OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 19 2024-2025 Issue 6

Counselor’s Corner: Five Steps to Counter Current Fraud Trends

Fraud continues to cause problems for banks and their customers. Some of the most troublesome scams have been causing issues for years, while others are new or have a new twist. The following discussion reviews some of the current fraud trends and offers concrete steps financial institutions can take to protect themselves and their customers.

1. Require Multi-Factor Authentication

Most security relies on sensitive data being secured with a username (often an email address) and a password. When ransomware groups exfiltrate usernames, passwords and other data and post it on the dark web, this information can be harvested and used by hacking groups to target financial accounts with credential stuffing attacks. With the sheer amount of information on the dark web, usernames and passwords aren’t hard to find.

Attackers may also gather from social media the further details needed to satisfy a help desk or to answer password-reset questions, such as someone’s first school, first pet or the last four digits of their Social Security number.

Multi-factor authentication (MFA) provides an extra layer of protection for sensitive data beyond login credentials and security questions.

The National Institute of Standards and Technology (NIST) defines MFA as:

An authentication system that requires more than one distinct authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or a combination of authenticators that provide different factors. The three authentication factors are: something you know, something you have, and something you are.¹

It is worth noting that not all forms of MFA offer the same level of security. MFA delivered via SMS text message or email is convenient, but less secure than using authenticator apps like Microsoft Authenticator, Google Authenticator, Duo or similar applications. Texts and emails can be intercepted. Strong, out-of-band MFA solutions are recommended to enhance the security of financial accounts.

The volume of information available to threat actors is significant. One effective security measure for financial institutions is mandating MFA on all customer accounts. However, some financial institutions offering online services still do not require MFA. There are regulations designed to enforce MFA, such as the New York State Department of Financial Services’ cybersecurity regulation (23 NYCRR 500); however, adoption remains variable, particularly among institutions serving smaller or older client bases. Concerns persist about whether requiring MFA will encourage customers to migrate to other banks or financial organizations. Still, the resources spent preventing fraud or misdirected funds may exceed the costs associated with lost opportunities.

2. Educate Customers on Social Engineering Scams

Social engineering has existed for a long time; as long as there have been secrets, people have attempted to use social tactics to obtain them. A well-known hacker once stated that it is often simpler to manipulate individuals than to circumvent technological safeguards, suggesting that advanced technology can be compromised through effective social engineering techniques. Hackers rely on users not being aware of the latest scams, so it’s essential to repeat warnings loudly and often.

Practitioners of social engineering have developed various methods and schemes. One common scam involves fraudulent phone calls appearing to be from a bank, using spoofed numbers to imitate legitimate bank contacts. The caller may be familiar with standard login procedures and request sensitive information such as usernames, passwords and multi-factor authentication codes. These calls often begin with alarming claims (e.g., an account balance being transferred out), which are meant to concern the recipient enough that they will readily share additional details needed for account access.

Warning your customers through notices on login screens, paper statements, SMS messages or emails can be an easy way to offer timely reminders about sharing personal information. A simple warning, such as “never share this code with others,” may go a long way.

3. Monitor Dormant Accounts

Money mules and fraudsters often open accounts with minimal initial deposits, then leave them inactive while attempting to compromise other accounts or engage in phishing and social engineering schemes. Dormant accounts can be readily identified and monitored for signs of fraudulent activity. Restrictions can be implemented to prevent these accounts from initiating or receiving wire transfers or ACH transactions or from utilizing remote deposit services.

A major national bank has adopted a policy to automatically freeze dormant or infrequently used accounts that receive significant transfers or deposits. The assets in such accounts remain frozen until internal investigations confirm that the funds are not associated with fraudulent activity or scams.
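The two policies above (barring dormant accounts from wire, ACH and remote deposit, and freezing a dormant account that suddenly receives a significant deposit) can be expressed as a small rules engine. The following is an added illustration, not code from any bank or from this publication; the dormancy window, the dollar threshold and the sample ledger are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DORMANCY_DAYS = 180          # assumed: no accepted activity for this long => dormant
SIGNIFICANT_AMOUNT = 5_000   # assumed: credits at/above this into a dormant account => hold
RESTRICTED_CHANNELS = {"wire", "ach", "remote_deposit"}   # barred for dormant accounts

@dataclass(frozen=True)
class Txn:
    account: str
    when: date
    amount: float   # positive = credit to the account, negative = debit
    channel: str    # e.g. "teller", "card", "wire", "ach", "remote_deposit"

def decide(txn: Txn, last_seen: date, frozen: bool) -> str:
    """Classify one transaction as 'allow', 'block' or 'freeze'."""
    if frozen:
        return "block"       # account is on hold pending investigation
    dormant = (txn.when - last_seen) >= timedelta(days=DORMANCY_DAYS)
    if not dormant:
        return "allow"
    if txn.channel in RESTRICTED_CHANNELS:
        return "block"       # dormant: no wires/ACH in or out, no remote deposit
    if txn.amount >= SIGNIFICANT_AMOUNT:
        return "freeze"      # significant inflow to a dormant account: hold until reviewed
    return "allow"

def process_ledger(opened: dict[str, date], ledger: list[Txn]):
    """Replay transactions in date order; return per-txn decisions and frozen accounts."""
    last_seen = dict(opened)          # opening date starts the dormancy clock
    frozen: set[str] = set()
    decisions = []
    for txn in sorted(ledger, key=lambda t: t.when):   # stable sort keeps ledger order per day
        verdict = decide(txn, last_seen[txn.account], txn.account in frozen)
        decisions.append((txn.account, txn.when.isoformat(), txn.channel, txn.amount, verdict))
        if verdict == "freeze":
            frozen.add(txn.account)
        if verdict != "block":
            last_seen[txn.account] = txn.when   # accepted activity resets the clock
    return decisions, frozen

# Constructed sample data: A-100 looks like a mule account, B-200 is an ordinary customer.
OPENED = {"A-100": date(2024, 1, 10), "B-200": date(2024, 5, 1)}
LEDGER = [
    Txn("A-100", date(2024, 1, 10), 25.00, "teller"),             # minimal opening deposit
    Txn("B-200", date(2024, 8, 30), -42.17, "card"),              # normal activity
    Txn("A-100", date(2024, 9, 20), 8_000.00, "remote_deposit"),  # dormant + RDC -> block
    Txn("A-100", date(2024, 9, 20), 7_500.00, "teller"),          # dormant + large credit -> freeze
    Txn("B-200", date(2024, 9, 20), 9_000.00, "wire"),            # active account -> allow
    Txn("A-100", date(2024, 9, 21), -7_000.00, "wire"),           # frozen -> block
]

if __name__ == "__main__":
    for row in process_ledger(OPENED, LEDGER)[0]:
        print(*row)
```

In production the thresholds would come from policy, and a "freeze" would open a case for review rather than merely marking a set entry.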

4. Look Out for Your Customers

Investment scams can cost both clients and banks a significant amount of time and money. Multiple lawsuits have been filed against financial institutions after a customer transferred funds for an investment that later proved to be fraudulent. Plaintiffs often claim that banks are in the best position to identify potential scams and should warn their customers accordingly.

Financial institutions are required to address and defend against these lawsuits when they arise. Asking appropriate questions, particularly when assisting elderly customers, may help prevent investment scams and benefit both the bank and its clients. Smaller banks are uniquely positioned to identify romance scams targeting older customers, whether by noticing atypical transactions or communicating with the customer’s family.

5. Require Electronic Statement Delivery

Mail theft has been a longstanding issue dating back to the days of the Pony Express. During the late 1800s, intercepting stagecoaches carrying mail was a common crime. Notably, Charles “Black Bart” Boles, also known as the “Gentleman Bandit,” robbed at least 28 Wells Fargo stagecoaches in California and Oregon between 1875 and 1883. Mail was seen as an attractive target due to limited law enforcement, ease of access and the potential to find checks, bearer bonds, cash, jewelry and other assets.

This risk persists today for individuals who send or receive checks through the United States Postal Service. Bank statements can disclose sensitive details, including line-of-credit balances, account numbers and bank routing numbers. Such information can facilitate the creation of fraudulent checks and lead to unauthorized withdrawals.

One prevalent contemporary scheme involves stealing account statements from mailboxes and producing counterfeit checks, which are then deposited remotely, often in locations distant from the original account holder. The greater the distance between the account holder and the depositor, the more challenging it becomes for local law enforcement to pursue an investigation.

To mitigate these risks, organizations should consider requiring customers to enroll in electronic statement delivery, thereby more tightly controlling the distribution and receipt of sensitive documents. Additionally, limiting the amount of information included on statements can reduce the value of any data obtained by unauthorized parties.

Conclusion

Protecting financial accounts from scams and fraud requires vigilance from both banks and their customers. By implementing proactive policies and encouraging secure practices, banks can help reduce the risks associated with dormant accounts and intercepted statements. Customers should also stay informed and utilize electronic banking options whenever possible to safeguard their information.

Ultimately, a partnership between financial institutions and their clients is essential in the ongoing effort to combat financial crime.

  1. NIST SP 800-63-3, Appendix A – Definitions and Abbreviations. Definition of “Multi-factor Authentication.” The NIST Digital Identity Guidelines also describe different types of multi-factor authentication solutions and their relative levels of security.
