That's the overall message from the Faces of Fraud: Fighting Back survey, whose results have just been released in an Executive Summary by Information Security Media Group. The results, which include responses from more than 230 financial leaders and security officers at financial organizations of all sizes, reveal keen insights into the fraud landscape.
Among the survey's top findings:
- Credit and debit card fraud ranks No. 1 among current forms of fraud, with 81 percent of respondents saying they have been impacted by payment card incidents this year. Check fraud comes in second, with 63 percent saying it remains a problem.
- Phishing and vishing-related fraud comes in third, getting 48 percent of the respondents' votes. Interestingly, only 20 percent of respondents say they are prepared to fight and prevent phishing and vishing attacks.
- Cross-channel fraud detection is not being widely implemented, with 55 percent saying they continue to rely on manual fraud detection techniques. Only 26 percent have a plan or team in place for cross-channel fraud detection; and 63 percent collectively say they either have no cross-channel plan or team, are working on a plan or team, or simply don't know.
- And 76 percent of respondents first learn of fraud incidents only when their customers and members notify them.
- To reduce vulnerability to fraud, 63 percent say they have improved customer and employee awareness through education, 40 percent say they have invested in new technology and 17 percent say they have increased their budgets and/or staff.
- In 2011, 34 percent of respondents say they will increase budgetary investments and/or personnel to improve fraud prevention.
Reactions to the Results"Many institutions only know about fraud when they get notified by the customer, and that is not indicative of an industry that is really trying to address the problem," says George Tubin, a senior research director for TowerGroup, focusing on delivery channels and financial security.
Tubin's perspective is not isolated. His is one of a handful of opinions solicited in response to the Faces of Fraud survey results.
Matthew Speare, senior vice president of information technology for Buffalo, N.Y.-based M & T Bank Corp., says fraud detection at banks and credit unions is still evolving.
"It's still an afterthought," Speare says during a panel discussion included in the Faces of Fraud Survey Results webinar. "No one seems to have been able to have made a lot of traction, and no one seems to be doing a lot to detect multichannel fraud."
But Speare is quick to point out factors that have contributed to banks' and credit unions' stagnation in multichannel detection. "What we see is that as organizations get larger, you get more and more siloed," he says. "It's an incredible challenge, especially if you scale over time, to get the full view of your customer and all of their transactions."
Fraud Awareness: 'It's Pretty Sad'Others who reviewed the survey's results are less lenient, saying it's time for banking institutions to catch up. Avivah Litan, a distinguished analyst and vice president at Gartner, says banks and credit unions have for years continued to face the same fraud issues and rely on the same detection methods. "It seems fraud detection is really getting short-changed," she says. "It also says there is a lot of fraud they are never detecting."
With more than three-quarters of the survey's respondents saying they learn about fraud when customers notify them, Litan says, "I see that year after year, and it's pretty sad." It's clear cross-channel fraud is a problem, yet continues to fly under the radar. "There's not enough money being spent on cross-channel fraud detection, and that is disappointing to me," she says. "So much emphasis is being put on education for consumers and employees, but they aren't investing in technology."
Tower's Tubin says many small to mid-sized financial institutions simply don't believe cross-channel fraud is a problem. According to the survey, 39 percent say cross-channel fraud accounts for less than 10 percent of all fraud incidents. "Institutions have a hard time determining when cross-channel fraud actually occurs," Tubin says. "When they do see fraud, they see the end result, such as check fraud, and they classify it as a fraud that occurred that way," rather than working their way back to follow the fraud trail.
Criminals are exploiting that inability on the part of institutions to link channels. "They recognize that an institution typically works in a siloed environment," Tubin says. But banks and credit unions are not poised to change that siloed environment anytime soon. According to the survey's findings, 27 percent do not even have teams or defined plans dedicated to cross-channel fraud detection. Mike Urban, senior director of fraud solutions for FICO, which provides data analytics and fraud-detection systems, says none of that is so surprising. "The advancements and investments institutions are making are taking place on the card-fraud side," says Urban, who also analyzed results during the Faces of Fraud survey webinar. "I was not surprised that institutions felt they were most covered on the card fraud and AML (anti-money laundering) sides," he says. "That's where most of the investments go."
More Integration NeededWithout cross-channel integration, however, and a so-called 360 view, Urban says account takeovers could be hitting several accounts simultaneously and going completely unnoticed. "Fraud detection needs to be in real-time, across channels, even in batch processing," he says. Analytics and efficient rules engines, which tie analytics and customer behavior scores to an action, are the only ways to effectively fight fraud.
But getting that kind of integrated view is not so doable in practice, says M & T's Speare. Most financial institutions are nowhere close to having readily available real-time customer/member analytics and data. Innovations have been made for some channels, such as the ATM, through best-of-breed systems and architecture from third-party vendors, he says. But those innovative architectures have to connect to existing infrastructures, which are often "extremely old, so you're forced to have something that is not close to real-time."
What institutions can do, Speare says, is dedicate teams to review fraud statistics from disparate channels. A manual process, but "probably the closest we are going to get for a while."
Manual Detection: A Bright Spot for ACH?According to the survey, most institutions, 55 percent, do rely on manual reports for fraud detection. Only 16 percent say they use tools to detect cross-channel patterns. Most disturbing for experts who reviewed the results: 40 percent say current anti-fraud technologies fail to detect cross-channel patterns.
That's a red flag, Tubin says. "Manual processes, going forward, are not going to hit the mark, he says. "Neural-net detection is important," and 33 percent of respondents say they do plan to invest in neural fraud detection. That kind of integrated detection, which relies on adaptive analytics to pick up subtle anomalies and patterns, will allow institutions to detect "something that might be missed otherwise," Tubin says.
While manual detection is not ideal, the results could reveal a relative bright spot for ACH-fraud detection, Litan says. "Maybe the numbers are not so bad," she says. "More than half say they have invested in internal monitoring for ACH-fraud detection, which could be manual or automated, depending on how they read the question." According to the survey, 53 percent have increased internal monitoring of ACH transactions and 18 percent are using out-of-band authentication.
But Tubin points to a larger problem: Most institutions don't see ACH fraud as posing a great threat. Only 37 percent say they were impacted by ACH and wire fraud in 2010. Credit and debit, check, and phishing and vishing attacks were deemed more prevalent and threatening. "Institutions do not see ACH and wire fraud as being a big issue because they don't pay for the loss," Tubin says.
Investments in ACH-fraud detection are increasing, especially at larger institutions. But a shift in attitude, Tubin says, among banks and credit unions will ultimately be the best catalyst for change. "The survey indicates the institutions are just not taking it seriously," he says. "The traditional attitude between the institution and its (commercial) customer is one of equals. As long as the institution is putting a reasonable effort toward decreasing fraud, the onus is put back on the customer to fight the fraud; and in today's environment, that is really not fair."
Institutions Favor EducationAcross the board, 76 percent of respondents say customer and employee education is the best way to fight fraud. But industry analysts beg to differ. "They are relying too much on customer education and manual processes, rather than on automated fraud-detection processes and workflow," Litan says. "You need to spend money to save money."
While Tubin agrees banking institutions must focus on customer and employee education, it appears to be relied upon too much for fraud detection. "Employee education is absolutely necessary," he says. "But because of the sheer volume of transactions and the move to electronic transactions, we have to invest in more technology for fraud detection. We have to do more."
Institutions are expected to invest more heavily in measures to cut fraud in 2011, with 34 percent of respondents saying they will increase fraud-prevention budgets and/or personnel. That's good news, Litan says.
"There is much more demand for enterprise fraud management than there ever has been," she says. "I also think the banks want to cut down on the number of vendors they work with, so they want to consolidate their fraud operations. I'm sure they want the budget to invest in more, but they just can't get the budget," she says. "Financially, they're struggling."