How Fraud can Ruin your Investment Firm

Feb 9, 2020

How Fraud can Ruin your Investment Firm

Feb 9, 2020

Most CEOs of Investment firms are aware of the prevalence of fraud in the digital market today. According to Experian’s Global Fraud and Identity Report for 2018, almost 75% of businesses believe that fraud is a growing concern and about two-thirds have reported fraudulent losses over the past year.

What is Fraud?

Anytime an individual’s payment information is used without authorization it is considered fraud. When a malicious actor or hacker accesses your notwork and accesses your or your clients’ sensitive information, this is a breach and the information they retrieve can be used to commit fraud.  The person who actually causes the breach may just resell the information that is then used for fraud later, such as making purchases or creating accounts.

Pervasiveness of Fraud

This is because the majority of business and consumer data remains vulnerable. As the value of digital information grows in total (even if individual records can be purchased “cheaply”) so does the criminal’s motivation to develop methods to avoid detection from the latest precautionary technologies.

The existing account setup process requires individuals to provide a lot of personal information including passwords, secret questions, and more. Anytime this data is improperly stored and protected, it leaves the door open for criminal activity.

Just like other criminal activities, fraud is a cat and mouse game. Criminals are combining real and false information to create new identities making it difficult to catch.

Most business owners just don’t have the resources or confidence to combat fraud and protect their companies or their clients.

One problem is that most CEOs are reactionary when it comes to their cybersecurity and aren’t investing in more sophisticated data protection solutions. This results in increases in the vulnerability as the security gap widens leaving them open to breaches and subsequent fraud.

Fraud is growing risk

For investment firms, managing the risk of fraud is a delicate balancing act between providing an ease of use for clients and employees vs. fraud protection. They struggle between mitigating fraud and providing a positive experience. Unfortunately, the  experience wins out in most cases, and businesses are willing to risk fraudulent losses over losing customers or adding red-tape to their employees. Ironically, they are at risk of damage to their reputation where they will end up losing customers anyway, fail to gain new ones, and possibly face financial penalties and litigation costs.

The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record. That’s a reduction in the average cost in 2016, but the average size of data breaches has increased. It’s also worth noting that the average cost of a data breach in the United States is much higher at $7.3 million.

More than half of businesses say they still rely on passwords as their top form of authentication. Even knowing that passwords isn’t the most secure option, businesses continue to use them because that’s what customers are used to. More advanced authentication is thought to be too expensive but this would quickly be argued against once legal fees and penalties are factored when a breach occurs.

How data breaches and fraud are connected

Data breaches and fraud don’t usually occur at the same time and place. Cybercriminals won’t steal a customer’s information and turn around and use it for a purchase from the same business. So it’s not easy for a business to detect when a breach occurs.

Data breaches are typically detected by using specific security tools that monitor all payment activity. Merchants should follow PCI/DSS Standards to identify and prevent breaches and remain compliant. PCI-DSS audits will help you find vulnerabilities in your system and reveal inadequacies that must be eradicated.

A successful case of fraud spreads like cancer

If a hacker can get one password, they may have the keys to other password-protected accounts. The more online accounts people open, the greater their risk. And most people have quite a few. If the hacker can figure out the password to someone’s email account, they may also have the key to their credit card and banking accounts as well.

You must remain vigilant to prevent data breaches and fraud.

What to do if you suspect fraud

A key indicator of evidence of fraud is in chargebacks where a customer disputes a charge on their credit card, and where you aren’t paid for the service or product. If your chargeback rate increases above a 1% margin, this is a good indication that you’re experiencing fraud.

In this case, you should hire a third-party auditor like an IT Managed Services Provider (MSP) to help bring you back into compliance and stop the thieves. They will detect where the problem(s) exist and if what they find indicates a data breach. PCI-DSS compliance requirements mandate that you do this to stop the fraudulent activity.

Of course, you should contact the card processor as well. They will connect you to the card providers who can often identify the point of access or detect a suspicious pattern of activity.

What You Can Do to Reduce Fraud and Data Breaches.

Use EMV Technology.

EMV (Europay Mastercard Visa) is the global standard to authenticate payment cards. EMV technology can help you protect your business from fraud. It ensures the card is legitimate and that the person using the card is the authorized user.

EMV chips are microprocessors that store and protect cardholder data. They use a unique cryptogram that’s validated by the card issuer. This makes it more difficult for hackers to break the code and steal card information to commit fraud.

Today, if you don’t use an EMV-capable terminal, and the transaction turns out to be fraudulent, you can be held financially liable for that transaction.

EMV has been used in the United Kingdom since 2004, and card-present fraud has gone down by 80% as a result. By comparison, without EMV in the U.S., fraud increased during this time by nearly 70%.

Protect Data in Transit by Using Encryption.

When credit card data is stolen, it’s considered a data breach. Considering the number of card payments your business processes in a month, hackers may view you as the “Pot of Gold at the end of a Rainbow.” In other words, your business is a prime target.

You can help stop the hackers from accessing data in transit by using end-to-end encryption (E2E) and point-to-point encryption (P2PE).

The advantages of end-to-end encryption are:

  • That you don’t need a separate key for the decryption of the data.
  • You have flexibility in deciding what data to encrypt.
  • You can choose specific configurations for more functionality.
  • The file size is small, and the processing time is minimal.

Point-to-point encryption encrypts transmitted data as it goes through a designated “tunnel.” This is used most often for credit card information that’s encrypted from the point-of-sale (POS) to the credit card processor.

With encryption, if a breach does occur, and data is stolen, it will be useless to cybercriminals in its encrypted state.

Protect Data at Rest by Using Tokenization.

Tokenization breaks up a sequence of data into pieces such as words, keywords, symbols, phrases, and elements called tokens. Tokens can be words, phrases or even whole sentences. In other words, tokenization keeps cybercriminals from using data by replacing it with meaningless characters. Tokenization is helpful for businesses that store sensitive card data for re-billing. It’s also one of the most effective and affordable ways for businesses to protect their customers’ confidential card data.

Combining encryption and tokenization is one of the best ways to protect your business from the devastating effects of a data breach.

Secure Your IT Environment

  • Ask your IT Managed Services Provider (MSP) to set up a next-generation firewall, anti-spam, and anti-virus solutions.
  • Ensure your POS and router are on different networks and separate from other systems that access the Internet.
  • Don’t use your business POS for surfing the Web. This can expose it to viruses and result in vulnerabilities that can be breached.
  • Assign separate login credentials for each user.
  • Forbid sharing of login credentials and enforce this.
  • Keep your user list up to date and disable accounts that are no longer needed.
  • Only provide remote access for users with a clearly identified need.
  • Don’t leave remote access software turned on when unattended.
  • Keep all software and anti-virus, anti-spam programs up-to-date.
  • Regularly run and review scans for malware.
  • Regularly have your MSP run vulnerability scans.
  • Ask your MSP to train your staff on the latest security threats and what to do if they come across one.
  • Train your staff how to detect unauthorized skimming devices that could be installed on POS or credit-card terminals.

Have Your MSP Train Your Employees on Cybersecurity Awareness.

Teach your employees about password security and make sure you enforce this behavior:

  • Don’t use words from the dictionary.
  • Don’t use names of family members.
  • Don’t reuse passwords from your other accounts.
  • Don’t write down your passwords or put them where others can see them.
  • Consider using a Password Manager (e.g., LastPass or 1Password).
  • Use password complexity (e.g., P@ssword1).
  • Create a unique password for work separate from your personal use.
  • Change passwords at least quarterly.
  • Use passwords with 9+ characters.
    • A criminal can crack a 5-character password in 16 minutes.
    • It takes five hours to crack a six-character password.
    • Three days for a 7-character password.
    • Four months for eight characters.
    • 26 years for nine characters.
    • centuries for 10+ characters.
  • Turn on Two-Factor Authentication if it’s available.

Teach employees about ransomware and phishing threats. These appear to be from an official like the IRS or FBI. If a screen pops up that says you’ll be fined if you don’t follow their instructions, don’t! If you do, the criminal will encrypt all your data and prevent you and your employees from accessing it. Teach them to:

Beware of messages that:

  • Try to solicit your curiosity or trust.
  • Contain a link that you must “check out now.”
  • Contain a downloadable file like a photo, music, document or pdf file.

Don’t believe messages that contain an urgent call to action:

  • With an immediate need to address a problem that requires you to verify information.
  • Urgently asks for your help.
  • Asks you to donate to a charitable cause.
  • Indicates you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Be on the lookout for messages that:

  • Respond to a question you never asked.
  • Create distrust.
  • Try to start a conflict.

Watch for flags like:

  • Misspellings
  • Typos

Ask Your MSP to Help You with PCI Compliance.

PCI Compliance is not a one-time event but should be a continual process to ensure your IT systems are appropriately transmitting and storing sensitive data. It mandates that network and business practices are secure.

Failing to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS) can ruin your small business if you get hit with a data breach.

It’s not always easy to do this on your own. Your MSP can help by:

  • Performing scans of your network to identify and eliminate vulnerabilities that can lead to data breaches.
  • Monitoring network activity and blocking malicious activity before it can lock down or steal your data.
  • Providing you the tools and resources to promote compliance.
  • Implement data-breach protection solutions.
  • Help you sign up for a breach assistance/cyber insurance program that provides for reimbursement of certain card brand fees that are charged if data is compromised. Some cover the costs of a data breach, which can be upwards of $100,000 or more.

Protect Your Business from Data Breaches, Fraud, and the Resulting Consequences

When you take all of this seriously, you’re not just protecting your customer’s confidential information; you’re also protecting your business from fraud.

Most companies that experience a data breach will see a rise in cost to retain existing customers. And, they will also see an increased cost to acquire new customers. When you add these increases in cost to the loss of revenue from customers that choose take their business to your competitors, you’ll soon see how your damaged reputation dramatically affects your company’s bottom line.

You don’t have to face this alone.

The right IT Managed Services Provider can be your best ally against security threats. From helping you with integrated and compliant POS systems to implementing technologies like encryption and tokenization, and providing compliance and breach assistance, the right IT Partner is worth every cent when it comes to helping you secure your business against the devastating effects of credit-card fraud and data breaches.