The good news in the world of fighting fraud and cybercrime is that, by the numbers, the battle against the thieves has been shown to be tipping toward the white hats. As GIACT EVP David Barnhardt noted in a recent conversation with Karen Webster, overall fraud dropped 15 percent between 2017 and 2018. That’s good news, he noted, and a good indication that industries like banking have made real progress in fortifying themselves against attacks better than they have historically.
But, as is often the case with good news in the ongoing war against cybercrime, it is a lot more limited and qualified than it appears at first glance. The overall dollars lost to fraud declined some in that time period, but not much. When the going gets tough in one channel, Barnhardt told Webster, the fraudsters just get going to a new one where the security is less sophisticated and less fortified against attack.
“If you look at where the big gains are for fraudsters, it is in industries that historically have not had a problem — suddenly they are seeing double, triple and even quadruple instances of fraud,” he said.
And while those fraud increases are across the board, Barnhardt said, they are emerging particularly quickly with new account fraud, where banks are suddenly finding themselves trying to fend off a type of attack they had never considered before it started showing up, and often.
Balancing Protection and Ease
As companies across the board are increasingly moving online and expanding their service offerings, he said, they now have to worry about being a target for fraud, whether they have been targeted historically or not. The proper risk controls have to be there, or “you will certainly become very popular in the fraud community.”
And the targets can be pretty inventive — and pretty scary.
Take home equity lines of credit as an example. Online processing systems have been a blessing to ultimate customers, Barnhardt noted, in that they’ve taken what used to be a messy, lumpy process of applying for a HELOC product and streamlined it into a quick and easy way to access funds. That blessing, however, is a curse in the hands of a fraudster with ill-gotten data — hackers can fool the system and take out a home equity line of credit on a consumer’s home without their knowledge.
That sort of scenario occurs in many rapidly digitizing arenas. Auto lending is frequently becoming a target, as is student lending.
“In a lot of these industries, the fraud operators are branching out and finding less-fortified places,” Barnhardt said. “And if it is an easy process, you can grab $40,000 in one click — the payments are getting bigger and the targets are getting easier.”
The problem is that while businesses are avidly racing to provide the fastest, easiest experience for customers on the front end, they aren’t doing the concurrent work on the back end to thoroughly screen for fraud. That is creating a huge opportunity for fraudsters, who can easily exploit gaps in the back-end verification systems. Why work hard extracting less value from a bank-issued card when there is a fraudulent mortgage refinance a few clicks away?
The industry needs to get it together, Barnhardt said, and make sure these gaps are closed.
And it shouldn’t be a one-sided effort, he noted: Consumers should also be in the game by monitoring their credit reports. Barnhardt pointed out that consumers have shown limited interest in being their own advocates — that’s proven by the relatively few who signed on for credit monitoring after the Equifax breach. That means, at least in the near term, businesses across the vertical spectrum need to be thinking about how to fortify their customer relationships, end-to-end.
The Ongoing Relationship
As Barnhardt noted, firms of all kinds need to lock down onboarding as they are considering hardening their back end against fraudsters — even as they are constantly pushing to make that process smoother and more friction-free on the front end.
At the start of the process, Barnhardt suggests asking, “Are they who they say they are? Can you find digital DNA for that customer? Can you verify all the payment information, authenticate with their bank and make sure all of the information coming in actually matches?”
And that is only the start of the process, which is now an ongoing series of check-ins and re-checks to ensure all of the associated data still makes sense. Even if this is a two-year or six-year customer with whom the business has no issues, when there is a request to change something on the account like contact information, that should trigger a whole verification process to make sure account takeover fraud is not underway.
Ultimately, Barnhardt noted, it is a matter of looking at all the entry and exit points in a relationship and pinpointing (and fortifying) the areas of vulnerability. That is notably obvious in banking and financial services — a fraudster who gets added as an authorized card user on a checking account can quickly wreak all kinds of financial havoc, and banks have spent the last decade hardening their systems in myriad ways. But, Barnhardt told Webster, while the effects aren’t always equally dramatic, a fraudster breaking into any kind of consumer or business account is not a good thing.
“Anytime you are providing a good or a service, if you aren’t doing these steps, it can create risk for a consumer,” Barnhardt stated. “This really applies to any industry. FIs are in the mix, but any business — both B2B and B2C — really needs a water-tight process. They must not only provide a world-class experience, but also protect themselves and their consumers from losses.”