The List: Ten resources for identifying and stopping the varieties of fraud

Mar 29, 2023

It’s hard enough to keep up with the new threats and sophistication of today’s fraudsters. It’s widely agreed that the best prevention is awareness, technology, data and solid leadership. Information isn’t a safeguard as such, but it can help to see what experts in the field are focused on and how they would go about stopping attacks. With that in mind, here’s a list of ten resources to check out. Note: Some of these resources are gated and will require a form fill. We’ve kept those to a minimum and identified that status with each entry here.

As Layoffs Continue, the Potential for Insider Fraud Is Growing. Are You Ready?

Format: HTML; Ungated

This piece in Corporate Compliance Insights provides another angle on insider fraud and works in some tips and advice about detection and prevention. Key Quote: “Social engineering frauds, such as identity theft, account takeovers or a rash of fraudulent checks written against a specific account all could be entangled with some form of insider fraud. Businesses need to have data loss prevention measures in place on email, web uploads, USB ports and other areas where people might exfiltrate data. Flagging and proactively blocking these is critical to stopping data loss and detecting suspicious activity from employees who, for example, may never need to email anyone externally or access 150 customer accounts in a normal day.”

Invoice Verification Slows Pace of Real-Time Business Payments Fraud

Format: HTML; Partially gated 

Electronic invoicing is often lauded for its efficiency and accuracy. It also serves as a hedge against B2B payments fraud, as this report from PYMNTS.com shows. Key quote: “Although fraud prevention has many components, invoice verification capabilities stand out as essential in the context of faster payments. Verification ensures businesses send payments and sensitive banking information to legitimate actors, not criminals. This is crucial because invoice fraud is common and costly: Between December 2021 and February 2022, this fraud type accounted for 55% of the money lost to scams by Barclays SMB clients, according to the bank. Companies should utilize technology that places verification and authentication front and center to protect themselves.”

FBI: Business Email Compromise

Format: HTML; Ungated 

How serious is business email compromise (BEC)? Serious enough for the FBI to dedicate substantial content and investigative resources. This page is notable for the way it portrays the problem to consumers, but it also has fascinating details about how it works and how criminals get caught. Key quote from an investigation: “A related cyber-attack arm of the scheme involved the creation of email addresses mimicking, but differing slightly from, legitimate email addresses of supervisory employees of various victim companies, of vendors that did business with those victim companies, of mortgage lenders and brokers that dealt with individual victims in connection with real estate purchases, and of advisors and accountants who performed financial services for their clients. Conspirators sent emails from these addresses to several victims, which appeared to request the payment of legitimate invoices or debts owed by the victims, but in actuality deceived the victims into transferring funds by wire into the bogus bank accounts.”

Social Engineering: Definition & 6 Attack Types

Format: HTML; Ungated

Business email compromise can be a subset of the broader category of social engineering fraud. This guide does a good job of putting all the different types – from phishing to CEO Fraud – in one place. Key quote: “We all know about the attacker who leverages their technical expertise to infiltrate protected computer systems and compromise sensitive data. This type of malicious actor ends up in the news all the time. But they’re not the only ones making headlines. So too are “social engineers,” individuals who use phone calls and other media to exploit human psychology and trick people into handing over access to the organization’s sensitive information. Social engineering is a term that encompasses a broad spectrum of malicious activity.”

Enterprise Case Management

Format: HTML; Partially gated 

With all the different kinds of fraud on the scene and the increasing sophistication of fraudsters, enterprise case management (ECM) can serve as a guiding infrastructure for keeping detection and investigation within a coherent system. Bottomline defines it as “a single, powerful application that provides an enterprise-wide alert and case management system for creating and managing alerts, cases of suspicious activity and support for Suspicious Activity Report (SAR) filings.” ECM at its best will integrate with existing corporate systems to collect and manage all data relevant for financial crime compliance, improving accuracy and efficiency.

This resource page includes solution data sheets as well as white papers. Key quote: “Most financial institutions’ case management tools across their enterprise have not kept pace with the rate of change … Investigators are trying to fight sophisticated criminals with technology that is the equivalent of having one hand behind their back, while financial institutions are trying to satisfy their customers and protect their business interests with tools that are not fully up to those tasks, either. The key to this struggle lies in the segmented structure of the teams and tools that financial institutions have in place to fight criminal activity. While different types of financial crimes have begun to converge, most organizations still have their analysts addressing specific crimes instead of specific customers without a consolidated view across the FI.”

Real-Time Guide to Real-Time Payments

Format: HTML; Ungated

This white paper serves as an excellent primer on real-time payments, but more importantly, it addresses the issue of fraud head-on. Key quote: “Advances in fraud detection software, including machine learning and behavioral analytics, do make unusual urgent requests and fake invoices easier to spot — in real time — but some governments are considering legislation to ensure more support for victims. For example, in the U.K., frameworks like Confirmation of Payee have been rolled out to check account details instantly against the name of the account holder and help prevent cases of authorized push payment fraud.”

Confirmation of Payee Is Now Open For Business

Format: Podcast; Ungated

And speaking of Confirmation of Payee (CoP), this podcast does double-duty: it unpacks the concept and then imparts some valuable advice on how to put it to work for businesses in the UK. Key quote: “What businesses needed is the ability to verify accounts at the point where the data is captured while the customer is still engaged with them so they can fix any errors straight away. That’s where Confirmation of Payee for Business fits. It’s a simple API that can be embedded into processes to verify account details at the point where they're entered. That might be a phone app, an internet page, a call center or even face-to-face in a store.” 

How to Protect Your Business from Check Fraud

Format: HTML; Ungated

Any business payments network worth its salt will not tolerate any level of fraud – digital or paper. Paper checks are still a force in the business payments space and they too are subject to theft and vulnerable to fraud. This resource from Fifth Third Bank contains the details on how it works and provides seven ways to stop it. Key quote: “Given their ease of use, businesses will continue to use checks for the foreseeable future. Therefore, minimizing losses requires a willingness to use checks coupled with mechanisms to detect fraud as soon as it arises. Common check fraud includes the forging of signatures or endorsements, the alteration of payee names and dollar amounts, and the creation of counterfeit checks. Like other forms of financial crime, perpetrators look for companies that lack the people, processes and technology to prevent losses.”

Cybersecurity Risk Report

Format: PDF; Gated

Completing our insider fraud triad, this white paper looks at insider fraud by vertical. Spoiler alert: Healthcare tops the list of risky environments. Key quote: “Among the levers at the cybersecurity practitioner’s disposal to reduce risk are security posture and the data management of records; our study found that substantial improvements to security posture and reductions of records at risk can reduce losses by 60 percent and event probability by 67 percent, and these levers can jointly reduce overall event exposure by 88 percent.”

Cost of A Data Breach 2022

Format: PDF; Gated

This annual report from the Ponemon Institute contains the usual coverage of breaches and why they happen, with an emphasis on the cost for specific threat vectors. This year’s version goes heavy on the impact of hybrid work. Key quote: “When remote working was a factor in causing the breach, costs were an average of nearly USD 1 million greater than in breaches where remote working wasn’t a factor — USD 4.99 million versus USD 4.02 million. Remote work-related breaches cost on average about USD 600,000 more compared to the global average.” 

 
