Criminals are increasingly sophisticated in how they compromise data, and are deploying new tactics across the social engineering lifecycle. Detecting financial crimes often requires collating together all the pieces of the jigsaw.
Fraudsters buy compromised data (credentials, ID documents, personally identifiable information or payment details). Ultimately, they use it to manipulate both your customers and employees to commit fraud. Sometimes, fraudsters don’t have all of the pieces of the puzzle together, so they often further manipulate your employees, systems and customers in order to get the full suite of assets they need to commit a fraud.
So how do you keep your company and customers safe? It helps to understand the social engineering lifecycle.
The Social Engineering Lifecycle
While employees are focusing on providing empathetic customer service to clients, bad actors are executing effective strategies to harvest and sell data as well as manipulate processes, systems and people with the aim of committing a financial crime.
First off, hackers target individuals, businesses, and governments in order to compromise valuable data assets. This can include credentials, such as usernames and passwords, identity documents, knowledge-based information and payment details. This data can be harvested in one compromise or stitched together in multiple breaches.
Widespread attacks can target the unsuspecting consumer, tricking them into deploying malware by clicking on a link or providing confidential information to bad actors pretending to represent a legitimate business or bank. We have seen an increasing amount of businesses, industries and government databases breached, with numbers often in the millions and sometimes hundreds of millions of records.
Once harvested, the data is sold. Typically, the information is sold on the dark web, with different kinds of data attracting different values. For example, a complete digital identity is worth more than a partial one, and platinum credit cards are worth more than standard cards.
Depending on the completeness of the digital identity, criminals are either in the position to start their attack, or they may need to further manipulate the victim or employee to try to get the final pieces of the puzzle together. When the fraudster has enough data, they use it to socially engineer employees, defeat channel authentication controls, or apply for new products or services.
Fraudsters are in a race to try to access customer accounts or apply for products before the victim realizes there’s a problem. Fraudsters try to maximize their return on investment through various strategies. Sometimes they target multiple accounts owned by that victim. Other times, if they are using the identity to apply for services, they take one set of data and manipulate it to create multiple slightly varied versions of the same identity to expand the number of accounts they can open.
Generally, speed is their focus. Fraudsters have to have a way to extract funds as quickly as possible. With the rapid global adoption of both digital originations and real-time payment capabilities, we need to be mindful of where fraud trends are heading.
Strategic Areas to Focus On
On a recent webinar, The Rise of Scams – Mitigating the Manipulation of your Customers and Employees during Times of Crisis, we learned that to combat fraud most people are focusing their efforts on authentication, while 25% are focusing on customer-level controls. With there being so many factors, it can be difficult to identify where to concentrate efforts.
Here are the key aspects to think about to help prioritize:
1. Customers at Risk
Customers that are new to your bank or are new to banking online are especially vulnerable, as are customers that have the best relationship with you. Customers that have multiple accounts with one institution as well as high net worth individuals have the most to lose and will tend to be targeted by fraudsters.
2. Job Roles at Risk
Consider various job roles and the process that each oversees. Risk is elevated with the more access a position has. For instance, a manager will have more privileges than an agent, and thus fraudsters are more likely to escalate interactions to more senior roles.
3. Employees at Risk
New hires and temporary staff are most at risk. Organizations are quickly training them on things they have not done before and are immediately throwing them into crisis level workloads. Offshore call centers that are being used to ramp up capacity can also fall victim to this.
4. Customer-Level Controls
Fraudsters take over an account at the customer level, so financial institutions need to have the ability to define control measures that span across channels and across products. Today, many institutions manage risk in silos, where authentication decisions are made independent of account maintenance or transaction-level monitoring. Convergence in these areas is imperative in controlling account takeover risk. Additionally, companies should give customers the ability to control their accounts with a variety of transactional restrictions, account access controls and change notifications.
5. Awareness and Training
Employees should be trained to deliver warm, empathetic experiences to customers, but they should also know to help educate customers on how the institution will communicate with them at this time, enabling customers to better distinguish legitimate communication from illegitimate.
If you’re looking for additional information, including tactics that you can immediately implement, watch the replay of my webinar where I share 5 things to do.
What else are you doing to fight fraud? Let me know on Twitter @fraudadvisor.