Fraudsters proved in 2008 that they are increasingly tenacious and sophisticated in their fraud schemes. Phishing and malware continued to be popular methods for acquiring online account and personal information. … While it is clear that accounts are being compromised in great numbers, financial institutions must also deal with the myriad resulting schemes to steal victims' money. The schemes vary, but share a common theme of using the online channel for an initial, critical component of an overall scheme. We have seen numerous ways that account information has been used, including:
Indeed, check ACH and other types of "offline" fraud seem to be on the increase in the last several months, but these cross-channel schemes frequently have undetected online account takeover at their root. Institutions rarely have the resources to piece together the overall fraud scheme. We're hearing a lot of reports about cybercriminals taking advantage of the economic crisis and upheaval in the financial industry. What are you seeing so far?
Cybercriminals are certainly finding new ways to steal sensitive data and exploit consumer confusion around the banking meltdown. The Federal Trade Commission recently published examples of phishing scams that attempt to capitalize on the turmoil in the financial services industry by asking consumers to "update, validate, or confirm" account information. Consumers are more likely to provide information to these scammers because they look like they're coming from financial institutions that are part of the recent bank consolidation, so it appears credible. Fraudsters are also exploiting consumers' increased interest in new job opportunities as unemployment rates skyrocket, leading consumers to bogus sites that promise new job offers or "work from home" opportunities where the victim becomes an unwitting mule in a fraud scheme, typically using their legitimate online banking account to transfer money around. Is the recession affecting financial institutions' security budgets and/or antifraud efforts?
While overall budgets have declined, we have not seen a decrease in security and antifraud investments. Fraud will continue to remain a problem that financial institutions need to address, especially as criminals get more desperate and savvy in the current economic climate.
Phishing scams, malware and identity theft are all trending upwards in volume and sophistication that will only get worse in 2009, forcing all financial institutions to be more diligent in the ongoing fight against fraud. Moreover, as more large-scale bank mergers are announced and the ones already in motion begin to finalize, fraudsters will be lurking in the shadows, eager to capitalize on the confusion and uncertainty that comes with industry consolidation. Consumers will be distracted by the economy, and their misguided attempts at frugality will lead to poor decisions. For example, many consumers will let their antivirus protection expire to save $50, jeopardizing the safety of the broader online ecosystem in the process. With the economy in flux for the foreseeable future, banks and consumers must be made more aware of the dangers of online fraud and take action to protect themselves accordingly. What compliance issues do you think will be priorities for your customers next year?
Just as SOX emerged from the previous major economic downturn, I predict that Washington will begin issuing more regulations for financial institutions in particular. Increased regulation in the financial sector is inevitable, given the economic crisis was in a large part, borne of deregulated activities. In addition, Obama's administration will likely make some regulatory changes that will impact the financial institutions and their vendors and service providers.
One particular compliance issue that our customers will be prioritizing is the Red Flag regulations, which calls for the "establishment of an Identity Theft Prevention Program that is appropriate to the size and complexity of each organization," and is required of any financial institution. The Nov. 1, 2008 deadline has passed, but compliance will be an ongoing and evolving concern.