How smart banks take the sting out of cybercrime

By

Howard Altman

,

BANKING STRATEGIES

After about a year of having a small amount of funds withdrawn from his Citizens Bank account every month, Steve Puccia finally noticed the money was being taken out without his permission.

“Every month there was a debit on my card from anywhere from $16 to $18 and it was always a website purchase,” says Puccia, 58, of Philadelphia, a partner and chief development officer in graphic design. “The problem was, none of those websites ever existed. It was such a small amount and I use the card so much I never noticed for a year. It was a brilliant scam.”

When Puccia reached out to Citizen’s customer service department, he said the response was equally brilliant.

“They did exactly what I wanted them to do,” says Puccia, “I gave them the info on the fraudulent charges and websites being charged to. They investigated and in one day, they got back to me and credited me.”

For banks, there are many customers like Puccia.

Cyberattacks cost financial services firms more to address and contain than in any other industry and the rate of breaches in the industry has tripled over the past five years, according to a report from Accenture and the Ponemon Institute

The report found that the average cost of cybercrime for financial services companies globally has increased by more than 40 percent over the past three years, from nearly $13 million per firm in 2014 to nearly $19 million in 2017.

That’s far higher than the average cost—less than $12 million per firm—across all industries included in the study. And that doesn’t even include the longer-term costs of remediation.

Cyberfraud’s double whammy

For banks, cyberfraud equals a double whammy. Not only does it cost them a lot of money but also customer loyalty. With so many other banking options, customers are likely to bolt after a bad cyberfraud experience, according to another Accenture study.

“The biggest driver of loyalty for banking customers is the ability to trust their bank in protecting their personal data,” the report found.

The good news for banks is that they are “more trusted than insurers as data custodians today, with only 57 percent of insurance customers willing to share more personal data, compared with 67 percent for banks,” according to the report. “This topic is clearly important to customers and is something banks could build on as they shift to a digital business model.”

In the face of all this, banks are taking a more holistic approach to serving customers.

Big institutions such as Bank of America and smaller ones like the Wyomissing, Pennsylvania-based Customers Bank have whole units dedicated to customer care and helping bank clients navigate through problems resembling the unauthorized charges found by Puccia.

“The security of our clients’ financial information is one of our top priorities,” says Holly O’Neill, head of consumer client services for Bank of America and its chief client care executive. “We’re committed to having our client’s backs to protect their information, and we’re committed to work with them on resolving issues when they do arise.”

Bank of America trains its client advocates “to take the time to understand our clients’ needs and provide the solutions, services and information that address them,” says O’Neill. “Our culture of client care is deeply ingrained in our people; that means we’ll do things the right way, serve our clients with integrity and focus on their best interests.”

How one bank hooked a spearphisher

Customers Bank is a “super community bank” with $10.6 billion in assets, offering commercial and consumer banking services in Chicago and along the I-95 corridor from Washington, D.C. to Boston.

When clients learn they might be a victim of identity theft or cybercrime through another source—maybe a merchant—they should immediately report the incident to all of their banks and credit card companies, says Diane McCracken, the bank’s head of security. If the customer is notified by the bank, they should ask the bank to monitor their account and help protect them—in other words, not face the future alone.

“Customers Bank team members are trained to advice clients to monitor their statements and credit for two years following an incident,” says McCracken. But sometimes it takes more than that to keep customers happy.

Here she cites a recent incident: “A real estate client with whom we do business regularly made an $80,000 transfer that we flagged as ‘suspicious’ because it was different than their pattern of behavior.”  The customer was the victim of spearphishing—receiving an email that “looked real” but directed them to transfer funds to a “different account” for the title company. 

The account belonged to the fraudsters who had manufactured the look-alike email redirecting the transfer. “We worked with the financial institution that had been used by the fraudsters to set up the fake account and indemnified them from action by the fraudsters,” says McCracken, adding:  “The funds were returned to the client.”

‘It’s a constant battle’

While Customers Bank prides itself on its actions to fight cybercrime and protect its clients, “We also know it’s a constant battle,” McCracken notes. “It’s not a matter of ‘if’ you will be targeted, but ‘when.’ So we’re working to educate our customers—and our customers’ customers—to be vigilant, proactive, and smart. We encourage them to ask us for help at the first sign of something unusual.”

Kimberly Ogden, SVP and director of fraud loss Prevention at Customers Bank, has some additional advice:

• Place a credit alert or freeze with credit agencies.  One way to do this is to use ChexSystems (a.k.a. QualiFile), a nationwide specialty consumer reporting agency under the federal Fair Credit Reporting Act. This alert alerts other financial institutions you’re a fraud victim and that they should take precautions if someone tries to open an account with your name. 

• Have a professional check all of your devices for malware waiting to do more damage.

• Watch regular mail and email for alerts from financial institutions. “You might think it’s junk mail but it could be official correspondence about an account you didn’t open or don’t control. This information could indicate identity theft.”

• Check your statements thoroughly each month for unauthorized transactions. “If you find something, call the bank immediately.”

As for Puccia, he said his bank provided exactly the service he needed after the jolt of discovering the fraud. It not only investigated the incident and restored the lost funds but also offered useful advice to someone like him who travels frequently.

“They advised me not to use a debit card when traveling and if so, to transfer money daily when needed,” he says. About the only other thing he could ask for at this point is an additional layer of outreach to help him stay informed: “I’d like a text or email notification every time my cards are used.”

But if lightning somehow strikes twice, it’s a safe bet his bank will come to the rescue again—and thus prove that often, the best ally to fight acts of fraud is a bank that acts like a friend.

BAI
Wayback