Case Study: How to Stop Scams
SD Bank Trains, Rewards Employees for Spotting Fraud Schemes
But one midwestern community bank has developed a unique program that not only helps stop the scams before they cause damage, but also rewards the bank employees who first report them.
BankWest Inc., a $754 million institution based in Pierre, S.D., for two years now has trained customer service center and frontline staff to quickly target the latest social engineering schemes, and then work with customers to identify suspicious e-mails, phone calls or in-person visits from third parties. The training resulted in the launch of the Information Security Employee Rewards Program, which honors staff for efforts to reduce the bank's risk.
"It paves the way for us to know what's happening on the front lines," says Patti Broer, the bank's information security administrator who developed the rewards program.
"The schemes are so dependent on the human element and are constantly evolving," she says. "You can't deploy a patch update to fix these schemes."
The Challenge
In 2008, BankWest determined that social engineering schemes ranked among the most damaging fraud threats -- they are just too difficult to contain, Broer says.
Typically, these schemes are launched via phishing e-mails or over the phone to customers. Social engineering schemes can also include in-person branch visits by individuals posing as service technicians or vendors, sent to con staff into providing secure information about systems or accounts.
Beyond theft of information or money, these schemes can shatter customer confidence in financial security, even when the institution is not to blame.
In June of 2008, BankWest spearheaded its educational effort focusing on employees. Broer says she came up with the idea for a training and rewards program after attending a webinar on IT security and fraud prevention.
"I walked away thinking, 'We need to get everyone involved,'" she says.
The Training
Broer and the rest of the bank's information security team regularly attend workshops and participate in forums related to social engineering and other fraud schemes. The information collected is immediately shared with the staff, to keep the entire bank team abreast of new and emerging fraud threats. All staff members are also required to complete bank-designed online training in scheme detection, which covers:
- How to identify phone scams, such as vishing attempts, which rely on automated phone call messages that lure customers into giving personal information, and pretext calls;
- How to identify phishing e-mails and use caution when clicking on links or opening file attachments;
- Monthly training and employee-orientation demonstrations on how to spot face-to-face, personal social engineering schemes.
The bank also provides information about social engineering schemes on its website. Employees are encouraged to point customers to the site, as well as to provide information about fraudulent schemes when customers visit the branch.
"When we train and educate our staff, it trickles down to our customers in a very natural flow of information-sharing," Broer says.
Employee Rewards
The rewards program is simple and inexpensive. Employees who identify suspicious schemes are given certificates and small rewards. When an employee is given a certificate, his or her immediate supervisor is notified and encouraged to further reward the employee. BankWest has found that employees take pride in the program, prominently displaying their certificates for others in the branch to see.
Examples of scams that have been identified by BankWest staff:
Social engineering schemes have not decreased as a result of the education and rewards program, Broer says, but reports of schemes have dramatically increased. Tracking the success of the program has been difficult, since some employees derail schemes without notifying management. But based on the incidents of which Broer has been made aware, she says she safely estimates that employees are catching more than they're missing.
Tips for Success
Working closely with IT departments and management provides buy-in from the top down and ensures business continuity, Broer says. For other institutions interested in launching awareness and rewards programs, she recommends:
- Stay Current -- Ensure that the security administrator and/or security department is aware of the latest schemes, either through networking with other security professionals or by participating in security forums provided by banking groups such as the American Bankers Association;
- Stay Focused -- Ensure that the training program developed for staff is clear and concise, with employees fully understanding management's expectations of them;
- Get Buy-in from the Top -- BankWest's information security officer serves on the executive management team, which is therefore involved and informed on security matters. Having that kind of connection with the bank's executive leadership has helped make the program a success.