It may be time for a revision of, “the customer is always right,” at least in the financial sector.
That, Boston Police Detective Steven Blair told an audience of bankers at the Boston Fed’s 2017 Cybersecurity Conference on Monday, is because too many banking “customers” are fraudsters, who take advantage of the generally laudable desire of front-line employees to provide good customer service.
Attendees had heard Kenneth Montgomery, first vice president and COO of the Boston Fed, say earlier that cybersecurity is now, “the number-one operational and enterprise issue” for the financial sector. He said the worldwide costs of cybercrime are estimated at $3 trillion annually now, and expected to double by 2021.
Blair, who handles most of the white-collar and cybercrime cases in the department, said a significant chunk of those losses are coming in two cybercrime “hot spots” – business phishing emails and counterfeit credit cards. “We’re getting killed. We’re chasing our tails,” he said.
He called reports that credit card fraud is declining, “fluff.”
“It’s gotten to inner city kids,” he said. They’re buying them on the black market like crazy – 1,000 at a time. They get all the numbers by email and then make their own cards. Business is booming.”
Their success, he said, is because of another long-time reality – humans are the weakest link in the cybersecurity chain.
Boston Police Detective Steven Blair
That weakness exists at two levels. The one that is better known is when an employee falls for a phishing email and either downloads malware into the company network, or wires money to a criminal’s bank account, thinking the instruction came from a bank officer.
“The emails look really legitimate,” he said, as if they come from the CEO or other high bank officer.
Blair said he handles 15 to 20 cases a day involving that kind of fraud, and spends a considerable amount of time contacting banks, “pleading with them to send money back.”
That, he said, is difficult because the “receiving bank” will generally ask for a “hold-harmless” letter from the bank that made the fraudulent transfer.
He said one of the largest banks in the region, which he called the “evil empire,” generally won’t send out such letters. “They tell customers they’re on their own,” he said.
The other weakness is on display in customer service, he said, when fraudsters, “walk in with a counterfeit driver’s license. They say they left their debit card at home and need to do a wire transfer.
“Customer service helps them out immensely,” he said, with obvious sarcasm. “They come in with out-of-state license for an out-of-state customer. They take $10,000 to $15,000 in cash, but also send $200,000 or $300,000 by wire, usually to the UK, China or South Korea.”
He said thieves who know which account they are going to rob will even do some advance authentication work. “They’re pretty smart,” he said. “They’ll call customer service a couple of weeks ahead and change the phone number. Then if you call, you’re getting the bad guy.”
Blair said a lot of that fraud could be stopped if banks simply got more aggressive about authentication. “Make a copy of every customer’s driver’s license. Then you can pull it up to check. Yes, it takes up a lot of space, but we’ve got the cloud.”
He also said bank service employees should do a more detailed check of the account information. “If the phone number has changed recently, that’s a red flag,” he said, adding that they should also demand passwords and PIN numbers.
He said he is mystified that many banks won’t change their policies because they don’t want to alienate customers. “I’d be happy if my bank was a bit more diligent,” he said.
Yet another depressing fact for victims, he said, is that even if a thief is caught, “in Massachusetts, the law is that if he no longer has the money, he doesn’t have to pay it back.”
The only note of hope he offered was, “If we get notified within 24 hours, we have a good chance of getting it back for you.”
Otherwise, “if you want to protect your money, don’t lose it,” he said.