top of page
  • Writer's pictureDevon Harris

The Perils of Relying on Data and Assumptions: How Ignorance Can Lead to Fraud

Recent instances of fraud have highlighted the risks of relying solely on data for verifying customer identity. This approach can leave businesses vulnerable to fraud perpetrated by both external actors and internal employees acting with malicious intent.


Last month, scammers targeted members of credit unions in Nevada by posing as customer service representatives and tricking them into disclosing personally identifying information (PII) and financial details. The fraudsters used phishing texts and emails, as well as phone calls, to make their claims appear legitimate and believable. They even used the credit union's trademarks to mimic the genuine online design. Once they obtained the PII, the criminals exploited it to commit a range of financial fraud.


The threat of internal fraud is also a growing concern. Even companies with robust security measures in place can fall victim to malicious activity from within. In May 2022, the largest credit union in the US, Navy Federal Credit Union (NFCU), suffered from financial crimes committed by its own employees. Two former NFCU employees in Florida stole almost $100,000 and attempted to steal an additional $165k by taking unauthorized screenshots of member accounts. They used this information to gain access to the accounts and transfer funds to another NFCU member account controlled by a "money mule" associated with one of the co-conspirators. As many as 32 Navy Federal member accounts were compromised in this case.

The Importance of Strong Identity Authentication

As an organization, it is important to educate customers about fraudulent activity and the importance of protecting their personally identifying information (PII). However, given the numerous database breaches in recent years, it is also necessary to assume that all PII is potentially accessible to criminals through the DarkWeb. It is crucial for businesses to have strong measures in place to authenticate identity and prevent fraud.


While it is important to educate the public on the tactics used by fraudsters, it is also necessary to recognize that fraud is constantly evolving and that businesses must be vigilant in protecting against it. The consequences of failing to do so can be severe, including direct financial losses, indirect costs, investigation costs, and reputational damage. If customers lose confidence in a company's ability to protect their money and personal information, they may turn to competitors. It is therefore essential for businesses to have robust measures in place to authenticate identity and prevent fraud.

Dangers of Prioritizing Speed and Convenience Over Security

Fraudsters often exploit the busy and fast-paced nature of businesses that prioritize speed and convenience over security. This was the case in the 2011 Wells Fargo account fraud scandal, in which the bank's focus on process and transaction speed led to errors and enabled internal fraud. Bankers at Wells Fargo were under pressure to meet aggressive quotas, and as a result, created millions of fraudulent accounts on behalf of clients without their consent. The company faced fines and legal action as a result of this illegal activity, and the consequences continued to be felt years later.


In another example, a fraudster named Henry Perez gained access to and control of cellular service provider accounts by verifying personal data, and then charged hundreds of thousands of dollars worth of iPhones to the genuine account holders. This was made possible by a process and culture that prioritized speed and efficiency over security, creating gaps that the fraudster was able to exploit.


We have seen how many companies operate under the assumption that "technology alone can save the day" by relying on data to validate a person's identity. However, this abstract, unlinked data is not automatically connected to a specific customer, and may not even be real. To prevent fraud, it is important to augment existing policies and procedures with a forensic level identity document authentication process.





Comentários


bottom of page