In the Wake of SVB: 7 Identity Management Dangers
The business world is rocking right now. The impact of the Silicon Valley Bank collapse is just beginning to be felt. Some people are saying there is nothing to really do except let it play out and try to find alternatives for short-term cash and other safe havens in the meantime. But this is only one side of the coin. As we all know, the money that flows through the banking system is what powers our economy, our businesses, and what puts bread on our tables.
When I first heard the SVB news, my initial reaction was that the fraudsters are going to have a field day. Already we are seeing the potential impact, with call centers being completely inundated with concerned customers, businesses sending emails with new bank accounts, and newly released phishing campaigns and social engineering scams being promoted on the dark web. My spidey senses are up and everyone else's should be as well. In terms of what could go wrong, read my blog on potential fraud vectors that people should watch out for.
I’ve been thinking about this more and thought it was important to use my platform to alert people to exactly what I meant by that and what could go wrong, so folks can be educated and on alert:
1. Business email compromise - In 2022, Business Email Compromise (BEC) was the second largest category of losses across all reported cybercrimes, with a collective $2.7 billion in attributed financial loss (FBI). In these severe moments of stress, employees may be more likely to believe attackers who request payment through nontraditional means, and/or to confirm credentials that give those attackers access to take over existing accounts.
2. KYB - Only 5% of financial institutions have an automated B2B or corporate banking onboarding process, with 75% of them still relying on Google searches to identify Ultimate Beneficial Owners (UBOs), property owner records, annual filings and financial accounts. In the fallout of SVB, with so many companies scrambling, this is not sustainable and could create another crisis where new accounts are being used to launder money or further other types of fraud as listed here. In addition, given the speed with which all this came down and the time that it takes to do a KYB, it is possible that legitimate users will open accounts on investment platforms (Robinhood, E-Trade, etc.), like they did in the pandemic, while they figure out how to manage their business funds, and then those accounts can also become subject to account takeover fraud (see next point).
3. Invoice fraud - In the US, companies are losing an average of $300,000 per business annually to fraudulent invoices. An example that may be prevalent in the coming weeks is a phony supplier sending an invoice to a business stating that goods have been purchased and that the invoice is overdue, or intercepting an invoice system and giving “updated” wire instructions for a payment that is due.
4. Personal banking account takeover fraud - In the bank run on Thursday and Friday, people moved money into personal accounts because the process to open a business account could take too long. Already 22% of US adults have become victims of account takeover fraud. This fraud can occur by adding another payee to the account (this can be a bank account or another account that is linked to the bank account, like a mobile phone provider, a payment platform (Venmo, Zelle, etc.), a credit card system, or any service that can be linked by Autopay to the bank account). Because so many of our systems are linked and OTP and 2FA are easily bypassed, this is often not noticed until after the fact.
5. FDIC deposit fraud - Fraudsters call the FDIC and redirect the insurance payment and/or dividend payment into an account they control (see the point below about unemployment fraud).
6. Outbound call center fraud - Fraudsters may call people with offers to help open new accounts, establish access to new credit lines and payroll services. There is typically no way to know who is on the other end, so the best thing to do is take the information and go to the website and call the service provider back.
7. Unemployment claim fraud and claim hijacking - Criminals use stolen personal information to illegally log into a person’s unemployment account and steal the unemployment benefit payments intended for the real claimant. This is known as “Claim Hijacking” or “Claim/Account Takeover.” Michigan paid out at least $8.4 billion in fraudulent payments from March 1, 2020 to Sept. 30, 2021, according to a report from the state's Department of Labor and Economic Opportunity. In the same timeframe, the Arizona Department of Economic Security paid at least $4.4 billion. California paid $20 billion. Originally, a lot of this fraud was going into accounts of identities that were not legitimate or people who were not eligible for unemployment, but now hackers are shifting tactics and funneling payments of legitimate claimants receiving unemployment insurance into fraudulent accounts.
The implications of these threats span the startups who are at the core of this crisis, their vendors, their employees, other banks and government agencies. I also saw a list being circulated yesterday of nearly 6000 funds that were registered as banking with SVB. It is not hard to then cross-reference those funds with their portfolio companies to see who may be affected, and then in turn who the management team members of those companies might be. Many of these people are my friends, colleagues or at minimum fellow startup founders and kindred spirits. My heart breaks for what those affected are going through.
I’ve been saying over and over, there is no industry and no entity that is immune from these threats. We need to work better together, especially in these times of crisis, to use the tools at our disposal and not to think that any of us are too smart to fall victim to these scams.
These risks can be mitigated by eliminating central honeypots of data and securing user access to information and accounts with persistent, consistent biometrics that connect digital onboarding to downstream authentication. One immediate place where these solutions can be deployed with minimal change management or other risk is the contact center (chatbots, IVR, calls). Inbound volumes are very high, so it is imperative to speed up authentication times, lower AHTs and help contact agents be more effective, always with user privacy in mind.
These are definitely trying times. If there is anything I can do to help anyone on here either personally or via Anonybit, please do not hesitate to reach out.