Turning the tables on online fraud
Online banking fraud is a real threat to your business, and criminals are more sophisticated than ever in their methods. This article explores what Nordea is doing to protect customers like you, and what you can do to keep your business safe.
Understanding the threat
Online banking fraud doesn’t just affect consumers — it affects corporate customers too. Criminals today use a range of sophisticated techniques to gain access to business accounts, from hacking and malware to phishing and ambitious social engineering efforts — where they approach customers or call centre agents by phone, email or even by post or in person.
As a corporate banking user, you are liable for the cost of fraud perpetrated on your account, and any bank will recommend that you take out insurance to cover yourself. But that doesn’t mean you are completely on your own. The banking community works hard to protect customers from fraud.
But there’s a huge variation in the amount of effort individual banks put in. Because overall fraud losses are relatively small, and the efforts required to prevent them so significant, some banks have been accused of accepting fraud as an unavoidable cost of doing business.
Nordea takes a very different view. We believe that neither our customers nor we should just accept fraud. It is not just about avoiding the financial losses caused by fraud; for us it is about maintaining our customers’ trust. As a result, we work hard in several areas to keep our customers safe from fraud, while all the time balancing security against service usability.
Behind the scenes, we have an adaptive fraud prevention engine that monitors each customer’s risk level and dynamically adjusts the level of account verification we need from you. So if you’re making a small transaction to a regular supplier at a normal time of day from your usual IP address, we won’t get in your way. But if you’re making a large transaction to a brand new account, we will look much more carefully.
The role of people
Technology is not everything: we believe people have a hugely important contribution to make to preventing fraud, too. We train our staff extensively about fraud, so they can spot the first signs of attacks, even before customers do. When a customer calls up reporting that their computers are behaving strangely, our agents recognise that this can be a sign of malware and take action accordingly. In fact, about 80% of fraud attacks on our customers are spotted by telephone agents in this way.
Given that social engineering is becoming such a popular method with attackers, we believe it’s vital that all your employees are made aware of the risk of fraud, too. We give users a notification when they log in if there’s a particular malicious campaign ongoing. We’re publishing a range of information videos to educate the finance community about risks and best practices. And we hold events and training for our customers across the Nordics.
No matter how vigilant our staff and how sophisticated our technology, we know that some amount of fraud will always happen: it is how you respond to it that counts. Without the right processes and procedures in place, responses to fraud events risk being uncoordinated, slow and ineffective. It is harmful to have no plan of action, but it can be just as damaging for a bank to burden its teams with cumbersome manuals, particularly if they sit on a shelf unused until a real emergency happens. We have created a 1-page business continuity plan structured by threat level — yellow, orange, red, black — which outlines what each team will do if such an attack occurs. Most importantly, we constantly run scenario-based rehearsals to test, refine and practise our plans.
Supporting the community
We also take seriously our commitment to fraud intelligence. We cooperate with other banks, notify law enforcement agencies, and invest a lot of time in keeping abreast of developments in fraud, and understanding the implications of other banking trends on fraud — for instance, how same-day international payments enable criminals to distribute money much more quickly, or how mobile devices can help as two-factor authentication tools.
What you can do to prevent fraud
As a customer, you have your own role to play in preventing fraud. Here is what we recommend. Although many of these actions may seem basic, we are confident that fraud would be reduced significantly if they were adhered to consistently.
1. Keep your technology secure.
Always keep your software up to date, with anti-virus, firewall and network monitoring turned on. This will help block malicious traffic and keep your PC free of malware.
2. Use multi-layer authorisation (Confirm 2-Together).
Define which actions (for example, setting up a payment to a new recipient) require multiple people to authorise them — this prevents criminals stealing money after getting hold of just one user’s credentials.
3. Train and use common sense to avoid social engineering.
This is not just about phishing emails trying to get bank details; criminals increasingly target weaknesses in business processes. For example, we have heard reports of businesses being sent false invoices. The invoices look exactly like those from a usual supplier, but with a different account number for payment. Unless the finance person is being vigilant, they may end up paying a criminal. Such scams can be hugely damaging, and they don’t involve the bank at all.
4. Get specialist technical advice from security firms.
The security threat landscape is changing all the time, and it is worth taking advice about how to harden your technology, processes and even physical security to protect not just your banking details, but other sensitive data around your organisation.
Security is an important issue, and you and your banks need to work together to keep your money safe. We recommend asking your banks about their anti-fraud efforts — everything from the technology they use to the processes they follow — and making their answers a factor in your banking strategy.