business email compromise is another common threat. This is where an attacker poses as an ordinary employee, supplier, customer or even chief executive, in order to secure payments into a bogus account.
Other examples include criminals copying names, logos and addresses, and creating lookalike websites of asset management firms; and hackers breaking into brokerage firms to make fraudulent trades.
These attackers can be from organised criminal gangs or just from inside your own business, looking to steal details to sell on for financial gain.
James Richardson, head of market development for cyber-fraud and risk management at Bottomline Technologies, commented: “The perception of fraud risk is also often [that it is] external. There needs to be a more balanced view because there are very real internal threats.”
There are key signs to be alert to when seeking to combat insider fraud, says Lynne Beaton, operational fraud manager at the Royal Bank of Scotland. “Insider fraud often starts with small amounts of money being taken by a member of the workforce. Be alert to employees having financial difficulties; who display changes in their behaviour, lifestyle or performance; employees who are reluctant to take holidays or a new member of staff who resigns shortly after joining. Also pay attention if customers complain about missing documents or if there are suppliers who insist on dealing with the same employee.”
Tackling shortcomings
However, financial services firms can be hampered in their response to such threats.
According to Kroll, they are least likely to have confidence in the effectiveness of their cyber-security detection mechanisms compared with other sectors. Over a quarter felt that their cyber-risk mechanisms were ineffective.
When it comes to cyber threats, companies should look at requiring two-step authentication for actions such as sending payments or changing account details, using technology to detect unusual activity, or educating employees about known threats.
“Fraud is a highly customised and lucrative business. The types of attack will change daily and you have to detect and adapt to them. You have to be ready”
James Richardson, head of market development for cyber-fraud and risk management, Bottomline Technologies
“There can be gaps in the technology, people and processes, but everyone needs to know they are responsible for helping to detect incidents,” says Richardson.
“When it comes to security of payments, you need to look at whether it is the right volume and the right beneficiary to ensure verification. Are there any suspicious attempts to get into the payments system or unusual activity around it? Criminals can often access a system but then wait for months before attacking. Is there evidence of someone logging on and then off 10 times over a five-month period which looks strange? Transaction monitoring tools and behaviour analytics can help in these cases.”
Furnishing your employees with the necessary knowledge to identify and avoid an attack is key to an effective defence, Beaton adds: “Your people are the frontline defence against fraud. Protect your company by having regular fraud and cybercrime awareness training and refreshers for all staff so they know what to look for.”
It is also important to properly prepare for a worst-case scenario, says Beaton: “Formulate a plan that's right for your business, and can be tailored to any type of attack, for contacting customers, clients and suppliers. This means anyone who needs to know that your network has been compromised. It’s a good idea to rehearse this, so that staff know how to respond and what they are responsible for should a fraud occur.”
Supporting whistleblowers
Ethics reporting systems or employee codes of conduct are also more prevalent. Indeed, according to the 2019 Kroll report, 10% of fraud incidents in financial services firms were discovered by whistleblowers.
“The ability of employees to feel that they can raise concerns without any repercussions through a clear whistleblowing policy has all changed for the positive,” says Howard Cooper, managing director in Kroll’s Business Intelligence and Investigations practice.
But more needs to be done. The Kroll report said only 60% of financial services business leaders felt their firm’s whistleblowing programme was an effective method of detecting risks. This was 6 percentage points below the global average.
Firms must promote a healthy compliance culture which has buy-in from staff at every level, says Rob Brown, founder of consultancy Compliance.gg. “The policies and procedures must be stress-tested. The risk appetite statement must reflect the compliance culture and it must be demonstrable. All findings must be assessed by the board.”
Brown adds that financial services firms must understand the rationale of the business conducted by their clients and the part played by the firm in the overall operations of their clients.
“If this is missing, the firm leaves itself unguarded and open to be used as a conduit for fraudulent activities,” he says. “Fraud isn’t an accident; it’s a deliberate action and is seldom perpetrated alone. The phrase ‘know your client’ is at the heart of combating fraud. It is not only crucial at take-on stage but must be regularly monitored through the regulatory requirement of risk-based periodic reviews.”
Richardson says firms must act as the number and nature of fraudulent attacks will keep growing and changing. “If your defences are vulnerable then you will be hit more frequently,” he says.
“Fraud is a highly customised and lucrative business. The types of attack will change daily and you have to detect and adapt to them. You have to be ready.”