Fraud and financial crime management is changing. The COVID-19 pandemic has shifted the cyber threat landscape. Fraud controls now have to adapt to a new working environment, and your risk and compliance team is facing resourcing pressure and operational strain. What changes do you need to make to stay on top of the changing crime patterns?
Are you aware of your cyber threat landscape?
While the volume of cyber threats has remained broadly constant during the COVID-19 pandemic, there has been a pivot towards phishing scams and malware that use COVID-19 as a lure. Often, phishing emails can capture personal data and financial information from unsuspecting retail and banking customers and your employees, by masquerading as:
- Providers of information about vaccines, medical supplies such as masks and ventilators, and short-supply commodities like hand sanitizers.
- Portals to apply for payment of government assistance during the economic shutdown.
- Downloads for technology solutions in high demand, such as video conferencing platforms.
- Critical updates for enterprise collaboration solutions and consumer social media applications.
- IT service providers that take payment to provide tech support services.
What impact does it have on rates of fraud?
While COVID-19 phishing scams have increased in volume during the pandemic, payment volumes themselves have decreased during the lockdown. Reported losses are through known modus operandi (phishing, smishing, etc.), which most banks can identify. In the UK, there has been an overall reduction in reported fraud cases to the government’s Action Fraud unit (-18%), which may in part be due to changes in customer behavior. As a result, the overall impact on financial institutions' fraud losses has been unexpectedly moderate so far. During the initial reaction phase of the pandemic, large retail banks have not reported a spike in fraud losses.
However, the moderate impact on fraud losses may be temporary. Lockdown measures have forced customers, financial institutions, fraudsters and organized crime alike to be creative, rethinking their operations and adapting to the new reality. The cyber-enabled fraud threat remains high and organizations should keep an eye out for emerging threats.
Have you recalibrated your fraud controls?
For retail banks, social distancing and lockdown measures have had a dramatic effect on customers’ behavior, which in turn affects fraud controls. For example, sports betting payments, which often trigger risk flags, have decreased due to the cancellation of sports matches.
At the same time, there has been a large increase in customers taking up online and mobile banking globally (a 400% increase in one country).
In the UK, the influx of new first-time online shoppers has triggered false positive alerts in systems configured for much lower volumes. In some instances, payments flagged as “unusual” were canceled by fraud systems, often depriving vulnerable customers of necessities.
In response to this, banks have had to relax some fraud controls to allow some customers access to cash, or enable them to add third parties to their card.
As organizations enter the resilience phase, and lockdowns are still enforced to varying degrees, some preventative and detective fraud controls need to be recalibrated to minimize ‘noise’ and limit false positives. This recalibration will reduce the unnecessary work for fraud and internal information security teams.
Changes to consumer-facing fraud controls will often be mirrored by employee-focused insider threat controls, with risk flags relating to working habits, working hours and internal access controls having to adapt to the new working conditions.
How are you recording cyber and fraud risk?
The COVID-19 pandemic is driving extraordinary changes in the way organizations work with customers and employees. Security and fraud controls are often an afterthought when changes are implemented quickly. It’s important to have qualitative fraud management information to monitor the situation and remain within the organization's fraud risk appetite.
Beyond the primary function of maintaining good practices for customers and employees, risk and compliance teams will need to be prepared to answer questions from financial regulators.
Organizations need to retain evidence that they’re continuing to monitor and mitigate cyber and fraud risk, that their controls are fit for purpose, and that they’re addressing gaps in controls caused by the pandemic.
Are your people under pressure?
Operational challenges plague cyber and fraud risk and compliance teams in both consumer-facing and internal settings.
The surge in lending activities due to the economic downturn, and pressure to service customers quickly without the opportunity for face-to-face checks, can increase instances of fraud and financial crime. The specific risks that such lending exposes the organization to are: fake/synthetic identity fraud, first-party fraud, mule and money laundering activities.
These risks are compounded when fraud teams are drafted in to help manage the dramatic increase in customer dispute claims and borrowing products, leaving potential fraud controls unattended or under-resourced.
In this space, the pandemic presents both a need and an opportunity to look into new technologies that can facilitate remote ID verification using machine learning, in the same way that some challenger banks now do through their respective mobile applications.
During the resilience phase of COVID-19, liquidity challenges are driving significant cost reductions. Dissatisfaction or financial difficulties among employees due to redundancies and pay reductions may also raise the risk of insider financial crime and abuse of privileged access to finance systems, just as the risk increases for your customers. Pay attention to the mood in your company; be creative in ways to gauge staff attitude and mental health; look after your teams and make sure they’re being heard.
Are you prepared for the new reality?
While some aspects of the COVID-19 pandemic are temporary, the transformation driven by necessity will result in permanent changes to customer transaction patterns and internal operating procedures, including digital transformation.
As your business starts to recover from COVID-19, think about which new fraud and cyber controls should be retained and which old fraud and cyber controls should be retired, and look for opportunities to innovate and update how cyber, fraud and compliance activities operate.
Integrating cyber and fraud processes, across both consumer and enterprise environments, will be a critical part of your “New Reality” strategy and will help to form an efficient approach to long-term management of cyber and financial crime, insider threat and fraud.
For a more granular lens on the key second-line fraud and cyber considerations during COVID-19, please see our piece on critical questions in cyber and fraud compliance.
If you have any questions or would like additional advice, please contact us.