Yesterday, Bloomberg posted a lengthy article – Hackers Take $1 Billion a Year from Company Accounts Banks Won’t Indemnify – highlighting the serious problem of online banking fraud attacks against small and medium-sized businesses (SMBs). I’m pleased this is getting more mainstream attention, but anyone reading this blog will know this is not a new problem. In fact, we’re just about at the two-year anniversary of the first alarm bells ringing on the corporate account takeover problem.
The article pretty thoroughly covers the commercial account fraud ecosystem and the devastating results of fraud. But while it nicely admires the problem, it fails to point out that there are solutions within the reach of every bank and credit union, and that many are equipping themselves to proactively stop these attacks. And they are doing so successfully and affordably.
A rapidly growing number of national and community banks and credit unions are using ACH fraud detection, our anomaly detection and transaction monitoring solution, to identify account takeover and stop the very fraudulent wire and ACH transfers described in this article. These institutions consistently detect and stop fraud, spend less than an FTE to investigate high-risk accounts, and receive high praise from their account holders when they make a call to discuss suspicious activity. It took many of these institutions less than a week to deploy the solution on a wide variety of online banking platforms, and it costs them less than one average ACH or wire fraud.
As I discussed in my last blog post, the FFIEC recently updated its guidance on Internet Banking security. They too agree that the threat has grown too great, criminals can defeat existing controls, and this is an issue banks must tackle. They are now expecting all institutions to have the capability to detect and respond to anomalous behavior.
We had an interesting call from one of our customers today that highlighted the difference between banks that are equipped to solve the problem and those that are not. Our customer, let’s call them Bank A, used Guardian Analytics’ ACH Fraud Detection to proactively detect an account compromise for one of their accounts. Our solution alerted Bank A to suspicious activity in the account and they quickly notified the account holder. This all happened before a fraudulent money transfer was even attempted. While discussing the situation, the account holder mentioned that they also had an account at a different institution, Bank B, which is not a user of Guardian Analytics’ ACH Fraud Detection. When the account holder checked their account at Bank B, they found an unauthorized wire transfer and a significant amount of $$$ missing from their account.
Bank B now is faced with 1) spending time to attempt to claw back the money, 2) trying to explain why they were not able to stop a fraud that Bank A could, and 3) a potential customer loss. Customer churn is a common outcome of these attacks – our 2011 Business Banking Trust Study reports that 43 percent of SMBs take their banking business to another institution following a fraud attack. Despite the title of the article, nobody wins when a commercial account is raided.
This real-world scenario shows that with the right protections in place, money can be safe in the bank. And it can be safe at large banks, midsize banks and small banks. Businesses don’t need to run to the large institutions; they should just work with banks that have the right security.
By this time next year, if institutions meet the updated layered security expectations set forth in the guidance, the story should be very different. Instead of focusing on the villains and victims, we’ll be hearing stories of the heroes who stopped the criminals in their tracks.