Banks and other financial institutions have a myriad of security risks to manage. Cyber threats and physical threats alike are valid concerns for financial institutions, giving security leaders in this sector many risks to mitigate. 

Here, we talk with Tracey Santor, Assistant Vice President for Financial Institutions at Travelers, about handing these risks. 

Security magazine: Tell us about your title and background:

Santor: I am the product manager for Financial Institution Bonds, Kidnap and Ransom policies and ID Fraud policies for Bond & Specialty Insurance at Travelers. I began my career in the Claim department, where I ultimately managed the Claim professionals who handled Bonds, Kidnap and Ransom and ID Fraud claims, along with a variety of commercial crime claims for many years. I transitioned to my current product manager role in 2013. I have enjoyed the challenges of monitoring my products’ strategies, profitability and training as well as the changing market place.

Security magazine: Social engineering fraud tactics have evolved and become quite sophisticated, and banks should always be on high alert that an illegitimate fund transfer request might be coming. How can banks mitigate this risk?

Santor: Social engineering schemes have been such an easy way for fraudsters to get money. To guard against this exposure, banks and financial institutions have to work just as hard as the fraudsters, and stay on top of any new threats that emerge. 

One of the best ways to defeat a social engineering scam requesting payment is to make a phone call to a number that is on file and ask if the person you received the request from really sent those instructions. Often, requests to transfer funds comes through email, so responding through a different method can sometimes uncover that the request is not legitimate. Confirming with the appropriate person on file through a verbal phone call that a funds transfer request can proceed is a smart way to identify scam attempts. The company and its person you are confirming the request with should appreciate the diligence the bank is taking. With possibly hundreds of thousands or even millions of dollars at stake, it’s worth taking the extra time to confirm the validity of a funds transfer request.

Security magazine: Employee theft is another threat. What tips can you share to help banks reduce the chances of becoming this type of victim?

Santor: This is also a serious threat that requires a bank’s attention. There are ways to combat this. Implementing a separation of duties and making sure someone has oversight of what others are doing is always encouraged. Giving one person the opportunity to work with and manage a bank’s finances and assets without anyone else’s involvement is asking for trouble. Creating a system of checks and balances, with multiple employees directly involved with a bank’s finances instead of only one, should provide the framework needed to catch employee theft, and discourage people from attempting it.

Security magazine: Any other scams you’re seeing that banks and financial institutions need to be aware of and guard against?

Santor: We’re seeing a lot of Financial Institutions claims where fraudsters are embedding themselves into customer accounts. The fraudster poses as a person with authority from the bank’s customer and requests that a new individual be added as an authorized financial approver with full access to everything. If the bank complies, it is like handing a criminal the keys to the vault, and the vault, not surprisingly, very quickly gets wiped out. 

Banks should talk to their frontline people about this scam, and how to vet it. Just like with other social engineering attempts, calling the company and not emailing is always the best response. Calling someone other than the alleged employee who is to receive the new authorization abilities is the safest checkpoint.

In addition to the staff training and reminding them what banks can do in the fight against funds transfer fraud, securing appropriate insurance coverage is another protective step a bank can take.