12 Most Common Types of Bank Frauds

Apr 8, 2024
By Adam Preis, Director, Product & Solution Marketing, Ping Identity

Bank fraud is becoming more prevalent, with sophisticated attacks resulting in both financial and reputational damage. One study reports that over 70% of financial institutions lost at least $500,000 to fraudulent activity in 2022. The hardest-hit institutions were fintech companies and regional banks.

 

On top of that, the financial services industry is becoming increasingly regulated, particularly when it comes to verifying customer identities and incorporating anti-money laundering protocols.

 

Establishing mutual trust between customers and financial institutions goes a long way in preventing bank fraud. With the right practices in place, users enjoy a frictionless experience while financial institutions can prevent multiple types of consumer fraud using increased identity verification and monitoring — all while staying compliant with federal regulations.

Key Takeaways

 

  • Bank fraud incidents are on the rise, with over 70% of financial institutions losing at least $500,000 to fraudulent activities in 2022.
  • Financial institutions face stricter regulations for customer identity verification and anti-money laundering, highlighting the need for robust fraud prevention strategies.
  • Identity verification, multi-factor authentication (MFA), and adaptive access control are key methods for enhancing security against fraudsters.
  • Banks must have an actionable fraud response plan, including notifying law enforcement and freezing affected accounts, to address fraud promptly and minimize damage.

What is Bank Fraud?

Bank fraud is an illegal activity that works to steal money or other property from a financial institution or its customers. Historically, bank fraud consisted of physical acts like cashing a fraudulent check or stealing a credit card. But with the rise of digital banking, attacks have become increasingly sophisticated.

 

It's important to understand the different kinds of bank fraud in order to prepare your institution for prevention and protect your customers.

 

Types of Bank Fraud

 

Account Takeover

Banks are at high risk for account takeover (ATO) fraud. This is when an unauthorized user gains access to a customer's account using their login credentials. Account takeover can be accomplished using a number of different strategies.

 

Phishing Attacks

Login credentials can be obtained through phishing attacks, such as fake emails, texts, or phone calls. Usually, the account holder is targeted and tricked into giving out their account information to someone posing as a bank employee.

 

But bank employees are also at risk of phishing attacks. For instance, call center fraud is a growing problem. Instead of the attacker posing as the bank and contacting the account holder, they pose as the account holder and try to obtain account details from the bank's call center.

 

Credential Stuffing

Credential stuffing is a strategy used by fraudsters who have purchased stolen credentials off the dark web. The data is usually incomplete, so they use computer programs to stuff usernames and passwords into different websites in large quantities, hoping for a match. Success rates are low, but attackers work with large volumes of data to gain access to compromised accounts.

 

Session Hijacking

Session hijacking occurs in the middle of the user journey, rather than at the login stage. The attacker uses stolen session cookies to take over a customer's existing session. The stolen data is usually obtained using third-party browser extensions, malware-infected devices, or public WiFi networks. The hijacker can view information being sent and received, including financial details of an online bank account.

 

Social Engineering

With social engineering, attackers exploit human psychology in order to gain access to user account credentials. There are many possible tactics, including:

 

  • Impersonating an executive and emailing employees for information
  • Baiting a customer into acting to avert a fake emergency scenario, such as account suspension
  • Bribing employees to bypass authentication practices

Social engineering overlaps with other bank fraud tactics and can impact customers and employees.

 

Password Spraying

Instead of trying to gain accurate login credentials, bad actors may attempt password spraying by pairing a large number of usernames with common passwords. By using bots to act at scale, attackers can eventually find accurate combinations and gain account access.
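The credential stuffing and password spraying patterns described above leave different footprints in login logs, which the following added example (not part of the original article) uses to tell them apart. The event tuples, the threshold, and the password fingerprint field are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (source_ip, username, password_fingerprint, success).
# Assumption: the login service records a keyed, truncated hash of each attempted
# password so repeats can be counted without ever storing the password itself.
EVENTS = (
    [("203.0.113.5", f"user{i}", "fp_A", False) for i in range(30)]        # one password, many users
    + [("198.51.100.9", f"cust{i}", f"fp_{i}", i == 7) for i in range(30)]  # unique pair per user
    + [("192.0.2.44", "alice", "fp_x", False), ("192.0.2.44", "alice", "fp_y", True)]  # ordinary typo
)

MIN_USERS = 20  # hypothetical threshold: distinct usernames tried from one source


def classify_sources(events, min_users=MIN_USERS):
    """Label each source IP as 'password_spraying', 'credential_stuffing' or 'normal'."""
    users = defaultdict(set)
    fingerprints = defaultdict(set)
    for ip, user, fp, _ok in events:
        users[ip].add(user)
        fingerprints[ip].add(fp)
    verdicts = {}
    for ip in users:
        n_users, n_fps = len(users[ip]), len(fingerprints[ip])
        if n_users < min_users:
            verdicts[ip] = "normal"
        elif n_fps <= n_users * 0.1:
            # A few common passwords reused across many usernames.
            verdicts[ip] = "password_spraying"
        else:
            # Roughly one distinct password per username: replayed stolen pairs.
            verdicts[ip] = "credential_stuffing"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a flagged source need a forced reset."""
    return sorted({u for ip, u, _fp, ok in events if ok and verdicts[ip] != "normal"})
```

Source IP is the grouping key here for brevity; the same counts can be kept per device fingerprint or network range.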

 


 

New Account Fraud

Existing accounts aren't the only ones at risk in the banking industry. New account fraud is another threat that has many implications. Fraudsters may use someone else's identity to open a new account, or they may combine both real and fake identities to create a false account.

Know Your Customer (KYC) regulations help banks prevent new account fraud by verifying the individual's identity both when the account is opened and as the banking relationship continues.

 

Fraudulent Documents

Fake documents can be used as part of a new account fraud scheme. It's a way to make identity theft look real by using fake IDs, email addresses, or checks. Alternatively, cybercriminals may also create fake bank statements in order to get approved for a loan or other type of financing, either under a stolen identity or a false identity.

 

Check Fraud

Check fraud can occur in a few different ways. The most common type is fraudsters creating counterfeit checks. They look real and can be used either to make purchases or to withdraw funds from someone else's account. Check washing is another type of bank fraud that involves erasing ink from a stolen check (often from the mail). New payee details are then entered before the criminal goes to cash the check.

There are also mobile check deposit scams in which fraudsters give victims a fake check to deposit. The victim is then asked to return a portion of the funds (usually by money order, wire transfer, or gift card), before the check is ultimately flagged as fraudulent.

 

Money Laundering

Banks are responsible for anti-money laundering (AML) policies that keep criminals from using their bank accounts to house and transfer illegal funds. In addition to Know Your Customer requirements, banks must also incorporate customer due diligence (CDD), customer and transaction screening, and suspicious activity reporting. There are regulatory requirements in place to help reduce the risk of money laundering.

 

Authorized Push Payments

An authorized push payment (APP) is when a fraudster tricks the account holder into making a payment that is difficult to reverse. They may pose as a business offering goods or services, or create a false scenario involving an advance fee in exchange for a prize or investment. This is an example of how social engineering combines with digital tactics to take advantage of victims and convince them to send money to someone assuming a false identity.

 

Real-time Payment Fraud

Real-time payments are making transactions faster than ever, which means they're easy to exploit without the proper prevention methods in place. As criminals implement authorized push payment fraud, it's harder for financial institutions to identify these transactions and reverse them, since there is often no way to recall a real-time payment.

 

And because real-time payments often take place over smartphones and WiFi connections, fraudsters also have the opportunity to hijack sessions and steal credentials for future use.

 

Wire Fraud

Wire transfer scams are common, largely because fraudulent wires are difficult to reverse. Criminals use multiple strategies to convince individuals to wire money. There are several scenarios bank customers may come across.

 

While assuming a fake identity, fraudsters may solicit account numbers by calling or emailing individuals, all while posing as government agencies like the IRS or even family members.

 

Another element of wire transfer fraud is called "money muling." Unsuspecting individuals not involved with the money laundering scheme have their financial information or accounts used as the landing place for receiving the wired funds. Then the money is moved to the criminal's account, which offers some shielding and makes the stolen funds harder to track.

 

Many fraudsters also impersonate bank officials once a wire transfer takes place. The goal is to delay the customer in reporting the transaction to the real bank, making it more difficult to recover the stolen money.

 

Bill Discounting Fraud

Bill discounting is a sophisticated scheme involving criminals who open a business account at a bank. They get the bank to bill the business's clients, who are also part of the scheme. The clients pay at first to establish a positive banking history.

 

After a while, however, the business asks the bank to credit the bills to their account — since there is a history of payment. Once those credits are made, the fake business owner drains the account, the clients never pay, and the bank loses the funds to this scheme.


Prevention Strategies

Identity Verification

Identity verification keeps you compliant with KYC regulations by verifying that a digital identity matches a real-life identity. Solutions include confirming that a live-face capture matches a government ID and linking digital identities to verified devices or credentials.

 

Multi-factor Authentication (MFA)

With MFA, your customers are better protected by being required to supply two forms of evidence when logging into an account. 

They'll need two out of three types of confirmation:

 

  • Something they know, like passwords, PINs, or KBAs
  • Something they have, like a bracelet, key fob, or device
  • Something they are, like a fingerprint, voice, face or retinal pattern

 

This helps prevent scammers from logging into a bank account with a stolen password.

 

Customer and Employee Education

Educating customers and employees on red flags and common schemes is an important part of fighting against fraud. You can embed warnings in transactions and email communications so they know what looks legitimate and what might be a scam.

 

Publish literature on common schemes throughout the year, particularly during periods like tax season or holiday shopping, when online payments are at an all-time high. This keeps people alert and helps them understand what real bank employees and executives can actually ask of them.

 

Policy-based Access Control

Integrating adaptive access involves authorizing access based on predetermined policies. Authorization is given (or denied) based on the bank's choice of attributes. 

 

For employees, this could include factors like job title, security clearance, and time of day. For customers, access may be contingent upon things like location of access, travel velocity, and threat level.

 

Verified Credentials

Using verified credentials allows banks to confirm attributes of a user with customized policies on what is accepted. This helps reduce fraud and account takeovers because the credentials are cryptographically secured. You can also monitor who issued the credential and who it was issued to.

 

Risk-signal Monitoring

Banks can also use automated risk-signal monitoring to authenticate users based on multiple unique factors. These could include time of day, IP address, location, and context of requests being made. Risk-signal monitoring can be done in real time to quickly prevent a fraudulent login or limit access if a successful (but suspicious) login is achieved.
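The customer-side policy attributes named under Policy-based Access Control (location, travel velocity, threat level) and the risk-signal response described above can be combined into one decision function, shown here as an added example that is not from the original article. The speed limit, the decision labels, the `known_device` flag and the sample logins are assumptions.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # hypothetical policy value: roughly airliner cruising speed

# Constructed sample logins (coordinates in degrees).
LONDON_0900 = {"lat": 51.5074, "lon": -0.1278, "time": datetime(2024, 4, 8, 9, 0)}
PARIS_1200 = {"lat": 48.8566, "lon": 2.3522, "time": datetime(2024, 4, 8, 12, 0)}
SINGAPORE_1000 = {"lat": 1.3521, "lon": 103.8198, "time": datetime(2024, 4, 8, 10, 0)}


def travel_velocity_kmh(prev, cur):
    """Speed implied by two consecutive logins, using haversine distance."""
    lat1, lon1, lat2, lon2 = map(
        math.radians, (prev["lat"], prev["lon"], cur["lat"], cur["lon"]))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    km = 2 * 6371.0 * math.asin(math.sqrt(a))
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:
        # Simultaneous or out-of-order logins: only suspicious if the places differ.
        return math.inf if km > 1 else 0.0
    return km / hours


def decide(prev, cur, known_device, threat_level):
    """Return 'allow', 'step_up' (require MFA) or 'limit' (restricted session)."""
    if threat_level == "high":
        return "limit"
    if prev is not None and travel_velocity_kmh(prev, cur) > MAX_KMH:
        # Impossible travel: a recognised device earns an MFA challenge, not trust.
        return "step_up" if known_device else "limit"
    if not known_device or threat_level == "medium":
        return "step_up"
    return "allow"
```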

Banking Fraud Mitigation

In addition to prevention, it's critical (and required) for banks to have a fraud mitigation plan in place. Here are immediate action steps to take in case fraud is suspected or detected.

 

  • Contact law enforcement and bank account holders: Both notifications are required by federal law. Regulators must be notified within 36 hours.

  • Freeze affected accounts.

  • Initiate investigations.

  • Rebuild trust with customers.

  • Enhance security measures.

     

Involve multiple stakeholders when creating the mitigation plan to make sure you have proper communication between departments. Also remember to assess how well the response plan went after an event has occurred and make adjustments as necessary.

Bank Fraud Prevention With Ping Identity

Fraud prevention within the banking industry is important in terms of customer retention, federal compliance, and financial security. Starting with a robust digital identity strategy is the first step in ensuring KYC and AML compliance.

 
