Fraudsters are copying customer behavior to fool safeguards

Banking-related fraud cases have soared during the COVID-19 pandemic.

David Schneiderman and Andrew Corbett from NICE Actimize join us to discuss to discuss the types of fraud that have become a huge customer-security challenge, and how banks and credit unions can fight back.

A few takeaways from our conversation:

  • Fraudsters’ most potent strategy during the pandemic is when they imitate the behavior of the financial customers they are pretending to be.
  • Banks are making more of an effort to insert themselves into digital-banking sessions to offer more fraud protection, but without degrading customer experience.
  • In 2022, NICE Actimize expects to see more device duplication by overseas-based fraud rings and more targeting of real-time payments.

Subscribe to the BAI Banking Strategies podcast:

Apple Podcasts     Spotify    Google Podcasts    Amazon Music

Sign up for the free BAI Banking Strategies newsletter and get industry insights delivered to your inbox.

By clicking the Subscribe button, you acknowledge that you have read our Privacy Policy and Terms of Use and agree to be bound by them.

Below is a full transcript of my interview with David Schneiderman and Andrew Corbett.

So, Andrew, to tee up this conversation about fraud trends and how best for banks and credit unions and their customers, their members, to keep from getting taken in by fraudsters, could you start with a little background about NICE Actimize and what the company does in fraud detection and prevention.

CORBETT: To set the table, Actimize has been a major player in the financial crime and compliance industry for about two decades. The real privilege that me and David get to enjoy every day is we had to have conversations with banks, community credit unions, fintechs. So as a result, we really get pretty well up to date on the emerging fraud trends, the latest things that regulators are looking for from a compliance perspective, and it kind of just helps us keep our finger on the pulse of what’s going on.

Okay, so now that we’ve established the bona fides, tell us about the big themes fraud-wise that you’re seeing from both of your vantage points – the big lessons that you’ve learned over the past year and a half or so during the pandemic. I’m particularly interested in anything new or different in the kinds of fraud you’re seeing, or how clever or brazen the fraudsters are going about their business. David, maybe you could start…

SCHNEIDERMAN: One of the things that I’ve noticed in talking with customers, as Andrew mentioned, is a lot of the trends are not necessarily brand new schemes, but variants on tried and true existing fraud methods. When you think about something like unemployment benefit scams – what are they really doing there? A lot of times they’re leveraging known approaches to breaching accounts and/or gaining access through the unsuspecting user so they can leverage their account for moving money for receiving those payments and ultimately moving it very quickly out once they’ve hit the account. So a lot of different trends around, whether it’s romance scams, whether it’s social engineering scams, they’re all still very prevalent. Just leveraging the pandemic is sort of the new way of leveraging them. Andrew, what do you think?

CORBETT: Yeah, oftentimes the perspective I have on this is, if 2020 was the year of creation, 2021 is the year of evolution when it comes to these fraud trends, because I completely agree with what David said. If  you take something like unemployment benefits, it’s new in the sense that it’s taking an existing typology like account takeover, and instead of having somebody take over your account and send money out, somebody’s taking over your account and moving in, and they’re having money sent from various locations to that account that have never sent you money before. And, as a result, what we’ve seen this year is, “OK, that’s kind of the beachhead that they’ve established.” Now, fraudsters are starting to get more into the non-monetary side – so device duplication, VPN duping, really being able to control the access part of the fraud triangle, right. Fraud is incentive, access and opportunity, and over the last few years, there’s unprecedented incentive. There’s a lot of first-time fraud going on for people who are very desperate, and we really can’t control that as an industry. But if we can control access, we can limit opportunity. So the biggest conversation that we’ve had over the last two years, and it happens every day, is just being able to visualize account takeover, being able to contextualize non-monetary risk, and then also just build a foundation for monetary risk, because if we understand that account takeover has occurred, then inherently, there’s going to be more risk in the transactions to follow.

SCHNEIDERMAN: I think you brought up a good point, Andrew, particularly around leveraging technology. We know that criminals are smart people, right? And it’s not that victims are not smart – it’s just that all the different techniques that they leverage to dupe people into doing either (a) something they wouldn’t normally do or (b) giving up their credentials and allowing a criminal to do something that they wouldn’t normally do. But the criminals do have one thing in the back of their mind, at least from my perspective, and it’s that the more they can look like a bank’s customer or credit union’s member, the better chance they have of getting away with whatever they’re going to try to do. And so it goes back to something Andrew just mentioned about spoofing IP addresses and leveraging VPNs and device spoofing. All these different techniques are to try to get through undetected, and they’re doing a much better job of it in recent years in that aspect as well.

Andrew, you mentioned account takeover conversations that you’ve been having with clients and prospects. What are other front-of-mind concerns that you’ve been able to detect from banks and credit unions these days?

CORBETT: Well, piggybacking on what David was saying, the thing that all of the sophisticated fraud typologies that have emerged over the last 18 months have in common is that, at the core, their success rate depends on how well they can mimic behavior of the customers they’re pretending to be. So when we get into something like unemployment benefits or if we translate that into P2P fraud, the whole point of that typology is “I need to escape detection as long as I can and then bust out with a real-time payment, whether it’s a wire or a P2P transaction.” And whether I’m building that flow through ACH or check, the fact of the matter is that, once a bank understands or credit union understands that this is a foreign agent, it’s not their customer, the clock starts. So everything about fraud design and the way that they create these typologies and make, unfortunately, a lot of money off of them is about pushing that deadline off as far as possible. How long can we escape detection? So if you look at something like unemployment benefits, if you look at something like P2P fraud or the social engineering scams that Dave was talking about – and business email compromise is another big one – the main battle is over how long does it take to visualize account takeover? How long does it take to understand the access that’s been granted so we can limit that window of opportunity?

Banks tend to be slow-moving entities. Change doesn’t typically come at a rapid pace. So, David, given the imperatives around fraud, how receptive are you finding your client banks and credit unions to the idea that they do need to move faster? And are you seeing clear signs that they are, in fact, kicking it up a gear?

SCHNEIDERMAN: Yeah, I think, in general, they are because all that we’ve been talking about, you also have to layer in the fact that payments are getting more and more expedited. Many banks are conservative, yet they are moving down the path with various types of real-time payments, whether it’s Zelle, whether it’s RTP, moving into various types of payment technologies. And so with that, they know there’s inherent risk and their ability to, as Andrew put it, be out in front of the fraud and understand where timing is of the essence. The faster you can identify fraud, the better you can limit your exposure, and that’s definitely a big trend. You look at all these financial institutions that are going down the path of these new payments – they have to have in mind the fact that they’re introducing risk that they haven’t had to deal with before. So I think they more and more get that, and they’re more open to enhancing their prevention capabilities. A lot of banks have detection capabilities after the fact, but now more and more they’re looking into prevention. The ability to intervene in a payment, the ability to interdict in a session in real time, is becoming more and more the standard and the norm.

Fraud, scams, other criminal attacks – this is a common affliction for banking institutions, but the institutions tend to view themselves as standalone entities, as individual fortresses, if you will. They’re all facing the same basic risks from the criminal bands out there, right? So how much, if any benefit would be gained by rethinking their protection efforts to more of a “we’re all in this together” kind of thing. Andrew, what do you think on that?

CORBETT: I think there’s certainly something to be said about being up to date and having that ability to leverage shared insight and shared experiences. But the thing that makes fraud different from AML is it’s very specific to geography, and it’s very specific to time. Temporally, this is a very strange time that we’re living in over the last 18 months. So a lot of the things that consortium approach may have told us five years ago have been changed. So I think it’s a two-step process. I think. It’s just like with a solution. You want all the data you can possibly have so you can use your analytics – the same thing about kind of getting that shared intelligence from a consortium method. So give me everything that’s going on, let me really understand the state of the industry, but the second thing that I have to be able to do is I have to make it specific to my data and my consumer base. So you have to be able to test it on your data before you move it into a production environment. So the consortium method is really important, and it’s good to have that shared data. But there also needs to be a background of understanding how this is going to impact your sphere of influence before you go live with it.

SCHNEIDERMAN: I would agree. There’s kind of a number of pillars, I guess you could say, when it comes to fraud prevention, and information sharing certainly has some value. Knowing your customers and what you should expect from your members each and every time they are accessing their accounts, when they are initiating payments – that’s really important education. Getting the word out to your customers and your members about these different types of schemes is probably one of the more difficult challenges for financial institutions. They will post things on their websites, they might send notifications via email, getting people to kind of read and understand what the challenges are. That’s another big piece of the puzzle, but it always comes back to behavior, in my humble opinion, being the source of truth. And if you have customers that are doing things you don’t expect them to do, those are things you really want to investigate. Sometimes that consortium data can help you with that, but other times, it may not be there in time.

I’m wondering how you’re thinking about the prospect of open banking. More control by the consumer over their specific data, the land rush that we’re almost certainly going to see as fintechs and card issuers and others try to stake claims to various pieces of the data troves now held by banks. Andrew, how do you see this playing out fraud potential-wise and fraud prevention-wise as more entities gain access to customer data.

CORBETT: Yeah, I definitely think it’s the future. I think it makes a lot of sense for both the consumer and then also the businesses that will be offering it. Like any advancement in any discipline, it’s all going to come back down to fundamentals. So how are we at being able to control access and opportunity? How can we visualize account takeover? How can we understand behavior, which will be critical when you’re communicating across multiple access points, and then kind of backtracking to the question that David answered earlier, I think technology is going to be a massive part of that. But the other thing that we have to keep in mind is that technology is not the only weapon that the good guys have. We also have, and David correct me if I’m wrong here, but like every institution I talk to, between three or four analysts, there’s 35 years of experience. We have an industry full of people who are very specialized and know what they’re doing. And there is a reason that in finance, of all industries, we’re not using bots for investigation. We’re using people because people are really, really good at it. And there’s a lot of time on task, and there’s a lot of pattern recognition in every one of these organizations. And you better believe that, when we go to open banking, those people are going to have a place in that because it’s going to become critical to being able to isolate fraud typologies before they spread to an entire platform, especially if you have multiple access points. And the other thing that we have to keep in mind for open banking is it will almost be entirely non-monetary in terms of how fraud is conducted. The only part of it that will be monetary is the last part. Understanding behavior ,mimicking behavior, spreading across the entire platform, spending months, maybe even years, understanding behavior for customers, and then striking will be the MO. So when you have somebody who’s setting up tents on your side of the street, you got to get them before they’re finished.

David, let’s talk a bit about balancing the needs of security with the wants of customer experience. Super tight security is possible in banking, but at a cost of making it a less pleasurable experience. How do you think about that balance? And do you see the demarcation line between the two moving as tech gets better?

SCHNEIDERMAN: I don’t know if we coined the phrase or not, but we use it fairly frequently, and it’s called “friction right.” And what we mean by that is financial institutions have to kind of walk the line between security and customer or member experience. They put these, in particular, digital channels and expedited payments in the hands of their customers and members because that’s what they’re demanding. But at the same time, they sometimes have to figure out ways to protect them from themselves, and going back to different financial institutions – whether it’s a community bank or regional bank or credit union, whether they’re up in the Pacific Northwest or down in Florida – they always have their own sort of unique demographics that they have to deal with. And that really means that they have to cater their potential solutions and their approach and their strategies, taking that into consideration. What we’ve seen a lot of, I would say the last probably two years, is this desire for financial institutions to insert themselves into digital banking sessions and/or payments processing without overly impacting the experience. They want that convenience to be just that – a convenience – and I don’t want the customer to have to jump through too many hoops. But at the same time, there’s going to be certain circumstances where I’ve got to jump in there and figure out is this legitimate or not. So I think that’s definitely an area where we’ve seen quite a bit of expansion, particularly with the more real-time approaches to their fraud prevention capabilities.

So, guys, let’s wrap this up here. 2022 will soon be upon us. So I want to ask each of you for a brief forecast, a brief prediction on a trend that you see arising, or something that’s taking on more importance in the coming year that pertains to fraud activity or fraud fighting technology or something else related to fraud. Your imagination, no limits there. Go ahead, Andrew.

CORBETT: Yeah, so for me, it’s device duplication. This is going to be another example of just an evolution, because what we’ve seen is people in non-extradition countries with tablets in their lap running six phones at the same time, duplicating devices, duplicating geolocation, VPN information. It’s very impressive, sophisticated and expensive stuff. And the only way that you can find something like that is if you understand every single piece of the behavior, because currently, the way that that’s being fought is the corner that they’re cutting – they have multiple phones on those tablets, and they’re not changing the OS’s because they want to run multiple phones at the same time. So we can at least see that this iPhone that’s been here for a year has now got a different OS. They’re using an Android tablet OS. Very unlikely device duplication. But what I’m interested in seeing in the future here is, like David said, it’s a game of leapfrog. So once they deal with that challenge, what’s the next piece of it? It’s so, so important to be able to understand as much as you can from all of your vendors, get as much data as you can, and make sure that you have a way of understanding if those behaviors change, because that’s really our only indication for some of these really sophisticated and subtle fraud typologies that I’m pretty sure we’re going to see in the new year.

SCHNEIDERMAN: So for me, I think it revolves around the faster payments that we’re seeing more and more as more and more financial institutions are adopting real-time payments, whether it’s Zelle, whether it’s RTP. I’ve seen a lot of discussion and movement toward payment hubs some of the providers out there are now starting to offer. All these things revolve around providing that added convenience. The digital transformation that we’ve seen over the last probably four to five years has really been in full swing. And with these expedited payments, we now have additional risk that’s being added into the equation. So that would be one of the things that I’d be looking for in 2022 as more and more financial institutions adopt faster and faster payments, what they’ll be doing to ensure that they’re protecting their customers and members and their assets.

David Schneiderman, senior solutions consultant and Andrew Corbett, senior sales consultant at NICE Actimize, thanks again for joining us on the BAI Banking Strategy podcast.

CORBETT: Thank you for having us.

SCHNEIDERMAN: Yes. Thank you very much.

Terry Badger is the managing editor at BAI.