When the global pandemic ends, banks should expect that fraud will have grown faster than at any other point in history. In some cases, losses could be material; losses to individuals and smaller commercial customers could be devastating. Moreover, fraud will not decline when infection rates do, because cyber criminals will be wielding new tactics and techniques against organizations that are more vulnerable than ever, thanks to greatly expanded attack surfaces.
These dangers are not new. But they are newly urgent. The Federal Bureau of Investigation (FBI) 2019 Internet Crime Report put reported losses at more than $3.5 billion, of which $1.77 billion was from business email compromise (BEC). As the pandemic spread across the globe in April, the FBI warned that cyber threat actors were using “uncertainty surrounding the COVID-19 pandemic to further their efforts.”
Business email compromise is a tough one
It’s difficult for businesses and banks to prevent because it attacks the weakest link in the payment system, people, by convincing them they must ‘do the right thing’ quickly. A typical lure tells an employee that a payment must go out ‘immediately’ or the company will lose a critical service or product in its supply chain. Add the urgency of the pandemic, with many people working longer hours on less-secure systems, to the huge sums governments are pushing through banks to get critical funding to people and businesses, and you have a recipe for fraud disaster.
We can do better
The first order of business is breaking down silos that exist between banks, regulators, and other government agencies at the federal and local levels. For decades, banks and regulators have mirrored each other in organizational design by having fraud teams that are separate from their information security teams.
For example, banks have compliance divisions that handle the Know Your Customer (KYC), Anti-Money Laundering (AML), and Identity Theft Red Flag aspects of fraud. Regulators maintain the same divisions. Separate from these compliance divisions, banks maintain information security teams that identify, assess and attempt to prevent cyber-attacks. For their part, regulators have separate information technology (IT) policy divisions that offer compliance guidance, along with IT examiners who oversee IT risk and information security. While the separate teams in banks are each doing an admirable job, they would be more effective working together.
The lesson is that silos and lack of communication make it harder for banks to prevent fraud and, conversely, easier for cyber criminals to attack. These teams should share tools and information.
Progress on the horizon
Some banks are building Cyber Fusion Centers and Cyber Fraud Prevention divisions, bringing cybersecurity and fraud professionals together to identify threat patterns and the common tactics, techniques and procedures criminals use to push fraudulent payments through. This is a good starting point for banks trying to prevent fraudulent payments. Looking outside the banks, local governments need new processes to help officials identify cyber criminals and stop them from obtaining business licenses for the shell corporations they need to commit fraud.
These steps are a start, but we should act more holistically and move even more quickly, because faster payment systems mean it will be even harder to stop or retrieve a fraudulent payment once it has been submitted.
In the meantime, criminals are making away with billions of dollars, taking advantage of people during one of the lowest points in history. That’s just wrong. So, let’s get to work stopping them.