Holiday Edition

Tis the season to be jolly...and jump for joy for the second edition of Fraud Thoughts! ??

If you are new here, welcome. Here, we talk about what's happening, what's new, and what's next in the world of fraud risk management. For returning readers, thank you for your continued support??

This month, I have some ??hot topics lined up for you:

• ???An interview with James Rumph, CPA, CFE, CAMS, CFI, CIA, CVA , where we dive into the insurance fraud landscape and the Coalition Against Insurance Fraud 's Fraud Risk Management Task Force
• ??Novel approaches to check fraud mitigation - a follow-up to last month's focus on check fraud trends (if you missed last month, check it out here)
• ?Using Virtual Reality (VR) for employee training ... and how it can help you level up fraud training at your organization

Read on, and let me know what you think in the comments.

Next month, we will cover novel approaches to scam intervention, calculating the ROI of fraud prevention, and more. This newsletter will be in your inbox on the first Thursday of each month - if you enjoy the content, share it with your network and subscribe above.

A big thank you to each contributor to this edition of Fraud Thoughts who provided their insights and perspectives - including Suzanne Carlson and James Rumph, CPA, CFE, CAMS, CFI, CIA, CVA !

If you have a topic you want to see covered or have questions about any of the content in the newsletter, feel free to reach out to me on LinkedIn or by email at [email protected].

What's Happening? Insurance Fraud Edition

This month, we have a special guest to talk about all things insurance fraud - let's give a big Fraud Thoughts welcome to James Rumph, CPA, CFE, CAMS, CFI, CIA, CVA ! If you don't already know James, here is some background:

James leads Nationwide’s Enterprise Anti-Fraud Team, responsible for fraud risk governance, risk assessment, consulting, and monitoring across the enterprise. He joined the Fortune 100 insurance and financial services company Nationwide eight years ago. James also serves the anti-fraud community as Co-Chair of the Coalition Against Insurance Fraud 's Fraud Risk Management Task Force, is the President Emeritus of the Central Ohio ACFE Chapter , and previously served as Chair of the Association of Certified Fraud Examiners (ACFE) Chapter Leaders Committee and President and Treasurer of both the Central Ohio and Des Moines ACFE Chapters.

Now, let's dive into the interview...

Fraud Threats & Mitigation

From your perspective, what are the top fraud threats in the insurance industry today, and how have these threats evolved over the last couple of years?

At the macro level, the top fraud threats across the insurance industry continue to be policy-related fraud – with concentrations in intentional misrepresentations during the claim and policy application processes. However, these threats go far beyond organized criminal activity, with opportunistic “soft” fraud continuing to be a significant threat. This opportunistic fraud can range from attempts to be reimbursed for more expensive stolen electronics to intentionally leaving a youthful driver off an auto insurance application for the applicant to attempt to save premium costs. Certain product lines with cash value products (e.g., life insurance) face significant concentration in account takeover fraud risk as well, with threats from organized crime groups and others like family members.

Although these top macro-level fraud threats have remained generally the same over the last few years, other fraud threats continue to evolve. For example, in the past, business email compromises may have targeted a single vendor or insured. However, organized crime groups have placed more focus in this space on third-party professional service organizations like law or accounting firms. By targeting these organizations first, they can identify much larger volumes of pending insurance claim payments or information necessary to attempt an account takeover.

What challenges do insurers face in mitigating these threats, and how can they overcome them?

In addition to the typical challenges organizations face in mitigating fraud threats, insurance fraud is an incredibly challenging and high-velocity threat that occurs in many ways and requires significant resources to combat.

As has been widely reported in the news over the past couple of years, to add to the challenges, the property and casualty insurance industry has been experiencing significant cost and loss pressures driven by factors like inflation and significant catastrophe losses.

As many carriers look at opportunities to regain profitability and keep premium rates from unnecessarily increasing, there is a risk of making misinformed resource allocation decisions in areas focused on reducing fraud risk.

This is an area where mature fraud risk assessments can help. Although it is not practical to assess each fraud risk related to insurance fraud with precision, there are significant risks tied to both under and over-estimation of these fraud risks. For example, over- and under-investment in a specific area of fraud protection can cause unnecessary financial losses for insurers and unnecessarily high consumer insurance premiums. Underinvestment is most thought of, but overinvestment in an area that is not providing a return on investment or as high of a return on investment as another opportunity can also negatively impact financial results and consumer insurance premiums.

From your perspective, what emerging fraud threats are on the horizon that insurers should prepare for?

Over the past year, there has been a lot of buzz around the potential for fraudster use of generative artificial intelligence (GenAI) capabilities against the insurance industry. For example, someone may submit GenAI-created images to support a fraudulent auto insurance claim. Alternatively, someone may use GenAI to interact verbally with a carrier to request a fraudulent cash value account withdrawal.

What type of controls, technologies, or other mitigating actions should insurers be looking at to mitigate these emerging threats?

Although it may be difficult to detect in some situations, I haven’t seen evidence of GenAI being used as part of an insurance fraud attempt. However, carriers need to be aware of the emerging threat - carriers need to continue using and considering using already available and evolving detection technologies and continue to maintain layered anti-fraud controls to mitigate the risk of successful GenAI fraud attempts ranging from employee awareness to other authentication and validation controls and beyond.

When it comes to fraud risk management, what capabilities should leading insurers have?

Certain capabilities are required by regulation. For example, insurers must have a Special Investigations Unit (SIU) that investigates suspicions of insurance fraud, and there are various employee anti-fraud training requirements.

...effective fraud risk management capabilities are in the best interest of both the insurers and consumers.

In addition to the regulatory requirements, though, effective fraud risk management capabilities are in the best interest of both the insurers and consumers. Whether directly protecting consumer assets or protecting from unnecessarily high insurance premium rates, fraud risk management should be considered an important area for all insurance carriers. This is such a broad area, but at the highest level, each fraud risk management principle is essential in its own way and complements other principles. For example, effective fraud risk governance helps support effective fraud risk assessments, which support effective internal control activities, which support effective investigation and response activities, and so forth. With no one-size-fits-all approach, the importance of each underlying capability will vary from carrier to carrier.

Want to learn more about the principles James covered (e.g., governance, risk assessment, etc.)? You are in luck! These principles come from the Committee of Sponsoring Organizations (COSO) and the Association of Certified Fraud Examiners (ACFE) Fraud Risk Management Guide. The second edition was released in May 2023. - check out the press release.

The Fraud Risk Management Task Force

What are the goals of the task force?

Fraud risk professionals from Coalition Against Insurance Fraud member organizations come to this forum to collaborate against all forms of fraud impacting the insurance industry and consumers, sharing best practices and growing the collective maturity of fraud risk management. This task force was formed in 2022, with us kicking off monthly meetings in April 2022.

What have been some meaningful outcomes from the task force?

We have established consistent fraud risk management terminology across carriers, which is a foundation that has enabled us to benchmark the maturity of our fraud risk management programs objectively.

Benchmarking against best practices and our peers helps us prioritize efforts for our task force and within our own organizations to enhance our impact on fraud.

Between November 2022 and October 2023, we saw membership growth and measurable growth in average maturity across each of the five assessed fraud risk management areas, including full-level increases in Investigation & Corrective Action, Risk Assessment, and Monitoring maturity.

How does information sharing and collaboration across insurers lead to more effective fraud risk management?

Those who commit fraud share information and collaborate with peers, and it is critical that insurers do the same in ways that impact the fight against fraud.

By working together, insurers can strengthen collective defenses, which in turn protects policyholders and consumers. Many insurance industry vendors provide consortium information-sharing capabilities through data that are vital to the fight against fraud. We can see meaningful industry trends sooner and react more effectively if we work together. Strategies of not working collaboratively to help protect an insurer’s competitive advantage are short-sighted.

How would someone go about joining this task force?

Task force participation is open for all Coalition Against Insurance Fraud’s almost 300 member companies. The Coalition’s member list is included at https://insurancefraud.org/members/. We currently have approximately 20 of these companies participating and are always looking for further participation. Information about joining the Coalition can be received by emailing [email protected]. Information about the Coalition's Fraud Risk Management Task Force can be sought by emailing me at [email protected] or our Co-Chair, Arteniece Lee, at [email protected].

What do you think about the insights James shared with us? Let us know if you have any questions for James or me in the comments or message me directly.

Interview Summary

Are you looking for a snapshot of the interview? Look no further!

What's New? Check Fraud Mitigation Edition

As promised in the last edition, we are diving into novel approaches for check fraud prevention and detection! Now, we are not talking gel pens to avoid check washing (although that is one way ??, but this article by Orbograph explains why it isn't enough). Today, we will discuss approaches you can take to combat check fraud losses at your institution.

On-Us Check Fraud

Before we dive in, the content below focuses on on-us check fraud. You might be asking yourself why. There are always two halves to a fraudulent check - the bank that accepts it for deposit and the bank where the check is drawn - depending on how the check was forged/altered/endorsed, either bank could be liable. The solutions and controls for deposited items (i.e., deposit fraud) are entirely different from deciding whether or not to pay a check drawn on your bank (i.e., on-us check fraud). Today, we are focused on the latter. But don't worry - in a future edition, we will talk about all things deposit fraud.

How to Mitigate Against On-Us Check Fraud

Banks have a number of options for counteracting on-us check fraud for both commercial and retail accounts. Below are six tactics you can and should be using today:

Across these tactics, there is a lot to explore! We may dive deeper into these topics in future editions, but in this edition, we want to hit some highlights…

Automated Image Analysis is Key

Let's dive into image analysis - below is a high-level view of what it can do:

The institutions we have worked with almost always have a transaction monitoring solution - yet those institutions either don't have an image analysis solution or lack advanced image analysis capabilities. With the continued rise of check fraud, this tech gap needs to be closed swiftly.

Today, institutions without image analysis capabilities rely on a manual review of inbound check snapshots that alert their transaction monitoring solution. This can work reasonably well if you have talented reviewers with deep experience in check review - but those folks are few and far between, and what happens when one leaves your company? Even further, is this the best way for your fraud operations team to spend their time? A better scenario is having check fraud signals built in, complementing and further supplementing your transaction alerting capabilities.

So, what is the difference between image analysis and transaction monitoring? Or how can the two complement each other? The answer is simple...

• Transactional analytics can detect anomalous check writing for the account, such as unusual dollar amounts, atypical check writing velocity, or a serial number that is significantly out of range and not clustered with other items.
• Automated image analysis can detect anomalies indicative of forgeries and alterations on the check itself.

The end state is a layered set of on-us check fraud defenses, which enables greater efficiency, reduced losses, and greater peace of mind for customers.

It's Time...for a Consumer-Friendly Version of Positive Pay!

Last time, we covered how commercial banking tools, like positive pay, have been around for some time and can be very effective for on-us check fraud. We also mentioned that commercial banking positive pay services, including payee matching and “reverse” positive pay, are effective fraud mitigation tools that can be extended to consumer banking. It is finally time to dive into the specifics!

Below are three variations of how commercial banking positive pay services can be extended to consumer accounts:

The type of notification or alert in our first two examples is already happening today for other payment types - I am sure we have all been on the receiving end of this type of control. Just this week, my bank sent me a text asking to confirm if a recent Amazon transaction was authorized; the transaction was auto-declined based on their transaction risk scoring engine, and I had to resubmit payment after confirming it was me making a large purchase on Amazon at 1 AM ??. This system is already in place across institutions of all shapes and sizes, so you don't have to start from scratch! Institutions can leverage that existing infrastructure to combat check fraud and protect customers in novel and new ways.

When considering which option may be right for you, keep customer experience, implementation complexity, and operations impact in mind. For example, option three is the highest-friction experience, whereas options one and two minimize friction. The right option may also be somewhere along the spectrum presented in these three options; however, the key is that you must do something. Leading institutions are already on this path, and you don't want to get left behind in the race against check fraud.

Is your institution implementing any of the above tactics? Let me know what your organization is doing and any questions in the comments, or message me directly.

What's Next? Virtual Reality (VR) Edition

You read that right. Let's talk about VR...for fraud training! Before we jump in, let's get grounded in VR training - what it is, the benefits, and some examples.

What is VR Training?

VR training uses cutting-edge technology to simulate real-life scenarios that teach essential skills and concepts. The learner wears a virtual reality headset that immerses them in computer-generated 3D graphics designed to mimic real-world environments. Motion controllers often accompany the headset to allow the learner to interact with the virtual surroundings.

What are the benefits of VR Training?

VR Training has many benefits, including reductions in training time, increased engagement, improved retention, and cost savings compared to traditional training methods.

Don't just take my word for it. A Stanford University and Technical University study in Denmark saw VR training drive a 76% increase in learning effectiveness over traditional instructional methods.

The superior outcomes resulting from immersive experiences reflect a basic tenet of adult learning theory – that adults learn best and retain more information under conditions that approximate real-world performance.

Check out this example from Hilton...

How can VR level up fraud training?

VR can level up fraud training across industries. Let's take a look at a couple of examples...

#1 - Bank Branch Employee

Branch employees combat fraud in their day-to-day jobs. I recently worked with an institution with branch network fraud issues for many reasons. Two core reasons included:

• Branch employees did not know how to and did not feel comfortable questioning customers, focusing on customer service and less on risk management, which led to higher fraud losses.
• Branch employees had varying levels of understanding of fraud and how it could manifest in a branch environment, which led to fraud going undetected and relying on recovery efforts once identified reactively.

How could VR help with these issues? VR training could simulate customer interactions across various fraud typologies with 'good' customers and fraudsters - showcasing how to identify red flags, how to use internal systems and tools to authenticate customers and transactions, how to ask the right questions, how to deal with potential fraud, etc., in a low-risk environment that provides immediate feedback. As you can imagine, this approach would be much more effective than a branch employee reading a policy or watching a recorded training - and presents a safe space for the employee to test these new skills in real-time and fail, without the negative impact of a mistake in reality.

#2 - Contact Center Agent

Like branch employees, contact center agents are constantly barraged with fraud attempts from social engineering to account takeover, unauthorized transactions, and more. I often see contact center agents asked to remove fraud restrictions on an account or seeking approval on a money transfer that was declined in-app or online. While the specific risks vary depending on your industry, the fact stands that your contact center is a potential weak point without the proper defenses.

When it comes to training, I have seen a spectrum of maturity. At an organization I recently supported, the core procedure document was a single page. This page detailed what authentication steps agents needed to take before low-risk (i.e., sign-up or product question) and higher-risk (i.e., profile change) activities. This led to inconsistent performance from one agent to the next, inconsistent approach in authentication (this page left a lot to the imagination!), and did not adequately prepare agents for the onslaught of fraud attempts coming their way.

How could VR help with these issues? In this case, better procedures and operational controls were apparent gaps that needed to be addressed; however, training was also high on the needs list. VR training would provide the ability to train agents in a way traditional methods never could, providing simulated social engineering attempts or practice dealing with calls from potential fraudsters. This practice brings the actual threats agents will deal with to life and arms them with the know-how to handle anything that comes their way.

How can I level up fraud training outside of VR at my organization?

Now, this section is all about my thoughts on what I see as 'next' in the world of fraud management. However, not every organization is interested or at the place to make investments in VR training. In the absence of this, here are some ways you can still level up your fraud training:

• Create role-based training content - have you ever received an email about a corporate training that is due and thought, 'not another boring training' or 'I hope I can turn this on in the background and get other work done'? Most people have training fatigue, which is similar to other obstacles we face at work, like email fatigue. Getting employees excited about training or engaged in the process can take a lot of work. When it comes to fraud, the best way to stand out from other training is to tailor it. Create role-based training that still hits the objectives of general fraud training in a more meaningful, targeted way. When something is tailored just for you, you are more likely to engage in the process and get something out of it.
• Incorporate practical, interactive content - for example, game-based challenges and end-to-end case studies. In lieu of simulated scenarios using VR training, practical and interactive content is your best friend. In my 8+ years working in fraud, one of the most consistent complaints from learners or trainees on their organization's fraud training is the lack of examples! Your people need to know how the fraud threats you are describing manifest and the specific, tactical ways they play a part in mitigating those threats in their particular role. Taking it a step further, your people need to know what can happen if controls or procedures aren't adhered to - for example, an employee may skip or team may have a culture of skipping a process step without realizing that step plays a large part in fraud prevention.
• Develop a formal approach to evaluate the effectiveness of training and awareness efforts - for example, a post-training survey or assessing the level of reductions in policy or control exceptions within the group who received the training. You need to understand if what you are doing is working or achieving the objectives you set out so you can continuously improve. Often, I see organizations making changes based on their perception of how things are working or not making any changes because they believe what they are doing is working. Don't fall into this trap! You can use the outcomes of effectiveness assessments to make insight-driven adjustments to your training approach and content, ensuring the success of these efforts year-over-year.
• Build out metrics to track training and awareness activities and outcomes - metrics may include the # of fraud trainings offered, # of staff who have taken fraud training, and the results of satisfaction or feedback surveys following training. When it comes to metrics, it is always better to track outcomes, but sometimes the pure numbers - like our example of the # of trainings offered - are great for showcasing the work the fraud team is doing to foster a robust fraud risk culture. With metrics, it is easier to talk about the ROI of your efforts or the value achieved. So, track, track, track.
• Weave in frequent communication about fraud - for example, weave in fraud topics at town hall meetings, fraud newsletters, articles in existing newsletters, and internal social media campaigns. This type of awareness efforts can have a more significant impact than you might think. I have seen organizations start on this path and end up with drastically improved fraud risk cultures. If fraud becomes a usual topic, it can improve awareness, drive engagement in fraud risk management activities, and deepen understanding of each employee's role in fraud.

Want to learn more? Check out these resources:

• Safe, engaging, and effective training with VR
• Unlocking the Benefits of VR Training in Financial Services
• Virtual Reality Training 101: A Comprehensive Guide to Understanding the Basics