How this small bank combats fraud without alienating customers

Kennebunkport is a Maine vacation town known for its famous residents (the Bush family), old-world hotels, sandy beaches and tourist-trap town center.

In this idyllic setting, Kennebunk Bank is battling an ever-growing onslaught of fraud.

“Fraud just keeps increasing, increasing, increasing, and we're having to put more and more resources to it,” said Brad Paige, the $1.2 billion-asset bank's president and CEO.

It's hardly alone.

“Community banks and credit unions are experiencing a wave of attacks from serious and organized fraudsters,” said Jonathan Care, senior director and analyst at Gartner. “We are seeing attacks that blend across multiple channels — call center, web, mobile app, and even written letters.”

Al Pascual, senior vice president of research and head of fraud and security, said he’s heard anecdotally of an increase of such attacks on small banks, though Javelin has not yet seen the problem drive a spike in its data.

“Older schemes tend to move downstream over time as larger banks become more resistant to them,” he said.

At Kennebunk Bank, some of the fraud stems from customers falling for phishing attacks or romance scams and giving out their online banking credentials. Other attacks might be coming from fraudsters exploiting data stolen from breaches like the one at Equifax.

“The bad guys used to come in the front door and rob the branch,” Paige said. “Now they're coming in the back door and they're doing it every single day. So the bank is literally being held up every single day of the week.”

Ten years ago, the bank had one security officer and fraud incidents were rare. Today it has a 20-person fraud committee that meets every week to handle an average of five new cases each time.

The 12-person call center, which takes about 350 calls a day, is one target. Con artists try to impersonate customers to conduct account takeovers or wire transfers. But like other banks, Kennebunkport has found that toughening security to block malicious callers creates a painful experience for legitimate customers.

“We've added so many security elements and it's not a great customer experience, generally speaking,” Paige said. “If you call into a bank that doesn't have something like voice identification, you're going to get asked 10 different questions to verify your identity. Whenever we've added or improved security in the past, it's been a burden to the customer and a poor customer experience.

The bank recently implemented voice biometrics from Nuance that actually improves the customer experience, Paige said. Customers are better protected when they call in and they can get to what they called for faster.

“Before, we'd spend half the call verifying who they were and then the other half of the call giving them information they needed,” Paige said. “Today that process is just so much faster.”

About a third of customers who are asked to enroll in voice ID decline it, but only because they don't feel they have time during that call. They do want to be asked again the next time, he said.

“It's not a rejection of the technology,” Paige said. “It's, 'I'm in a hurry and I don't have time to do this right now, but it sounds great and talk to me the next time I call.' " It takes 30-45 seconds to create a voiceprint and enroll. Customers who do enroll seem happy with it, Paige said.

The software, which went live at the beginning of the year, compares the voice of the person calling in against the voice print on file for that customer. It has already caught some suspicious callers. When the program red-flags a caller, the call center rep typically asks for additional information or tells the caller to come into the branch to complete whatever they're trying to trying to do.

It’s hard to determine a return on investment on technology like this, Paige said, because the bank doesn’t know exactly what it’s deflecting. It could be a large-scale scam or a small one. But in a recent case, the software stopped a $70,000 fraudulent wire transfer.

“You get a few of those coming in and stop them, and the software very quickly pays for itself,” Paige said.

Kennebunk Bank is something of an outlier in its adoption of voice biometrics, according to Brett Beranek, director of product strategy at Nuance.

“Traditionally the smaller organizations haven’t invested in fraud mitigation technology,” he said. “I can think of several community banks and credit unions that do not have full-time staff dedicated to fraud detection. The fraud detection function tends to be a shared responsibility within an operations group. It’s underfunded and that has led to fraudsters realizing these are vulnerable organizations.”

While the amount of funds available for each account holder may be lower at community banks than at some larger banks, the success rate the fraudster has at perpetrating fraud is higher, he said.

“The economics make sense to them,” Beranek said.

Lately, Nuance has seen fraudsters using databases of stolen credentials and account information on the dark web to attack banks’ digital properties.

“When they’re successful at authenticating into the web portal, they can take over that account and perpetrate fraud directly on the web,” Beranek said. “When they’re unsuccessful, they’ll call in and claim they’re a legitimate user and need to reset their online credentials, so the account takeover occurs that way.

"The community bank or credit union will go through legacy security questions and provide new digital credentials to the fraudster. The fraudster then perpetrates fraud. That is the most common attack vector we’ve seen over the past 12 months.”

This type of attack grows at a double-digit rate every year, he said.

Some banks have started making the fraud problem worse by automating the password-reset process through chatbots to save them money and provide convenience to customers.

“This is a godsend for fraudsters, because all they need to do is intercept the email or SMS" — sent to the customer for verification — "which has become child’s play for fraudsters,” Beranek said. “They look for these rules-based automated credential reset systems that they can easily take over.”

A virtual assistant combined with technology such as behavioral biometrics could be effective, Beranek said. Nuance works with two behavioral biometrics providers, Biocatch and Behaviosec. The system could be watching the way the customers type or hold their phone and comparing it against their normal behavior, for instance.

The next stop for some banks on secure voice interaction is letting customers bank over their Alexas, Siris and Google Homes. Paige is cautiously optimistic about this idea.

"I'm definitely interested in it," he said. "Anything that can improve the customer experience or allow the customer to interact with us the way they want to interact with us, that's of interest to me."

For reprint and licensing requests for this article, click here.
Cyber security Fraud detection Fraud prevention Fraud Biometrics Identity verification Community banking
MORE FROM AMERICAN BANKER