Post on 13-Aug-2020
When the seconds count: How Analytics focused
on security improves defenses against Financial Crimes
Eric Herson, Principal Industry Consultant
SAS
Key talk points for today:
New ways to think about the linkage between Cyber and Fraud
This session will focus on the Industry Trends that have led to the global increase in both Cyber and Fraud
attacks.
How are Cyber and Fraud linked?
How do you protect your organization from Unknown Risks?
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
15
42#1
14,021TOP
94 83,000
148
26%
94%
Ranking for SAS US
Great Place to Work list
the past years12
SAS employees worldwide
of the top
100companies
on the
GLOBAL 500 LISTAnnual reinvestment in
R&D
Countries
Annual customer retention rateYears of
BUSINESS
ANALYTICS
World’s
privately held
software company
LARGEST
Customer sites worldwide
Customers in35.4%Market share
Worldwide Advanced and
Predictive Analytics Software
Predictive Analytics
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
SAS Fraud & Security Intelligence (Commercial) Cross Industry Fraud & Cyber Analytics
• AML Compliance
• AML Transaction Monitoring
• Customer Due Diligence
• Financial Crimes Optimization
• FCIU
• Fraud in Banking
• Cards/ACH/Wire Fraud
• Online Fraud
• Application Fraud
• Insider Threat / Banker Supervision
• Healthcare Cost Containment
• Medicaid Fraud
• Application Fraud
• Insurance Fraud
• Claims
• Application/Agent Fraud
• Procurement Integrity
• Government
• Tax Compliance
• Rx Drug and Opioid Abuse
• Child Well Being
• Law Enforcement Intelligence Management
• Benefits Fraud
• Emerging Technologies
• Visual Investigator
• Adaptive Learning & Intelligent Agent System (ALIAS)
Themes Machine Learning & Artificial Intelligence Analytic Impact (Operationalizing Analytics)Intelligent Case Management Decision Latency & Real-timeCyber Intelligence
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Agenda
The changing face of Global Fraud
How Cyber is connected to Fraud?
• Trends: What are we seeing?
• Solutions: Where is the Industry going?
- Highlight: Synthetic Identities
- Real Time Fraud Decisioning Hub
- Insider Threat Detection
We Live in interesting timesGoal: Share Trends we are seeing Globally
Explore: The link between Cyber Events and Fraud
A Practitioner's Perspective. Industry Best Practices & Use Cases
Yes, the headlines are true. Exponential Growth in
Financial Crimes across all Industries
Swift presses banks on security as more hacks surface
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
SAS: (We know why we are here today…)
2017: Colombia accounted for 8% of cyberattacks carried out in
Latin America this year, with losses estimated at US$6.18bn (Business News Americas)
“Colombian economy suffered from hundreds of millions of dollars lost due to cyber-
crime. Cyber crime affects up to six million Colombians annually…Fraudsters have used
Business Email Compromise (BEC) platforms to target organizations. These are
organizations that deal with international suppliers who pay for their trade using
international electronic transfers..” (2017 DarkNetMarkets)
The Virus or the Hack was just a distraction. Their Prize was the Cash.
Colombia was the only country ahead of the UK in
terms of reported fraud and cyber security
incidents, with 95% of Colombian executives saying
they were affected by both crimes Kroll
International 2017
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Comfortable? Complacent? Or, not feeling well?
34% of respondents say they have high confidence in their organization’s ability to detect and prevent (Cyber) and Fraud before it results in serious business impact.
56% of respondents say today’s fraud schemes are too sophisticated and evolve too quickly
45% of respondents say their current systems allow for only limited analytics
Source: ISMG, 2016 Faces of Fraud: The Analytics Approach to Fraud Detection, August 2016
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Is it Cyber or is it Fraud?The Evolving Face of Fraud
“Cyber-attack is any type of offensive maneuver employed by individuals or whole
organizations that targets computer information systems, infrastructures, computer
networks, and/or personal computer devices by various means of malicious acts
usually originating from an anonymous source that either steals, alters, or destroys a
specified target by hacking into a susceptible system.” – Wikipedia 2018
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
The 83 Day Problem
Cyber Analytics focus on intraday / near real time “machine to machine” peer
grouping and comparisons. There are no “good versus bad” outcomes. Cyber
Analytics are looking for outliers and anomalies.
Fraud Analytics are developed off of historical data to predict and identify
fraudulent events in real time in the transaction stream. Fraud Models predict
behavior based upon known “good versus bad” outcomes of customers,
accounts, and transactions
Target of Cyber attacks: Information, Credentials, IP,
and of course Money!…
Defining Cyber
How does SAS Define Fraud?
Intersection of Cyber & Fraud
Cyber versus Fraud:
If you lose money, IP, data,
or reputation…. the labels
don’t matter
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Current Risk-Based Approach to Cyber SecurityWhere Is the Focus?
Reconnaissance
(1)
Weaponization
(2)
Exploitation
(4)
Installation
(5)
Command & Control
(6)
Actions on Objective
(7)
Indicators of AttackDetect & Analyze
Compromise Indicator (IoC)Contain, Eradicate & Recover
Delivery
(3)
Cyber Kill Chain® courtesy Lockheed-Martin
•Most security operations are reactively focused on Indicators of Compromise
• Most security operations are reactive and focused on Indicators of Compromise. By that time the damage is done!
• Tactics, techniques, procedures are ever-changing. Organizations must analyze behavioral activity across multiple data dimensions to find the intrusions.
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Diversity Scale
Trust
Challenges obtaining, managing & acting on security insights driven by issues of• Diversity: Context & data• Scale: Data, resources & systems• Trust: Analytics, results, risk view• Messy Data
Detecting Cyber is Messy
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
How is this being solved? The move from Reactive to Proactive Cyber Security
Requires Multidimensional, Data-Driven Insights
• Data enriched prior to detection
• Behavior simultaneously triangulated across key dimensions
• Contextualized events to streamline & optimize response
= An approach that surfaces Cyber Anomalies faster with lower False Positives
Threat
App IAM
EndpointNetwork
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
“Chicken and Egg” Question
What came first? Cyber or Fraud?
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Linking Cyber to Fraud and Economic Loss
What do the following have in common?
• Insider Collusion
• $5.00 USD Router
• Spell Check: ‘foundation’ as ‘fandation’
• Casino Chips as “Stored Value Devices”
• “Rinse, Wash, Repeat” everyday, across the Globe
• Horrendous Loss of Reputation
Answer: The Bank of Bangladesh”
- $81 Million gone in less than 24 hours”
- The Cyber Fraud Cycle
Eventually: “It’s all about
the money”
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Cyber leading to Fraud: We are all (potential) victims
Implications:• Entire US population advised to “freeze credit”• Life Time Exposure / Can’t run from the Dark Web
(Official Site was jacked into a Phishing site = more compromised accounts)
LATAM facing similar threats!
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
How do hackers compromise organizations?
All Cyber begins with a “compromise event”
And, how does this lead to “Business Email Compromise?
Setting the Stage
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
How do our clients get into this mess? Or, “this could never happen to me….”
2 NE_kick-off_vishing_long.mp4
<<<6 min video>>>
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Cyber opens the door to Fraud Attacks
A closer look at Industry Trends
The Long Road to Now. How did we get here?
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
(Cyber) Fraudsters at work. A Real Time View
Don’t show this to your Boss. They won’t sleep either.
http://map.norsecorp.com/#/
Norse Attack Map
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Fraud is Evolving: From “physical” to “digital”Globally changing the face of Fraud / Shifting Definitions
Payments: Any Electronically enabled Transaction
• Growing digital wallet choices
• 2018: Estimated about 30% of payments to be part of mobile, digital, and virtual currency
• “When was the last time you went into a Bank Branch?”
North America Europe Mature APAC Latin America CEMEA Emerging Asia
Cards Direct Debit Credit Transfer Checks
Source: https://www.worldpaymentsreport.com/reports/noncash_payments
What’s driving the increase in Fraud?
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Payments: Increased Digital Account Opening ripe for App Fraud
A Growing Trend
***2014 – Only 12% of customers used digital channels to open accountsEnormous jump in 2017 & 2018 opens the door for Synthetic Identities leading to App Fraud
Co mpany Co nfidentia l – Fo r Inter nal Use OnlyCopyright © SAS Inst i tute Inc . Al l r ights reserved.
Financial Services Payment Fraud: “The threat is persistent, adaptive and sophisticated and it is here to stay.“*
• How are clients being impacted?
- Common for banks to see Payment fraud losses of 3 to 6% +
- “Fraud Is Now approx. $11 Of Every $100 of Digital Sales” (Payments.com. November 2016) .
- 2017 # predicted to be closer to $13
*Finextra, Aug 31 2016
Hacking / Cyber – these are the effects
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Tipping Point with EMV
24
With the move to EMV or "chip cards" in the U.S. it’s
becoming harder to commit fraud at the point of sale.”
Impacts of EMV Reduced POS Fraud
Rise in CNP (Card Not Present)
Rise in older fraud types
Increased Fraud Applications and Account Takeover (ATO)
Counterfeit
Type of Fraud
TNFATO
Credit Losses
How did we get here? (US Centric View)
Criminals are very, very clever. Fraud is never static. And, will evolve & exploit the weakest link in your defenses.
“We have met the enemy and it is us”
Co pyright © SAS Inst i tute Inc . A l l r ights reser ved.
2018 Fraud Heat Map / Customer Survey
Synthetic ID
ATO
CFT
True Name Fraud
1st
L/S
Wire NSF
CNP
Net Loss
Freq
uen
cy
NRI
Bubbles: Complexity of case
The changing face of Fraud:
Synthetic Identities
Cyber Attacks opening the door to Fraud Attacks
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
• Synthetic identities are a combination of fabricated credentials
• The implied identity is not associated with a real person
• Unlike identity theft or manipulation, where the core identity of a person is impersonated or manipulated by a fraudster, a synthetic identity is an artificial identity with no particular person behind it
What are Synthetic Identities?
9 year old’s Identity tied to decreased person’s identity
Cyber Attacks & Fraud
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Application Fraud Closer look at Synthetic Identities
• Hard to measure the frequency of synthetic ID fraud as there really is no consumer “victim”
• Gartner, Inc. estimates synthetic schemes constitute at least 20% of credit charge-offs and 80% of losses from credit card fraud.
• 88.3% of identity fraud is from synthetic Fraud = 73.8% of total dollars lost
• FTC – synthetic ID theft accounts for nearly 85% of the more than 16 million ID thefts each year.
• More than 1 in 4 NAF victims is between the ages of 18 and 24.
• Children provide even more valuable IDs
No real human experienced the loss…No one calls to complain…
Companies have no way of contacting “victim”
New account fraud allows perpetrator to control the fraud from initiation (Cultivate the account.)
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
App and Synthetic ID Fraud is a Cross Industry Issue
Retail –Unsecured LinesWhere no collateral put up and risk is base, personal trade line of credit, etc.
Retail -Secured LinesCollateral put up against value of loan, such as a house, car, etc.
Commercial Business based loans, can also include trade finance – of which SAS has targeted message
Telco/Utility eg. Phone provided on Postpaid plans based on customer credit history or determined risk
Goverment Programs & Benefits fraudsters increasing targeting of govt as fraud detection is much lower
Insurance -General, Life, HealthManipulation of information and/or identify to receive coverage, reduce premium, etc.
False or manipulated information provided to yield a more positive outcome
Not just a Bank problem. Seeing huge increase in Fraud in Government, Telco, & Insurance
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
What’s Needed? How do you fight Application Fraud?
Cyber Opens the Door… Fraud Detection Closes it…
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Synthetic Identities and Application Fraud Three components of application fraud detection
• Identity Verification Analytics
• Confirms that an applicant’s details match historical records.
• Device Verification Analytics
• Analyzing and comparing device information to past experiences and the information provided by the applicant in the application.
• Identity Authentication Analytics
• Ensures that applicants are who they claim to be
Where are our clients taking us?
How do you prevent this type of Fraud?
Impossible to do this manually….
Perfect Application for AI and Machine
Learning Need Software and Analytics to Solve and Resolve
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Synthetic Identities and Application Fraud
Software to find: Proof of Life• Confirmation of DL – 30x more
likely to be fraud if no DL associated with ID
• Single credit bureau – Identity identified in one credit bureau only have 10x greater chance of being synthetic
• Multiple addresses associated with single SSN / Identity # –2/20%, 4/60%
• Synthetics have higher credit shopping rates AND lower verification rates
• 73% of synthetic IDs have no family relationships in data
Our clients want to bring different data together: Process
Automation
Leading Indicators of a problem
Implement Software and Analytics to find
these anomalies
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Hybrid Scoring Approach for App Fraud
Alert Generation
Process
Database Searches
Text Mining
Predictive Modeling
Anomaly Detection
Automated Business Rules
Levels Of Detection
Event
Entity
Network
Anomaly Detection for App Fraud requires a combination of Tools
C op yr i g h t © 2014 , SAS Ins t i t u te Inc . A l l r i g h ts r eser v ed .
APPLICATION & SYNTHETIC FRAUD CASE
• An application fraud case derived from a real case• The applicant imposes high risk due to network association and application history • Collusive fraud ring including both a known fraudster and third-party unknown individual• Fraudsters utilized different synthetic ID manipulation to bypass existing detection technology
How do you find “Proof of Life?”
“Degrees of Association”
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Case Study – Australian Bank POV resultsNumbers and Beyond
5Kcontact phone numbers reference a Casino
Fraudsters flying below the radar. High volume, low value applications
“Bust out” risk
2.5Kcontact phone numbers reference same branch
1.4Kcontact phone numbers reference a slaughterhouse (abattoir)
60Kcontact phone numbers reference immigration agent
$3mPer month, more at risk applications found by Analytics than existing approach (CC and PL)4x
more application fraud found by Analytics than existing approach 2.5x
Faster investigation
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Real Time Fraud Detection
Blocking Cyber: The Need for Real Time Fraud Decisioing
Cyber opens the door. Fraud Detection closes it…
Co pyright © SAS Inst i tute Inc . A l l r ights reser ved.
Enabling Technologies for Fraud
Gartner: Fraud Loss = “Authentication problem, not a Fraud Problem”
Problem Statements: • How do I easily bring in 3rd Party Data and insights into my Fraud Platform?• How do I map in new data sources without the need for extensive IT time & resources?• How do I launch and protect new products, channels, payment vehicles? • How do I have “end to end” contextual awareness?
• “Future proofing” Fraud Platforms
Overcoming the biggest Implementation Challenge. Software utilities that allows for simplified Data Mapping now and two years from now
Company Confidential - For Internal Use OnlyCopyright © 2016, SAS Institute Inc. All r ights reserved.37
Empowering“Contextual Awareness”
Step One: Simplifying Data Integration for Cyber and Fraud
Event - The need to “Score” everythingEverything is a transaction.
“Traffic Cop” intelligently feeding authentication, transactions, events, data into a Fraud
Decisioning Platform
Transform Convert any incoming customer transaction into a format consumable
Enrichment Add additional information to the transaction
Plug in any 3rd Party Data: Session, IP, Log in, Bio-metrics, Device ID, Proof of Life, Bureau, Scores, Flags, Reason Codes….
xt to the eve
Reduces Reliance on Static Data
Increase Reliance on Authentication and Dynamic Data
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
To Fight you need a: Fraud Decisioning Hub
Real Time Decision Engine
Need a Solution that addresses the 3 Pillars of Fraud: Prevention, Detection, and Resolution
What attributes are required for Fraud Control?
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Fraud Detection and Machine Learning
(Who knew that Machines can learn? Answer: Fraud vendors did over 20 years ago)
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Provides a holistic picture of a customer by looking across all their activity
• Information must be maintained at multiple entity levels - keeps track of the behaviors of different entities (card, account, terminal, device, address, user-ids, beneficiary)
• Can seamlessly integrate an expanding domain of new data types, sources and models
• Provides a mechanism to convert customer behavior into inputs for the model
• Enables the model to adaptively learn the customer’s (changing) behavior
The power by Analytics to manage every transaction as ‘individual”
These techniques finds Fraud at the first transaction
PROFILES,
SIGNATURES,
PATTERN
RECOGNITION
AKA MACHINE
LEARNING
In Real Time, using
layers of data or
intelligence to look for
anomalies &
evidence of Cyber
Need: Analytics Learn and Understand Customer Behavior
C op yr i g h t © 2012 , SAS Ins t i t u te Inc . A l l r i g h ts r eser v ed .
NEED: USE “NON MONETARY” EVENTS IN FRAUD DETECTION
• Non-monetary activities, e.g.
• Correspondence change: Address/phone/email change
• Daily limits change
• Online/Phone banking: logon, password change, secret QA change
• Any Change in Credentials :
• Master files
• Account, customer etc.
Non Mon and Monetary
Transactions influence Signatures.
Machine Learning Analytics learns and
understands your customer’s behavior
“Evidence of Cyber
Manipulation”
Copyr ight © SA S Inst i tute Inc . A l l r ights reserved.
Cyber Attack / Fraud Case Study
Domestic and International Wire Fraud / Monitoring SWIFT Messages
Blocking SWIFT Transactions in Real Time
C op yr i g h t © 2012 , SAS Ins t i t u te Inc . A l l r i g h ts r eser v ed .
CASE STUDY TIER I US BANK
CEO Wire Fraud aka “Business Email
Compromise” / Cyber Hacking
• Situation (Circa 2013)
• “Comerica Effect”
• 1 in 3 US households served by bank
• Customer experience/retention risk of Commercial clients
• Reputation risk > Wall Street Journal & Wall Street
Experi-Metal, Inc., v. Comerica Bank (Docket Number:
2:2009cv14890) is a decision by the United States District
Court for the Eastern District of Michigan in a case of a
phishing attack that resulted in unauthorized wire
transfers of US$1.9 million through Experi-Metal's online
banking accounts. The court held Comerica liable for
losses of US$560,000 that could not be recovered
from the phishing attack, on the ground that the bank
had not acted in good faith when it failed to recognize
the transfers as fraudulent.“Wholesale payments, on the other hand, tend to be large in value
per transaction and in comparison with retail payments relatively
small in terms of the number of transactions generated daily.”
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Focus: Commercial Payments (Wires and ACH) Fraud
Analytics that catch and block “Black Swans”?
Rare Event Fraud Monitoring:
• Low Fraud Incidence but potential of high losses
• Reputational Risk
Analytic Approach: Unsupervised Analytics
Analytics where there aren’t enough “bads” to develop or train a suite of neural net models• Goal: Find all of the “Good Patterns”
• Build a profile of what’s acceptable (Regular Behavior)• Machine Learning analytics to classify and ID the Outliers• More abnormal the pattern, higher the risk, higher the score
Operationalizing Fraud Analytics: Real Time, in the decision steam Wire Fraud detection and scoring: Block, Refer, Investigate
• Decision Rules that measure transaction aggregation and velocity by entity, country, and,…
• Analysis of “non mons”: all customer requested changes• Monitoring: Channel Data (Logon, Session, Device)
Stopping Wire Fraud in Real Time
Designed to monitor the bank’s “Wire Room” and sniff out Cyber Attacks
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Focus: Commercial Payments (Wires and ACH) FraudRare Event Fraud Monitoring
Multi Entity Signatures:
Remembers Behavior of
relationships (accounts,
payee payer
relationships)
Highly Accurate in looking for Cyber penetration Anomalies
• Higher Detection Rates, often at the First Transaction• Lower False Positives = Enhanced Customer Experience• Protects Reputational Risk while stemming Economic Loss
• Results• Ability to suspend batches and payments intraday and avoid
“claw back” process
• Detection of fraud improved by over 70% (VDR)
• 4X improvement in Detection / with Lower False Positives
Cyber attacks may have opened the door. Fraud Solutions closed it….!
C op yr i g h t © 2016 , SAS Ins t i t u te Inc . A l l r i g h ts r eser v ed .
New
Uncovering: Internal Collusion & Insider Threat. Cyber often involves someone on the inside
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Insider Threat, Employee Supervision and Sales Practices Oversight
Global Retail banking industry is under intense scrutiny• Sales Practices in retail banking has
become a highly visible issue in the eyes of regulators and retail financial consumers
• High profile, pervasive violations have led to major fines and long-lasting reputational damage
• Sales practices are now a Board-level issue at all major banks
• Regulators will now hold the Board of Directors accountable for pro-active monitoring of their sales force and incentive structure
• Failure to meet standards can result in prohibitions from asset growth
Industry participants are aware that their current surveillance operating model is not fit for purpose, forcing strategic platform reviews over the next 6 – 18 months.
The OCC sent formal letters to banks under its supervision including J.P. Morgan Chase & Co., Bank of America Corp. and Citigroup Inc. seeking information about sales practices and incentive-compensation structures
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Market Growth vs Peers
Wells Fargo growth has significantly lagged competitors since initial consent order. By a difference of 50-90%
Wells Fargo – Case Study
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Surfacing Insider Threats
VulnerableClient Abuse
Credit Abuse, App Fraud and
Collusive Fraud
ImproperSales
Practices
Bribery Corruption &Procurement
Fraud
Money Laundering
Payroll Fraud
Data (IP/PII) Theft
Rogue Trading,MarketAbuse
Analytics to monitor Employee Behavior / “Ignore the good and find the bad”
RulesSet-up rules to filter abusive behavior
Advanced AnalyticsKnowledge discovery, data mining, predictive assessment
Anomaly DetectionDetect individual and aggregate abnormal patterns
Social Network AnalysisPerform knowledge discovery through linkage analysis
Text Mining & AnalyticsExtract suspicious patterns, context & sentiment in the unstructured data
Requires a multi-tier hybrid approach to deliver more effective and expansive detection
Increase Abuse Detection
ReduceFalse
Positives
Banker Supervisionfocus area
Proactive behavior-based detection Cyber often involves someone on the inside
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
The future of Sales Practices & Insider Threat monitoringMoving beyond retail bankers to other lines of business
• Detect and prevent improper sales practices• Fake accounts
• Abusive sales
• Procedural / legal deficiencies
• Reduce internal fraud• Unauthorized account
access
• Theft and improper fees
Banker SupervisionFA & Broker Monitoring
Cap. Market AbuseInsurance Agent
GamingRetail Banking Wealth Management Capital Markets P&C Insurance
• Detect and prevent improper financial advise• Suitability / fiduciary
duty requirements
• Conflicts of interest
• Portfolio drift
• Reduce FA / broker misconduct• Unauthorized trading
• Registration & licensing
• Detect and prevent improper trading activity• Market manipulation
(spoofing, front-running, etc)
• Insider trading and collusion
• Reduce trader misconduct• Rogue trading
• Client fraud
• Tax offenses
• Detect and prevent manipulative insurance agent behavior• Agent gaming /
commission manipulation
• Application fraud
• Reduce loss due to fraud• Premium and claim
leakage
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
What is Text Mining….? Turning Natural Language into Data
• Image Recognition
• Proper Noun extraction
• Emails and Voicemails into text
• Entity Resolution
Another way to ID employees that are associated with your customers or known “bad actors”
Text Analytics on:
Vmail
Web and Session Monitoring
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Text Analytics of E-Communication ActivityEmployee Alert Details
User Activity Drill Down and Peer Comparison
Internal Threat Alert Dashboard
Finding Internal Fraud requires Smart Workflow to harness Analytics
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Internal Fraud Case StudyQuickly Identify degrees of Association with “bad actors”
Clients have been able to uncover Fraud Rings prior to “bust out” and economic loss
Reputation Protection
“$500,000 loss last week ultimately traced to call center employees”
“14 Delinquent Mortgages linked to the same Attorney, employee, and…”
“Seeing same mobile # dozens of times”
“Low and slow forensic investigative tools”
Company Conf ident ia l – For Internal Use OnlyCopyr ight © SAS Inst i tute Inc . A l l r ights reserved.
Before we go….
New ways to think about the linkage between Cyber and Fraud
This session will focus on the Industry Trends that have led to the global increase in both Cyber and Fraud
attacks.
How are Cyber and Fraud linked?
How do you protect your organization from Unknown Risks?
Company Confidential - For Internal Use OnlyCopyright © 2016, SAS Institute Inc. All r ights reserved.
Nigerian Astronaut stuck in Space and wants to go home*
FRAUDSTERS ARE VERY CREATIVE
“Dear Mr. Sir,
REQUEST FOR ASSISTANCE-STRICTLY CONFIDENTIAL
I am Dr. Bakare Tunde, the cousin of Nigerian Astronaut, Air Force Major Abacha Tunde. He was the first African in space when he made a secret flight to the Salyut 6 space station in 1979. He was on a later Soviet spaceflight, Soyuz T-16Z to the secret Soviet military space station Salyut 8T in 1989. He was stranded there in 1990 when the Soviet Union was dissolved. His other Soviet crew members returned to earth on the Soyuz T-16Z, but his place was taken up by return cargo. There have been occasional Progrez supply flights to keep him going since that time. He is in good humor, but wants to come home.
In the 14-years since he has been on the station, he has accumulated flight pay and interest amounting to almost $ 15,000,000 American Dollars. This is held in a trust at the Lagos National Savings and Trust Association. If we can obtain access to this money, we can place a down payment with the Russian Space Authorities for a Soyuz return flight to bring him back to Earth. I am told this will cost $ 3,000,000 American Dollars. In order to access the his trust fund we need your assistance.“
Eric.herson@sas.com
Thank you!