Anti-Fraud Redefined: Protecting Financial Services in a World of Deception

Perry Clark, Jordan Kuperschmid, Brad Schaltenbrand
Ankura
Contact
LinkedIn
Facebook
X
Send
Embed

Ankura

Fraud is no longer a peripheral threat; it is an endemic and rapidly evolving challenge for financial institutions. As the digital landscape expands, so do the opportunities for sophisticated criminals, creating constant and escalating pressure on financial services companies. The sheer scale of staggering, global losses from payment fraud alone are projected to exceed $50 billion annually.[1] This is not just a direct financial hit; for every $1 lost to fraud, financial institutions in North America spend an average of $4.41 in remediation costs, which includes legal fees, investigation, and recovery expenses.[2] This is a fundamental risk to customer trust, brand reputation, and the financial stability of the entire sector.

Fraud has sharply increased over the past year due to economic uncertainty and advancements in artificial intelligence (AI) and machine learning (ML).

The Financial Services Fraud Landscape: A Multifaceted Threat

The financial services sector faces a diverse and interconnected array of threats. While traditional fraud schemes persist, new, technology-enabled risks are emerging at an alarming pace. The following table provides a detailed look at the modern fraud landscape, organized by the specific sector most impacted, beginning with threats that are agnostic (relevant across the entire financial services ecosystem) and then detailing risks specific to banking, insurance, and wealth management.

Industry

                                                    Fraud Example

Financial Services Industry Agnostic

 Account Takeover (ATO): Criminals gain unauthorized access to a victim's financial accounts by using stolen login credentials. This can happen through credential stuffing — where they test lists of leaked usernames and passwords from other data breaches to see if they work on a new site — or through phishing. Once in control of the account, they can transfer funds, make purchases, or apply for new credit in the victim's name. It is important to note that this is not only done by unknown criminal actors but sometimes by known family members, such as a child or spouse.
Payment Redirection: This is a form of business email compromise (BEC) where a criminal “spoofs” an email to appear as a trusted business partner or employee. The fraudster sends an urgent request, such as “Hey, our system is down today, can you redirect the wire, payroll file, etc. to HERE.” These types of scams should be confirmed with out-of-band communication, such as a phone call to a validated number. Bank account verification vendor tools can be used to validate the association of a person with a specific account. Payment portals could also be used as an alternative to prevent this type of fraud. There has been an uptick in the targeting of commercial clients — particularly among organizations that received COVID-19 related Paycheck Protection Program (PPP) loans.
Social Engineering: This category includes scams like phishing (deceptive emails), smishing (fraudulent text messages), and vishing (scams conducted over the phone). Fraudsters exploit human psychology through these deceptive communications to trick victims into revealing sensitive information. These tactics create a false sense of urgency or authority to bypass a person's judgment and gain access to their accounts. A particularly advanced tactic is "dual spoofing," where a fraudster spoofs the bank's number to get customer information, then spoofs the customer's number to call the bank and gain account access.
Sales Fraud: This form of fraud has the potential to occur when financial representatives or agents receive incentive compensation for selling products to customers. Without adequate controls, such arrangements could possibly result in overselling, selling non-suitable items, premium diversion, or misclassifying sales to hit goals and prices, among other forms.
Internal Fraud: Employees engaging in fraudulent activity can be a risk for any organization. Examples include embezzlement, where an employee steals funds from the company, or data theft, where an insider sells customer information to external criminals, which can then be used to facilitate other types of fraud. Activity in the procurement area, such as fake vendor invoices or inflated submissions, is another example of this type of fraud.
Card-Not-Present (CNP): This type of fraud involves criminals using stolen credit or debit card details to make online or phone purchases without the physical card. It is a pervasive threat that affects financial institutions, merchants, and payment processors, with the availability of stolen data on the dark web further amplifying the risk.
Technological Risks: This encompasses several threats, including cyberattacks (malware and ransomware), data breaches, and AI-driven fraud. Criminals use advanced technology to attack financial systems, steal vast amounts of data, or leverage AI to create highly sophisticated, personalized scams at scale.

Banking

 Synthetic Identity Fraud: This often targets the credit system. A criminal might create a “Frankenstein” identity by combining a real Social Security number (SSN) with a fake name, address, and date of birth. They use this new identity to open a bank account, apply for a credit card, and build a credit history over time with small, legitimate-looking transactions. Once the credit limit is high enough, the fraudster maxes out the cards and disappears, leaving no one to pursue as the identity is a fabrication.
Real-Time Payment: Criminals take advantage of instant payment systems to commit fraud, as the speed and irreversibility of transactions make it difficult to recover stolen funds.
Credit Bust Outs: A fraudster opens a legitimate line of credit, rapidly maximizes the available balance, and then defaults on the entire debt, often after transferring the funds out of the country.
Credit Washing: A scammer falsely claims identity theft to credit bureaus, forcing legitimate, negative credit items to be removed from the victim's report, thereby artificially “cleaning” the credit profile to qualify for new loans or accounts.
Straw Buyer Schemes: An individual with a good credit history — the “straw buyer” — applies for a mortgage on behalf of another person who would not qualify, often for a property that is overvalued. The fraudulent mortgage is then approved, and the actual buyer defaults on the loan, leaving the financial institution with a massive loss.

   Insurance

 Property & Casualty Fraud: A common example of “soft fraud” is inflated claims. For instance, a homeowner with hail damage to their roof might claim a total loss and receive a payout for a complete roof replacement, but then only perform a minor, low-cost repair. An example of “hard fraud” is arson for profit — when a property owner deliberately burns down an insured building to file a claim for the total loss of the structure and its contents. 
Auto Insurance Repairs: This type of fraud can occur on repairs due to shoddy work, the use of aftermarket parts, side deals, and the inclusion of damage not related to the claim.
Staged Accidents: This is an example of “hard fraud” in which criminals intentionally cause a collision. Common tactics include “swoop and squat” where a car quickly cuts in front of a victim's vehicle and slams on the brakes, forcing a rear-end collision or a “jump-in,” when a fraudster who was not in the vehicle at the time of an accident, later claims to have been injured in order to collect a payout.
"Owner Give-Up": This is when a vehicle owner falsely reports their car as stolen or damaged to get an insurance payout. This often happens when the owner can no longer afford the car or needs to get rid of a vehicle with expensive mechanical problems.
Rate Evasion: People commit this type of “soft fraud” by lying on their insurance applications to qualify for a lower premium. This can involve misrepresenting the primary driver, a vehicle's garaging location, or the number of miles driven annually. This type of fraud is widespread and costs the industry billions.

 

 

Wealth Management

 Authorized Push Payment (APP): A classic example of this is a “pig butchering” scam. A fraudster, often using a fake persona on a dating app or social media, builds a long-term relationship with a victim. Over time, they convince the victim to “invest” in a fake cryptocurrency platform. The victim is told to transfer large sums of money to what they believe is an investment account, but in reality, they are directly sending the funds to the fraudster. Because the customer authorized the fund transfer, it's not a traditional hack, making it difficult to recover the funds.
Ponzi Schemes: This is a classic investment fraud. The most infamous example is Bernie Madoff, who promised investors high, consistent returns. Instead of actually investing the money, he used funds from new investors to pay “returns” to earlier investors. The scheme collapses when the flow of new money stops and there is not enough to pay out investors who want to withdraw their funds.
Elder Financial Exploitation: This is a growing concern. A wealth manager, or even a family member, might convince an elderly client to give power of attorney or change a will, then misappropriate their funds. For example, a fraudulent “advisor” might move a client's life savings into high-risk, illiquid investments that generate high commissions for the advisor but are completely inappropriate for the client's risk.

The Evolving Regulatory and Standards Landscape

The regulatory environment is struggling to keep pace with the speed of fraudulent innovation. While no single, overarching anti-fraud regulation exists, a patchwork of laws and standards provides an important framework.

  • Anti-Money Laundering (AML) and Know Your Customer (KYC): Regulations like the U.S. Bank Secrecy Act (BSA) and global standards from the Financial Action Task Force (FATF) are foundational. They mandate customer identity verification and suspicious activity monitoring, which are critical first lines of defense against many types of fraud.
  • Data Protection Regulations: The General Data Protection Regulation (GDPR) and similar laws are crucial. The link between data breaches and fraud is undeniable, making robust data protection a key pillar of any anti-fraud strategy.
  • Key Standards:
    • The Payment Card Industry Data Security Standard (PCI DSS) provides a roadmap for securing credit card information.
    • For a broader approach to program design, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Fraud Risk Management Guide offers a principled framework encompassing governance, risk assessment, control activities, and monitoring.

The Critical Components of a Leading Anti-Fraud Program

A truly effective anti-fraud program is not merely a collection of tools; it is a strategic capability built on a foundation of strong governance, advanced technology, and a culture of vigilance. Important considerations for a holistic anti-fraud program include:

  1. Strong Governance and Culture: Fraud prevention should be a "tone at the top" priority. This includes a clear mandate from senior leadership, a dedicated and appropriately-resourced fraud team, and a culture that encourages employees to be active participants in fraud detection. Risk assessments are non-negotiable to identify vulnerabilities and emerging threats. Critically, fraud risk increasingly overlaps with money laundering, sanctions evasion, cyber-enabled identity theft and broader conduct risks. Regulators expect financial institutions to adopt integrated models that combine fraud, AML, sanctions, and customer behavior analytics, rather than treating them as separate and reactive risk domains. By merging fraud-detection data with AML insights, institutions can identify relevant patterns earlier, reduce fragmented investigations, and create a more unified intelligence view of customer behavior across the lifecycle.
  2. Advanced Technology and Data Analytics: Appropriately leveraging data analytics elevates your program. Examples might include:
    • Active Monitoring: Using technologies such as AI and ML to rapidly analyze transactions, identifying anomalies and patterns indicative of fraud.
    • Behavioral Biometrics: Incorporating user behavior patterns, devices, and network data to produce risk scores as triggers, rather than just relying on simple location or spending profiles.
    • Enhanced Authentication: Looking beyond passwords to multi-factor authentication (MFA) and biometric solutions; this may include methods beyond single message service (SMS) and one-time PINs such as passkeys and device-based push notifications.
    • Ecosystem Integration: Leveraging fintechs and third parties for broader data coverage, including integrating risk data across systems.
    • Fraud Detection Systems: Utilizing enhanced fraud scoring and network analysis to accelerate the identification of fraudulent activity before it can cause harm.
  3. Robust Processes and Controls: Technology is only as good as the processes that support it. Anti-fraud programs should consider:
    • Rigorous KYC and Customer Due Diligence (CDD): Ongoing monitoring of customer transactions and activity to detect suspicious behavior.
    • Incident Response Plan: A clear, well-rehearsed plan for addressing fraud incidents, including protocols for reporting, investigation, and recovery.
    • Employee Training and Awareness: Training programs designed to equip employees with the knowledge to spot red flags and the authority to report them.
    • Special Investigation Units (SIUs): Having a well-oiled SIU can be a strong asset. Automated flags can identify suspects and create referrals for a human-in-the-loop review, which may be conducted by the SIU.

Kicking the Tires on Your Program: A Call to Action

The time to act is now. To build a resilient anti-fraud program, financial institutions should perform a candid self-assessment. Consider the following:

  • Strategy and Governance: Is your anti-fraud program integrated into your overall business strategy? Are roles and responsibilities clearly defined?
  • Risk Assessment: Do you have a clear understanding of your specific fraud risk exposures and your tolerance for that risk?
  • Technology and Data: Are you appropriately leveraging technologies such as AI and ML? Is your data infrastructure capable of supporting real-time analytics?
  • Metrics and Reporting: Are you measuring the effectiveness of your program? Are you capturing the full benefit of your anti-fraud efforts, including avoided losses and improved customer trust?

By identifying potential gaps between your current state and your target state, you can develop a clear, properly resourced roadmap for building a leading anti-fraud program. When evaluating cost/benefit, consider this an investment in your company's future, a proactive measure to protect your customers, your reputation, and your bottom line. In an increasingly digital world, the ability to build and maintain trust is the ultimate competitive advantage, and a leading anti-fraud program is the cornerstone of that trust.


 Notes:

[1] https://b2b.mastercard.com/news-and-insights/blog/ecommerce-fraud-trends-and-statistics-merchants-need-to-know-in-2024/

[2] Every Dollar Lost to a Fraudster Costs North America’s Financial Institutions $4.41 According to LexisNexis True Cost of Fraud Study from LexisNexis Risk Solutions

Written by:

Ankura
Ankura
Contact
more
less

What do you want from legal thought leadership?

Please take our short survey – your perspective helps to shape how firms create relevant, useful content that addresses your needs:

Ankura on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide