Published March 8, 2021
Much like pirates on the high seas, digital bandits will stop at nothing to gain access to the things you hold dear. They’ll do just about anything to steal your personal information, including private medical records and banking passwords. And once that privacy has been violated, your financial control can be severely compromised. You’re left open to identity theft, credit card fraud, ecommerce fraud and a host of other personal calamities.
Unlike the pirates of yore, today’s digital buccaneers don’t initiate plunders by blasting cannonballs at wooden masts—they are slick and sophisticated. And, as the payments industry has evolved, the methods of fraudsters have evolved with it.
Payment is faster, machines are more adaptable, and regulations have changed with the technology. A more complicated system brings with it more angles to be exploited. So fraud prevention and data security demand ever more vigilance.
In today’s world, data bandit wannabes are around every corner—real and virtual. That means a data breach is not only possible, it’s probable and it can easily destroy your company and threaten customers’ finances and livelihoods. A data breach happens when someone’s sensitive and confidential information is taken by an unauthorized individual. It can also happen when someone mistakenly enters bank account information into a fraudulent webpage linked in a phishing email.
And like any robbery, on the high seas or the vast landscape of the internet, the larger the haul the more attractive the target. Companies like Google and Amazon, and many others, hold financial information on behalf of thousands or millions of people. And the more records there are to be stolen, the bigger the resulting payout, with the potential of it being sold on a large scale on the dark web.
There are five forms of data breaches in the modern world, including:
1. Physical theft may seem a bit old-school, but it’s still a threat. Think back to the example of the thief stealing a file cabinet. In the case of data theft, a crook might just steal a hard drive and leave the premises. It could even involve physically plugging a recording device into a computer network to directly copy business files.
2. Cyberattacks, on the other hand, can be done remotely. An attacker simply needs a sufficiently advanced computer and an arsenal of hacking tools. These tools include the likes of backdoors, nonexistent websites, keyloggers, trojans and viruses designed to deceive the user into clicking an infected link and unknowingly downloading intrusive and malicious programs onto a computer system. A cyber-attacker might even intercept data as it is transmitted over an unsecured network. The Cost of Data Breach Study by IBM reports that cyberattacks represent 48 percent of data breaches.
3. Human error is an inevitable fraud risk. For example, an employee who writes a sensitive password on a napkin and absent-mindedly throws it into a public wastebasket opens up the door to a fraudster finding and benefiting from that information. The only way to reduce human error is to educate people so they understand all the ways thieves can steal their information.
4. Insider threats are insidious vectors of data breaches. A disloyal employee with access to your network may be tempted to sell sensitive data to a hostile organization. In many cases, a large number of users have excessive access to a company’s records. And a more complicated system can represent a multitude of opportunities for fraudsters to find sensitive information that companies need to keep hidden.
5. Ransomware is running rampant. The FBI reports that there are over 4,000 ransomware attacks on any given day. Ransomware allows an attacker to control your data, supposedly leaving it alone as long as demands are met. Living in fear of identity fraud is no picnic, and if an attacker can usurp control over data, he can also steal it or destroy it.
Just as you would guard your valuables from a real-life pirate, it is important to protect yourself and your customers against the threats you cannot see. Sensitive information must be guarded and your firm is obligated to remain watchful for signs of potential fraud.
When protecting treasures online, it’s important to consider all of the potential areas where a digital marauder could access your information. Fraud prevention and fraud management come down to making data and credit card information harder to access by limiting opportunities for it to be taken.
That deterrence starts with the people who handle that data every day. Unfortunately, employee fraud is a constant blight on the efforts of financial services. In fact, employees may very well be data security’s greatest vulnerability. The people operating a system inherently have access to and control over it. That means the hiring process is crucial for preventing undesirables from gaining access to a position of financial trust. In a CareerBuilder survey, 75% of hiring managers reported finding lies on a candidate’s resume. A thorough background check goes a long way in revealing a potential employee’s character. A background check should include:
The old expression about preventing crimes of opportunity stands the test of time. Encouraging employees to enroll in direct deposit, for example, means payroll is automated with algorithms, thereby eliminating the need for manual data entry. When fewer people have their hands in the distribution of funds, there is less opportunity to alter a distribution in any one individual’s favor. Enrolling individuals in direct deposit is a relatively easy sell because employees get instant and convenient access to their paychecks.
The next level of security is heightened scrutiny of any department directly involved with payroll and account information. Access to a company’s cash flow enables someone to put a hand in the proverbial till. According to the Association of Certified Fraud Examiners, approximately 77% of fraud came from departments such as accounting, customer service, executive and upper management, finance, operations, purchasing and sales. A wise executive will keep all of those departments monitored and verified.
Monitoring employee behavior can allow an employer to detect fraudulent activity at an early stage. For example, an employee might work long hours or even return to the workplace when others aren’t around. Or they might intentionally turn down help from co-workers who would have made their tasks easier. Those sorts of behaviors may be warning signs that they’re trying to keep their actions away from prying eyes. Other clues are probing and unusual questions about the payroll system. An employee might be processing a high volume of voids with a low rate of transactions in an effort to confuse a cursory investigation. And when employees abruptly resign or abandon their job, they may be doing it to make a hasty getaway.
Company credit cards are also a big risk factor, so controlling transactions made on the company’s behalf is an important step in fraud prevention. Setting up a system with a commercial credit card company will keep all transactions on the same bill, thus removing the burden of dealing with individual employee invoices or charge accounts.
In the digital world, potential bandits are always devising new ways to gain access, and sloppy email practices are the equivalent of dropping a digital gangplank and inviting them aboard. That’s why it’s important to be on the lookout for suspicious customer email addresses. Usually, a customer’s name and the email address will match up (e.g., Jack Reynolds will often be something like firstname.lastname@example.org rather than email@example.com). Fraudsters often set up email accounts with obsolete domains like juno.com, gmx.com, inbox.com, outlook.com or yahoo.com. They might even use nonexistent domains. So, if the customer’s email address seems unusual, that’s a red flag for potentially fraudulent intent.
Your potential customer’s IP address is another tipoff. Look for a history of fraudulent transactions from the IP address in question or its geographic area. Keep an eye out for a sizeable distance between the IP and the shipping or billing address. If the IP is located in a completely different region from the shipping location or the customer’s location, it’s definitely time to take a hard look at any related transactions.
Transaction details can also provide a wealth of clues into the legitimacy of a transaction. You might see an atypically high number of transactions in a brief period of time. This is a widely recognized sign of a card attack, especially if the transactions are of the same amount or card brand. If multiple transactions go through on different card numbers with the same bank identification number, that bank might be host to a series of compromised cards. A transaction from a country outside your typical demographic should also be regarded as suspicious, particularly if the transaction is for an abnormally large amount. Prepaid gift cards can be hard to trace while corporate cards usually carry some direct accountability. Double down on those suspicions if the same customer’s name keeps appearing on multiple cards.
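The transaction signals above can be checked mechanically. The following Python is an added example, not part of the original article: it flags a burst of different cards sharing one bank identification number (BIN) inside a short window, notes whether the amounts are identical, and lists customer names that appear on several cards. The record layout, the five-minute window and the thresholds are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Only the BIN (first six digits)
# and the last four digits are kept, so no full card number is stored.
SAMPLE = [
    # (timestamp, customer name, BIN, last4, amount)
    ("2021-03-08T10:00:05", "Dana Cole", "400000", "1111", 9.99),
    ("2021-03-08T10:00:40", "Dana Cole", "400000", "2222", 9.99),
    ("2021-03-08T10:01:10", "Dana Cole", "400000", "3333", 9.99),
    ("2021-03-08T10:01:55", "Dana Cole", "400000", "4444", 9.99),
    ("2021-03-08T11:30:00", "Lee Park", "510000", "5555", 42.50),
    ("2021-03-08T15:45:00", "Lee Park", "510000", "5555", 18.00),
]

def parse(rows):
    """Turn raw tuples into dicts sorted by time; 'card' is BIN + last4."""
    return sorted(
        ({"ts": datetime.fromisoformat(t), "name": n, "bin": b,
          "card": b + l, "amount": a} for t, n, b, l, a in rows),
        key=lambda r: r["ts"])

def bin_bursts(txns, window=timedelta(minutes=5), min_cards=3):
    """Flag BINs with min_cards or more distinct cards in one sliding window."""
    by_bin = defaultdict(list)
    for t in txns:
        by_bin[t["bin"]].append(t)
    alerts = []
    for bin_, rows in by_bin.items():
        start = 0
        for end, row in enumerate(rows):
            # Drop transactions that fell out of the window.
            while row["ts"] - rows[start]["ts"] > window:
                start += 1
            span = rows[start:end + 1]
            cards = {r["card"] for r in span}
            if len(cards) >= min_cards:
                same_amount = len({r["amount"] for r in span}) == 1
                alerts.append({"bin": bin_, "cards": len(cards),
                               "same_amount": same_amount})
                break  # one alert per BIN is enough to trigger a review
    return alerts

def names_on_many_cards(txns, min_cards=2):
    """Return customer names seen on min_cards or more distinct cards."""
    cards = defaultdict(set)
    for t in txns:
        cards[t["name"]].add(t["card"])
    return {n: len(c) for n, c in cards.items() if len(c) >= min_cards}
```

A repeat customer reusing one card, like the second name in the sample, triggers neither check; tune the window and thresholds against your own normal transaction volume before acting on alerts.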
Prevention really is the best medicine. If you question a customer transaction or employee activity, act on that concern. That might mean doing a little investigative work. A simple phone call to a customer can confirm transaction details and make both parties feel safer. You might also be able to verify email and phone information through third-party sites. If contact information comes back as invalid, that usually means the transaction is indeed fraudulent. And if an employee is behaving oddly or if you notice digital discrepancies, act quickly and decisively to get the answers you need.
Knowledge is power and knowing the signs of fraudulent activity provides the toughest layer of cybersecurity. While financial institutions are well-incentivized to keep an eye out on their end, you must devise your own fraud strategy to protect your business. Internal security controls can help reduce losses by keeping your data from being hijacked. And that means smoother sailing for you and your business.