Financial crime is a constant worry for all financial institutions (FIs). A recent study found that more than one-quarter of malware attacks in 2019 targeted FIs, with hackers seeking banks’ and customers’ funds as well as personal data like account numbers, PINs, addresses and payment card information. Such crimes are on the rise, too, with a 212 percent year-over-year increase in compromised credit cards in 2019 and a 129 percent jump in leaked credentials.
Fraudsters often work together to conduct their schemes and share in the spoils, and dark web marketplaces are rife with tools and tutorials that allow budding bad actors to learn the tricks of the trade. One study found that phishing scam tutorials can be purchased for as little as $25 each, for example, while templates for websites that trick users into entering personal information are sold for $3 apiece. Fraudsters using these relatively simple tools stole $1.7 billion in business email compromise (BEC) attacks last year.
This bonhomie and cooperation among fraudsters requires equal — if not more — collaboration among FIs to curb the rising tide of cybercrime. The following Deep Dive examines how bad actors team up to attack FIs and why banks should form alliances and share collective intelligence to counter their mutual threats.
Fraudsters Work Together
Fraud techniques have grown more sophisticated and diverse over time. Using false identities is one of the most popular methods fraudsters employ to attack banks, as doing so enables bad actors to impersonate customers and withdraw funds from their accounts without their knowledge. Other identity fraudsters apply for bank accounts under assumed names with the intention of using these new accounts for money laundering or other illicit ends. There were more than 651,000 reports of identity theft in 2019, with 23 percent of fraud cases resulting in stolen funds. More than $1.9 billion was lost in these incidents, an increase of $293 million from the previous year.
Many identity fraud cases originate from organized online crime rings in which fraudsters buy, sell and trade stolen identities. One recent study found that more than 10,000 such groups exist in the U.S., and some operate far differently than the stereotypical networks of hackers connecting in chat rooms. One such operation consisted of five Florida family members who filed at least 130 fake applications over a three-year period, for example, using more than eight stolen Social Security numbers and 11 stolen birth dates in the process.
Another cybercriminal ring — thought to be the largest card fraud organization in U.S. history — was busted for credit card fraud in early 2017. Fraudsters in the group leveraged more than 7,000 false identities to steal at least $200 million from thousands of credit card accounts, using the credentials to apply for cards and credit lines they had no intention of repaying and racking up millions of dollars in illicit purchases. Some New Jersey businesses were complicit in the scheme, too, allowing hackers to make fake purchases using their point-of-sale (POS) systems so they could improve their credit scores and apply for larger lines of credit.
These incidents illustrate how much of a threat fraudsters can pose when they work together toward common goals. The FIs they victimize must also team up to fight back, lest they be overwhelmed by the sheer number of fraudsters angling to exploit them.
The Enemy Of My Enemy Is My Friend
Banks often struggle to fight fraud, as bad actors’ techniques can evolve faster than FIs can develop countermeasures. FIs’ solutions too often work only once, and fraudsters can also reuse techniques that are stopped by one bank to attack another FI without the same security measures. This means banks must band together to share fraud prevention techniques and insights about potential threats to avoid falling victim to attacks that other banks have successfully stopped.
Several organizations are geared toward sharing intelligence and fighting fraud tactics. The Credit Industry Fraud Avoidance System (CIFAS) was founded in the U.K in 1988, for example, and from 2005 to 2010, it reported preventing a total of £4.2 billion ($5.3 billion) in fraud. Its members say they have collectively saved £268 in potential fraud losses for every £1 spent in membership fees. Another group, the U.S.-based Financial Services Information Sharing and Analysis Center, oversaw a 36 percent drop in account takeover attacks in a single year between 2009 and 2010.
The U.S. has several similar industry organizations committed to protecting their members from financial crime. One such group is Early Warning Services (EWS), which is co-owned by several major FIs, including Bank of America, Capital One, JPMorgan Chase, U.S. Bank and Wells Fargo. It maintains a data exchange system that allows its members to pool their collective intelligence and collaborate on fraud prevention initiatives.
Financial crime is a team effort, both for the fraudsters looking to rip off banks and the FIs trying to protect themselves. Fraud will likely never be completely thwarted, but FIs and technology providers can team up to stem the tide and make the problem far more manageable.