10 Ways To Fight Digital Theft & Fraud
IBM touts holistic approach to cybersecurity, counter-fraud, and compliance efforts. Bankers, security experts, and a former White House CIO offer proactive advice.
![](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt458be247e2f79f7f/64cb57763f312398bb6dbe12/Cybercrime-and-fraud-facts.jpg?width=700&auto=webp&quality=80&disable=upscale)
The best way to thwart digital theft and fraud is to use a holistic, connected approach that takes advantage of the latest technologies and applies advanced analytics to vast data sets. It's an approach IBM touted at a mid-March event in New York where it brought together more than 100 security, compliance, and risk-management professionals.
IBM promoted new software and services designed to support this approach. Experts, including a former White House CIO and executives from banks, insurance companies, security firms, and government agencies, offered tips and best practices for moving beyond security, fraud, compliance, and risk silos. The stakes are higher than ever, with increasingly sophisticated and global digital criminals now responsible for some $3.5 trillion in losses each year, according the Association of Certified Fraud Examiners.
The most important advice is to break out of departmental silos. It's not that you should consolidate separate departments that address, for example, cybersecurity, fraud, and anti-money-laundering compliance efforts. But these separate groups should collaborate, with shared data, measures, goals, and coordinated incentives.
"If you start sharing information and thinking through processes across that data, it will help you to bust out of those silos," said Theresa Payton, who served as White House CIO from 2006 to 2008. Payton cited two organizations that created working teams across physical security, cybersecurity, anti-money-laundering, fraud, and risk departments. Collaboration helped one of these organizations, a defense contractor, spot a shell company posing as a supplier. As a result, the firm avoided a $500,000 wire transfer tied to a falsified purchase order, according to Payton.
Once you can span silos and share data, the next step is to apply advanced analytics to spot crime. Last year Atlanta-based SunTrust Bank was able to work across departments, pool information, and apply big data analyses to foil a sophisticated deposit-fraud scheme.
"These fraudsters knew more about our bank than some of our own people knew about how we post money to accounts," said speaker Aaron Glover, a senior analyst at SunTrust. "We discovered that we could work better together by establishing protocols for information sharing across anti-money-laundering, corporate security, and the fraud unit."
The upshot was that SunTrust was able to pool a variety of data sets, develop deep analyses to uncover the fraud patterns, and institute procedural changes to thwart the fraudulent deposits. "As a result we were able to save $5.8 million within one year," Glover said.
The New York State Department of Taxation and Finance uses advanced analytics and case-management capabilities -- core components of the Counter Fraud Management Software that IBM introduced -- to thwart $350 million in fraudulent tax refunds per year. Internal auditors who recovered an average of $500,000 per auditor per year a few years ago are now recovering $2.5 million per year due to case-management workflow automation and analytics that flag suspicious returns, said Nonie Manion, the department's executive deputy commissioner.
Other steps experts suggest include identifying and prioritizing the assets you must protect, holding "doomsday" drills to determine how departments will handle an incident, reviewing security policies and procedures with all employees, and working with law-enforcement and security groups to get ahead of cybercrime and fraud schemes. Read on for practical tips and technology advice that your teams can put into practice.
All security, fraud, risk, and compliance departments and initiatives within your organization should be aligned and connected, sharing reports on the latest security incidents and fraud attempts. Criminal activities are often connected. Denial-of-service cyber-attacks, for example, are sometimes used by criminals as a diversionary tactic as they attempt to infiltrate and steal data from corporate backend systems. Stolen data is then used to perpetrate fraud. Money stolen through fraud is invariably laundered through otherwise legitimate accounts and transactions. Working together lets you see the bigger picture of interrelated activities.
"Fraudsters can potentially hide in plain sight within the data, especially if the data is not interconnected or you're not taking an analytical approach," said Bob Griffin, VP, Counter Fraud Solutions at IBM. "By combining the data, it's possible to spot early-indicator events and interrelated activities that you would not spot looking at data in isolation."
The New York State Office of Medicaid has lots of separate departments, admits Medicaid inspector general James Cox, but by organizing oversight teams along business lines the agency has eliminated overlapping efforts and aligned activities. "The silos haven't gone away, but it has been a very successful program that has helped us detect abuse and fraud much more quickly," Cox said.
Once cybersecurity, transaction-security, fraud, and risk-and-compliance teams are collaborating, the next step is to institute shared measures, goals, and incentive-compensation plans.
"What gets measured gets done, so do you incent people to interact with each other and pursue shared goals?" asked Theresa Payton, former White House CIO and now CEO of risk, fraud, and security firm Fortalice. "If the fraud team reaches its goals, but anti-money-laundering doesn't, should the fraud team get bonuses? Yes, but they should also have shared goals."
Former White House CIO Theresa Payton, above, advises corporations and agencies to identify their POTUS- (President of the US) and VP-level priorities. It might be customer information, intellectual property, or financial transaction security.
"There are a lot of critical assets, but all constituents should meet to determine the top-two assets that must be protected from a fraud perspective," said Payton, now CEO of security and risk firm Fortalice.
Corporate communications or marketing people might be the best choice to run such a meeting, Payton advises, as departmental bosses are likely to try to sway the assessment. A clearer understanding of the top priorities will help you budget time, talent, and technology investments accordingly.
Just as security, fraud, risk, and governance teams should work together, so too should their technologies, advises IBM. The vendor has acquired multiple security technologies in recent years, including SRD entity analytics, i2 social-network and geospatial-analysis tools, and Trusteer malware protection and endpoint management systems. The new IBM Counter Fraud Management Software integrates these formerly separate technologies to support a coordinated, cross-enterprise approach.
IBM says existing security, fraud, risk, and compliance tools and systems can be tied in to its counter-fraud platform. Uniting components include advanced analytics and reporting from SPSS and Cognos, and business rules, alerting, and case-management technologies from iLog, FileNet, and IBM Business Process Manager. "We're bringing everything together so we can help our clients move from being reactive to being proactive," said Bob Griffin, IBM's VP of Counter Fraud Solutions.
The New York State Department of Taxation and Finance is using analytics and case-management technologies from IBM to help thwart $350 million in fraudulent tax refunds per year. Auditors who used to recover an average of $500,000 per year, per auditor are now recovering $2.5 million per year with the aid of automated workflows and analytics that flag suspicious returns, according to Nonie Manion, the department's executive deputy commissioner.
Data are the most valuable assets in the fight against fraud, yet many organizations leave valuable information untapped in production database tables, according to Aaron Glover, above, senior analyst at SunTrust Bank.
"What we need to be doing, through a chief data officer or data custodian role, is putting this asset into a useful, consumable form on which you can build fraud-risk models and perform link analysis so you spot the bad actors," said Glover.
Last year SunTrust used advanced analytics to uncover a sophisticated scheme in the Atlanta metro area tied to a 200% increase in deposit-fraud losses at the bank. A data-analysis breakthrough brought a $5.8 million reduction in deposit fraud in one year.
It's not enough to implement technologies. You have to walk through plausible security scenarios and do disaster drills in order to be prepared.
Communication and response plans should be in place before your most important assets are compromised, said Theresa Payton of Fortalice. Lay out the chain of command, escalation plans, action options, key contacts, and recovery steps. Develop media communications plans and consider scenarios in which you may be uncertain as to whether, say, data was accidentally exposed or intentionally stolen.
IBM's Smarter Counter Fraud Center of Competency provides industry-specific consulting services that will identify a client's program strengths and weaknesses, and design and implement strategies for detecting, responding to, and investigating fraud.
Security and fraud prevention aren't just for related departments. Companies should review security policies and procedures with all employees on an annual basis. Topics might include the applications that are acceptable to use and various types of data covered by confidentiality and privacy agreements and laws. Go over safe download, email, thumb-drive, mobile-device, and device-retirement practices.
Make sure your organization has clear and consistently enforced policies on patching operating systems and software, the use of passwords and timeout features, data encryption, data-sharing, and system access among partners and suppliers.
Target's recent data breach was traced back to a third-party contractor that unintentionally opened a pathway for malware that was exploited to steal credit card data, according to John O'Neill, SVP of fraud investigations at Bank of America. "You have to consider what data and systems your vendors have access to," he said.
Don't wait for an incident before you get acquainted with law enforcement and security groups. Regional FBI offices and national and global security organizations can tip you off on emerging and active threats that may have infiltrated your enterprise without your knowledge.
Fraudsters are taking advantage of every advance in technology, so it's incumbent upon businesses and government agencies to band together to fight cybercrime, said Maria Vello, CEO of the National Cyber-Forensics and Training Alliance (NCFTA). The NCFTA has collected 12 years' worth of data on malware and cybercrime, and it works with law enforcement and security organizations in the US, Australia, Canada, Korea, and Japan to spot new forms of malware, data theft, and fraud. The nonprofit shares this insight with members to thwart attacks. It also helps build legal cases against perpetrators.
IBM shares data with security professionals through IBM X-Force, a team that offers quarterly updates on malware and phishing attacks and trends. Last week IBM introduced IBM Red Cell, which will share similar intelligence on fraud.
Look beyond the silos within your own organization and consult with organizations in other industries, advises Jim O'Neill, senior VP of fraud investigations at Bank of America. Bank accounts, for instance, are routinely used by criminals as a destination for deposits tied to fake auto auction sites and falsified tax refund requests. But banks don't have all the data needed to spot this activity within their four walls.
"Without a complete picture, you're guessing, so you need to work with other companies to complete the picture," said O'Neill.
Telecom companies, Internet access providers, and email providers, for instance, hold the data on phishing scams aimed at defrauding bank customers. Banks and other organizations have to cross organizational boundaries, perhaps with the aid of law enforcement or security organizations, in order to forge alliances.
It's possible to lock down business activities so tightly you can virtually eliminate theft and fraud, but you'll ruin the customer experience in the process. Banks, insurance companies, and government agencies want to make it as easy as possible to open accounts, obtain policies, file claims, and secure justified returns and benefits.
"Competitive banking has brought us online account-opening and mobile-deposit options that used to require a branch or ATM visit," said Aaron Glover of SunTrust. These new options have introduced new opportunities for fraud, "but we don't want that to affect the way we do business with honest customers."
Businesses such as car dealerships and money transmitters that have higher instances of fraud deserve and get extra scrutiny, said Glover, while customers with ordinary customer profiles can open accounts and start depositing and withdrawing money entirely online.
It's possible to lock down business activities so tightly you can virtually eliminate theft and fraud, but you'll ruin the customer experience in the process. Banks, insurance companies, and government agencies want to make it as easy as possible to open accounts, obtain policies, file claims, and secure justified returns and benefits.
"Competitive banking has brought us online account-opening and mobile-deposit options that used to require a branch or ATM visit," said Aaron Glover of SunTrust. These new options have introduced new opportunities for fraud, "but we don't want that to affect the way we do business with honest customers."
Businesses such as car dealerships and money transmitters that have higher instances of fraud deserve and get extra scrutiny, said Glover, while customers with ordinary customer profiles can open accounts and start depositing and withdrawing money entirely online.
-
About the Author(s)
You May Also Like