This post was substantially updated from the one originally published July 19, 2019.
Fraud threat overview: Cybercrime results in unprecedented losses
Protect your financial institution from cybercrime
With cybercrime constantly evolving, what can businesses and financial institutions do to prevent fraud? These measures can help.
Would you like other articles like this in your inbox?
Cybercrime is a threat to businesses and institutions of all sizes and is at the forefront of the minds of those in the fraud prevention field. Cybercrime is broadly defined by the Financial Crimes Enforcement Network (FinCEN) as any illegal activity that involves a computer, another digital device, or a computer network, such as fraud, theft, or distribution of child pornography. As evidenced by recent attacks on the nation's fuel and food supplies, ransomware is a particularly acute concern. Criminals increasingly use sophisticated attacks to target various sectors, including government, finance, education, energy, and health care.
According to 2021 statistics compiled by the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3), over 847,376 cybercrime complaints were made to the FBI with hard dollar losses of over $6.9 billion, a 7% increase over 2020. Ransomware, business email compromise (BEC) schemes, and the illicit use of cryptocurrency are among the top incidents reported.
The 2021 breakdown by monetary fraud losses is as follows:
Business email compromise
Confidence fraud/romance schemes
Personal data breach
Here is a deeper look into the definitions of each of these popular means of fraud:
- Business email compromise (BEC) is a sophisticated scam targeting businesses that regularly perform wire transfer payments. Through extensive research, criminals obtain information (often through phishing or social engineering) and build profiles of senior executives in an organization. They study how the executive corresponds via email, observe nuances to ensure their fraudulent emails appear authentic, and email an employee a convincing request to transfer funds. BEC email is often sent when the executive is out of the office, making it difficult for employees to verify the email is credible.
- Investment fraud has been familiar to the financial world for some time. Brokers and investment advisors prey on new investors, often the elderly, to invest their life savings in unsuitable or speculative high-risk investments. Popular scams such as pyramid schemes and Ponzi schemes have promised sky-high returns quickly, only to have the duped investors lose millions of dollars when the schemes collapse.
- Confidence fraud/romance fraud is an attempt to defraud a person or group of persons after gaining confidence and trust. An example of this type of fraud would be the "sweetheart scam," where an internet or in-person love interest convinces the victim to send funds as a loan or a means to be together, only to become the victim of a loss of money, embarrassment, and a broken heart.
- A personal data breach is a leak/spill of personal data released from a secure location to an untrusted environment. This can happen when users unwittingly give criminals their information while registering for a new product or service. Another type of personal data breach is a security incident in which an individual's sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an unauthorized individual.
- Real estate/rental fraud occurs when someone claiming to be a property manager tries to rent a property that doesn't exist or isn't their rental property. Scammers collect an application fee, security deposit, or even rent before the victim discovers it is a scam. With real estate fraud, a purchase transaction email from a scammer perpetrating to be the title company requesting payment for a property purchase can cause the victim to wire millions of dollars, only to find out later that it did not go to the title company.
The 2021 publication of the FinCEN priorities lists both cybercrime and fraud as part of the eight national security and illicit finance threats that the U.S. currently faces. FinCEN has issued several recent advisories for these common fraud types, including cybercrime, ransomware, imposter scams, and money mule schemes. Each advisory lists red flags that are important to be understood by FinCrime professionals during suspicious activity monitoring and investigations.
Fraud using cryptocurrencies, such as Bitcoin, Ethereum, Litecoin, or Ripple, continues to rise, with a total reported loss in 2021 of more than $1.6 billion. Although there are many legitimate uses of cryptocurrency, this payment source's perceived anonymity makes it a favorite among criminals. Cryptocurrency, particularly Monero, is becoming the preferred payment method for SIM swaps, tech support fraud, employment schemes, romance scams, and even some auction fraud. Cryptocurrency is also a common avenue for investment scams, where losses can reach hundreds of thousands of dollars per victim, not to mention the emotional toll and embarrassment of those who fall prey to these scams.
How can a financial institution’s BSA and fraud professionals prevent these types of fraud? A good first defense is investing in fraud monitoring software that detects specific fraud in their clients' accounts, such as account takeover, ACH, new account, kiting, debit card, and check card fraud.
In addition, an institution (and industry professionals) should follow these tips from the FBI:
- Keep the firewall turned on: A firewall helps protect computers from hackers who might try to gain access in order to delete information or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.
- Install or update antivirus software: Antivirus software is designed to prevent malicious software programs from embedding on a computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users' knowledge. Most types of antivirus software can be set up to update automatically.
- Install or update antispyware technology: Spyware is just what it sounds like—software that is secretly installed on your computer to let others peer into activity on the computer. Some spyware collects information about people without their consent or produces unwanted pop-up ads on a web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at a local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases, these products may be fake and contain spyware or other malicious code.
- Keep the operating system up to date: Computer operating systems are periodically updated to stay in tune with technology requirements and fix security holes. Install the updates to ensure each computer has the latest protection.
- Be careful what is downloaded: Carelessly downloading email attachments can circumvent even the most vigilant antivirus software. Never open an email attachment from someone you do not know and be wary of forwarded attachments, even from friends. They may have unwittingly advanced malicious code.
- Confirm that any unusual email is from the stated party: If a person receives an unusual request, such as to send money on behalf of their workplace or institution, confirm with a phone call or personal visit that the sender is valid. Don't let yourself be caught in a business compromise email scam.
- Turn off the computer: With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being "always on" renders computers more susceptible to cybercrime. Turning the computer off severs an attacker's connection via spyware or a botnet that employs a computer's resources to reach out to other unwitting users.
- Train, train, train: Cybercrime staff training is routine for many financial institutions annually, but if an institution has not implemented practical training, it is time to do so. Test the staff on occasion and remind those who click on links or answer phony emails what they have learned in training.
Cybercrime may continue to rise within the corporate and private worlds, but with these tips for prevention and detection, financial institutions can stay a step ahead and prevent fraud. Be proactive by attending training, reading articles, and staying abreast of the newest trends.