A-Z of banking fraud
Quantum of fraud
The scale of fraud committed against banks is hard to determine precisely because many cases go unreported. However, information from within the industry suggests that:
A – Access
B – Big Data
C – Complexity
Complexity represents probably the most important source of vulnerability that banks suffer in attempting to detect and prevent fraud. As banking has become increasingly dependent on technology – and in the absence of a countervailing strategy – the systems that banks depend on to deliver their services have multiplied and grown much more complex.
The effect of this process of increasing complexity has been to create more opportunities for fraudsters to gain access to critical systems, while at the same time making it harder for banks to have a clear overview of all the activity taking place on their systems.
Complexity in bank systems can be seen in the growing number of channels through which banks now deliver their services, including websites and online banking platforms, mobile apps and social networks. All these channels represent a new set of opportunities for fraudsters to gain access to the bank’s information system. Banks’ IT has become more complex as new information systems are implemented on top of older systems, building up layers of technology that do not necessarily link together and so make it much more difficult to gain a unified view of operations. As mainframes have given way to network computing, critical systems have also become more distributed: today even a relatively small institution will have multiple databases running on different servers that are accessible to a large number of staff. Complex and highly distributed IT systems such as these are difficult to police and present more opportunities for fraudsters to gain entry. Modernising the legacy systems on which many banks still depend can also increase their ability to detect fraud, a factor that is often overlooked.
Technology and complexity
From online banking platforms to mobile apps and social networks, a growing number of new channels makes it harder for banks to have a clear overview of all the activity taking place on their systems.
D – Data theft
Although most people might think of fraud as the act of carrying out illicit transactions, data theft plays a very important role in facilitating the crime and is an area of great concern for banks and their regulators. Banks hold very large quantities of sensitive data on their customers and confidentiality is a basic expectation of any bank customer. Theft of confidential data is therefore damaging to a bank’s reputation, even if there is no direct financial loss as a consequence. Data thefts can occur as a result of outsiders gaining access to information systems, but are just as likely to result from internal breaches carried out by staff with high levels of access, such as database and systems administrators. There is a thriving black market on the internet in stolen customer information, including online bank and credit card details.
In the most famous recent example of a large data theft, computer specialist Herve Falciani stole the details of 24,000 private banking clients from a branch in Geneva while working on an IT project in 2007. He subsequently passed the stolen files to French tax authorities. In this instance, the data theft did not facilitate fraud against the bank or its customers, although it did produce a strong response from the bank’s regulators because of the serious breach of client confidentiality that resulted. In recent years financial regulators have stepped up pressure on banks to improve their controls around data security and to provide greater protection of clients’ confidentiality. The Swiss regulator, FINMA, has published new rules on the security of client identifying data.
E – External fraud
External fraud, in which an outsider manages to penetrate the bank’s data security and access sensitive information or carry out fraudulent transactions, can be achieved in a variety of ways. Poor password security, for example, might allow a fraudster to gain access to the bank’s information systems without the need for sophisticated computer hacking. However, much of the fraud carried out by outsiders in fact depends on help and collusion from employees, who may have been paid relatively small sums of money to facilitate the crime.
For example, as mobile banking has grown in popularity, mobile phones have become an accepted way for banks to authenticate a user’s identity without them being present. This opens up a new potential vulnerability in the bank’s controls that can easily be exploited by an external fraudster colluding with a bank employee who has access to the bank’s customer relationship management database. In order to carry out the fraud, the employee temporarily changes a customer’s mobile phone number on the bank’s database to the number the fraudster will use. The external accomplice then calls the bank’s helpline and resets the customer’s account password, using the mobile number now showing on the bank’s database to validate his or her identity. Once the account has been raided, the bank employee changes the mobile number shown on the database back to the correct one and the fraud is complete.
This shows how easily a database administrator can change a customer’s information without triggering an alert that a control has been breached.
H – Hacking
Hacking covers a huge variety of techniques used to find weakness in an organisation’s IT security and so gain illicit access to computer systems for a range of reasons including fraud and data theft. At its simplest, hacking may involve nothing more than attempting to guess passwords, an approach that is more likely to succeed against organisations with poor controls on password security and those that do not demand users change their password regularly.
Hacking can also involve attempts to induce users to divulge their account information using email-based “phishing” attacks, or even fraudulent telephone calls that purport to come from the user’s bank or financial services provider. Approaches such as these may simply involve gaining access to the victim’s account in order to steal money but they can also provide the means to commit more intricate “identity theft”, in which an individual’s personal details are used to set up false accounts that are then used to obtain credit or make fraudulent purchases.
More sophisticated, technology-based types of hacking may involve attempts to introduce malicious software into the target organisation’s computer systems, for example via email attachments, in order to capture sensitive information or to enable hackers to find a route into the system. The risks to cyber-security that hackers now pose have prompted the US ratings agency Standard & Poor’s to warn in September 2015 that its credit ratings for banks will in future take into account the quality and strength of their IT security systems and procedures. “We view weak cyber security as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” the agency said.
Hacking and how it’s done
Covers techniques used to gain access to a bank’s IT system with a view to carrying out fraud or data theft. Both sides are constantly at work: hackers devising new methods and software vendors finding ways to block the attacks.
Standard & Poor’s has warned that its credit ratings for banks will in future take into account the quality and strength of their IT security systems.
I – Internal fraud
Internal fraud is the most common way for banks to suffer losses. Estimates vary, but PwC’s Global Economic Crime survey for 2014 suggests that 56% of fraud is carried out by employees, though this encompasses a wider range of sectors than just banking. Others put the insiders’ share of fraud cases within banking as high as 70%.
Employee fraud takes place at all levels of organisations. Survey data reported by the Economist Intelligence Unit show that among organisations that had suffered a fraud where the perpetrator was known, in 32% of cases the leading figure was a middle or senior manager while in 42% of cases it was a junior employee. In many cases involving banks, internal frauds will involve collusion between at least two individuals in order to circumvent the bank’s controls, in particular the four eyes principle that is meant to ensure that one person carries out an operation while a second validates it. Employees with user privileges that give them high levels of access to the bank’s IT systems, such as systems and database administrators, are particularly well placed to commit or facilitate fraud within banks and are often able to remove evidence of their actions from the system.
Fraud experts suggest that the process of carrying out a fraud usually takes place over a long period and will often start with an “exploration” of the bank’s IT systems to see what the individual’s access rights will allow them to do. They may look for a dormant account that will allow them to operate undetected or begin making small, temporary changes to the information on the system, such as a phone number, to see whether and how quickly they are detected. Criminologist Janet Goldstraw-White suggests that individuals who discover vulnerabilities in their employer’s IT systems and control can feel “seduced” into committing fraud. “When they find out how easy this is, and get away with it, they often keep repeating the offence,” she writes.
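Both the mobile-number switch described under External fraud and the “exploration” phase described above leave the same trace in the audit trail: a customer field is changed and then changed back a short time later, sometimes with a credential reset in between that relies on the interim value. The following Python script is an added example of how a monitoring system can pick that pattern out of change and reset logs; it is not code from the page or from any named vendor, and the log format, the 24-hour revert window, the severity labels and the sample records are all constructed for the illustration.

```python
"""Flag customer-record changes that are reverted within a short window and
correlate them with credential resets that used the interim value (added
example; log layout, window and severities are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

REVERT_WINDOW = timedelta(hours=24)  # assumed tuning value

# Constructed CRM audit records: (timestamp, actor, customer, field, old, new)
CRM_CHANGES = [
    ("2015-09-14T09:02:00", "dba_07", "C1001", "mobile", "+44700000111", "+44700009999"),
    ("2015-09-14T09:41:00", "dba_07", "C1001", "mobile", "+44700009999", "+44700000111"),
    ("2015-09-14T10:15:00", "ops_21", "C2002", "mobile", "+44700000222", "+44700000333"),
    ("2015-09-15T08:30:00", "dba_07", "C3003", "address", "1 Old St", "1 New St"),
    ("2015-09-15T08:45:00", "dba_07", "C3003", "address", "1 New St", "1 Old St"),
]
# Constructed helpline reset records: (timestamp, customer, channel, mobile used)
RESETS = [
    ("2015-09-14T09:20:00", "C1001", "helpline", "+44700009999"),
    ("2015-09-14T11:00:00", "C2002", "helpline", "+44700000333"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_reverted_changes(changes, window=REVERT_WINDOW):
    """Return every change to a customer field that was undone within `window`."""
    by_key = defaultdict(list)
    for ts, actor, customer, field, old, new in changes:
        by_key[(customer, field)].append((_ts(ts), actor, old, new))
    reverts = []
    for (customer, field), events in by_key.items():
        events.sort()
        for (t1, actor1, old1, new1), (t2, actor2, old2, new2) in zip(events, events[1:]):
            # A revert restores the previous value: second change undoes the first.
            if old2 == new1 and new2 == old1 and t2 - t1 <= window:
                reverts.append({
                    "customer": customer, "field": field, "actor": actor1,
                    "reverted_by": actor2, "interim_value": new1,
                    "start": t1, "end": t2,
                })
    return sorted(reverts, key=lambda r: r["start"])


def correlate_with_resets(reverts, resets):
    """Raise severity when a reset used the interim value during the window."""
    alerts = []
    for rev in reverts:
        used_interim = [
            r for r in resets
            if r[1] == rev["customer"] and r[3] == rev["interim_value"]
            and rev["start"] <= _ts(r[0]) <= rev["end"]
        ]
        # A reverted change on its own is the probing signal; a reset that
        # relied on the interim value is the account-takeover pattern.
        severity = "HIGH" if used_interim else "MEDIUM"
        alerts.append({**rev, "severity": severity, "resets": used_interim})
    return alerts


def detect(changes=CRM_CHANGES, resets=RESETS):
    return correlate_with_resets(find_reverted_changes(changes), resets)


if __name__ == "__main__":
    for alert in detect():
        minutes = int((alert["end"] - alert["start"]).total_seconds() // 60)
        print(f'{alert["severity"]:6} {alert["customer"]} {alert["field"]} '
              f'changed by {alert["actor"]} for {minutes} min, '
              f'{len(alert["resets"])} reset(s) used the interim value')
```

On the constructed data the C1001 mobile change is flagged HIGH because the helpline reset fell inside the 39-minute window and quoted the interim number, while the C3003 address flip-flop is flagged MEDIUM as a possible probe; the C2002 change is never reverted and so produces nothing here, which is why a revert detector should run alongside, not instead of, plain change-of-contact-details alerts.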
Learn more: Read our blog post on how “Machine learning can stamp out internal banking fraud”
L – Libor
The illegal manipulation of Libor, the key market interest-rate benchmark, came to public attention in June 2012 when Barclays announced a settlement with US authorities worth $453m as recompense for its traders’ involvement in the fraud. Libor – the London Interbank Offered Rate – is calculated daily on the basis of submissions by major banks and is meant to show the rate at which those banks are able to borrow from each other. This benchmark is used globally to calculate the price of up to $3.5 trillion of financial products, both wholesale and retail, ranging from complex derivative contracts to consumer mortgages and loans.
After the scandal broke it emerged that traders at a range of banks were colluding via private messaging systems to agree the interest rates that they would submit for the daily calculation of Libor, which at the time was carried out by the British Bankers’ Association.
Submitting slightly higher or lower figures could have a direct impact on the banks’ profits via their trading activities, and therefore influence the profits and bonus entitlements of individual traders. For example, in a US class-action lawsuit filed in 2012, the plaintiffs alleged that banks colluded to ensure Libor increased on the first day of each month – the date on which new payment amounts on variable-rate mortgages were calculated, based on that day’s Libor fix. Moreover, during the financial crisis, banks were able to mask the extent of their financial difficulties by colluding to depress Libor artificially, thereby giving the appearance that they could borrow more cheaply than was in fact the case.
Major banks have paid billions of dollars so far to settle cases related to Libor manipulation around the world, particularly in the US and UK, while some including UBS have received immunity for revealing details of the “Libor cartel” to prosecutors. In April 2015, Deutsche Bank paid US and UK authorities $2.5bn, the largest Libor settlement so far.
M – Mobile
N – Near-Real Time
One of the greatest challenges to the effective use of big data analytics in detecting fraud is the time required to process the vast volumes of information involved. To be most effective, fraud systems need to be capable of near-real time processing so that potentially fraudulent patterns of activity on the bank’s IT systems can be detected rapidly and addressed.
Many banks currently run algorithms designed to detect fraud on the data in their core banking systems. The problem with this approach is that the data processing involved places a heavy load on the core banking system and will therefore tend to degrade its performance.
As a consequence, the algorithms cannot be run very frequently, leading to a lower level of anti-fraud protection. By contrast, using a more modern anti-fraud system that extracts the necessary data from the core banking system and analyses it in near-real time allows a much more proactive approach to fraud detection and prevention, as well as avoiding a negative impact on system performance.
O – Oversight
Oversight of user activity lies at the heart of effective fraud detection and deterrence. It is based on the ability to detect activities that either breach internal controls, resulting in a “red flag” alert, or to identify patterns of activity that do not in themselves breach controls but that taken together indicate the possibility of fraudulent activity. In both cases, effective monitoring of the use of the bank’s technology systems by thousands of individuals and interpreting their behaviour is the key to effective fraud detection and reporting.
Where employees in particularly sensitive jobs are concerned, specialist systems can be put in place to provide an added level of assurance in areas where banks have potentially serious vulnerabilities. In particular, specially designed systems are available to monitor the activities of systems administrators and database administrators on the bank’s IT platform and reduce the risk of frauds carried out by system users with very high access privileges.
The critical role that technology now plays in anti-fraud oversight has also brought about big changes in the way that banks’ internal auditors need to operate and the skills they require to do their jobs. Auditors are frequently drawn from the operational side of the bank and may therefore lack detailed knowledge of how the bank’s IT systems work and their potential vulnerabilities. Specialist IT auditors have therefore become a vital part of banks’ armoury against fraud and provide essential support for the work of the internal audit team.
P – Profiling
In cases where fraudulent activity does not involve a violation of any of the bank’s internal controls – and therefore does not trigger a red flag alert on its security systems – profiling offers one of the most effective counter-measures. This aspect of big data analytics is akin to machine learning, in that the anti-fraud system will analyse large bodies of data over time in order to establish patterns relating to particular accounts and customers that reflect their normal behaviour.
In a simple example, this might involve payments into an account on a particular day of the month from a regular source such as an employer, withdrawals from ATM machines within a typical geographical area and purchases of a typical average size from a range of offline and online sources. By assembling data of this sort over a period, the system can create a notional profile of that customer or account against which to evaluate and query transactions that appear to fall outside of the recognised parameters.
These might involve an ATM withdrawal or card payment in a different country, a transaction of an unusual size or one that takes place at an unexpected time of day. In an investment banking context, profiling of the net positions and trading activity of a group of traders might enable a bank to identify whether any of them shows a pattern of activity that differs from colleagues working in the same team. Ultimately, the ability to create profiles in this way will enable anti-fraud systems to carry out ongoing predictive analysis of user behaviour and transaction patterns as they occur in order to give early warning of suspect activities.
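The distinction drawn under Oversight between a red flag (a control is breached) and a profile deviation (nothing is breached, but the transaction does not fit the account’s history) is easy to see in code. The script below is an added example, not code from the page or from any vendor: it builds a simple profile of one account from its past card debits (typical amount as median and median absolute deviation, countries seen, hours of day seen) and then scores new transactions against both a hard single-transaction limit and that profile. The limit, the multiplier and the transaction history are all constructed values.

```python
"""Score transactions against a hard control and a per-account behavioural
profile (added example; limits, multiplier and sample data are assumptions)."""
import statistics

SINGLE_TXN_LIMIT = 10_000   # assumed hard control: any debit above this is a red flag
MAD_MULTIPLIER = 3          # assumed tuning value for the amount deviation test

# Constructed history of one account's card debits: (amount, country, hour of day)
HISTORY = [
    (25, "GB", 12), (40, "GB", 18), (32, "GB", 9), (18, "GB", 13), (60, "GB", 19),
    (45, "GB", 11), (22, "GB", 14), (38, "GB", 17), (55, "GB", 20), (30, "GB", 10),
    (27, "GB", 15), (41, "GB", 12), (35, "GB", 16), (48, "GB", 18), (20, "GB", 13),
]
# Constructed incoming transactions to score
NEW_TXNS = [
    (42, "GB", 13),        # ordinary purchase
    (950, "BR", 3),        # unusual size, country and time of day
    (15_000, "GB", 11),    # breaches the hard limit and the profile
    (30, "FR", 12),        # only the country is new
]


def build_profile(history):
    """Summarise normal behaviour: robust amount statistics plus seen countries and hours."""
    amounts = [a for a, _, _ in history]
    median = statistics.median(amounts)
    mad = statistics.median(abs(a - median) for a in amounts)
    hours = [h for _, _, h in history]
    return {
        "median": median,
        "mad": mad,
        "countries": {c for _, c, _ in history},
        "hour_range": (min(hours), max(hours)),
    }


def score(profile, txn):
    """Return control breaches (red flags) and profile deviations for one transaction."""
    amount, country, hour = txn
    red_flags, deviations = [], []

    # Red flag: an internal control is breached regardless of history.
    if amount > SINGLE_TXN_LIMIT:
        red_flags.append("single_transaction_limit")

    # Profile deviations: nothing is breached, but the transaction is atypical.
    # If the MAD is 0 (all amounts identical) fall back to the median as the scale.
    scale = profile["mad"] or profile["median"]
    if abs(amount - profile["median"]) > MAD_MULTIPLIER * scale:
        deviations.append("amount")
    if country not in profile["countries"]:
        deviations.append("country")
    lo, hi = profile["hour_range"]
    if not lo <= hour <= hi:
        deviations.append("hour")
    return {"red_flags": red_flags, "deviations": deviations}


def score_all(history=HISTORY, txns=NEW_TXNS):
    profile = build_profile(history)
    return [score(profile, t) for t in txns]


if __name__ == "__main__":
    for txn, result in zip(NEW_TXNS, score_all()):
        print(txn, result)
```

A real system would keep a profile per account and per counterparty, refresh it as transactions are accepted, and weight the deviations rather than listing them; the point here is that the third transaction is a red flag whether or not a profile exists, while the second and fourth are visible only because a profile was built.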
U – U.B.A.
User behaviour analytics (UBA) is a fast-emerging area of fraud detection within banks. It is based upon big data analysis and requires the ability to assess very large volumes of data from multiple sources within the bank’s IT systems. This is analysed at the level of individual users and banks also seek to identify links between users and entities on the system. Once the UBA system has been configured to reflect the working practices of an institution and has established a baseline for its users’ typical behaviour, it is able to identify anomalous examples, whether carried out by insiders or external intruders, and flag them for further investigation.
This area of fraud detection is still developing and to date has varied significantly from one provider to another. The important trends in this market include the level and extent of data analysis that the bank is required to carry out internally. More advanced UBA systems now include large suites of so-called “canned analytics”, meaning that the system provides information to the bank in a readily useable form, for example via dashboards. Banks therefore do not require their own data scientists in order to make proper use of it. UBA providers are also increasingly providing these systems as a service, whereby the provider’s staff carry out analysis and forward reports of anomalous activity to the customer.
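Where the profiling example scores a customer against that customer’s own history, a UBA baseline for staff is often built from the peer group instead, as the earlier remark about comparing a trader with colleagues in the same team suggests. The script below is an added example of that approach and is not code from the page or from any UBA product: each employee’s daily activity counts are compared with those of colleagues in the same role using a leave-one-out z-score, and anyone more than three standard deviations above the peers on any metric is flagged. The roles, metric names, threshold, minimum peer-group size and activity figures are all constructed.

```python
"""Peer-group user behaviour analytics on daily activity counts (added example;
roles, metrics, threshold, group-size guard and data are assumptions)."""
import statistics
from collections import defaultdict

Z_THRESHOLD = 3.0   # assumed tuning value
MIN_PEERS = 3       # assumed: groups with fewer peers cannot give a stable baseline
METRICS = ("records_viewed", "after_hours_sessions")

# Constructed daily activity counts per employee: (user, role, *metrics)
ACTIVITY = [
    ("ops_01", "ops", 120, 0),
    ("ops_02", "ops", 135, 1),
    ("ops_03", "ops", 110, 0),
    ("ops_04", "ops", 128, 0),
    ("ops_05", "ops", 142, 1),
    ("ops_06", "ops", 118, 0),
    ("ops_21", "ops", 640, 6),   # far outside the peer group on both metrics
    ("dba_07", "dba", 300, 2),   # too few peers to score
    ("dba_08", "dba", 310, 1),
]


def peer_zscores(rows, metrics=METRICS, min_peers=MIN_PEERS):
    """Leave-one-out z-score of every user against colleagues in the same role.

    Returns {user: {metric: z}} or {user: None} when the peer group is too small.
    Excluding the user from their own baseline stops a heavy user from masking
    themselves by inflating the group average.
    """
    by_role = defaultdict(list)
    for user, role, *values in rows:
        by_role[role].append((user, dict(zip(metrics, values))))

    scores = {}
    for members in by_role.values():
        for user, vals in members:
            peers = [v for u, v in members if u != user]
            if len(peers) < min_peers:
                scores[user] = None
                continue
            zs = {}
            for m in metrics:
                peer_vals = [p[m] for p in peers]
                mean = statistics.mean(peer_vals)
                sd = statistics.pstdev(peer_vals)
                if sd == 0:
                    # Peers are identical: any excess is infinitely unusual.
                    zs[m] = float("inf") if vals[m] > mean else 0.0
                else:
                    zs[m] = (vals[m] - mean) / sd
            scores[user] = zs
    return scores


def flag_outliers(rows=ACTIVITY, threshold=Z_THRESHOLD):
    """List users whose activity exceeds the peer baseline on at least one metric."""
    flagged = []
    for user, zs in peer_zscores(rows).items():
        if zs is None:
            continue
        hits = {m: round(z, 1) for m, z in zs.items() if z > threshold}
        if hits:
            flagged.append({"user": user, "metrics": hits})
    return flagged


if __name__ == "__main__":
    for hit in flag_outliers():
        print(hit)
```

Two caveats are built into the code and matter in practice: a user with only one or two peers is not scored at all, because a baseline cannot be drawn from them, and the z-score is one-sided, since unusually low activity is a different kind of signal from unusually high access.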
V – Volume
One of the biggest challenges that any bank faces today in attempting to detect and counteract fraud is the vastly increased volume of digital traffic that its systems have to handle each day. As banking becomes increasingly digital rather than cash-based and the market penetration of financial products from mortgages to credit cards increases, the volume of transactions that must be processed electronically through the bank’s IT systems each day – which can already number 20m or more for a large organisation – will continue to climb.
Until relatively recently, many banking operations were still processed manually on paper, which made the checking and verification process slower but less vulnerable to abuse. However, the increase in digital transaction volumes has made this approach untenable. Instead, banks have been forced to automate as many routine processes as possible to accommodate high volumes of digital transactions.
This inevitably means that most transactions will no longer undergo any human checking, enabling fraudulent activity to slip through the bank’s systems provided it does not contravene any internal controls. This also increases the risk of “false positives” – legitimate transactions that trigger a fraud alert and require staff time in order to confirm they are not a threat. A well-structured and well-monitored system of controls is therefore vital in enabling huge volumes of transactions to be processed safely. But as the speed and quality of big data analysis rapidly improves, sophisticated fraud detection systems are also becoming central to the effort to detect and prevent frauds hidden among the millions of operations that take place every day.
Alongside the continuing increase in digital transaction volumes, the growing adoption of mobile banking is pushing up the number of customer queries that bank systems must deal with because mobile customers tend to check their balance and recent transactions much more frequently than people banking via other channels. Recent estimates by the British Bankers’ Association suggested that UK customers would access their accounts via mobile banking 895m times in 2015, rising to 2.3bn in 2020. This will not necessarily result in a higher overall volume of transactions, but it will undoubtedly place additional burdens on the bank’s IT infrastructure.
Y – Youth
In the past two decades the rapid spread of the digital economy has exponentially increased the quantities of data that organisations generate and with it the challenges of maximising the value of these vast pools of information. In January 2009, Hal Varian, Google’s chief economist, told McKinsey Quarterly: “I keep saying the sexy job in the next 10 years will be statisticians…The ability to take data – to be able to understand it, to process it, to extract value from it, to visualise it, to communicate it – that’s going to be a hugely important skill in the next decades.” Anti-fraud technologies that depend on these crucial skills are still in their youth – many were developed only in the past few years and in many cases banks have only recently begun pilot projects that use modern techniques such as big data analytics. There is much further to go before these technologies become a routine part of how banks operate day-to-day: in early 2014, the technology market analyst Gartner said that just 8% of large, global companies had adopted big data analytics for at least one security or fraud detection use case. It forecast that the proportion would increase to one-in-four by 2016.
These new technologies are developing quickly, which brings both opportunities and challenges for organisations that want to take advantage of them. On one hand, the rapid evolution of systems will require banks to adapt and update their controls frequently and undertake continuous training to stay abreast of technological developments and the evolution of techniques for committing fraud. On the other, as anti-fraud systems evolve they are continuing to improve. Increased processing power is enabling them to become faster and more intelligent, and the quality and user-friendliness of the analysis they provide to security staff are improving, making them easier to use. Banking is becoming ever more dominated by digital technologies and as this process continues, technology will inevitably be an indispensable weapon in the constant fight against fraud.
Z – Zero day
The battle between institutions and fraudsters resembles an arms race. Technology developers are at work on both sides: hackers creating new ways to penetrate IT systems to steal information and carry out fraudulent transactions, while software vendors work to block these attacks and discover new vulnerabilities in their programs before the hackers do.
Occasionally, hackers succeed in exploiting holes in the software systems that organisations use before IT security staff become aware of the weakness. These are known as zero day attacks: attacks that take advantage of a previously unknown software flaw. There have been zero day attacks on widely used pieces of software including PC and Mac operating systems and web browsers. Software vendors release thousands of security patches to plug the holes that are discovered in their code, but in some cases the holes are discovered only when people suffer an attack.
It can take years for a zero day attack to be discovered. The Red October malware went undiscovered for five years, during which time it was used to steal information from governments, embassies, energy companies and nuclear installations in 39 countries. It was uncovered in October 2012 by the Russian security company Kaspersky Lab. The creators planted the malware in Microsoft Word and Excel documents that were sent to target recipients by email.
However, although these security breaches are a cause for concern, technology continues to develop quickly and the security that surrounds the IT systems that form the critical infrastructure of banking is becoming stronger all the time. Major advances in areas such as big data analytics and real-time monitoring mean that unauthorised activities can be detected and dealt with more quickly than in the past, and the arrival of predictive analytics promises to increase the strength of the defences that banks can rely on still further. The ability of technology to provide effective protection against fraud has never been greater than it is today – and it is improving all the time.
The soon to be future
Oversight of user activity lies at the heart of fraud detection and deterrence.
Trust will remain key, but technology to track criminal behaviour is ever improving – just as new rules are unveiled to further regulate the industry.