Cash advance scams involving credit cards are nothing new, but the scam still works because some banks and credit unions have let their guard down, and the bad guys know this. The most recent cash-advance schemes targeting smaller banking institutions just go to show that the employees of financial institutions could use a refresher course in information security awareness.
FICO first noticed these scams two years ago and issued several notices to financial institutions about the methods being used, but apparently bank employees still fall victim to the attacks. This to me is a major warning sign that the security protocols in these banks are not being met or followed, pointing to human error. The old saying, “If you can’t hack the technology, hack the people,” holds true. The cash-advance scam is easy to identify and catch if bank and credit union employees are trained not only to spot it, but to handle it as it comes.
Protection & Prevention
Obviously, the first step to prevent these attacks is employee training. Not to sound too much like an advertisement but rather to make a point, InfoSight offers comprehensive information security awareness courses that include social engineering. Our customers often request that training be followed by a “secret shopper” – i.e., one of our security experts who reinforces the training by posing as a scammer, unbeknownst to employees.
Other ways to mitigate the risk are to encourage communication between institutions and to notify payment processors, along with any associations affiliated with the bank. It’s important to educate everyone on the scam and the precautions to take.
And it never hurts to show your customers how your institution is taking a proactive approach to these attacks. You might even invite your commercial customers to participate in security awareness training that you provide for them through our education arm, InfoSight-U.
In short, if someone walks into your institution and is not a customer but wants a cash advance, some alarm bells should go off. Tell me, what measures does your institution take to mitigate the risk of scammers?
What do YOU do? Please help continue our conversations by commenting on this post.