What changes in financial institution fraud management will 2015 bring? Will the call center continue to be the weakest link in the fraud-prevention chain? How will the explosion of smart phones, mobile banking applications, and mobile remote deposit capture impact fraudster behavior? Last, will fraud attempts, losses, recoveries, and prevention expenses in the financial industry remain as opaque as they are today? We may not be able to answer these questions completely and accurately until 2016, but focusing on these issues now, while the crystal ball is cloudy, provides valuable time to plan and work effectively to mitigate these challenges. Here are some of my forecasts for the coming year in fraud.
Card fraud: Expect a continued increase in the frequency and severity of card mass compromise data breaches. Ahead of the liability shift, fraudsters will continue to speed up their efforts to steal data (magstripe and PIN) while it can still be used in counterfeit card fraud. The fraudsters will likely come to realize the additional value of stealing personally identifying information (PII) and will continue to diversify by selling PII to data brokers, as a way to keep making money as the value of card data decreases with the rollout of EMV. Now is the time to ensure that your point-of-compromise and card-not-present fraud detection methods are up to date and ready for prime time.
Deposit account fraud: Traditional deposit account fraud will continue its downward trend this year. But expect increases in remote deposit capture losses as fraudsters continue to probe to find vulnerabilities in this new delivery system -- especially Mobile RDC. The newer delivery channels (RDC, MRDC, P2P, kiosk banking, and even image-enabled ATMs) will continue to be probed for weaknesses and for ways to mutate old fraud methods. Fraudsters will experiment with new methods of duplicate deposits -- a branch or ATM deposit followed by a mobile remote deposit, for example -- and will investigate new multiple-item mobile remote deposit capture applications.
Fraudsters will also determine back-office vulnerabilities by attacking them, using methods like forcing deposit corrections in order to get quicker funds availability. Last but not least, there will be pressure from the market to reduce the controls, limits, and product restrictions imposed on legitimate mobile remote deposit customers. It is not the time to assume that historically low losses from mobile and RDC delivery channels are inherent to the channels or that they can be maintained without active efforts to improve analysis and detection.
Wire transfer fraud: Deeper and more prevalent wire transfer fraud schemes will prosper, where the fraudster mimics the historical transaction patterns of the victim’s account. Wire transfers of the same or very similar amounts, along with the same timing and frequency, will become more prevalent in fraud schemes. Fraudsters will continue to manipulate unsuspecting victims by spoofing internal wire requests that fit existing patterns. Now is the time to extend wire transfer monitoring to include proactive customer contact and confirmations on new beneficiaries and new accounts for existing beneficiaries.
Call center fraud: As mass data compromises of card details and personally identifying information increase and EMV cards become more prevalent, fraudsters will continue to increase their social engineering attacks on financial institutions' call centers. This increasing prevalence of social engineering attacks on call centers will support fraudsters' need for more involved cross-channel fraud schemes. Now is the time to evaluate and invest in voice biometric systems that identify fraudsters as well as authenticate legitimate customers.
Mobile banking fraud: The smart phone, along with new and existing smart phone applications, will be further probed and attacked. Attacks on the smart phones will target the information in the phone and the information the phone can access. Additionally, the new payments systems using smart phones will be hit with malware attacks on the devices and the apps they are running. You thought protecting card transaction data at merchants was difficult? Try protecting mobile phone data.
Fraud loss reporting: Financial institution fraud reporting will continue to lack the transparency needed to facilitate a relevant and organized response to attacks on individual financial institutions and on the financial industry as a whole. The current focus on separate delivery channels will continue to cloud financial institution decision-making and, at an industry level, result in ineffective risk management.
Happy New Year. The year 2015 should create a fun yet challenging ride for those of us working to manage fraud and financial crime in our institutions.
Wesley Wilhelm (Wes) has more than 30 years of experience in banking and consulting to the financial services industry, with extensive knowledge of fraud management, payments, and retail banking technology and operations. He has held numerous management positions in risk and ...