Cybersecurity: Confronting Impersonation Fraud as Banks Reorganize

High-profile organizational changes in banks and other financial institutions may present media-savvy fraudsters with opportunities to commit scams on unsuspecting customers. Law enforcement, financial institutions and the government should continuously recalibrate how they partner to address fraud, which could be far too complex for each to manage alone.

A timely case in point is the reorganization of larger banks in the U.K. in response to the Financial Services (Banking Reform) Act 20131 (the Banking Reform Act), which demonstrates the need to think ahead of fraudsters, money launderers and cybercriminals to protect financial institutions and their employees and customers.

Regulatory Context

The Banking Reform Act imposes higher standards of conduct on U.K. banks and bolsters their loss-absorbing capacity to avoid taxpayer bailouts. Key provisions require larger U.K. banks to segregate their own retail and investment banking to protect the U.K.’s banking and financial systems.2

To comply with such “ring-fencing” regulations, larger U.K. banks must separate their own banking services for individuals and businesses (like checking and savings accounts assigned to the “ring-fenced bank”) from risks in other parts of their business (like investment banking assigned to the “non-ring-fenced bank”).3

Ring-fencing may affect about 75 percent of U.K. consumer banking deposits

Ring-fenced and non-ring-fenced bank subsidiaries must be independent operationally and organizationally, although each may operate alongside the other. By January 1, 2019, new sort codes and customer account numbers must be reassigned. Ring-fencing may affect about 75 percent of U.K. consumer banking deposits.4

Banking Reform Act ring-fencing has been influenced by the Depression era’s Glass-Steagall Act of 1933, when each U.S. bank was given one year to choose whether to remain in either commercial banking or investment banking.5 The Glass-Steagall model was followed in 1948, when post-World War II Japan adopted a legal separation of commercial banking and investment banking.6 Glass-Steagall was repealed in 1999. Yet, the topic of a loosely defined “21st Century Glass-Steagall” in the U.S. has recently enjoyed diverse political support ranging from the far left to the far right.7

U.K. Banks Affected

The Banking Reform Act applies to the U.K.’s largest banks with more than 25 billion pounds (averaged over a three-year period) in consumer and small business deposits.8 Specifically:

  • Barclays
  • HSBC
  • Lloyds Banking Group, including Lloyds Bank, Bank of Scotland and Halifax brands
  • Royal Bank of Scotland (RBS) Group, including Adam & Company and National Westminster Bank (NatWest) brands
  • Santander

Potential Service “Disruption”

In a June 16, 2017 speech to the British Bankers’ Association, James Proudman, the executive director for the U.K. Deposit Takers Supervision at the Bank of England, foreshadowed possible U.K. bank “disruption” due to Banking Reform Act compliance.9

Yet, eight months after this speech, a Google U.K. search of the words “ring-fencing bank disruption” does not readily display one prominent website that centralizes practical details on such U.K. bank “disruption,” presenting media-savvy fraudsters with opportunities to exploit uneven public information from Barclays, HSBC, Lloyds Bank, RBS Group and Santander.

Barclays notified its online, phone and mobile banking customers proactively that they would experience web blackouts one weekend per month between August 2017 and January 2018.10 ComputerWeekly11 reported that planned blackouts should result in Barclays being compliant with the Banking Reform Act in April 201812—about eight months ahead of the January 1, 2019 deadline.

Regarding HSBC, The Telegraph used the term “disruption” in a report about service delays that could occur as account numbers and sort codes are changed for 170,000 customers, payments are redirected and cards are replaced.13

Social Engineering Alerts

Affected U.K. banks have reminded their employees and customers proactively to watch out for fraudsters, who could use impersonation fraud, also called social engineering, to obtain sensitive information (such as usernames, passwords, account numbers and credit card numbers) through:

  • Emails, pop-up windows and websites (called “phishing”)
  • Telephone calls, caller ID spoofing and voicemail (called “vishing,” a combination of “voice” and “phishing”)
  • Text messages (called “smishing,” a combination of “SMS” and “phishing”).14

The Barclays website even offers a phone number checker, so that customers might verify whether a bank phone number is genuine.15

Volume of Changes and Related Publicity

The reported volume of changes varies widely among the U.K.´s largest banks.16 About 900,000 Barclays accounts moved to new six-digit sort codes.17 A smaller number of HSBC and RBS customers were affected. About 10,000 Santander customers moved to new sort codes. Few Lloyds customers were affected.18

Such reported details could encourage fraudsters to target customers of certain larger U.K. banks, based on the volume of sort code or account changes. Larger U.K. banks have information online to warn customers of fraud threats, which, in turn, warns fraudsters that they are being watched.

Still, larger U.K. banks have public webpages on ring-fencing with open-ended statements, like, “If your business is going to be affected by these changes, we will contact you to let you know what this means for you.”19

A fraudster could interpret such an open-ended statement as a cue to impersonate a bank employee and reach out to unsuspecting customers by letter, email, call or text message.

Impersonation Fraud

U.K. banks may also communicate with customers through password-protected online banking. However, fraudsters reportedly obtain U.K. bank accounts by impersonating existing bank customers.20 Money launderers reportedly buy U.K. bank accounts from foreign students (who then become “money mules”) before they leave the U.K.21

Impersonation fraud challenges U.K. banks that allow customers to open accounts online.22 Bank employees have helped fraudsters to impersonate customers of large U.K. bank accounts, so that money might be stolen, laundered through sham companies and then moved offshore.23

Lloyds reports that the most common impersonation fraud types are CEO fraud (fraudulent payment instructions from corporate decision-makers) and invoice fraud (fraudulent payment instructions from a supplier or vendor).24

Coverage for Losses

Impersonation fraud losses can be substantial

Impersonation fraud losses can be substantial. Yet, insurers may not classify theft from impersonation fraud as a cyberattack (if data was not stolen) or as a crime loss (if an employee unknowingly but voluntarily furthered the fraud).25

Social engineering fraud insurance is growing in popularity as a viable alternative. For coverage, insured customers should have processes to protect themselves from social engineering.26

Targeting Scam Alerts

Raising public awareness about social engineering, fraud and exploitation is critical for certain customers who may be susceptible to scams

Raising public awareness about social engineering, fraud and exploitation is critical for certain customers who may be susceptible to scams,27 including elderly28 and vulnerable29 customers, new immigrants and individuals who are not fluent in English.30

Fraudsters could exploit the elderly concerned about pension funds being sponsored by non-ring-fenced banks, which have been portrayed as more volatile than ring-fenced banks.31 At HSBC and Santander, pension funds are being sponsored by ring-fenced banks and at Barclays, they are being sponsored by a non-ring-fenced bank.32

Yet, Barclays’ research in the U.K. indicates that stereotypes about older customers being more vulnerable do not apply to digital crimes.33 A 2017 survey states that U.K. millennials between ages 25 to 34 experience more cybercrime than older respondents, who scored higher on digital safety awareness than younger respondents. U.K. millennials are twice as likely to be victimized by online fraud as are older respondents.34

Forbes recently reported similar survey results in the U.S., where millennials are more likely to be victims of digital crimes. U.S. millennials are more accustomed to using social media share buttons to give out personal information. They are more likely to believe that technology will shield intrusions, and that communications service providers bear responsibility for filtering out fraudulent email, calls and text messages from reaching their computers and mobile devices.35

Banks on High Alert for Cyberattacks

Ring-fencing compliance includes U.K. ring-fenced and non-ring-fenced banks separating their IT systems, operations and agreements with suppliers, licensors and vendors.36 U.K. banks have been cautioned to train staff proactively, treat all bank communications with care, and encrypt transferred data37 consistent with the U.K.’s Data Protection Bill and the EU’s General Data Protection Regulation (GDPR).38

There have been news reports of U.K. bank employee changes, presenting media-savvy fraudsters with opportunities to exploit employee confusion.39

In early 2017, Reuters reported on Barclays’ plans to overhaul back-office operations, affecting more than 10,000 people who support back-office operations in 17 countries. HSBC had to transfer 18,000 people who support back-office operations to a U.K.-based service company in 2015, with plans to shift an additional 1,000 persons from London to Birmingham.40

Barclays became the first major U.K. bank to obtain final approval for its ring-fencing transfer scheme in early March 2018, when the presiding High Court judge considered and dismissed pensions agreement concerns.41

Key Takeaways

  • When planning a reorganization at a bank or other financial institution, include information security early in the planning process, along with other key internal stakeholders such as public relations, fraud, data protection, government affairs, customer service and marketing
  • Diversify identity verification beyond know your customer (KYC) checks to include other elements, such as two-factor authentication, confirmation email, internet protocol (IP) addresses, geolocation data, device identifiers like media access control (MAC) addresses, operating system and browser attributes, application data, website activity and app usage data42
  • If other banks or financial institutions are reorganizing due to regulations, consider collaborating with them on one prominent website that provides practical public updates and links to affected entities, especially if service disruptions are expected
  • Before any information is made public, consider how media-savvy fraudsters might use it to detect opportunities to exploit organizational changes43 and target vulnerable individuals44
  • Check cybersecurity practices of public relations consultants and newswire services to avoid fraudsters being tipped off to press releases45
  • Partner with law enforcement to deter fraud by educating the public on fraud, money laundering and cybercrimes

  • Partner with law enforcement to deter fraud by educating the public on fraud, money laundering and cybercrimes, as Barclays, RBS, Financial Fraud Action UK and the Metropolitan Police Service of London did with the publication of The Little Book of Big Scams46
  • Law enforcement, banks and government should partner to overhaul fraud reporting tools47 and protocols48 that are underperforming in the eyes of the public
  • Review websites that present ways to protect personal customers,49 business and corporate clients,50 and business banking clients,51 and options like social engineering fraud insurance
  • Obtain periodic input from demographically diverse bank customers on fraud and cybersecurity issues, so that their input might be integrated into digital safety awareness planning and development
  • To combat financial fraud, banks and financial institutions should be encouraged to share fraud data internally and with competitors and law enforcement,52 as USA PATRIOT Act sections 314(a) and 314(b) are used to enhance anti-money laundering/counter-terrorist financing compliance.53

Sooner or later, lawmakers in countries like the U.S. will raise the issue of separating commercial banking from investment banking, especially if U.K. bank ring-fencing is executed successfully by January 1, 2019. A “21st Century Glass-Steagall” version influenced by U.K. bank ring-fencing should prompt law enforcement, banks and the government to think ahead of media-savvy fraudsters, money launderers and cybercriminals, who could exploit new bank sort codes and reassigned customer account numbers.

Miguel Alcántar, CAMS-FCI, compliance advisor, Oakland, CA, USA, alcantar@aya.yale.edu

For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit: http://www.acams.org/cyber-enabled-crime-training/.

  1. “Financial Services (Banking Reform) Act 2013 c.33,” legislation.gov.uk, http://www.legislation.gov.uk/ukpga/2013/33/contents
  2. Timothy Edmonds, “Banking Services: Reform and Issues”¨ Briefing Paper Number 07234, House of Commons Library, December 22, 2017, researchbriefings.files.parliament.uk/documents/CBP-7234/CBP-7234.pdf
  3. “Ring-Fencing and Halifax,” Halifax, https://www.halifax.co.uk/helpcentre/ring-fencing-and-halifax/
  4. James Proudman, “Putting Up a Fence,” Bank of England, June 16, 2017, https://www.bankofengland.co.uk/speech/2017/putting-up-a-fence
  5. Julia Maues, “Banking Act of 1933 (Glass-Steagall),” Federal Reserve History, November 22, 2013, https://www.federalreservehistory.org/essays/glass_steagall_act
  6. Michelle Clark Neely, “Commercial & Investment Banking: Should This Divorce Be Saved?,” Federal Reserve Bank of St. Louis, April 1995, https://www.stlouisfed.org/publications/regional-economist/april-1995/commercial–investment-banking-should-this-divorce-be-saved
  7. Matt Egan, “Trump Wants to Revive a 1933 Banking Law. What That Means is Very Unclear,” CNN Money, May 9, 2017, http://money.cnn.com/2017/05/09/investing/donald-trump-glass-steagall/index.html
  8. “Ring-Fencing,” UK Finance, https://www.ukfinance.org.uk/ring-fencing/
  9. Huw Jones, “BoE Warns of Potential Disruption from Ring-Fencing Banks,” Reuters, June 16, 2017, https://uk.reuters.com/article/uk-boe-banks-ringfencing/boe-warns-of-potential-disruption-from-ring-fencing-banks-idUKKBN1971BF
  10. Chris Lemmon, “Barclays Warns of ‘Web Blackouts’ Until 2018,” FStech, August 17, 2017, http://www.fstech.co.uk/fst/Barclays_Web_Blackouts_Warning.php
  11. Karl Flinders, “Barclays Bank Ahead of Schedule in Ring-Fencing Project,” ComputerWeekly.com, September 7, 2017, http://www.computerweekly.com/news/450425918/Barclays-Bank-ahead-of-schedule-in-ring-fencing-project
  12. “Preparing for Ring-Fencing,” Barclays, https://www.home.barclays/about-barclays/ring-fencing-explained.html
  13. Sam Meadows, “HSBC Changes 170,000 Customers’ Sort Codes: What You Need to Know,” The Telegraph, August 2, 2017, http://www.telegraph.co.uk/personal-banking/current-accounts/hsbc-change-170000-customers-sort-codes-need-know/
  14. “Recognize Fraudulent Emails and Websites,” PayPal, https://www.paypal.com/us/webapps/mpp/security/suspicious-activity
  15. “Protect Yourself from Fraudsters,” Barclays, https://www.barclays.co.uk/security/
  16. Caroline Binham and Emma Dunkley, “Regulators Get Ready to Authorise ‘Ringfenced’ UK Banks,” Financial Times, August 18, 2017, https://www.ft.com/content/5ca81a48-8372-11e7-a4ce-15b2513cb3ff
  17. Jill Treanor, “Banks Issue New Sort Codes in Ringfencing of High Street Operations,” The Guardian, August 6, 2017, https://www.theguardian.com/business/2017/aug/06/banks-reissue-sort-codes-in-ringfencing-of-high-street-operations
  18. Adam Williams, “Bank Customers Set for Sort Code and Account Number Switch—Are you affected?,” Moneywise, July 5, 2017, https://www.moneywise.co.uk/news/2017-06-29/bank-customers-set-sort-code-and-account-number-switch-–-are-you-affected
  19. “What Ring-Fencing Means for our Business Banking and Commercial Clients,” Lloyds Banking Group, http://www.lloydsbankinggroup.com/our-group/ring-fencing/business-banking-and-commercial-clients/
  20. “Cybercrime: Overseas Students Selling Bank Accounts to Fraudsters after Finishing Studies, Police,” iNews, July 21, 2017, https://inews.co.uk/news/uk/cyber-crime-overseas-students-selling-bank-accounts-fraudsters-finishing-studies-police/
  21. “Overseas Students Targeted by Bank Account Fraudsters,” BBC News, September 16, 2016, http://www.bbc.com/news/av/uk-england-london-37339023/overseas-students-targeted-by-bank-account-fraudsters
  22. Faye Lipson, “ID Theft: How Bank Account Fraudsters May Steal Your Identity,” Which?, September 23, 2017, https://www.which.co.uk/news/2017/09/id-theft-how-bank-account-fraudsters-may-steal-your-identity/
  23. Russell Myers, “Bank Workers Jailed for Part in Huge Fraud that Netted Millions from Right Lloyds TSB Customers,¨ Mirror, July 24, 2017, https://www.mirror.co.uk/news/uk-news/bank-workers-jailed-part-huge-10864216
  24. “How to Help Protect Your Business Against Impersonation Fraud,” Lloyds Bank, July 10, 2017, http://resources.lloydsbank.com/insight/gameplan/how-to-help-protect-your-business-against-impersonation-fraud/
  25. “Social Engineering/Impersonation Fraud,” Marsh & McLennan Agency, September 8, 2015, http://www.marshmma.com/Blog/SocialEngineeringImpersonationFraud.aspx
  26. “The Hustle,” Chubb Progress, 2017 Issue 2, 2017, https://www2.chubb.com/uk-en/_assets/documents/progress-issue-2-2017.pdf
  27. Dav Laura Shannon, “Banks Ring-Fencing Could Trigger a Spate of Scams,” This is Money, January 6, 2018, http://www.thisismoney.co.uk/money/saving/article-5241771/Banks-ring-fencing-trigger-spate-scams.html
  28. Sid Kirchheimer, “Caller ID Scams on the Rise—Fraudulent Calls Threaten Your Money and Your Identity,” AARP Bulletin, https://www.aarp.org/money/scams-fraud/info-05-2012/caller-id-scams-on-rise.html
  29. Mark Byers, “Proposed Barclays Ring-Fencing Transfer Scheme—Report of the Skilled Person under Section 109A of the Financial Services and Markets Act 2000,” Grant Thornton UK LLP, October 23, 2017, https://www.home.barclays/content/dam/barclayspublic/docs/AboutUs/ringfencing/REPORT%20-%20Barclays%20Ring-Fencing%20Transfer%20Scheme.pdf
  30. “Protecting the Elderly and Vulnerable from Financial Fraud and Exploitation,” BITS, November 2, 2012, https://www.acl.gov/sites/default/files/programs/2016-09/Smocer_White_Paper.pdf
  31. Patrick Jenkins, “Why UK Bank Ringfences Don’t Make Everyone Safer,” Financial Times, December 18, 2017, https://www.ft.com/content/1d529c3c-e1a6-11e7-a8a4-0a1e63a52f9c
  32. Susanna Rust, “HSBC, Santander Reveal Ring-Fencing Plans for Pension Schemes,” IPE, January 25, 2018, https://www.ipe.com/news/pensions/hsbc-santander-reveal-ring-fencing-plans-for-pension-schemes/10022844.article
  33. “Barclays Digital Safety Index 2017: Summary of Key Findings,” Barclays, https://www.home.barclays/content/dam/barclayspublic/docs/BarclaysNews/2017/May/Barclays%20digital%20safety%20exec.%20summary.pdf
  34. “The Great British Fraud Fightback,” Barclays, May 8, 2017, https://www.home.barclays/news/2017/05/the-great-british-fraud-fightback.html
  35. Kelly Phillips Erb, “Millennials Most Likely To Fall Victim To Tax and Financial Scams,” Forbes, June 25, 2017, https://www.forbes.com/sites/kellyphillipserb/2017/06/25/millennials-most-likely-to-fall-victim-to-tax-financial-scams/#3add114d5353
  36. Karl Flinders, “Barclays ring-fencing project means downtime for customers,” Karl Flinders, ComputerWeekly.com, August 17, 2017, http://www.computerweekly.com/news/450424615/Barclays-ring-fencing-project-means-downtime-for-customers
  37. Stefania Spezzati and Suzi Ring, “Cyber Threat Looms for U.K. Banks as Ring-Fencing Exposes Data,” Bloomberg, November 15, 2017, https://www.bloomberg.com/news/articles/2017-11-16/cyber-threat-looms-for-u-k-banks-as-ring-fencing-exposes-data
  38. “Data Protection Bill [HL],” U.K. Parliament, January 18, 2018, https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/en/18153-EN.pdf
  39. Israel Levy, “The insider threat: the biggest threat in banking cyber-security,” SC Media UK, May 19, 2017, https://www.scmagazineuk.com/the-insider-threat-the-biggest-threat-in-banking-cyber-security/article/654525/
  40. Lawrence White, “Barclays to overhaul back office operations to cope with ring-fencing,” Reuters, February 5, 2017, https://uk.reuters.com/article/uk-barclays-restructuring/barclays-to-overhaul-back-office-operations-to-cope-with-ring-fencing-idUKKBN15K0AT
  41. Stephanie Baxter, “High Court Judgment Dismisses Pension Concerns Over Barclays Ring-Fencing Transfer,” Professional Pensions, March 12, 2018, https://www.professionalpensions.com/professional-pensions/analysis/3028216/high-court-judgment-dismisses-pension-concerns-over-barclays-ring-fencing-transfer
  42. Will Wyatt, “Why Know Your Customer (KYC) Isn’t Fraud Prevention,” Whitepages Pro, September 25, 2017, https://pro.whitepages.com/blog/know-customer-isnt-fraud-prevention/
  43. “UK Bank Ring-Fencing a Fraudster’s Charter,” Treasury Today, September 2017, http://treasurytoday.com/2017/09/uk-bank-ring-fencing-a-fraudsters-charter-ttti
  44. Steve Ragan, “Scammers Using Obituary Notices to Acquire New Victims,” CSO, February 15, 2015, https://www.csoonline.com/article/2885141/malware-cybercrime/scammers-using-obituary-notices-to-acquire-new-victims.html
  45. Lily Hay Newman, “Press Releases Finally Get a Devoted Readership: Hackers,” Wired, August 10, 2016, https://www.wired.com/2016/08/press-releases-finally-get-devoted-readership-hackers/
  46. “The Little Book of Big Scams,” Metropolitan Police Service, 2015, https://www.met.police.uk/globalassets/downloads/fraud/the-little-book-of-big-scams.pdf
  47. Victoria Bischoff, “Dial 555 for Bank Fraud,” Daily Mail Online, October 18, 2017, http://www.dailymail.co.uk/news/article-4994764/Police-plan-new-hotline-modelled-999-emergency-number.html
  48. Nathan Kay, “UK’s New ‘Banking Protocol’ Stops £9 Million of Fraud,” Finder UK, December 13, 2017, https://www.finder.com/uk/uks-new-banking-protocol-stops-9-million-of-fraud
  49. “Protect Yourself from Fraudsters,” Barclays, https://www.barclays.co.uk/security/
  50. “Fraud Smart Centre,” Barclays, https://www.barclayscorporate.com/fraudawareness
  51. “Help Protect Your Business from Fraud,” Barclays, https://www.barclays.co.uk/business-banking/manage/security/
  52. Stavros Gadinis and Colby Mangels, “Collaborative Gatekeepers,” Washington and Lee University School of Law Scholarly Commons, 2016, https://scholarlycommons.law.wlu.edu/cgi/viewcontent.cgi?article=4500&context=wlulr
  53. Penny Crosman, ¨How Data-Sharing Can Keep Fraud from Spreading,” American Banker, March 24, 2014, https://www.americanbanker.com/news/how-data-sharing-can-keep-fraud-from-spreading

Leave a Reply