One ordinarily would not leave a pile of cash unattended on a table in a public place — it may not be there long. But the advent of electronic banking, plan administration and account information makes it possible for cyber criminals to plunder assets on a virtual picnic table, absent protections. Experts at the recent 2018 SPARK Institute National Conference held in National Harbor, MD addressed online threats to financial assets — virtual, but also very real.
Daniel Lyons, a supervisory special agent at the FBI, is struck by the persistence and creativity with which cyber criminals seek to penetrate systems and obtain illicit funds. “Every day there is a new and different technique that we’ve seen,” he remarked.
The FBI is especially focused on account takeovers from outside, Lyons said. Such efforts often start surreptitiously with seemingly innocuous things, such as “spoofed” emails that purport to be from an employee’s superior or that impersonate a genuine customer, and gradually gain control of an account and initiate unauthorized transactions. Some cyber criminals even pretend to have disabilities in order to penetrate systems and gain access.
Further complicating the effort to combat fraud, reports Lyons, is the use of “money mules” — middlemen who transfer illegally acquired money to fraud perpetrators and are compensated for doing so, and who, he said, make it difficult to determine the identity of a fraudster. “We spend a lot of time with money mules,” he said.
And banks can be difficult about sharing information to help the FBI, Lyons said, noting that they can encounter “a little bit of friction” with banks about getting information. The FBI typically asks them for all basic and customer information, as well as the IP address used by the suspect, with date and time of access.
Callan LLC Senior Vice President Ben Taylor, speaking at a consultants’ forum at the SPARK conference, remarked that, “Fraud is very successful in small amounts.” Further, Taylor said, the shift to smaller “nickel and dime” fraud makes it harder for law enforcement to combat it. “We’re going to have a continuing issue” in these matters, he said.
Importance of PII
Lyons said in his session that personally identifiable information (PII) — such as Social Security numbers, dates of birth, information from public-facing websites, biographies and information gleaned from Facebook — is used to authenticate an account holder’s identity and gain access. Edwards at her session suggested that PII has risen in importance to such a degree that it needs to be handled in a more serious and deliberate fashion. “PII needs to be treated as a plan asset,” she asserted.
Steps to Take
Lyons suggested that obtaining voice recordings can be helpful in identifying and stopping those who perpetrate fraud, noting that call centers often record voices. Identifying IP carriers also can be helpful, as can obtaining account holder information. “Gather every single piece of information that you can,” Lyons recommended.
One prospective step that can be taken, Lyons suggested, is to set up contacts with the FBI in advance. This can entail setting up a meeting with FBI personnel to explain one’s business and situation and letting them know what potential problems may exist. And it may be worthwhile to take that approach with other law enforcement entities as well, such as state and local officials, Lyons suggested. “The FBI is not the only game in town,” he noted.
“The weak spot is the client,” Taylor said at his session, suggesting that information should be provided to clients concerning cyber crime.
Marina Edwards, Senior Director, Retirement at Willis Towers Watson, suggested that companies may need to have fraud policy statements in a fashion similar to the policy statements they compose regarding other issues. Taylor agreed, remarking “I think we may be pushed in that direction.” He added, however, that it is unclear what the fiduciary guidelines may be regarding such a step.