"Financial Service Technology America, today's latest financial news now..."
Facing up to fraud

Wachovia | www.wachovia.com


Earlier in the year, Jonathon Edgley managed to catch up with the extremely busy Shirley Inscoe, who, along with her role as Senior Vice President for Loss Management at Wachovia, is also heading up the BITS fraud reduction steering committee in the fight against fraud. Here are Shirley’s thoughts on a number of issues they touched upon.

The major problems faced by financial institutions
The first thing I would say is external data breaches are a major problem, especially those that include customer information like their social security numbers, address, account information.

Another huge problem is the insider threat of employees who might deliberately or unintentionally leak data concerning customers and their accounts outside the walls of the institution.

The vulnerability of financial institutions
I don’t think that we are more vulnerable than other industries. I think that due to the nature of our business it is critical that we really excel in protecting our own systems; we scrutinize our employees’ behavior; and protect our clients’ accounts. So, because of the nature of our business I think we are a more likely target, but I don’t believe we’re more vulnerable in any other way.

Leading the fight against fraud
Yes, I do believe we are. I believe we have focused on this as you said partially out of necessity, but also clearly because of the nature of our business it is something we have to focus on.

I believe we’ve done a really good job in terms of firewalls, monitoring our systems and the activity of the people who do try to break through those systems, managing the patches we get from the vendors, and working together with the industry.

The ‘next generation’ of attacks
If you look at the data breaches that have occurred in the past, they really haven’t been as a result of hackers, and I’m talking about financial institutions. They resulted from a lost tape that was being shipped from one place to another, or an employee who has sold information outside the institution. It really hasn’t been as a result of someone hacking into the institution.

You ask who’s winning the battle. The thing about information security and information security threats is that they’re always evolving. In that way it’s just like fraud, and what we’re seeing is that there is a next generation of attacks. The threats are becoming more organized, they’re international in nature, many of our attacks are coming from overseas. So I believe we are experiencing the next generation and it will continue to evolve.

The impetus then is for us to continue to be vigilant, to be proactive and to make sure we are as prepared as possible for those new types of threats.

Thinking of the future
I think we always try to be proactive, and just as there are a variety of threats there are a variety of solutions. The key is for us to fit the appropriate solution to the situation at hand. For example, I mentioned earlier that in the past there have been situations at various institutions where employees have sold data. So one solution the industry has come up with is a new database we are creating that will keep someone who has committed that type of crime in a financial institution from going to another institution.

Furthermore, there are security tokens, there’s software on the market, there are a lot of different solutions, we just have to make sure that we are fitting the appropriate solution to the relevant problem.

Keeping problems ‘in house’
First of all I want to assure you that while we do not talk as openly to the public about what’s happened, we do talk and work together as an industry. We do share information about our experiences, we share best practices with one another, and we develop solutions as an industry – much of that work is coordinated via BITS (see sidebar).

Placating customer concerns
I think this is an excellent point and really made me think and what struck me is that as an industry we have not communicated proactively to our customers what we are doing to protect them and their accounts.

There are a number of reasons for that, for example, we don’t want to communicate too openly because the fraudsters out there and the people trying to get through our firewalls will be better educated about what we’re doing. I think we’ve not yet found the balance between the communication and the education we need to give to our customer base and the public at large. So I think that’s something as an industry we need to work on.

Working together
By Jonathon Edgley

The major point I took from our discussion was the message Shirley was relaying about the work the industry is doing together.

It seems that many, myself included, see financial services institutions as a closed book and individualistic in nature, not wishing to discuss any failures for fear of business reprisal or embarrassment. It would seem, however, that this assumption is inaccurate, a point Shirley makes clear when she talks about the role BITS plays in the industry.

Specifically, BITS is a nonprofit, CEO-driven financial service industry consortium made up of 100 of the largest financial institutions in the US and has done a great deal in the fraud prevention arena. Shirley heads up the BITS fraud reduction steering committee, and is in a great position to provide some valuable insight into how the industry is dealing with the major issue of phishing.

“BITS has facilitated the sharing of successful strategies for reducing threats, they’ve produced guidelines to assist financial institutions, they’ve worked with vendors to urge them to meet a higher duty of care and they’ve pressed the regulatory community and federal institutions to establish and maintain incentives for improvement. They continue to do a tremendous amount of work in this arena,” she asserts.

“Earlier you mentioned the e-mails that people get, these e-mails that we call phishing, are a tremendous problem for financial institutions. When they first started out they were poorly worded, there would be bad grammar and misspelled words, and they were pretty obviously fake. Frankly, they’ve evolved and become much more sophisticated and it’s more difficult to realize they’re not from the financial institution they claim to be from. At BITS, the fraud reduction steering committee work together to create what we call the BITS phishing network. This is a searchable database that financial institutions contribute information to, it can be searched for phishing incident and response experience, it also has contact with law enforcement agencies, foreign governmental agencies, and also ISP web administrators. This is really important because one of the main things a financial institution wants to do as soon as they’re aware of a phishing episode is to get that site shut down as quickly as possible. So BITS has helped us work with the ISP administrators to educate them and help us work more effectively with them to get these sites shut down when we’re aware of the problem.

“These are the kinds of things that we as an industry have worked with BITS to achieve – there are a number of those. Again, we haven’t really publicized them outside our industry.”

And, making reference to my point earlier, it’s not just an intra-industry collaboration, as work is now done across different sectors. “A lot of that is done with law enforcement because we are the two sides of the transaction. For example, if somebody is conducting fraudulent sales on eBay or buying products listed on eBay fraudulently, they’ll often wire the funds into the bank, or at least tell the consumer they are wiring the funds or sending a check. It then turns out to be a fraudulent transaction and the consumer is out, not only their product but also their money; as such, we often do work with eBay and many other companies involved in the fraud that took place.”

Inscoe on Phishing

Believe it or not, I receive the phishing e-mails myself! As a banker I look at that e-mail that purports to be from a financial institution and I think to myself, why on earth would a financial institution reach out to a consumer and ask them for an account number; we are their bank, we know their account number. But, believe it or not people continue to fall for these and respond to them, so I think your earlier point about better communication and better education is one that we need to take seriously. We do have information on our website, and the first thing we tell our consumers as we try to educate them is if there is any doubt in your mind that an e-mail is from us, call us. Verify it’s from us because nine times out of 10 it won’t be, certainly if it’s asking for account details.

On the one hand we don’t want to lose e-mail as a communication channel to our customers, but on the other hand it is something we do need to do a lot more education on.

We do have a Wachovia security and protection newsletter that’s issued once a season to employees and on Wachovia.com so anyone who goes to our website can access it. We also have a phishing update that’s included in the newsletter that keeps people up to date with any news and tips. We have had such a positive response to that it’s been overwhelming. People are hungry for education.

The other thing is that we really do encourage people to do online banking because if there ever is a fraudulent transaction on one of their accounts the sooner they report it to us the better we are able to help them shut it down – and online banking assists in achieving this.

