New Cyber Risks in Financial Institutions Can Be Solved by Communication


When the COVID-19 pandemic hit, many industries ground to a halt. In response, governments around the world approved unprecedented amounts of money to be sent to individual citizens and businesses to prop them up until they were able to reopen and go back to work. As funds were being transferred at break-neck speed, financial institutions were asked to help distribute and manage this money. At the same time, opportunistic fraudsters and cybercriminals pounced on the chaos.

In the panel session, “Emerging Fraud Risks and Trends in Financial Institutions,” at the 32nd Annual ACFE Global Fraud Conference, anti-fraud leaders in some of the top banks around the world weighed in on how the pandemic affected the fraud that financial institutions saw and the best tactics to fight some of those risks.

When the U.S. Congress passed the Paycheck Protection Program (PPP), they set it up for banks to accept applications and distribute the funds. That influx of money created a new set of fraud schemes banks needed to be aware of. “PPP may be over, but we have the lasting effect of that,” said panel moderator Terri Luttrell, the compliance and engagement director at Abrigo. Paul Benda, the vice president for operational risk and cybersecurity at the American Bankers Association, said their member banks saw a large shift in the types of fraud they saw as a result of stimulus programs.

“Talking with our bankers, they actually saw a decrease in bank-focused fraud over the pandemic and we think that is because it was such a target-rich environment for some of those stimulus funds, the CARES Act, unemployment insurance fraud … the states were just trying to shovel money out there,” Benda said. “It was a big change, and I don’t think people had quite realized what the changed rules meant in terms of the ability to do fraud.”

With fraudsters shifting their attention from institutions to individuals, the panelists all reported seeing a rise in identity theft. “Identity theft in general continues to evolve and be of concern … the extent of it is significant,” said Robert Clarke, the managing director and global head of investigations at Citi security and investigative services. “I think awareness is critical. Educating customers and keeping them up to date, keeping their sense of vigilance up is vital.”

Some fraudsters rushed to set up fraudulent websites purporting to email people who signed up with updates about vaccines or testing, but the sites really harvested personally identifiable information (PII) from the victims. “They quickly adopted the COVID-19 spear phishing or phishing sites and they really exploited the anxiety and the fear around the pandemic,” said Caitlin Dolan, a vice president in the cybersecurity intelligence group at JPMorgan Chase & Co. “The pace at which cybercriminals can adapt to this type of climate, it’s important to keep pace with that from a threat intelligence perspective.”

In addition to the general chaos driving fraud victims to letting down their guards and willingly share information, the shift to working from home meant that millions of employees now had to access their organizations’ networks from less secure environments in their homes. “In 2020 there were over 1.5 million new remote desktop protocol devices that were introduced to the internet’s ecosystem. A lot of companies had to quickly adopt a fully remote workforce,” said Dolan. “Throughout the middle of 2020, you then saw a lot of cybercriminal actors use the pandemic as an opportunity to deliver ransomware.”

With stolen PII, fraudsters are able to build synthetic identities, which the panelists said became a rising issue with financial institutions. Fraudsters might take a social security number from an infant and pair that with a fake name and address to then apply for a bank account or stimulus funds. “It’s so difficult to detect synthetic ID fraud because it’s able to bypass rudimentary controls,” explained Dolan. Benda said the smaller member banks in his group often don’t have the tools to identify and track synthetic identity theft the way larger banks do. “Being able to have flags that at least tell you to investigate that account opening more deeply is really important … it gets really complex really quickly.”

Despite the challenging environment financial institutions face in fighting fraud, the best way to fight schemes like synthetic identity, ransomware and others is through communication. In many organizations, the cybersecurity team is in a separate silo from the anti-fraud staff. The panelists agreed that mentality is a mistake if organizations want to prevent and detect fraud — especially with so many fraud threats becoming cyber-based as a result of the pandemic. “The intersection here is key to having a holistic program,” said Dolan. “So many times, I can’t stress this enough, there’s so much overlap between what’s going on with fraudulent activity and cybercrime.”