Fight fraud by reducing human error via cybersecurity training.
Perhaps the most practical, cost-effective way to fight fraud is a good training program. “At the end of the day,” notes Chris Guard, VP/compliance and fraud at $40 billion North Carolina State Employees’ Credit Union, Raleigh, “most fraud is not a result of sophisticated technology but human error.” The human element remains the weakest link, and educating staff is critical. “Attacks occur simultaneously across multiple channels,” he explains, “so the contact center, the tellers and the new accounts people all have to be alert to what’s happening across all these channels.”
“No product can replace a vigilant credit union employee,” says John Buzzard, previously principal of the counterfeit ATM fraud operation at FICO and now industry fraud specialist at CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, California. “The fraudsters may have a lot of data needed to fool machines, but an alert person can throw them off just by changing the routine a bit and asking good questions. I attended a conference once,” he recalls, “where the primary speaker was a convicted (and recently paroled) cyber thief. When someone in the audience asked him which corporate target was the toughest to penetrate, he replied, ‘That would be American Express, because they allow their employees to think outside the box by asking unusual questions. Many of them would simply place me on hold and call the actual cardholder directly, thwarting my best efforts with a single phone call.’ Sometimes the simplest action has the most powerful results.”
BrightWise is a cybersecurity training firm based in West Des Moines, Iowa, a joint venture with LMG Security, Missoula, Montana, that was formed in September 2018 to help financial institutions train their staffs to avoid breaches, reports Corey Skadburg, chief operating officer. “The big attacks are orchestrated by computers and the financial institutions are protected by computers—infrastructure versus infrastructure—but more than half the time the fraud happens because of human error,” he reports. Deceptive phishing tactics can still get a staff member to click on a link that downloads malware, and from there, the crooks can take over a credit union’s systems, he explains. Or members could be tricked into giving their credentials to the bad guys through phishing emails and links that look like they came from the CU.
The answer, Skadburg says, is to educate people so they don’t accidentally open the door to a break-in, which is the BrightWise mission, he explains. “There is a ton of fraud mitigation software out there, which the fraudsters recognize and try to get around, but the weak point of fraud mitigation is the naïve or careless human who makes a costly mistake.” No computer can prevent a member-services rep from revealing confidential information if he or she is convinced that they’re helping a legitimate member, he insists. So training is needed and recognized and practiced, but not always in the most effective ways, he claims. MSRs are not necessarily the weak link, he notes; it’s just as likely to be the CEO or a board member who gets tricked.
“Too many financial institutions use training to satisfy compliance, not primarily to prevent fraud,” Skadburg charges. “You can’t have annual training sessions and expect staff to remember it all during the year.” Short videos—as short as three to six minutes—that can be used as monthly reminders or for new hires or to head off new threats are a better solution, he argues. That’s what BrightWise provides to clients who are just starting to use the product. There are no case studies yet on how well it works, but the company has run successful training exercises: It trained a CU staff on recognizing phishing, and then launched phishing attacks against the staff. Nobody fell for the scams, he reports.
For most CUs, training staff is a lot easier than training members. For that, BrightWise provides messages a CU can post on its web site or attach to statements and hope that they are heeded.
Richard H. Gamble writes from Grand Junction, Colorado.