Over the last decade, I have spent the majority of my time focused on strategic planning for fraud prevention and fraud program enhancements. During this time, I have met and spoken with countless financial and law enforcement professionals who face the challenges of an ever-changing fraud environment. Due to the nature of fraud, my programs had to be ever-changing as well. I have taken the time to identify the most recurring themes I have seen throughout my travels and want to share them with you.
1. Reactive Programs
Arguably, the most common and troubling mistake is that the majority of the anti-fraud programs I have reviewed over the course of ten years are entirely reactive. They follow fraud trends and respond to threats only as they see them in their environment. The problem with this approach is obvious: you must see fraud to detect fraud. I have found it much more valuable to identify and measure risk both within your environment and outside of it. By measuring risk you identify your exposure, and by understanding your exposure you can identify both the strengths and the weaknesses of your program.
When you identify the most likely places for fraud to occur, you can focus your efforts on closing those gaps within your security layers and proactively prevent exploitation of those weaknesses. However, your program shouldn’t stop there. When fraud is confined we tend to believe it is controlled, but I would suggest that this is not always the case: “controlling” fraud is a perception of how effectively you mitigate it, not evidence that you actually control it. One factor that is always hard to quantify is how much fraud you have redirected or avoided by having strong controls versus how much of a target you actually are. When the attacks stop or slow down, you need to understand why. Are your tools that much more effective? Did the bad guys move on to weaker and easier targets, or has fraud moved into a blind spot where you have lost the ability to see it? As a program manager, you should constantly be testing your environment and exploring new and innovative ways to mitigate fraud as it relates to emerging and unknown threats.
Additionally, you can learn a lot by recognizing what is happening in the cybercrime world, finding out what is gaining popularity in the underground forums, and then putting together a strategy to assess the risk of those threats and combat them, so that you are at least somewhat capable of mitigating them. When you see another institution in the news related to a breach or a large fraud event, do you ask yourself “Could that happen to us?” If so, consider that part of the problem. If your program is not already prepared for such an event, take some time to learn from others, but also consider why you had not prepared for that kind of event already. Why did it take something newsworthy to identify a potential problem? Why couldn’t your team anticipate that exploitation or exposure? More often than not, institutions are more focused on stopping what they know is happening and less focused on what could happen. Unfortunately, this approach works in favor of the criminal.
2. Fraud Losses
The second most common mistake I see is the focus on fraud losses, the numbers game. I believe this is a result of how the vendors who sell us fraud solutions tell us to view fraud. As most of us know, many fraud solutions focus on monetary value when measuring risk, which in some cases is a valid perspective. However, doing so means the solution will disregard the risk associated with low monetary values, leaving an open exposure that goes unchecked. Most institutions are only looking at the riskiest transactions, limiting their view and increasing their risk exposure instead of reducing it. This is what we have come to call “death by a thousand paper cuts”. These tools only measure risk as it relates to individual events, and then try to compound risk by putting more than one condition on the event. Whenever you rely on triggering events based on specific criteria, you have also determined the work-around strategy for the criminal. It then becomes only a matter of time before they probe your changes and find out what it takes to bypass them.
Additionally, when only monetary values are reviewed, many low-value transactions can occur in a very short amount of time, effectively draining accounts without any notification to the institution. When this happens often enough, institutions find themselves having to create or manage additional controls that measure the velocity of events and the amounts accumulated over time, while still limiting what is and is not assessed by requiring specific criteria before the assessment is triggered at all. This is due to the poor performance of the tools and the sheer volume of transactions that fall into those ranges.
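To make the “thousand paper cuts” gap concrete, here is an added example (not from the original article) that runs a single-event value threshold and a per-account sliding-window velocity check side by side over a constructed set of transactions. The window, count and accumulated-amount limits are illustrative assumptions, not values the article prescribes.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample transactions (not real data): (account, ISO timestamp, amount).
# acct-A is drained by many small debits in a few minutes, acct-B makes one large
# purchase, acct-C makes two small purchases hours apart.
TRANSACTIONS = [
    ("acct-A", "2024-03-01T10:00:00", 45.00),
    ("acct-A", "2024-03-01T10:01:30", 48.50),
    ("acct-A", "2024-03-01T10:02:10", 49.99),
    ("acct-A", "2024-03-01T10:03:45", 47.25),
    ("acct-A", "2024-03-01T10:05:00", 49.00),
    ("acct-A", "2024-03-01T10:06:20", 46.75),
    ("acct-B", "2024-03-01T10:04:00", 520.00),
    ("acct-C", "2024-03-01T09:00:00", 45.00),
    ("acct-C", "2024-03-01T15:00:00", 45.00),
]


def per_transaction_alerts(txns, threshold=500.0):
    """The 'numbers game': alert only when a single event exceeds a value.
    Every debit on acct-A is below the threshold, so the drain is invisible."""
    return sorted({acct for acct, _, amt in txns if amt > threshold})


def velocity_alerts(txns, window=timedelta(minutes=10), max_count=5, max_total=200.0):
    """Sliding-window check per account: alert when the number of events or the
    accumulated amount inside the window crosses a limit (assumed limits)."""
    alerts = set()
    recent = {}  # account -> deque of (timestamp, amount) still inside the window
    for acct, ts, amt in sorted(txns, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        q = recent.setdefault(acct, deque())
        q.append((when, amt))
        while q and when - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= max_count or sum(a for _, a in q) >= max_total:
            alerts.add(acct)
    return sorted(alerts)
```

The value threshold flags only acct-B; the velocity check flags acct-A as well, while acct-C stays quiet because its two purchases never share a window.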
3. Poor Analysis
Another very common recurring theme with fraud programs concerns the amount of analysis performed. When fraud tools miss a fraud event, an analysis is performed to determine why it was missed, and some sort of corrective action is put in place to make adjustments and prevent it from happening again. This is an effective process and should be done for every missed event. However, it should be extended to every event captured as well, because that gives you the ability to identify what stopped the fraud and what is working. Why is this so important? Because this is exactly what the criminal is doing to identify gaps within your controls: performing a root cause analysis whenever they fail to steal from you. They do this so they can come back and exploit the very solution that you previously tuned to stop them.
4. Improper Classifications of Fraud
Have you experienced fraud without a monetary loss? Most likely you have, but more importantly, do you categorize it as such? Account exploration is a leading indicator of fraud that seeks to “normalize” account activity in order to accumulate account-specific information such as names, addresses, phone numbers, e-mail addresses, etc. Usually when a criminal purchases account-related user names and passwords, they also purchase a short file with this information in it. This information is gathered via reconnaissance through channels such as social media, and it is used for online and phone verifications or to minimize the chances of failing out-of-wallet questions and challenges during future logins or risk-assessed activity. If we are not measuring the occurrence of this type of activity, we are not properly identifying the exposures in our programs. It is important to realize that fraud is not synonymous with loss, and your program strength and exposure ratings should reflect that.
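As an added illustration (not part of the original article) of classifying fraud that carries no monetary loss, the following rule labels a session “exploration” when it reads identity details but moves no money, so that it is counted toward exposure alongside loss events. The action names, the set of identity-bearing pages and the two-view minimum are constructed assumptions.

```python
from collections import Counter

# Constructed session logs (not real data): (session_id, account, action).
SESSION_EVENTS = [
    ("s1", "acct-1", "login"), ("s1", "acct-1", "view_balance"), ("s1", "acct-1", "transfer"),
    ("s2", "acct-2", "login"), ("s2", "acct-2", "view_profile"),
    ("s2", "acct-2", "view_contact_details"), ("s2", "acct-2", "view_security_questions"),
    ("s3", "acct-3", "login"), ("s3", "acct-3", "view_balance"),
    ("s4", "acct-4", "login"), ("s4", "acct-4", "view_profile"), ("s4", "acct-4", "logout"),
]

# Assumed page names whose content is account-holder identity data (names, addresses,
# phone numbers, e-mail, challenge answers) rather than money.
PII_VIEWS = {"view_profile", "view_contact_details", "view_security_questions"}
# Assumed actions that actually move funds and are therefore visible to loss-based tools.
MONEY_MOVEMENT = {"transfer", "bill_pay", "wire"}


def classify_session(actions, min_pii_views=2):
    """'money_movement' if funds moved, 'exploration' if the session only harvested
    identity data across several pages, otherwise 'normal'."""
    acts = set(actions)
    if acts & MONEY_MOVEMENT:
        return "money_movement"
    if len(acts & PII_VIEWS) >= min_pii_views:
        return "exploration"
    return "normal"


def classify_sessions(events):
    """Group events by session id and classify each session."""
    by_session = {}
    for sid, _acct, action in events:
        by_session.setdefault(sid, []).append(action)
    return {sid: classify_session(acts) for sid, acts in by_session.items()}


def exposure_summary(events):
    """Count each class so zero-loss exploration shows up in the exposure rating."""
    return Counter(classify_sessions(events).values())
```

Session s2 touches three identity pages and no money, so it is recorded as a fraud event with zero loss; s4 views a single page and stays below the assumed minimum.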