Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
Types of Bank Fraud And How to Prevent Them (With Examples)
Back to blog homepage icon Ping Identity Blog
  • What is Bank Fraud?
  • Prevention Strategies
  • Banking Fraud Mitigation
  • Bank Fraud Prevention With Ping Identity
    • Back to top
    Back to blog homepage icon Ping Identity Blog
  • What is Bank Fraud?
  • Prevention Strategies
  • Banking Fraud Mitigation
  • Bank Fraud Prevention With Ping Identity
    • Back to top

    12 Most Common Types of Bank Frauds

    Apr 8, 2024
    -minute read
    Adam Preis
    Director, Product & Solution Marketing

    Bank fraud is becoming more prevalent, with sophisticated attacks resulting in both financial and reputational damage. One study reports that over 70% of financial institutions lost at least $500,000 to fraudulent activity in 2022. The hardest-hit institutions were fintech companies and regional banks.

     

    On top of that, the financial services industry is becoming increasingly regulated, particularly when it comes to verifying customer identities and incorporating anti-money laundering protocols.

     

    Establishing mutual trust between customers and financial institutions goes a long way in preventing bank fraud. With the right practices in place, users enjoy a frictionless experience while financial institutions can prevent multiple types of consumer fraud using increased identity verification and monitoring — all while staying compliant with federal regulations.

    What is Bank Fraud?

    Bank fraud is an illegal activity that works to steal money or other property from a financial institution or its customers. Historically, bank fraud consisted of physical acts like cashing a fraudulent check or stealing a credit card. But with the rise of digital banking, attacks have become increasingly sophisticated.

     

    It's important to understand different kinds of bank fraud examples in order to prepare your institution for prevention and protect your customers.

     

    Types of Bank Fraud

     

    Account Takeover

    Banks are at high risk for account takeover (ATO) fraud. This is when an unauthorized user gains access to a customer's account using their login credentials. Account takeover can be accomplished using a number of different strategies.

     

    Phishing Attacks

    Login credentials can be obtained through phishing attacks, such as fake emails, texts, or phone calls. Usually, the account holder is targeted and tricked into giving out their account information to someone posing as a bank employee.

     

    But bank employees are also at risk of phishing attacks. For instance, call center fraud is a growing problem. Instead of the attacker posing as the bank and contacting the account holder, they pose as the account holder and try to obtain account details from the bank's call center.

     

    Credential Stuffing

    Credential stuffing is a strategy used by fraudsters who have purchased stolen credentials off the dark web. Usually, the data is incomplete. So from there, they use computer programs to stuff usernames and passwords into different websites in large quantities, hoping for a match. Success rates are low, but attackers work with large volumes of data to achieve access to compromised accounts.

     

    Session Hijacking

    Session hijacking occurs in the middle of the user journey, rather than at the login stage. The attacker uses stolen session cookies to take over a customer's existing session. The stolen data is usually obtained using third party browser extensions, malware-infected devices, or public WiFi networks. The hijacker can view information being sent and received, including financial details of an online bank account.

     

    Social Engineering

    With social engineering, attackers exploit human psychology in order to gain access to user account credentials. There are many possible tactics, including:

     

    • Impersonating an executive and emailing employees for information

    • Baiting a customer to prevent a fake emergency scenario, such as account suspension

    • Bribing employees to bypass authentication practices

     

    Social engineering overlaps with other bank fraud tactics and can impact customers and employees.

     

    Password Spraying

    Instead of trying to gain accurate login credentials, bad actors may attempt password spraying by pairing a large number of usernames with common passwords. By using bots to act at scale, attackers can eventually find accurate combinations and gain account access.

     

    Types of account takeover fraud

     

    New Account Fraud

    Existing accounts aren't the only ones at risk in the banking industry. New account fraud is another threat that has many implications. They may use someone else's identity to open a new account, or they may combine both real and fake identities to create a false account.

    Know Your Customer (KYC) regulations help banks prevent new account fraud by verifying the individual's identity both when the account is opened and as the banking relationship continues.

     

    Fraudulent Documents

    Fake documents can be used as part of a new account fraud scheme. It's a way to make identity theft look real by using fake IDs, email addresses, or checks. Alternatively, cybercriminals may also create fake bank statements in order to get approved for a loan or other type of financing, either under a stolen identity or a false identity.

     

    Check Fraud

    Check fraud can occur in a few different ways. The most common type is fraudsters creating counterfeit checks. They look real and can be used either to make purchases or to withdraw funds from someone else's account. Check washing is another type of bank fraud that involves erasing ink from a stolen check (often from the mail). New payee details are then entered before the criminal goes to cash the check.

    There are also mobile check deposit scams in which fraudsters give victims a fake check to deposit. The victim is then asked to return a portion of the funds (usually by money order, wire transfer, or gift card), before the check is ultimately flagged as fraudulent.

     

    Money Laundering

    Banks are responsible for anti-money laundering (AML) policies to curb criminals from using their bank accounts to house and transfer illegal funds. In addition to Know Your Customer requirements, banks must also incorporate customer due diligence (CDD), customer and transaction screening, and suspicious activity reporting. There are regulatory requirements in place to help reduce the risk of money laundering.

     

    Authorized Push Payments

    An authorized push payment (APP) is when a fraudster tricks the account holder into making a payment that is difficult to reverse. They may pose as a business offering goods or services, or create a false scenario involving an advance fee in exchange for a prize or investment. This is an example of how social engineering combines with digital tactics to take advantage of victims and convince them to send money to someone assuming a false identity.

     

    Real-time Payment Fraud

    Real-time payments are making transactions faster than ever, which means they're easy to exploit without the proper prevention methods in place. As criminals implement authorized push payment fraud, it's harder for financial institutions to identify these transactions and reverse them, since there is often no way to recall a real-time payment.

     

    And because real-time payments often take place over smartphones and WiFi connections, fraudsters also have the opportunity to hijack sessions and steal credentials for future use.

     

    Wire Fraud

    Wire transfer scams are common, largely because fraudulent wires are difficult to reverse. Criminals use multiple strategies to convince individuals to wire money. There are several scenarios bank customers may come across.

     

    While assuming a fake identity, fraudsters may solicit account numbers by calling or emailing individuals, all while posing as government agencies like the IRS or even family members.

     

    Another element of wire transfer fraud is called "money muling." Unsuspecting individuals not involved with the money laundering scheme have their financial information or accounts used as the landing place for receiving the wired funds. Then the money is moved to the criminal's account, which offers some shielding and makes the stolen funds harder to track.

     

    Many fraudsters also impersonate bank officials once a wire transfer takes place. The goal is to slow down the customer from reporting the transaction to the real bank, making it more difficult to recover the stolen money.

     

    Bill Discounting Fraud

    Bill discounting is a sophisticated scheme involving criminals who open a business account at a bank. They get the bank to bill the business's clients, who are also part of the scheme. The clients pay at first to establish a positive banking history.

     

    After a while, however, the business asks the bank to credit the bills to their account — since there is a history of payment. Once those credits are made, the fake business owner drains the account, the clients never pay, and the bank loses the funds to this scheme.

    Types of new account fraud

    Prevention Strategies

    Identity Verification

    Identity verification keeps you compliant with KYC regulations by verifying that a digital identity matches a real-life identity. Solutions include confirming that a live-face capture matches a government ID and linking digital identities to verified devices or credentials.

     

    Multi-factor Authentication (MFA)

    With MFA, your customers are better protected by being required to supply two forms of evidence when logging into an account. 

    They'll need two out of three types of confirmation:

     

    • Something they know, like passwords, pins, or KBAs

    • Something they have, like a bracelet, key fob, or device

    • Something the are, like a fingerprint, voice, face or retinal pattern

     

    This helps prevent scammers from logging into a bank account with a stolen password.

     

    Customer and Employee Education

    Educating customers and employees on red flags and common schemes is an important part of fighting against fraud. You can embed warnings in transactions and email communications so they know what looks legitimate and what might be a scam.

     

    Publish literature on common schemes, particularly throughout the year, like during tax season or holiday shopping when online payments are at an all-time high. This can keep people on alert and understand what real bank employees and executives can actually ask of them.

     

    Policy-based Access Control

    Integrating adaptive access involves authorizing access based on predetermined policies. Authorization is given (or denied) based on the bank's choice of attributes. 

     

    For employees, this could include factors like job title, security clearance, and time of day. For customers, access may be contingent upon things like location of access, travel velocity, and threat level.

     

    Verified Credentials

    Using verified credentials allows banks to confirm attributes of a user with customized policies on what is accepted. This helps reduce fraud and account takeovers because the credentials are cryptographically secured. You can also monitor who issued the credential and who it was issued to.

     

    Risk-signal Monitoring

    Banks can also use automated risk-signal monitoring to authenticate users based on multiple unique factors. These could include time of date, IP address, location, and context of requests being made. Risk-signal monitoring can be done in real-time to quickly prevent fraudulent login or limit access if a successful (but suspicious) login is achieved.

    Banking Fraud Mitigation

    In addition to prevention, it's critical (and required) for banks to have a fraud mitigation plan in place. Here are immediate action steps to take in the case fraud is suspected or detected.

     

    • Contact law enforcement and bank account holders: Both notifications are required by federal law. Regulators must be notified within 36 hours.

    • Freeze affected accounts.

    • Initiate investigations.

    • Rebuild trust with customers.

    • Enhance security measures.

       

    Involve multiple stakeholders when creating the mitigation plan to make sure you have proper communication between departments. Also remember to assess how well the response plan went after an event has occurred and make adjustments as necessary.

    Bank Fraud Prevention With Ping Identity

    Fraud prevention within the banking industry is important in terms of customer retention, federal compliance, and financial security. Starting with a robust digital identity strategy is the first step in ensuring KYC and AML compliance.

     

    Know Your Customers: The Power of Digital Identity for Financial Services

     

    Listen in to a discussion of the role that identity proofing plays in fostering customer trust, reducing fraud losses, and growing your business.

    Watch the Webinar
    Share this Article:
    Related Resources
    What Is Strong Authentication? Processes & Best Practices
    Adam Preis
    Oct 28, 2024
    Understand the key components of strong authentication, and best practices to protect your organization and customer data.
    The Dawn of Open Banking in the U.S.: How Identity Powers CFPB’s Personal Financial Data Rights Rule
    Adam Preis
    Oct 24, 2024
    Enable CFPB personal financial data rights rule with digital identity to power US open banking.

    Start Today

    Contact Sales

    sales@pingidentity.com

    +1 877-898-2905

    See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.