I am often asked why clients should invest in cyber fraud protection when fraud losses are “under control.” In fact, some clients will invest in cyber fraud protection beyond the fraud losses they attribute to the online channel. The reason is that the impact of fraud goes far beyond actual money lost. Fraud compromises customers’ identities and assets, overloads the enterprise’s internal resources and could ultimately hurt the brand and lead to customer churn. In the simplest sense, forward-thinking enterprises see taking extra measures to secure assets held in their care as a key part of their commitment to customers.
What are the business drivers for fraud protection? In this article, I will explore online (cyber) channel fraud that impacts the primary way customers transact with financial, health care, retail and government organizations. The examples herein will focus on the banking industry.
Cross-Channel Fraud Losses (or the Link Between Online and Offline Fraud)
Our increasingly online lives enable criminals to use technology to steal our credentials and personal data to take over our accounts, often via phishing and malware, resulting in fraudulent transactions. But criminals can also harvest critical information that enables cross-channel fraud, such as check and phone fraud. Criminals no longer need your purse or wallet to know “you;” they simply use information stolen from online systems, such as social security numbers, addresses, phone numbers and check images, to authenticate themselves as their victims and act on their behalf. While this activity isn’t “online,” the online channel makes this information more accessible than ever before.
Fraud Protection Costs (or Who Needs This Headache?)
To deal with fraudulent activity, an enterprise must set up an elaborate process across customer relationship managers, technical support, fraud analysts and criminal investigators. When suspicious activity is detected — often by anxious customers — a deep analysis is required to determine the cause and nature of the incident. Bank personnel immediately engage in attempts to recover the stolen funds, and customer support staff need to work with the victim to restore access to banking services when the customer environment (computer, mobile device and network) is deemed safe. If this sounds like a lot of effort, that’s because it is.
Legal and Regulatory Exposure (or Keep Our Name Out of the Newspaper)
In many cases, fraud is initiated on the end-user device due to less-than-adequate security employed by the victim. U.S. regulators required banks to compensate retail customers for fraud losses no matter how negligent the customer was, however; this is different in other parts of the world, especially in Europe. When corporate customers are involved, there is no legal obligation for a full refund of fraud losses. The law has chosen to view both parties in the case as capable of taking measures to prevent fraud. In some fraud cases, banks choose to go to court with customers over the extent of the refund. No matter the outcome, such publicity, expense and distraction isn’t good for business. Ultimately, some banks have chosen to require business customers to deploy anti-fraud measures on their devices to be granted access to online banking services. This reduces the likelihood of these damaging scenarios playing out.
Brand Impact and Customer Churn (or Customers Can Get Really Upset)
Clients experiencing fraud could lose trust in the enterprise security, even for no good reason. If losses are not fully covered, litigation and bad PR can follow. Even at a smaller scale, fraud incidents are shared by unhappy customers on social networks. All of this “collateral damage” can impact the enterprise brand and lead to customer churn. Fraudulent activity also invites deeper regulatory scrutiny on processes and procedures that further distracts line of business and IT resources.
For all of the above reasons, many clients take the ‘an ounce of prevention is better than a pound of cure’ approach. Clients deploy a layered defense that prevents the initiation of fraudulent activity (described in this article as “offensive” measures) as well as a robust back-end process to quickly address fraudulent activity (described in this article as “defensive” measures). Such approaches will harden enterprise fraud defenses and reduce the tangible and intangible costs of fraud.