Unsecured banking systems can be remarkably easy to exploit.
Just imagine a banking call center, where employees process payments on behalf of customers every day. Before the world changed in early 2020, call center supervisors could control and sign off on employee access to customers’ information and money. When that work went remote, though, unprepared supervisors lost some of those controls, and unscrupulous employees had access to move customer funds into fraudulent accounts.
Or imagine a bank that flags big, five-figure-plus customer deposits. This is common practice because a bank’s sales team can build lists around these accounts to target these customers with additional services and financial products. But an IT contractor can also get access to that list of high-value customers — along with their account details and contact information — then sell that list to the highest bidder.
Instances of insider fraud are on the rise, along with the costs and complexity of those attacks. The PwC Global Economic Crime and Fraud Survey 2020 found that 37 percent of fraud that affects businesses is committed by internal perpetrators. PwC expects that number to rise as subsequent surveys more fully reflect recent changes to work arrangements.
In this article, Featurespace Fraud Expert Alex Robison explores what insider fraud looks like, why banks struggle to catch it, and what they can do to monitor and prevent this kind of fraud.
Let’s get specific about what ‘insider fraud’ means.
Insider fraud describes a broad set of actions perpetrated by a broad group of people:
- The person committing that fraud could be an employee, a former employee, a contractor or even a business associate.
- The fraud itself can be malicious, or it can result from the carelessness or negligence of the person involved.
In each case, the person committing the fraud has a good understanding of the organization’s processes, controls, security practices, data, and computer systems. This allows that person to steal or compromise confidential and commercially valuable information. It also allows that person to sabotage the company’s computer systems.
This is what makes insider fraud so complex. Each of those potential actors has their own level of access, each of the systems they use has its own vulnerabilities, and each person has their own motives for committing fraud.
Why are organizations struggling to catch this kind of fraud?
There are three ways to stop people from doing something you don’t want them to do:
- You can explain to them why they shouldn’t do that thing.
- You can restrict their access.
- You can monitor their behavior for indications that they are about to do the thing you don’t want them to do.
Parents of toddlers understand this. When a 2-year-old learns to walk, the family’s entire home becomes one big threat landscape.
You cannot reason with a 2-year-old, so threat management means restricting access and/or monitoring behaviors. The parents quickly learn to listen for things like the unauthorized opening of the silverware drawer in the kitchen. Eventually, however, many parents decide to install a baby gate in the kitchen’s doorway because monitoring the child’s behavior is exhausting.
Most insider fraud prevention tools and processes follow the baby gate method of prevention. In banking, organizations tend to have a variety of siloed systems that restrict access to specific users. Sometimes, this gets unwieldy: The call center uses one system, headquarters another, the various banking branches yet another. Baby gates everywhere.
Here’s where the complexity of insider fraud itself piles onto the problem. A bank can have hundreds or thousands of employees and partners, each with their own means and motives for committing fraud. Very quickly, those banks discover that preventing insider fraud is too complex for simple solutions.
That means banks must deploy the other methods of fraud prevention: communication and monitoring. For monitoring to work, though, banks have to be able to see and track what everyone in the organization is doing. Manually monitoring a workforce would be beyond exhausting, in the same way it would be for the toddler’s parents to always be listening for the silverware drawer.
With machine learning, however, this kind of monitoring is not only possible but incredibly effective at identifying fraud in complex working environments.
What can banks do to monitor and prevent insider fraud?
Banks need to have certain key controls in their fraud risk management frameworks. Those controls include:
- Onboarding controls. All employees, contractors and partners who access any banking systems must get vetted.
- Access controls. Each person’s system access and capabilities should be limited to what’s necessary for their roles.
- Continuous risk assessment. This helps the organization understand the likelihood and impact of fraud.
- Education and awareness. Employees and other users need to understand the risks and consequences of fraud.
- Intelligence sharing. This lets disparate teams work together to get a shared understanding of the threat landscape.
These controls cover the access-restriction and communication methods of prevention. A monitoring tool powered by machine learning can then backstop all of these controls by building individual behavior profiles of all users. Those profiles allow us to model what good, characteristic employee behavior looks like. We can then compare anomalies or suspicious behavior against that benchmark.
Let’s use a call center again as an example. In most call centers, agents don’t control the calls they are connected to. As such, an agent’s log of inbound phone numbers will be statistically random. Behavioral data could confirm this. And so, it would be unlikely that the same number calls the same agent multiple times in a day.
Now, imagine a day in which the same call center agent fields five or six phone calls from the same number. If this were to happen, a machine-learning-based monitoring solution could flag that anomalous activity and alert that agent’s supervisor. The bank’s investigators could then follow up to see whether this was in fact normal activity.
It’s akin to ears pricking up when the silverware drawer flies open. Very few banks have the resources to monitor such a situation manually (that would involve someone tracking call logs in real time), but automated deep behavioral learning techniques can do it.
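The call center check described above can be sketched as an added example (not Featurespace's model or code): a plain binomial test stands in for the machine learning profile, scoring how unlikely it is that random routing sends one caller to the same agent so often. The call log is constructed, and the function names, thresholds and the assumption of uniform routing across the agents on shift are illustrative.

```python
from collections import Counter
from math import comb

# Constructed sample call log: (date, agent_id, caller_number). Not real data.
CALL_LOG = (
    [("2024-03-04", "agent_07", "+15550100")] * 5
    + [("2024-03-04", "agent_12", "+15550100"),
       ("2024-03-04", "agent_03", "+15550142"),
       ("2024-03-04", "agent_03", "+15550142"),
       ("2024-03-04", "agent_19", "+15550142"),
       ("2024-03-04", "agent_21", "+15550177")]
)

def binom_tail(k, m, p):
    """P(X >= m) for X ~ Binomial(k, p)."""
    return sum(comb(k, i) * p**i * (1 - p)**(k - i) for i in range(m, k + 1))

def flag_repeat_callers(log, agents_on_shift, min_repeats=3, alpha=0.001):
    """Return (date, agent, caller, hits, score) rows that uniform random
    routing is unlikely to produce, most suspicious first."""
    pair_counts = Counter(log)                           # per (date, agent, caller)
    caller_totals = Counter((d, c) for d, _, c in log)   # per (date, caller)
    p = 1.0 / agents_on_shift   # assumption: each call is routed uniformly
    alerts = []
    for (day, agent, caller), hits in pair_counts.items():
        if hits < min_repeats:
            continue
        total = caller_totals[(day, caller)]
        # Union bound: chance that *any* agent receives >= hits of this
        # caller's calls that day, so busy callers do not over-alert.
        score = min(1.0, agents_on_shift * binom_tail(total, hits, p))
        if score < alpha:
            alerts.append((day, agent, caller, hits, score))
    return sorted(alerts, key=lambda a: a[4])

if __name__ == "__main__":
    for alert in flag_repeat_callers(CALL_LOG, agents_on_shift=40):
        print("review:", alert)
```

With 40 agents on shift, five of one caller's six calls reaching the same agent is flagged; with only 4 agents the same pattern is plausible by chance and is not, which is why the baseline has to reflect how calls are actually routed.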
This is what enables organizations to be proactive in preventing internal fraud. By monitoring things like anomalous employee behavior, banks fortify their existing tools for catching insider fraud. As the scope and scale of insider fraud grow, banks that embrace these proactive approaches to fraud prevention will be better protected against insider threats.