Account Takeover and the Cost of Online Fraud
According to the Internet Crime Complaint Center, online fraud cost unsuspecting Americans $559.7 million in 2009. Account takeover and identity theft schemes are perpetrated daily via the online channel.
Deconstructing the Copiah Bank Employee Fraud Case
It didn’t take Lindsay Welch long to figure out how to commit fraud. During a 20-month period, Lindsay used her position as a bookkeeper at Copiah Bank to steal over $250,000. First, she adjusted her home equity line of credit with the bank from $15,000 to $350,000. Next, she withdrew over $250,000 from the line and deposited the funds in various accounts at the bank. From there, Lindsay enjoyed the fruits of her labor, which included buying four cars with these stolen funds.
Working backwards from how the money left the bank, consider the following facts:
- Red Flag #1 - Funds were withdrawn from Lindsay’s account to pay for four cars. It is not clear over what period the cars were purchased; however, purchasing four cars within a 20-month period is certainly unusual.
- Red Flag #2 - To pay for the cars, Lindsay “fueled” her account with stolen funds from her HELOC. It is not clear from the information available on the case whether Lindsay transferred $250,000 in one or multiple deposits. From my experience, I would strongly suspect that Lindsay made multiple withdrawals from the line of credit to avoid raising suspicion.
- Red Flag #3 - Lindsay increased the credit limit on her own home equity line of credit from $15,000 to $350,000. An increase from $15,000 to $350,000 is significant, regardless of the fact that the account belonged to the bank’s bookkeeper.
With these red flags identified, what can your bank learn from this fraud case? Here are some suggestions:
- Segregate employee accounts, both DDA and loan accounts, for additional scrutiny (preferably using a robust set of predefined fraud rules)
- Pay very close attention to HELOC credit increases associated with employee accounts
- Monitor all intra-bank transfers associated with employee accounts closely
- Consider whether or not an employee’s average account balance is consistent with their compensation. This analysis can be complicated if the employee has joint accounts; however, it is still worthwhile conducting
- Limit an employee’s ability via policy, procedure and technology to adjust credit limits on their own loan accounts
I do know that some banks no longer identify or flag employee accounts, which makes a review of employee accounts more difficult to conduct (but certainly not impossible). From my experience, employees often use their accounts to commit fraud. Whether they think that no one is watching, or they are more comfortable using an account they can access frequently, is immaterial. What is clear is that you must monitor your employees’ account activity. It’s really that simple.
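The employee-account rules suggested above, sketched as an added example (not from the original post or any bank's system): it flags a self-made or outsized limit change on an employee-owned loan account and watches cumulative draws rather than single transfers, since many small withdrawals can each look ordinary. Account ids, event fields and both thresholds are constructed assumptions.

```python
# Added example: constructed data; ids, fields and thresholds are assumptions.
EMPLOYEE_ACCOUNTS = {"HELOC-1001": "emp-17", "DDA-2001": "emp-17"}  # account -> owner

MAX_LIMIT_RATIO = 2.0          # flag limit increases above 2x the old limit
DRAW_TOTAL_THRESHOLD = 50_000  # flag once cumulative draws reach this amount

EVENTS = [
    # Employee raises the limit on her own line of credit.
    {"type": "limit_change", "account": "HELOC-1001", "actor": "emp-17",
     "old": 15_000, "new": 350_000},
    # Same employee adjusts a customer's line: routine, not an employee account.
    {"type": "limit_change", "account": "HELOC-9000", "actor": "emp-17",
     "old": 20_000, "new": 25_000},
] + [
    # Six modest intra-bank draws from the line into the employee's DDA.
    {"type": "transfer", "src": "HELOC-1001", "dst": "DDA-2001", "amount": 9_000}
    for _ in range(6)
]


def review_events(events, employee_accounts=EMPLOYEE_ACCOUNTS):
    """Return (rule, account) alerts for events touching employee accounts."""
    alerts = []
    drawn = {}  # running total of transfers out of each employee account
    for ev in events:
        if ev["type"] == "limit_change":
            owner = employee_accounts.get(ev["account"])
            if owner is None:
                continue  # not an employee-owned account
            if ev["actor"] == owner:
                alerts.append(("SELF_LIMIT_CHANGE", ev["account"]))
            if ev["new"] > ev["old"] * MAX_LIMIT_RATIO:
                alerts.append(("LARGE_LIMIT_INCREASE", ev["account"]))
        elif ev["type"] == "transfer" and ev["src"] in employee_accounts:
            before = drawn.get(ev["src"], 0)
            drawn[ev["src"]] = before + ev["amount"]
            # Alert once, at the transfer that crosses the cumulative threshold.
            if before < DRAW_TOTAL_THRESHOLD <= drawn[ev["src"]]:
                alerts.append(("CUMULATIVE_DRAWS", ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in review_events(EVENTS):
        print(alert)
```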
Bank Fraud Goes Retro
The folks over at the ABA are probably too polite to say “I told you so”, so I’ll do it for them. In the 2009 Deposit Account Fraud Survey, they showed that the threat of organized fraud ring attempts was the largest perceived threat to banks with over $50 billion in assets. In addition, they said that mid-sized institutions were just as likely to be targets of rings but were less aware of the problem posed to their particular bank.

Last week a doozy of a fraud case came to light. Russian hackers broke into three websites that specialize in archiving checks online. What were the thieves after? With the archived checks, the fraudsters had all the information they would need to create a counterfeit – the account number, the bank routing number, the name on the account and even the signature. Armed with this information they created thousands of checks on over 1,000 accounts for a whopping total of over $9 million. Most of the checks were for amounts of around $3,000 to fly under the fraud detection rules banks have in place. This is truly a 2010 twist on a scheme that has been around for decades.
Kudos to the ABA for publishing a great report on Deposit Fraud. Much of the media attention today is focused on online fraud but the majority of losses on DDA accounts are still through check fraud. $1 billion and counting. Seems like everything old will be new again.
Internet Savvy Criminals and Check Fraud
On July 22nd, the LA Times reported the story of a massive check-counterfeiting scam by a crime ring with ties to Russia. This was the online equivalent of stealing a check out of the mail. The $9 million check fraud scheme was elevated as mainstream news by Network World, the Associated Press and other news outlets. Is check fraud under control? Is check fraud a big enough problem now that it deserves more attention?
Check fraud is still seen as a relatively low-tech crime, and most financial institutions have budgets, often significant, that can range from tens of thousands to hundreds of millions of dollars each year to cover these losses. In 2009, the ABA reported that check fraud losses now exceed $1 billion a year. Now Internet savvy criminals are finding very creative ways to utilize the online banking channel to commit check fraud. I’m sure several fraud managers out there are not surprised by this at all.
The online and mobile banking channels create revenue opportunities for financial institutions, but these revenue streams also come with increased risks. Just look at ACH fraud: losses have skyrocketed in the past few years, in part due to the online payment channel. For many banks, addressing this problem is a focal point, as ACH and wire fraud often impact commercial business accounts, and the losses can be quite substantial. In addition, as losses climb they may exceed the annual budgeted expense, and there is the cost of lawsuits, including damage to the institution’s reputation and brand.
As fee income is impacted by the new regulatory changes, reducing operational costs such as fraud loss has a direct impact on the financial institution’s bottom line.
Is it time to rethink your approach to enterprise fraud management?
Why Is The ROI Curve The Right Curve To Look At?
In my earlier post I talked about the ROI curve for deposit fraud. Now we’ll discuss why this is the right curve to look at. Well, for starters it tells a story and illustrates answers to important questions. Using our original graph, I’m going to share a couple of these stories.
A Look at Fraud Prevention and the ROI Curve
What’s the point of fraud prevention? Perhaps the simplest answer is that it pays by recovering losses (costs) to the organization. This article discusses the importance of understanding the power of enterprise fraud management analytics and the return on investment of your organization’s fraud mitigation efforts.
Have you hugged your risk managers today?
Risk management is enjoying a lot of attention these days. And I don’t just mean the person at your institution who holds the title of Chief Risk Officer or the equivalent. I mean everyone who thinks like a risk manager, who asks the tough questions: “How will this new product/service/payment channel impact the risk profile of this institution?” I’d argue that one illustration of how shoddy risk management impacts financial institutions is the graph below.
One Year later – A Veteran’s Perspective
Tim Brady discusses what has changed over the past year in fighting and preventing fraud. He comments that as banks lose more of their ability to generate fee income, it is becoming more apparent that they need to ‘rethink fraud’ and its impact on the bottom line.
Can Your System Adapt to Changing Fraud Schemes?
Many instances of fraud do follow predictable patterns that are relatively easy to detect and prevent. However, it is the fraud that is “below the radar” (aka not detected by the bank’s fraud rules) that is of concern. This article discusses how fraud systems need to be flexible to respond to the rapidly changing nature of fraud schemes today.
Knowing When to Stop
This article discusses the issue of false positives, the accuracy of fraud detection systems, and the question: when dealt a queue of fraud alerts for review, how do you know when to stop?