Banks are using a cybersecurity tactic to crack down on check fraud | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

After a significant spike in check fraud in 2022, banks are grasping for ways to mitigate their risk. Solutions like positive pay help reduce the threat for business checks. On the consumer side, banks have opportunities to use threat intelligence and fake check detection.

In 2022, depository institutions sent 501,000 suspicious activity reports related to mail fraud to the Financial Crimes Enforcement Network, which is just over double the number of reports made in 2021. Depository institutions generated 192,000 such reports in the first four months of this year, which is 11% higher than the same period last year.

This trend has lasted over the long term. Since 2014, reports of check fraud have increased fivefold. During the same period, consumers sent fewer checks, but they have become more valuable and more of a target for fraudsters.

According to data released in April by the Federal Reserve, consumers moved $27 trillion via checks in both 2012 and 2021. That figure fluctuated only slightly, up to $29 trillion, in the intervening years. At the same time, consumers sent 43% fewer checks in 2021 than they did in 2012.

Small financial institutions have complained that larger rivals tend to push costs of check fraud onto them by drawing out the process of getting repaid for bad checks. Indeed, check fraud tends to yield losses for banks rather than consumers because of consumer protections established by Regulation CC. But fake checks do also hurt consumers at times.

The American Bankers Association warns consumers against fake check schemes in which a fraudster sends a consumer a check then asks for the money back. This can happen when a fraudster overpays for an item sold online then asks for a refund, or they tell the victim that they won a prize but need to send back taxes and fees.

In both cases, the consumer unwittingly deposits a bad check into their own account, and even if it clears, the bank usually reverses the deposit once it discovers the check was fraudulent. That leaves the consumer trying to recover any money they sent to the fraudster.

The spike in check fraud is akin to the spike in benefits fraud that took place at the beginning of the pandemic, according to Al Pascual, senior principal and enterprise solutions lead at TransUnion.

“You had all these people who had never committed fraud before all of a sudden learning how easy it is to commit fraud.” Pascual said. “Well, now we see that in check fraud.”

One driver of this rise in check fraud is the proliferation of remote deposit capture, which has cut out the need for a fraudster to confront a human or ATM in the act of depositing a fraudulent check.

A more recent trend driving check fraud up is fraudsters taking to Telegram to recruit people to join their schemes. Primarily, that has meant recruiting and offering the services of check walkers — people who can deposit fraudulent checks on the behalf of a fraudster.

As with most scams and fraud, educating consumers about risks and red flags related to these schemes is a must. The American Bankers Association suggests consumers use alternative payment methods such as e-checks or ACH to pay bills, follow up with check recipients when mailing checks and drop mailed checks directly with a Postal Service worker rather than a drop box.

That education also applies to warning people — particularly young customers — who might potentially get involved with check walking, Pascual said, as they might falsely believe it is a low-risk crime.

“You have actual bank customers who are increasingly becoming complicit in a crime, and it’s largely due to lack of awareness,” Pascual said. “The two things that sell best are sex and money, and unfortunately, without proper education, young people are gonna make a lot of mistakes.”

There are plenty of challenges for banks to address besides educating consumers, some of them technological — for example, adequately sensing signs of alteration in checks deposited to an ATM. But, he said, there’s also the tactic of doing threat intelligence on check fraud schemes.

Threat intelligence refers to the tactic of gathering and working with information about a given threat to provide the necessary context for decision-making processes, according to a definition from the National Institute of Standards and Technology. In practice, that can involve monitoring a certain ransomware campaign to identify trends in victims or reverse engineering malware to understand how it works.

Applied to check fraud, threat intelligence could involve monitoring Telegram and other communication channels where fraudsters exchange criminal goods and services, according to Pascual. It could also include analyzing check deposits found to be fraudulent, including images of fraudulent checks, data associated with remote capture deposits and physical branches or ATMs used in these schemes.

Banks can use this information to assign risk levels to instances of check deposits and, instead of allowing a check to be remotely captured or cashed at an ATM, requiring the customer to bring it into a branch.

Another strategy financial institutions can employ is requiring customers to notify banks before they send a large check. Banks employ this strategy, known as positive pay, with business customers by matching a company’s issued check with the check presented for payment. The dollar amount, check number and account number must all match, or the check is flagged and sent back to the issuer for review.

However, according to Rob Rendell, global head of fraud strategy and prevention at NICE Actimize, few to zero banks are considering this kind of system as it would create additional burdens for consumers who already enjoy protections against check fraud.

Rendell suggested that any kind of positive pay system for consumers — such as a requirement that the consumer notify the bank prior to any large payment via check — could be balanced with check-related entitlements or benefits given back to the consumer, such as notifications of check payments made against their account.

While banks can push some of the costs of check fraud onto businesses to incentivize them to use positive pay, the same does not apply to consumers. As such, while both consumers and businesses get their checks stolen, the banks pay a lot more for the losses of consumer checks due to Regulation CC.

Banks have not been alone in fighting this scourge. Bad checks tend to come out of the mail. In particular, blue mail drop boxes maintained by the United States Postal Service are hot targets for criminals looking to obtain checks they can wash and alter.

That makes the keys to these drop boxes valuable, turning USPS workers into targets of threats and insider wrongdoing. The USPS has responded with a technological solution, securing mailboxes by replacing locks accessed using arrow keys with electronic locks.


Click Here For The Original Source.

National Cyber Security