Like other financial organisations, intermediaries are increasingly vulnerable as external fraud attempts become more sophisticated. But there are simple ways to protect yourself and to learn about how to do so.
Staying ahead in the fraudster race
When it comes to fraud, criminals are upping their game. In the near future, they will have the capability to mimic the voice or manipulate the face of a trusted colleague or superior, for instance, to instruct someone to make a payment to a criminal’s bank account.
Cyber fraud is becoming increasingly common and sophisticated, says Bernhard Hofer Holle, Bank Julius Baer’s Global Head Fraud Prevention and Detection. “There’s been a pick-up in cybercrime for the last couple of years, with criminals using various themes to manipulate their victims such as cryptocurrencies, investment fraud and payment fraud.”
As fraud prevention and detection techniques improve, criminals innovate and adapt. Voice mimicking or video manipulation software, so-called deepfakes, is just one example of criminals’ mounting cunning. At a simpler level, email phishing attacks or payment fraud attempts used to come with misspelt subject lines or email addresses, whereas now they look like the real thing.
What’s more, fraudsters are learning to avoid large organisations that have specialist fraud prevention and detection capabilities. Instead, they might target victims with lower levels of security and awareness, like third-party providers or relationship managers at small to medium-sized firms, such as financial intermediaries.
“From an operational point of view, we see the attacks coming in waves,” notes Stephanie Gareis, Risk Manager, Central Risk Management Intermediaries at Bank Julius Baer. “You can surely say that fraudsters are getting more sophisticated, hacking email accounts and using them to deceive the relationship manager and make him process a payment to an external party. It used to be simple to detect clumsy forgeries a few years ago, but they look perfect today. This has increased exposure and fraud risk for the bank and intermediaries alike.”
Cybercrime as a service
Cybercrime is now a service; everything needed to be able to conduct fraud can be bought or rented on the dark web. Hofer Holle explains: “It’s not necessarily always a criminal organisation. Those less tech-savvy wanting to engage in fraud are able to buy crime as a service. There’s also evidence that on occasion the perpetrators are nation states with the specialists and resources to launch sophisticated advanced persistent threat attacks, for example.
“It can be particularly difficult for the authorities to catch the criminals,” he adds. “The main issue is that fraudsters are operating over different jurisdictions, where the victim is in one country, while the servers used, the defrauded money and money mules, the corresponding banks and the fraudster himself are in others.”
Information for intermediaries
When it comes to detecting fraud, intermediaries should be aware of the red flags. Almost all successful fraud attempts are the result of human error. Normally fraud attacks start with a suspicious call, an SMS, chat communication or email containing a link, or a combination of the above. Fraudsters lure their victims in with appealing stories and hope for a human error. You might be asked to click on a link that downloads malware, to make a payment or to settle an invoice. Therefore, awareness is key!
There are a number of sources of information about what to look out for. Julius Baer’s fraud awareness web pages describe key risks, the fraudsters’ latest techniques and recommendations to avoid becoming a victim. Finally, the Association of Certified Fraud Examiners’ website has an open-source Fraud Awareness Training Benchmarking Report that allows firms to assess their alertness.
At the end of the day, it’s wise to check every unusual internal and external instruction. “When intermediaries are contacted from within or outside their organisations with a request for payment or other instruction, they should consider it closely, put it in context – does it make sense, is it plausible?” says Gareis. “Then contact the initiator of the instruction, validate it, especially if it comes via a digital channel. Think before you act.”