CIO

How investigators work to combat data theft

In almost two decades of work in the financial services industry, Brad McFarland has spent most of that time heading up fraud investigations. McFarland, currently director of corporate security with The South Financial Group, a South Carolina-based financial services holding company, is also responsible for the organization's physical security and loss prevention in addition to fraud investigation.

Over the course of his career, McFarland has seen drastic changes to the emphasis and importance placed on fraud. In the past, said McFarland, "Many institutions did not employ fraud investigators. Fraud was a cost of doing business."

But times have changed. Thanks not only to regulatory requirements but also to the reputational pressures a financial firm faces in an age of rampant data leakage and identity theft, stopping fraud is now a main priority. And that means the way investigations are conducted has evolved, too. McFarland gave CSO a breakdown of how fraud investigators and corporate, physical and information security now come together in a combined mission to stay one step ahead of the bad guys.

CSO: As Director of Corporate Security you lead fraud investigations within the organization. How do you draw the line between fraud and corporate security?

Brad McFarland: Those processes are linked. Each security discipline must hold hands in order to have an effective security program. The security program impacts fraud prevention, the safety of your employees, the security of institutional data, and customer information. A program needs to address the security of your facility and maintain or keep in-check reputational risk. As part of a global security program it is important to institute an effective training program for respective security disciplines.

I don't see any real barrier between those groups anymore. It's necessary that we maintain a strong, unified partnership to combat the issues we are seeing now across the financial services industry.

Of course professional certifications are important and they play a valuable role in expanding one's knowledge base. Certifications also have a special value in industry and they can represent advantages to employees that obtain a relevant designation.

However, from a broad perspective, there are a few basic steps that all security leaders should employ: First, and foremost, have a basic understanding of accounting principles. Assist in the implementation and utilization of sound accounting practices; from a risk management perspective, you should trust but verify accounting controls. Second, make sure that you are aware of the legal regulations that govern your field. Third, one simple guideline: communication. Effective communication plays a strong part in acquiring desired results. And fourth, implementation of an effective investigation process, to include interviewing of witnesses, documentation, and analysis tools.

What kind of fraud scenarios do you typically investigate in the financial services industry?

Fraud is constantly evolving as perpetrators co-opt the technological advances that are meant to assist us. Fraudsters are creating more diverse and complex schemes. That has required us to be more sophisticated in our approach to prevent attacks.

External fraud that we investigate is often check fraud, our biggest category and exposure. That's true across financial services.

Despite the continued growth of online payment systems, check fraud cases have continued to grow in both number of cases and total exposure amounts.

Today, fraud risk associated with the check fraud category is generally derived from organized counterfeit check ring activity. The majority of check fraud cases originate from foreign lottery scams, check overpayment scams, Internet auction scams, and work-from-home scams. Investigation of these incidents is a challenge as the individual that negotiates the fraudulent item is an unwitting participant in the criminal enterprise and the mastermind behind these schemes is usually located outside of the US. Institutions are also experiencing a significant increase in internet and cyber-based crime.

Other external fraud includes wire fraud, ACH fraud, AML issues, debit card fraud as a result of skimming devices, external loan fraud, identity theft, fraudulent accounts with fraudulent identities, online customer credential theft and hijacked accounts.

Internal fraud is globally on the rise. It is an ongoing challenge to our industry. I foresee a continued increase as fraudsters continue to take advantage of the relative anonymity that's provided by new technologies and the internet.

Criminals are energized by the current market for information. At one time, internal fraud simply meant a theft of cash. We now see that criminal activity from an internal perspective includes the theft of data. That is where a huge risk lies, particularly as related to customer data. Reputational risk, financial risk, and regulatory risk surround theft of data.

What other internal fraud do we investigate? Really any internal theft. It could be falsification of an application. Manipulation of data. Theft from customer accounts. Customer data theft, where customer information is converted for fraudulent personal use or the stolen data is sold to organized criminal groups.

Why do you think global fraud is on the rise? Is it a by-product of the economy or do you think it's that technology enables it more now?

I think it's really based on the technology. Although we have controls in place to assist in addressing vulnerabilities, fraudsters co-opt the technology and utilize it to create more diverse schemes. It is an ongoing battle as we attempt to stay one step ahead of the bad guys.

What's the most challenging aspect of fraud investigation?

To me internal fraud is the most challenging, due to the time it takes for an internal fraud to be detected. Because of the time lag that is typically experienced between the initiation of the fraudulent activity and its detection, it's difficult for a financial institution to recover funds. That is one of the jobs of Corporate Investigations. It's our job to stop the bleeding and recover any funds available.

Historically, most fraud was reported via a tip; suspicions aroused from within an internal business unit, discrepancies noted by customers, etc. Today, it is important that companies implement data analysis in an effort to take a proactive stance against fraud.

At face value, data analysis is a fraud detection tool. When a fraudulent scheme is detected, an organization can take the necessary steps to prevent additional loss. Fraud detection begets fraud prevention. Strong data that is analyzed in tandem with knowledge of potential criminal schemes can effectively allow an organization to mitigate their potential fraud risk. Data analysis can assist an organization in the identification of counterfeit check activity, compromised accounts, potential insider issues and detection of potential regulatory issues.

Fraud detection / prevention systems that are used to identify potentially suspicious behavior should be flexible since they must account for the fluid nature of fraud schemes. A fraud analyst can determine if the flagged activity is an actual fraud or an anomaly. If the activity is confirmed as fraud, the issue should be escalated via the investigation process.

With data theft, it's really difficult to detect what data has been stolen and to what parties it's been transferred. It is a long, arduous process that often requires a lot of forensic investigation on computers/systems that the individual might have accessed. It often takes a lot of law enforcement cooperation as well.

The greatest issue with internal fraud boils down to risk - the potential for loss is huge because of the time period, the reputational risk and the continuing liability issues that can arise because of the trickle-down identity theft that can occur as a result of that stolen data. Because of the capacity for associated civil liability and reputational risk, the potential impact of an internal fraud is colossal.

How do internal fraud and external fraud investigations differ?

At ground level, investigation is investigation. But for internal investigation, the biggest difference is the number of parties that become involved in the investigation: You typically have the business unit where the fraud originated, management from the impacted areas, and human resources. Information technology or information security need to be involved to look at any available data and analyze what kind of electronic fingerprints have been left by the perpetrator(s).

In our organization, we deploy a risk management team. This is not necessarily to assist in the investigation; instead, this group is a by-product of the investigation, whose function is to look at controls that need to be implemented in an effort to prevent issues from reoccurring.

It is increasingly important that you communicate with peer institutions and with law enforcement. Perpetrators are operating in multiple areas and are involving multiple institutions and players. If we want to prosecute fraudsters effectively, it's important to have dialogue with others to try and get the full picture. Information sharing is a tremendous benefit, but it can be a challenge in coordinating those parties. That is why we are such an advocate of external fraud information sharing groups and partnering with law enforcement.

You said you work closely with the CISO at The South Financial Group. Tell me about that relationship.

The relationship between Information Security and other security disciplines is highly visible in our organization.

Controls addressing physical and information security have an impact on fraud prevention. A physical security break and a data security break can lead to removal of assets or data that can be used in a fraudulent scheme. Incident monitoring, incident analysis and incident response are a direct link between corporate security and fraud risk mitigation.

Services like video surveillance, access control, multi-factor authentication, logging practices, firewalls, log-on requirements, strong passwords and clean desk policies play an important role in fraud prevention and investigation efforts either through preventative measures or recovery of data that is recorded. Because of the partnership with information security, we find we can capitalize on resources that were typically used for data security management in the fraud prevention arena.

In our organization, we have implemented a Risk Team that is comprised of representatives from each of the security disciplines, Risk Management, Corporate Legal and potentially impacted business units. This team is utilized to assess risks in response to a reported incident or associated with a new initiative. Via process analysis the group recommends controls that might mitigate any associated risk.

It is important that companies realize the importance of seating security management at the table when discussing product development or operating policy implementation. Effective utilization of an organization's security team allows for a better understanding of risk across the enterprise. As a result, the company can realize enhanced ROI for risk and compliance initiatives.