Inside a Major Bank Fraud: How Businesses Can Avoid Getting Conned

By: | August 12, 2019

Gregory W. Bangs is senior vice president, crime regional leader for North America at AXA XL, a division of AXA XL. Over the last 30 years, he’s been underwriting insurance and developing new products in the U.S., UK, Hong Kong and France. He can be reached at [email protected].

A large regional bank recently announced that an incident involving fraudulent transfers of funds may cost it up to $220 million. Living in the digital age, the first thought that might come to mind is a cyber attack. But that’s not what happened, according to the bank.

The incident that could cost the bank hundreds of millions of dollars was neither a cyber attack nor a data breach; it was a fraud perpetrated by a payroll company customer.

Although an investigation is continuing, details the bank disclosed indicate the customer deposited checks and requested more than $200 million in transfers to accounts at other banks. After making the transfers, the bank discovered that the deposited checks bounced — they had been drawn from accounts with insufficient funds.

Wait a second, could it have been an honest mistake? After all, it’s quite common for people to lose sight of their account balances and accidentally make overdrafts. However, the bank had reason to believe the depositor knew those checks would bounce. That is bank fraud, and unfortunately it remains a costly problem for financial institutions.

The bank in this case has filed a civil fraud lawsuit against the customer as well as several other financial institutions, seeking to recover the money, which will take time to sort out. It’s also possible the bank had taken out Check Kiting Fraud insurance that would potentially reimburse some of the loss.

This is a common extension to a financial institution bond insurance policy. These bonds typically cover a broad range of fraud exposures, including risks such as employee dishonesty, computer systems fraud, forgery, fraudulent transfer instructions and fraudulent impersonation, which is also known as social engineering fraud.

Social engineering is one of the biggest risks financial institutions face today.

In the meantime, it’s worth reviewing some ways businesses can fall victim to con artists and how to mitigate those risks.

Old Tune, New Riffs

Con artists all play a similar song, with a few variations, to trick individuals and businesses into parting with their money. Some riffs on this tune are quite sophisticated. Here are several examples of social engineering:

Impersonation. In this type of scam, a criminal may impersonate a client, vendor or even an executive.

What makes these scams work is the knowledge the criminal has acquired, sometimes by phishing or outright hacking. If a request to transfer funds or divert payments to a different bank account sounds plausible, the person receiving the request might proceed.

For banks, social engineering also can lead to account takeover, in which a criminal impersonates a depositor using the bank customer’s information to withdraw or transfer funds.

The key to mitigating these risks is to verify details and check existing records and not take the requester’s words — or contact information — at face value.

Overpayments. This kind of scam tends to target professional services firms, which receive overpayments by phony but official-looking checks.

A fraudster typically asks the firm to deduct the cost of their services and send back the remaining funds. When the request is urgent, the requester may persuade the firm to send the payment before the original check clears.

And because the check was fake to begin with, the firm loses twice: it won’t get compensated for whatever services it delivered, and it has paid out its own funds to someone who generally disappears.

Combating this crime is a matter of knowing the client, waiting until a check clears or verifying the check with the issuing institution first.

Take a Bite Out of Crime

It’s not yet clear whether social engineering was involved or if bank employees were complicit in the recent bank fraud.

Regardless, it’s important for businesses to protect themselves from crime. Criminals throughout history have learned to adapt their tactics, but businesses can stay ahead of those efforts by applying the following tools:

People. Training employees to recognize potential frauds and to consistently follow verification protocols regardless of who is initiating the transaction is a critical step. Such training should occur regularly, for all employees.

Processes. Criminals are adept at exploiting exceptions. In fact, social engineering works because it persuades people to do things they otherwise wouldn’t do. Create a convenient way to log suspicious activity and escalate it to the appropriate decision makers, without exception.

Technology. Solutions that make computer systems and financial institutions more secure are getting better all the time. Finding and implementing the right technology can go a long way toward identifying and preventing crime.

The threat of social engineering and bank fraud are likely to continue. Strong risk management remains the best weapon for businesses to avoid getting conned. &

More from Risk & Insurance