Case Study: How to Stop Scams

SD Bank Trains, Rewards Employees for Spotting Fraud Schemes
From online phishing attacks to over-the-phone scams, social engineering schemes come in many flavors. And fraudsters are constantly improving their methods of separating people from their personal and financial information.

But one midwestern community bank has developed a unique program that not only helps stop the scams before they cause damage, but also rewards the bank employees who first report them.

BankWest Inc., a $754 million institution based in Pierre, S.D., for two years now has trained customer service center and frontline staff to quickly target the latest social engineering schemes, and then work with customers to identify suspicious e-mails, phone calls or in-person visits from third parties. The training resulted in the launch of the Information Security Employee Rewards Program, which honors staff for efforts to reduce the bank's risk.

"It paves the way for us to know what's happening on the front lines," says Patti Broer, the bank's information security administrator who developed the rewards program.

"The schemes are so dependent on the human element and are constantly evolving," she says. "You can't deploy a patch update to fix these schemes."

The Challenge

In 2008, BankWest determined that social engineering schemes ranked among the most damaging fraud threats -- they are just too difficult to contain, Broer says.

Typically, these schemes are launched via phishing e-mails or over the phone to customers. Social engineering schemes can also include in-person branch visits by individuals posing as service technicians or vendors, sent to con staff into providing secure information about systems or accounts.

Beyond theft of information or money, these schemes can shatter customer confidence in financial security, even when the institution is not to blame.

In June of 2008, BankWest spearheaded its educational effort focusing on employees. Broer says she came up with the idea for a training and rewards program after attending a webinar on IT security and fraud prevention.

"I walked away thinking, 'We need to get everyone involved,'" she says.

The Training

Broer and the rest of the bank's information security team regularly attend workshops and participate in forums related to social engineering and other fraud schemes. The information collected is immediately shared with the staff, to keep the entire bank team abreast of new and emerging fraud threats. All staff members also are required to complete online training in scheme detection that is designed by the bank.

Training includes:

  • How to identify phone scams, such as vishing attempts, which rely on automated phone call messages that lure customers into giving personal information, and pretext calls;
  • How to identify phishing e-mails and use caution when clicking on links or opening file attachments;
  • Monthly training and employee-orientation demonstrations on how to spot face-to-face, personal social engineering schemes.

The bank also provides information about social engineering schemes on its website. Employees are encouraged to point customers to the site, as well as provide information about fraudulent schemes when customers visit the branch.

"When we train and educate our staff, it trickles down to our customers in a very natural flow of information-sharing," Broer says.

Employee Rewards

The rewards program is simple and inexpensive. Employees who identify suspicious schemes are given certificates and small rewards. When an employee is given a certificate, his or her immediate supervisor is notified and encouraged to further reward the employee. BankWest has found that employees take pride in the program, prominently displaying their certificates for others in the branch to see.

Examples of scams that have been identified by BankWest staff:

  • Sweetheart schemes -- An online relationship between a customer and an overseas user that can last up to six months. Over the course of the relationship, the overseas user convinces the customer to wire funds, share bank account information and open accounts.
  • Letters, postal service or email -- A bank customer is notified that he or she has won the lottery or a sweepstakes.
  • Phone scams -- A customer is asked to provide information from a government check and receives repeated phone calls, with each call asking for a different bit of personal information -- Social Security number, birth date, etc. Phone scams usually target elderly customers and depend on the social engineer's ability to develop a rapport with the customer.
  • Cell phone scam -- A customer is told that his or her debit card has been compromised and is asked to provide card details for a replacement.

Social engineering schemes have not decreased as a result of the education and rewards program, Broer says, but reports of schemes have dramatically increased. Tracking the success of the program has been difficult, since some employees derail schemes without notifying management. But based on the incidents of which Broer has been made aware, she says she safely estimates that employees are catching more than they're missing.

Tips for Success

Working closely with IT departments and management provides buy-in from the top down and ensures business continuity, Broer says. For other institutions interested in launching awareness and rewards programs, she recommends:

  • Stay Current -- Ensure that the security administrator and/or security department is aware of the latest schemes, either through networking with other security professionals or by participating in security forums provided by banking groups such as the American Bankers Association;
  • Stay Focused -- Ensure that the training program developed for staff is clear and concise, with employees fully understanding management's expectations of them;
  • Get Buy-in from the Top -- BankWest's information security officer serves on the executive management team, which is therefore involved and informed on security matters. Having that kind of connection with the bank's executive leadership has helped make the program a success.

About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



