For the majority of financial institutions, the past year has seen the most rapid digital transformation in their histories — and in many cases, the driving forces behind those changes are here to stay. Even as local branches reopen, habits acquired during the pandemic are sticking, as customers continue to transact more online: “One bank’s public investor filing says that 75 percent of their servicing transactions are now digital in the wake of the pandemic,” according to Julie Conroy, research director at Aite Group. And for many financial services employees, the period of remote work that began in the spring is continuing with no clear end in sight.
The acceleration of financial institutions’ digital transformations is an overall positive development, but it doesn’t come without risks. Rapid changes to established technologies and processes may leave vulnerabilities that bad actors can take advantage of. To support a streamlined, consistent digital customer experience while also ensuring security, your organization may need additional layers of protection.
Fraud prevention during a pandemic
Preventing fraud is a significant challenge for financial institutions, especially as transactions increasingly move online. According to 2020 NuData research, one in three finance login attempts on average are malicious, representing a significant proportion of the average financial institution’s digital traffic. Some institutions have seen even greater percentages of malicious login transactions.
Even when those login attempts are unsuccessful, they hurt your bottom line by raising operational costs. You’re paying for more bandwidth, more servers, more licensing fees to run software on those servers, more space in a data center, more power — and so on — all to process transactions that have zero value to the consumers’ accounts that are being accessed, and negative value for your company. For many companies, these expenses run into the double-digit millions of dollars per year, or more. By getting top-of-funnel fraud attacks under control, you could realize broader cost savings than you’d expect.
Unfortunately, the pandemic has also made fraud prevention more challenging for many financial institutions. With many offices closed and travel restricted, good users log in from fewer locations on fewer different devices, making them easier to identify at first sight and differentiate from fraudsters. But financial customers have also changed their habits in sometimes unpredictable ways. They complete different types of transactions and transact more frequently, at different times of day, compared to before the pandemic. These behavioral changes thwart some financial institutions’ existing fraud risk models, increasing false positives while still letting fraud through. All of this comes at a time when targeted financial fraud malware is on the rise, allowing cyber criminals to attempt access to consumer accounts from the actual machine and internet connection that is normally used to transact.
At the same time, cybercriminals are adopting ever more sophisticated tactics to circumvent financial institutions’ defenses. According to NuData research from the first half of 2020, 96 percent of attacks against financial institutions imitate human behavior, making them harder to distinguish from “good” traffic. For example, many cybercriminals bypass bot-blocking challenges such as CAPTCHAs by routing them through human farms — essentially call centers for fraudsters — where they are solved by human workers who process 100+ such transactions each hour. Financial institutions should be prepared to counter these types of sophisticated attacks at scale, without sacrificing digital customer experience.
The importance of operational security
Remote work is another aspect of financial institutions’ rapid digital transformation during the pandemic that may increase some types of fraud risk. Many cyberthreats start at home — for example, when a personal device on the home network gets infected with malware, that can be an entry point to infect a corporate asset on the same network. If an attacker gains access to internal systems via an employee device, the consequences can be severe. It’s increasingly common for the initial attacker to sell such access to a third party, who then exploits the breach to compromise user data or perform any number of malicious actions.
Social engineering attacks are also a pressing concern. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint statement on an increase in voice phishing, or “vishing,” attacks during the pandemic. In these attacks, a cybercriminal calls an employee of the target organization and impersonates a colleague to gain access to the employee’s VPN account. These sorts of issues are more likely when employees aren’t sitting in offices. It’s easy to tell if a colleague’s not really on the phone with you when you can see them at their desk — less so when you’re both working remotely. In this context, operational security is becoming more important in the effort to secure financial institutions against fraud.
Six steps to stronger cybersecurity
A streamlined, consistent customer experience is of utmost importance in an online setting: 22 percent of consumers left their credit or debit card issuer because of a poor experience. When shoring up your cybersecurity protections, prioritize solutions — both internal and external — that enable an uninterrupted customer journey. Here are a few ways to tighten security without adding too much friction.
1. Tighten permissions for administrative users. Lessen the risk of internal fraud or data leakage by reducing the amount of sensitive information that employees can access, for example by anonymizing personally identifiable information (PII). Behavioral analytics tools (see #5 below) can also help identify anomalous behaviors, such as an employee accessing datasets that aren’t necessary for their work.
2. Use a VPN to enable access to internal tools. This is a best practice when people are working from home networks — which are generally less secure than networks at the operational center. Forcing all traffic from a remote worker’s PC through the VPN reduces the attack surface on the remote device and allows centralized traffic and behavior monitoring systems to protect the organization.
3. Employ a bot detection tool. While bot detection is often construed as a protection for customer accounts, it helps protect employee accounts, too. Make sure bot detection solutions are deployed wherever automated attacks are a concern.
4. Don’t underestimate device recognition tools. The technology behind device recognition might be a decade old, but it’s still a valid tool to prime the rest of your risk framework. There are also some device recognition solutions on the market that extend the lifespan of this technology by making it possible to recognize devices even if their software and cookies change over weeks and months.
5. Use behavioral analytics and passive biometrics to continuously validate identity. A worker at a human farm cutting and pasting stolen personal information from a spreadsheet doesn’t interact with an online form the same way as a “good” user who is inputting their own information, which they know by heart. And your trusted employee doesn’t use a mouse quite the same way as their roommate who’s borrowing their computer. Understanding baseline behavioral and passive biometric signatures for employees and customers lets you quickly flag anomalies that call into question who’s actually sitting in front of the screen, even if they have all the right credentials.
6. Educate both employees and customers. In any system of cyber defenses, humans are usually the weakest link. Strengthen this link by teaching both customers and employees to look out for threats in their everyday environment, especially social engineering attacks. On the employee side, it’s important to educate call center workers, who may be more focused on delivering a great customer experience than on social engineering threats; but all employees are potentially at risk of inbound attacks via email, phone and SMS.
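To make step 5 concrete, here is an added toy example (not NuData’s product code or any real vendor’s algorithm) of the kind of passive-biometric check the article describes: a per-user baseline of typing cadence on a login form is compared against a new session, and the session is flagged when text appears without keystrokes (the spreadsheet cut-and-paste pattern of a human farm) or when the typing rhythm is far outside the user’s profile. All sessions, thresholds and field names below are constructed for illustration; a real deployment would use many more signals (mouse dynamics, field focus order, device signals) and learned thresholds rather than the fixed ones assumed here.

```python
"""Toy passive-biometric check (added example, not NuData's code): compare a
login session's typing rhythm against a per-user baseline and flag paste-like
input or an out-of-profile cadence. All data and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed thresholds (illustrative, not from the article): a floor on the
# baseline std so a tiny history cannot make the check over-sensitive, a
# z-score cutoff, and the chars-per-keystroke ratio that indicates a paste.
STD_FLOOR_MS = 20.0
Z_CUTOFF = 3.0
PASTE_RATIO = 1.5   # > 1.5 characters per key event => text arrived untyped


@dataclass
class FieldSample:
    """Keydown timestamps (ms, ascending) and final text length for one field."""
    name: str
    key_times_ms: list
    final_length: int


def field_features(sample):
    """Return (mean inter-key gap in ms, characters per key event)."""
    gaps = [b - a for a, b in zip(sample.key_times_ms, sample.key_times_ms[1:])]
    mean_gap = mean(gaps) if gaps else 0.0
    events = max(len(sample.key_times_ms), 1)
    return mean_gap, sample.final_length / events


def session_features(fields):
    """Average typing gap across fields and the worst paste ratio seen."""
    feats = [field_features(f) for f in fields]
    return mean(g for g, _ in feats), max(r for _, r in feats)


def build_profile(baseline_sessions):
    """Mean and (floored) std of the typing gap over known-good sessions."""
    gaps = [session_features(s)[0] for s in baseline_sessions]
    return {"mean_gap": mean(gaps), "std_gap": max(pstdev(gaps), STD_FLOOR_MS)}


def score_session(profile, fields):
    """Compare one session with the profile; return z-score, reasons, verdict."""
    mean_gap, paste_ratio = session_features(fields)
    z = (mean_gap - profile["mean_gap"]) / profile["std_gap"]
    reasons = []
    if paste_ratio > PASTE_RATIO:
        reasons.append("paste_like")            # copy/paste or autofill burst
    if abs(z) > Z_CUTOFF:
        reasons.append("cadence_out_of_profile")
    return {"z": round(z, 2), "reasons": reasons,
            "verdict": "review" if reasons else "allow"}


def typed(gaps_ms, start_ms=0):
    """Helper: turn a list of inter-key gaps into keydown timestamps."""
    times = [start_ms]
    for g in gaps_ms:
        times.append(times[-1] + g)
    return times


# Constructed baseline: three earlier sessions in which the user typed a
# 5-character username and a 12-character password at ~130-150 ms per key.
BASELINE = [
    [FieldSample("user", typed([140, 160, 150, 155]), 5),
     FieldSample("pass", typed([120, 140, 130, 125, 135, 130, 128, 132, 130, 130, 130]), 12)],
    [FieldSample("user", typed([145, 155, 150, 160]), 5),
     FieldSample("pass", typed([125, 135, 130, 130, 128, 132, 130, 135, 125, 130, 130]), 12)],
    [FieldSample("user", typed([160, 140, 155, 150]), 5),
     FieldSample("pass", typed([130] * 10 + [140]), 12)],
]
PROFILE = build_profile(BASELINE)

# Constructed sessions to score: the genuine user, a human-farm paste of the
# password (one key event, twelve characters appear), and a scripted replay
# that "types" every character at a uniform 40 ms.
LEGIT = [FieldSample("user", typed([150, 145, 155, 150]), 5),
         FieldSample("pass", typed([135] * 11), 12)]
PASTED = [FieldSample("user", typed([150, 150, 150, 150]), 5),
          FieldSample("pass", [0], 12)]
SCRIPTED = [FieldSample("user", typed([40] * 4), 5),
            FieldSample("pass", typed([40] * 11), 12)]

if __name__ == "__main__":
    for label, session in (("legit", LEGIT), ("pasted", PASTED), ("scripted", SCRIPTED)):
        print(label, score_session(PROFILE, session))
```

The point of the std floor is practical: with only three baseline sessions the observed deviation is well under a millisecond, and without the floor a genuine user typing a little faster than usual would be flagged, which is exactly the false-positive problem the article warns about. A “review” verdict here is a signal to step up authentication or route the session for investigation, not a block on its own.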
The strongest cyber defenses are multi-layered. If accelerating your digital transformation efforts during Covid-19 didn’t leave time to add the necessary protections, now is a good time to start catching up. By setting up infrastructure to make remote work more secure, educating employees and customers about cyber threats and using advanced tools to continuously validate user identity, you can make your new normal more secure — without sacrificing customer experience.
Robert Capps, VP of Market Innovation, NuData Security