Interview with Tom Shaw

From processes to anti-fraud victories

Tom Shaw, CFE, CAMS, a seasoned pro, knows that fraud examiners only see victories when they've diligently planned for every possible fraud quirk. Here's help for incorporating metrics-driven processes into your anti-fraud efforts.

All the road signs said, "Trouble Ahead." The Financial Crimes Investigation Team of USAA — a financial services company for U.S. military and their families — had identified an upward trend in identity fraud matters via its "metric dashboards." Tom Shaw, CFE, CAMS, vice president of enterprise financial crimes management, and his team initiated a "deep dive" (an in-depth study) and learned that an organized fraud ring "was establishing new checking accounts online in rapid succession" on USAA's website, he says. USAA was exposed to an otherwise unknown vulnerability.

Fraudsters were quickly establishing bank accounts using stolen and fake identities and funding them with prepaid cards. The Financial Crimes Investigation Team determined that the fraudsters had designed an automated program script to systematically open accounts online.

Shaw's teams created new detection strategies to identify the new fraud accounts and alert members and employees. The team quickly implemented a "CAPTCHA" (Completely Automated Program to Tell Computers and Humans Apart) to defeat the automated scripts plus sophisticated fraud algorithms to detect and block attack vectors from other devices and IPs. The Financial Crimes Analytics Team used regression analysis to identify all established fraud accounts.

The teams prevented more than $2 million in scheduled fund transfers from leaving USAA accounts, and the company recovered more than $1 million from external institutions that received the fraudulent transfers.

Processing the processes

This systematic plan of attack on an intruding fraud shows Shaw really likes process excellence and analytics: a series of actions his team takes to achieve particular ends. In the past, they've helped him successfully roll out many anti-fraud plans with measurable results.

Now, we know that fraud is a slippery target. We can plan incessantly, and it still stubbornly persists or reemerges in different forms. However, Shaw has organized his team members' tactics so they know how to tackle most frauds and reevaluate their battle plans when they see deficiencies. He knows victories go to those who have planned for them.

"We concentrate on five core processes: prevention, detection, service, investigations and recovery. For each of these processes we have dashboards and metrics to measure our effectiveness, productivity and quality," says Shaw, who also is the identity theft officer for USAA.

"I come from a process-engineering background and have completed both Six Sigma Green Belt and Black Belt Training [an organized methodology for eliminating defects], so I recommended in 2006 that USAA create an Enterprise Financial Crimes Center of Excellence for each USAA company to be managed holistically in one fraud-fighting organization," Shaw says. "It was logical to break down the core processes of fraud management in order to be effective in fighting fraud, and to provide outstanding service and support for our members who are victims of ID theft, credit card fraud or account takeovers."

Shaw created Enterprise Financial Crimes Management (EFCM) nine years ago. "The employees who work in EFCM are a diverse and global team in four different countries consisting of detection and recovery analysts, investigators, compliance specialists, authentication experts, decision science analysts and process engineering," Shaw says. "We are a mix of diverse backgrounds and experiences from the financial services and law enforcement industries to recent college graduates with advanced degrees in mathematics and/or statistics."

Shaw is also sold on the training benefits of the ACFE for his team members and its Corporate Alliance program, of which USAA is a member. Plus, he's the chairman of the ACFE Foundation Board of Directors. The foundation's mission is to increase the body of anti-fraud knowledge by supporting anti-fraud professionals worldwide through the funding of the Ritchie-Jennings Memorial Scholarship Program.

As we near U.S. Veterans Day, Nov. 11, we thought it would be a good time to interview Shaw from his office in San Antonio.

FM: Scammers recently have been approaching USAA members via social media to make quick cash in exchange for their debit card PIN and login credentials. Can you briefly describe this scam and how you're fighting it?
       TS: Card cracking is a social media scam in which fraudsters entice strangers to provide their personal bank information in exchange for quick cash. Once personal information is given, the fraudster electronically deposits a fraudulent check into the individual's account and then quickly withdraws cash before the funds are validated. The individual is left responsible for the fraudulent funds withdrawn from the account. This is currently an industrywide problem affecting financial institutions, and USAA is not specifically targeted.

From our company's perspective, of the people being targeted, 87 percent are under the age of 31 and of that, 28 percent are under 21 years old. With the nature of our membership, the majority are armed forces. Fraudsters have used specific military hashtags to start conversations with targeted individuals.

USAA assembled a Card Cracking Crimes Task Force (C3TF) consisting of fraud and bank operations, legal, communications and social media. This team is constantly reviewing and enhancing operational processes, partnering with social media platforms to shut down fraudulent activity and educating individuals to detect and deflect the scam. More than 900 fraudulent social media profiles have been shut down as a direct result of the efforts of this team.

FM: Can you give other examples in which hackers have targeted or are targeting members of the U.S. armed forces and their families?
       TS: Our members are targeted alongside all banking customers.

In account takeover and identity theft scams fraudsters exploit USAA members — as they have others — when they purchase their personally identifiable information on the Darknet as a result of recent cybersecurity incidents, such as Anthem BlueCross BlueShield and the U.S. Office of Personnel Management. Fraudsters use this information to take over accounts and are most interested in members with higher net worth and higher military ranks.

Advance fee scams take on many forms. In one example, fraudsters will offer the military fake loans that require no credit checks and instant approval. However, they require upfront fees that demand victims pay in peer-to-peer payments or money orders, but they never get their loans. In another example, fraudsters post classified ads around military bases for properties that are already occupied and/or don't exist at all.

FM: Since Dr. Joseph T. Wells, CFE, CPA, founded the ACFE in 1988, we've sounded the clarion call of fraud deterrence and prevention. As you've said, your company has many prevention measures in place, but can you describe a few that are unique in the financial services industry?
       TS: We were the first financial services company in the industry to roll out biometrics to all our membership. We have close to one million members who have already enrolled in biometric authentication via their iPhone or Android phones. This giant step addresses safeguarding personal information harvested from data breaches and social engineering and focuses on what you have and who your verifiers are.

We're also in the process of rolling out chip cards to all our membership so they can take advantage of this more secure technology when shopping. As you know, there have been many high-profile data breaches over the past couple of years like Target and Home Depot. The cards provide strong transaction security when used at a chip-enabled terminal. This added layer of security could help minimize cardholder impact when a data breach occurs.

FM: How specifically is the chip-card technology preventing fraud? Do you know of some specific cases?
       TS: The current magnetic stripe card technology is outdated and offers limited security. Fraudsters continue to exploit this technology by stealing magnetic stripe information from merchant payment terminals through malware intrusions. [See Future Fraud Trends. – ed.] Fraudsters then use this information to create counterfeit cards so they can make purchases at merchants. Chip technology will resolve the counterfeit vulnerability through advanced cryptogram authentication. Today an issuer is responsible for counterfeit fraud losses. Beginning in October, counterfeit fraud liability shifted to the least secure method of card payment. This will motivate issuers and merchants to convert to chip technology.

It will be a journey to reduce and prevent counterfeit fraud in the U.S. as merchants, card issuers and all players in the ecosystem convert to chip technology over the next couple of years.

FM: How do you find the weakest links in the cybersecurity chain? 
       TS: The weakest link in the cybersecurity chain is the human element. Most of the large-scale data breaches have been the result of honest employees not being vigilant or the rogue employee actor. Humans are susceptible to social-engineering techniques to manipulate users to click on links and/or download files that give cybercriminals the opportunity to spread malware. Also, the insider threat where a disgruntled employee with privileged access always poses a risk. That is why companies need to constantly educate their workforce not to click on unknown emails or verify whom they are dealing with. Advanced internal threat monitoring systems should be in place to detect the insider threats.

FM: Over the years, your company has made it a priority to train staff in different job functions throughout the organization to become Certified Fraud Examiners. Why is it important for you to do this? 
       TS: Aside from career benefits, an educated employee in the field of combating fraud is a big benefit for the member. We know our military men and women have high standards, so we should expect the same for ourselves. CFE credentialing and the required continuing education is a benefit for all risk management positions in any enterprise. Our fraud experts at USAA use the information contained in the Fraud Examiners Manual on financial transactions and fraud schemes, law, investigation, and fraud prevention and deterrence. I often refer back to my ACFE materials that are always on my desk.

FM: What are the results from this commitment to ongoing anti-fraud education for your team members?
       TS: It has helped our team build a solid foundation of anti-fraud and investigation knowledge and keeps us up to date with developments while providing the opportunity to baseline our technical understanding and evaluate our workforce. (See Shaw's anti-fraud tips.) Employee growth is always encouraged at USAA because it represents our compliance and commitment to the fight against fraud. Obtaining a respected professional credential, such as the CFE, allows employees to distinguish themselves among their peers both internally and within the industry.

Dick Carozza, CFE, is editor-in-chief of Fraud Magazine. His email address is: dcarozza@ACFE.com.


As the vice president of enterprise financial crimes management, Tom Shaw, CFE, CAMS, has direct overall responsibility for financial crimes prevention, detection, investigations and recovery. He’s also USAA’s identity theft officer for the FACTA (Fair and Accurate Credit Transactions Act) ID Theft Red Flags Program. USAA — founded in 1922 by a group of U.S. Army officers to self-insure — now offers insurance, banking, investing, home and car loans, retirement planning and other financial services to all who serve, or served (plus their families) in the entire U.S. military.

Shaw has more than 30 years of experience in the financial services industry. Shaw says he began in banking as a teller on his 18th birthday when he was first eligible to become a bank employee. He says he saw fraud attempts firsthand when fraudsters tried to pass counterfeit checks and tamper with ATMs. Shaw says the close encounters with fraud convinced him that he wanted to become an anti-fraud professional.

Shaw participates in various working groups for financial crimes mitigation such as the American Bankers Association, BITS, the MasterCard US Fraud Advisory Council and the Visa North America Risk Executive Council. Shaw is chairman of the ACFE Foundation Board of Directors.


FM: How many of your team members are CFEs?
       TS: Nearly 50 percent of EFCM employees are registered members with the ACFE. Of these registered employees, more than 75 percent have obtained their CFE credential.

FM: What are the benefits to USAA as a member of The ACFE Corporate Alliance? 
       TS: USAA has been able to take advantage of the discounts on training and self-study materials, such as the special pricing on the CFE Exam Prep Course. Also, the group membership has enabled USAA to renew all memberships at once, which eliminates the administrative process for renewing individual memberships.

FM: How have you seen membership in the Alliance pay off for USAA?
       TS: Within EFCM, after our membership in the ACFE Corporate Alliance, we have seen a 25 percent increase in CFE credentialing.
