Overall, which types of fraud has your organisation experienced in the past year?

Transcription

1 1) Overall, which types of fraud has your organisation experienced in the past year? Insider fraud Corporate Account Takeover Consumer Account Takeover ATM/ABM (skimming, ram raid, etc.) Bill pay Cheque Corruption or bribery Credit/debit card Cross-border Call Centre First-party Customer information theft Customer information deletion or corruption Intellectual Property theft or piracy Intellectual Property deletion or corruption Mobile device (malware, hack, etc.) Money-laundering Mortgage Online banking ecommerce (non-banking) Theft of physical assets Third-party POS skimming Vendor, third-party or supplier (non-skimming) 2) Which types of fraud do you feel your organisation is currently best prepared to prevent and detect? Insider fraud ACH/wire (corporate account takeover) ATM/ABM (skimming, ram raid, etc.) Bill pay Check

2 Corruption or bribery Credit/debit card Cross-border Call Centre First-party Customer information theft Customer information deletion or corruption Intellectual Property theft or piracy Intellectual Property deletion or corruption Mobile device (malware, hack, etc.) Money-laundering Mortgage Online banking ecommerce (non-banking) Theft of physical assets Third-party POS skimming Vendor, third-party or supplier (non-skimming) 3) How is a fraud incident involving your organisation typically detected? At the point of origination At the point of transaction During account audit/reconciliation Internal whistleblower Third-party investigation Third-party notification Through automated data analysis or transaction monitoring software When a customer notifies us 4) When fraud occurs, how long do you estimate it takes your organisation to uncover the incident? 1 to 2 hours 3 to 4 hours

3 5 to 6 hours 7 to 8 hours More than 8 hours We lack that ability every incident is different 5) Upon discovering fraud, how long does it take for your organisation to react, respond and resolve the incident? 1-8 hours 9-16 hours hours 1-2 days 3-5 days More than five days We lack that ability 6) Have financial losses linked to fraud increased, decreased or stayed steady in the past year? Increased Decreased Remained Steady Unsure 7) Beyond the financial toll from the fraud incidents, what non-financial losses did your organisation suffer from fraud incidents? Customer accounts (moved to other institutions) Loss of productivity No losses Regulatory or other compliance issues (additional scrutiny from regulators or standards bodies) Reputational impact

4 8) Which are your organisation's biggest challenges to fraud prevention? Difficulty integrating data from various sources Difficulty investigating crimes across borders Inadequate fraud detection tools & technologies Insufficient resources (budget and/or personnel) Lack of customer awareness Lack of skills on staff Organisational silos Poor coordination with law enforcement 9) Which of these recommended technology-based controls has your organisation already invested in? Multifactor authentication Device ID Out-of-band verification for authentication Out-of-band verification for transactions "Positive pay," debit blocks, and other limits on transactional use Enhanced control over changes to account-maintenance activities by customers Enhanced controls over account activities Enhanced customer education Fraud detection and monitoring systems Internet protocol [IP] reputation-based tools Behavior-based anomaly detection technology Manual processes to detect online banking anomalies Cross-channel fraud detection Big data analytics Artificial intelligence 10) Which anti-fraud investments do you plan to make within the next 12 months? Multifactor authentication Device ID

5 Out-of-band verification for authentication Out-of-band verification for transactions "Positive pay," debit blocks, and other limits on transactional use Enhanced control over changes to account-maintenance activities by customers Enhanced controls over account activities Enhanced customer education Fraud detection and monitoring systems Internet protocol [IP] reputation-based tools Behavior-based anomaly detection technology Manual processes to detect online banking anomalies Cross-channel fraud detection Big data analytics Artificial intelligence 11) Who ultimately should be held responsible for losses incurred from financial data breaches (assuming the fraudsters themselves are not tracked down)? The organisation whose systems were breached The institution that issued the compromised financial instrument or transaction channel (e.g. payment card or bank account) The security vendor that testified to the breached entity's security The payment card brands whose cards are susceptible to breach and fraud The holder of the account that was compromised Organisations who's systems or products were used to conduct the fraud (such as domain name providers) without due diligence being taken as to their use 12) In the most common or most serious cases of fraud your organisation experienced, which PRIMARY mechanisms were employed to obtain information for fraudulent use? (select two) Phishing - to capture web credentials Phishing - to install malware (from attachment or web site) Malware infection (visiting compromised web site) Malware infection by any other method Call Centre Social Engineering Employee Social Engineering (other than Call Centre)

6 Physical data removal - stolen Physical data removal - lost/poorly disposed of Network penetration (e.g. poor firewall or data segmentation policies) Application security compromise Poor authentication policies (e.g. default, shared or simple passwords) Large scale data breach using a combination of the above (potentially an "Advanced Persistent Threat") 13) What attack mechanisms do you feel that your company is BEST able to defend against? Phishing - to capture web credentials Phishing - to install malware (from attachment or web site) Malware infection (visiting compromised web site) Malware infection by any other method Call Centre Social Engineering Employee Social Engineering (other than Call Centre) Physical data removal - stolen Physical data removal - lost/poorly disposed of Network security circumvention (e.g. poor firewall or segmentation policies) Application security compromise Poor authentication policies (e.g. default, shared or simple passwords) Large scale data breach using a combination of the above (potentially an "Advanced Persistent Threat") 14) What change have you seen in account takeover activity in the past year? Corporate Account takeover incidents have decreased Consumer Account takeover incidents have decreased Corporate Account takeover incidents have increased Consumer Account takeover incidents have increased No measurable impact

7 15) What change have you seen in account takeover financial losses in the past year? Corporate Account takeover losses have decreased Consumer Account takeover losses have decreased Corporate Account takeover losses have increased Consumer Account takeover losses have increased No measurable change 16) Over the past year, how did card-related fraud losses most commonly occur? Customer perpetrated the fraud Data breach at a payment processor Data breach at a retailer Insider/employee perpetrated the fraud Mail or telephone order/internet fraud/card-not-present PIN point-of-sale fraud Signature point-of-sale (skimming) fraud Unauthorised ATM (skimming) withdrawals not applicable 17) Over the past year, have you detected a rise in cross-channel fraud, where multiple channels are compromised concurrently? Yes, we detect an increase in cross-channel fraud No significant increase Cross-channel incidents have decreased 18) How has the number of targeted phishing attacks aimed at your employees changed in the past year? Increased Decreased Employees have not been targeted

8 19) How has the number of fraud incidents resulting from these targeted phishing attacks changed in the past year? Increased Decreased Employees have not been targeted 20) What mobile malware trends have you seen over the past year? We see a significant increase in mobile malware attacks We see no significant change whatsoever We actually see a decrease 21) How does your organisation defend against mobile malware attacks? Secure mobile apps Provide free mobile malware detection software Provide secure mobile-browser banking Customer education Anomaly detection Mobile malware is not a current concern not applicable 22) How has the number of insider fraud incidents changed in the past year? The number has grown The number has decreased No measurable change 23) How does your organisation currently address insider fraud risks? Cross-checks with HR for unsatisfactory performance Use of centralised logging to detect data exfiltration Use of encrypted Web sessions via traffic inspection to detect data exfiltration

9 Use of SIEM signatures to detect precursors to IT sabotage Enhanced IAM systems Behavioral monitoring Anomaly detection Heightened background checks Quarterly reviews of employee activity Internal whistleblower 24) In your opinion, how effective are awareness & training programs for employees and customers in reducing incidents of fraud? Done right, very effective Not at all effective - just lip service Only somewhat effective 25) How do you assess your organisation's current anti-fraud awareness & training programs for employees? 1 - superior 2 - above average 3 - average 4 - below average 5 - failing 26) How do you assess your organisation's current anti-fraud awareness & training programs for customers? 1 - superior 2 - above average 3 - average 4 - below average 5 - failing 27) Does your organisation calculate the total impact of fraud across all channels on an ongoing basis? Yes No 28) Does your organisation report fraud incidents to the police?

10 Yes, in all cases Only when losses incurred reach a pre-determined level No 29) Does your organisation share information on fraudulent activity with other companies in your sector? If so, how effective is this strategy in reducing fraud perpetrated against your company? We do not share information on fraud outside our organisation Sharing information on fraudulent activity with other companies has no measurable impact on reducing future fraudulent activity against us Sharing information on fraudulent activity with other companies helps us implement appropriate counter-fraud measures which has a measurable impact on future attempts at fraud 30) Do you support the need for added public surveillance and expanded monitoring powers for law enforcement in combatting cyberfraud? Always for matters of a national security scope Only in extreme cases where court authorisation can be produced In specific cases where court preauthorisation can provide blanket access Law enforcement & intel agencies should have access to all available information Surveillance and monitoring are always acceptable with proper notice & consent So long as the fundamental right to individuals' privacy is respected 31) Where should we draw the line for warrantless access when investigating cybercrime or traditional fraud activity? Warrantless access with proper notice, consent and disclosure is permissible It must be disclosed well ahead of time in every instance It must be publicly disclosed & independently audited, but allowed It must only be kept secret if deemed of a national security nature It should never be used as it erodes public trust not applicable 32) Why is the battle against money laundering and ID theft so difficult in the UK?

11 Cybercrime trends are moving faster than law enforcement can keep up Inadequate training for law enforcement & intelligence agencies Lack of collaboration and shared/centralised information access Discrepancies in law across geopolitical boundaries Organised cybercrime is too complex, layered and decentralised Don't believe the hype. The UK has made great progress in the past 36 months. 33) In what ways has cyberfraud supplanted traditional fraud? Actually, cyberfraud and cybercrime require entirely different law enforcement capabilities Both are motivated by profit and leverage deceptive tactics, but cyberfraud does it on a larger scale For traditional fraud to scale, it must go digital, so cyberfraud is the natural next step Law enforcement already treats them largely the same way Laws should be harmonised to prosecute and treat them with equal veracity 34) How should the effectiveness of fraud reporting be enhanced in the UK? Fraud reports should be openly accessible by everyone Much more resources should be allocated to combatting emerging threats Public education programs should be widely available across UK Free tools should be made available to supplement enhanced education Better metrics and quantitative methods should be used to track fraudulent activity There should be single reporting point for fraud and cyber crime 35) What is the title of the person charged with leading fraud prevention at your organisation? Chief operations officer Compliance officer Fraud manager Information security officer IT Physical security/loss prevention officer

12 Risk manager local counter fraud specialist 36) How large is your organisation's department assigned to fraud prevention and detection? 1 to 5 6 to to to 100 More than 100 We do not have a designated dept. Duties are managed by audit, compliance, IT, risk, etc. 37) What is your primary job function? Auditor BSA officer CEO/COO/CFO/CIO Compliance manager Fraud/loss prevention Finance/Accounting Operations Risk officer Security officer CISO Security consultant CRO Risk manager Senior Security/IT (non-c titles) Technical Staff 38) What type of entity is your organisation? Bank Building Society Government agency Independent service organisation

13 Other financial services organisation 39) If a bank or other FI, what is your organisations size by assets? Under 250 million 250 million to 500 million 500 million to 1 billion 1 billion to 5 billion 5 billion to 10 billion Over 10 billion Not applicable 40) Where is your organisation headquartered geographically? United Kingdom Asia (except India) Australia/New Zealand Canada Caribbean Europe (except UK) India Mexico Pacific/Oceania South America 41) The first 50 respondents will receive a 15 Amazon gift card. Please submit your address to qualify. If you would like to be notified of survey results, please provide your address in the box below: