Ransomware Attacks Spotlight Need for FIs to Gauge Third-Party Risk 

The fraudsters grow ever-wilier, the attacks more brazen.

And effective.

A blog post this week from the Atlanta Federal Reserve noted that “at least” 60 credit unions were “knocked out of commission” by ransomware attacks towards the end of the year.

Those CUs had all been tied to the same third-party service provider, and the impact was significant, as it kept 100,000 CU members from accessing their digital accounts.

For three weeks.

The attacks come against a backdrop in which, as the Office of Financial Research found in its annual report to Congress, the percentage of financial firms affected by ransomware rose to 87% in 2023, up from 79% in 2022.

In the report “The State of Fraud and Financial Crime in the U.S.,” a collaboration between PYMNTS Intelligence and Hawk AI, we found that for U.S. banks with at least $5 billion in assets, total losses due to fraudulent transactions added up to more than $1.3 billion in 2023, nearly doubling the $767 million lost in 2022.

Impersonator Scams

Impersonator scams have been gaining ground, and bad actors can of course impersonate third-party vendors — incentivizing unwitting employees at financial institutions (FIs) to make payments to the criminals’ fraudulent accounts. Data from the Fed’s Fraud Classifier model found that authorized fraud — involving the manipulation of FI workers — represents about 12% of fraudulent transactions, meaning that the average FI lost nearly half a million dollars due to those scams annually.

The data also show some proactivity on the part of these same FIs to use advanced technology to beat back the waves of attacks. A full two-thirds of FIs use machine learning (ML) and artificial intelligence (AI) to combat fraud, up from 34% in 2022. The decision not to use those technologies can be a costly one, as our data also found that 34% of FIs that had decided not to use AI and ML had been beset by increased fraud rates. Roughly 22% of FIs not using these technologies experienced bank tech-support impersonation scams, which gives one window into how trust in third parties can be co-opted in ways that wind up costing the FI money, and no small hit to its reputation when there’s a breach.

As for third-party risk, as more banks ink pacts with FinTechs and other providers of technology, data, products and services, joint guidance from the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued last year contended that FIs must monitor that risk on a continuing basis (and there are 17 items to address governing third-party relationships). 

In an interview with PYMNTS, Michael Berman, CEO of Ncontracts, said that “the number of [vendor] agreements have exploded — and the challenges have exploded.” 

AI, through the use of large language models, can help parse the contracts and ensure that they are in compliance and that risk and contingencies are addressed.