New data on digital fraud trends
ISMG, Longitude and Javelin research reveals what keeps security teams awake at night – and what they’re doing about it
By Ellen Joyner Roberson, CFE, Global Marketing Principal, SAS Security Intelligence Practice
Addressing the risks of convenience
Financial services firms and government agencies are evolving to meet our expectations for timeliness and convenience. Now they need to evolve how they protect themselves from the associated risks. As connectivity trends shift, so do fraud trends. For example:
- New EMV chip cards make it technically unfeasible to counterfeit credit and debit cards. The downside: Fraudsters have had to switch tactics, driving a 130 percent increase in new credit card account fraud from 2014 to 2015, according to Javelin research in 2016 Digital Channel Threat Report: Derisking Convenience.
- In 2015, 70 percent of new checking accounts and 80 percent of credit card accounts were opened digitally, Javelin found – a great convenience for customers. Similarly, in most states it’s easy to apply online for food assistance, health care coverage or Medicaid programs. The downside: The faceless nature of those digital interactions makes them prime to exploit, with help from static information from massive data breaches.
Few organizations are fully prepared for this changing fraud landscape, according to research by Information Security Media Group (ISMG). In Faces of Fraud: The Analytics Approach to Fraud Prevention, ISMG reported that only 34 percent of survey respondents have high confidence in their organization’s ability to detect and prevent fraud before it causes serious harm.
Sixteen percent of respondents said their anti-fraud tools and team just can’t keep pace with evolving fraud schemes. Three-quarters of them rated their anti-fraud control as only average or above average. And 37 percent said it’s usually customers who detect the fraud, not the agency or institution.
Why have traditional fraud prevention approaches fallen short? According to ISMG survey respondents, it’s because today’s fraud schemes are too sophisticated and evolve too quickly (56 percent), customers and/or partners fall for socially engineered schemes (56 percent), and so do employees (52 percent).
A trilogy of rising risks
Organizations that have not evolved their fraud defenses with the times have felt the pain in several ways.
Mounting monetary losses. According to ISMG, 41 percent of respondents have seen an increase in fraud incidents, and they are not very speedy about addressing them. More than half of respondents (52 percent) say it takes days or weeks to uncover the fraud; 15 percent don’t even know.
Sanctions and fines from regulators. Nearly one in five respondents in a survey of 120 banks say they have been fined by regulators or law enforcement in the past three years, according to Longitude Research in Combating Financial Crime: The Increasing Importance of Financial Crimes Intelligence Units in Banking. The hit is significant; 22 percent of these banks have been fined $1 billion or more.
Tarnished reputations. “Loss of reputation is a higher priority for many banks than limiting actual losses, but it is the most difficult loss to measure,” said a senior fraud and financial crimes executive interviewed by Longitude Research. In the ISMG survey, 31 percent of respondents said fraud has caused customers to close their accounts and take their business elsewhere.
What is being done – or should be?
All three research studies – from Javelin, ISMG and Longitude – found hopeful news in fraud trends as well. Financial institutions and government agencies are fighting back with stronger investigative teams, better analytical tools and more skilled staff.
Action Step: Establish a strong financial crimes investigation unit (FCIU).
Banks are stepping up their investment in FCIUs. In addition to putting more focus on financial crimes, FCIUs enable banks to collect, share and disseminate intelligence across borders, business lines and silos of risk, where ordinarily that intelligence is not shared.
According to Longitude Research on the banking industry: “The FCIU is a relatively new concept that has gained traction since the global financial crisis.” It’s encouraging to see that 82 percent of the banks surveyed have set up an FCIU or are planning to. Of these banks, 98 percent say their FCIU is a top corporate priority.
There’s still work to be done. Just 11 percent of banks say they have fully established FCIUs across all geographies and divisions. Nearly half (49 percent) said they will have a fully established FCIU within three years.
Action Step: Invest in advanced analytics.
One way leading organizations work to keep pace with fraud schemes is through advanced analytics, such as predictive models, link analysis, machine learning and anomaly detection. These technologies supplement the basic conditional logic and business rules that are commonly used today.
Few organizations are there yet. While 74 percent of respondents to the ISMG survey have implemented fraud detection and transaction monitoring systems, a closer look suggests that these technologies may be rudimentary.
More than half (54 percent) are not currently deploying advanced data and analytics tools such as behavioral analytics, predictive analytics and social media analysis (19 percent have no plans to); 45 percent said their current systems allow for only limited analytics; and 43 percent said they can’t get a consolidated view of customer activity across the enterprise. So it’s no surprise that nearly one-third of respondents say their organizations lack the technology capacity to properly detect and respond to fraud.
On the bright side, 26 percent say their organizations will invest in big data analytics. Longitude Research confirms this trend; 87 percent of respondents cited big data analytics as the leading technology tool for their bank’s FCIU. Other popular analytics tools include advanced search and discovery (80 percent), machine learning (70 percent) and unstructured data mining (70 percent).
According to The Forrester Wave™: Enterprise Fraud Management Q1 2016, machine learning is one of the key factors that “now dictate which providers lead the pack.” Investments here will undoubtedly help resolve some of the current deficiencies in fraud detection.
Action Step: Build the skills to use those analytics tools.
A bright new analytics platform won’t deliver on its promise if the users don’t have the training to use them well. Data science is the new, hot discipline, and organizations need to invest in data scientists internally or contract with third-party experts.
Where do you find them? The skills gap is real. In the ISMG study, 42 percent of respondents said their organizations lack the staff expertise – particularly data scientists who can manage the tools.
“It’s one thing to find quantitative scientists, but it’s difficult to find quantitative scientists who understand a certain government sector or commercial banking,” said David Stewart, Director of Financial Crimes Solutions at SAS. Longitude research confirms it: 71 percent of respondents report having difficulty hiring specialized talent for their FCIUs – and it’s even more difficult for small or fast-growing banks.
It’s not because they’re not looking. When they seek to hire staff members, 85 percent of banks look to existing cybersecurity professionals; 84 percent search software companies; 61 percent tap universities; and 50 percent look to the government intelligence community.
They are scouring diverse sources, but demand for analytics talent is so great that good candidates are hard to find and harder to land. Looking to boost expertise from the inside, 94 percent say combating financial crime is a top training priority, according to Longitude.
The war on fraud is gaining momentum, muscle and money
There are challenges and barriers in the war on fraud. ISMG found that two-thirds of respondents still grapple with technical constraints such as controls in different parts of the organization that don’t talk to one another. Forty-two percent don’t want to add anything that might impede the customer experience. Fair enough. Customers might say they want protections, but in practice they take their business where it’s most convenient.
Striking the delicate balance between the organization’s security and customer convenience will require a resilient and adaptable anti-fraud solution with robust analytics, backed by well-trained personnel in a well-established FCIU.
The good news is that the executive support is there, which means the dollars are there; 98 percent of respondents to the ISMG survey said they expect to see a steady or growing budget for fraud prevention in the coming year. These new funds will be invested primarily in new anti-fraud tools (65 percent) and staff training (61 percent).
Read the full reports from Javelin, ISMG and Longitude for more on fraud trends for financial and government organizations, their current security controls and gaps, and where they plan their biggest anti-fraud investments for 2017.