Gain insights from our fraud experts to help protect your business from the emerging fraud threats amidst the coronavirus pandemic.
In a recent live webinar, experts from Santander discussed the forms of fraud that most commonly affect small business owners and are becoming more prevalent during the coronavirus pandemic. Hear from our experts on several fraud scenarios to show how real cases play out, so you can educate and equip yourself to better prevent a fraud attack.
Jessica
This time, let's begin today's webinar, "Fraud in the Time of COVID-19: Current and Emerging Threats." I would now like to turn today's presentation over to your first speaker, Amir Madjlessi, Managing Director of Business Banking, Santander Bank, North America. Amir, you have the floor.
Amir Madjlessi
Thanks so much, Jessica. And good afternoon, everyone. Thank you so much for joining. We have a great panel here to provide some tremendous insight and information trends, and of course tips. But first and foremost, for everybody on the phone. I just hope that you and your families are healthy and safe. We're not only dealing with obviously a pandemic, but a financial crisis and there is clear social injustice going on in front of us where many of our communities are suffering from pain here. So, we're privileged to be able to have this time with you and to provide some, hopefully what is value added information today, from Santander and the colleagues that work here.
You know, the pandemic has truly changed how we do business. We're obviously not face-to-face with our clients as much. There's a lot of anxiety about the economy. And there is an absolute demand to change how we do business so that we can survive and thrive in these unprecedented times. We're also online more. We're engaging digitally much more because we're forced to and in many ways, behavioral changes are evolving the ways that we do business and how we interact with customers or prospects. But the good news is we're here to help and I think that's what this particular fraud webinar is all about is to give insights to the business community. I'm proud to know that we have some of our business owners that bank at Santander on this webinar. Thank you so much for your business and your loyalty and we have others on this webinar as well. And I think that is at the heart of what Santander would want to achieve, which is, no matter what we're here to help people and businesses prosper.
I want to first introduce my esteemed colleagues that have joined me here today, Tim DeRidder, Head of Fraud Risk Management from Santander Bank, U.S. and Dan Hyland, Head of Claims Collections and Fraud Operations at Santander U.S. as well. Quickly, we're going to run through the agenda. We've got some interesting and emerging trends. We have some very unique threats that we want to make sure that we educate. We have some ways to provide tips and insights on how to ensure that you're reducing those risks and exposure points to your business. And then of course, we've got a Q&A which we're happy to answer any of your questions.
Let me now start with this first slide that you see on the screen. And this is startling, right? 60% of small businesses, business fraud victims don't recover any of their losses. I have been in conversations with our clients when these incidents occur and it's devastating, obviously. So, you know, we want to make sure that you take every measure possible to protect your business and the hard work that you've put in to establishing and growing what you've developed here over time. And small businesses typically have fewer protections, right, and I know, you're running your business, you're doing everything that you can, to drive satisfaction for your clients and to have financial outcomes that are worthy of your effort that you've put in. And so you tend to do a lot more in your business from day to day. So, it's incredibly important that you get as many tips and tools available to you to really protect yourself. So, without any further ado, let's turn it over to Tim DeRidder and he's going to walk us through the COVID-19 and fraud conditions that we're contending with today. Tim, over to you.
Tim DeRidder
Great, thank you, Amir for the introduction and for having me. Good afternoon, everybody. To start off the discussion, we felt it was pretty important to showcase recent articles and scams, which have targeted both consumers and businesses as a result of COVID-19. During this unprecedented time, bad actors are continuing to prey on people's emotions during difficult times so I urge everyone to remain vigilant.
If we shift right into fraud trends, let's talk about some of the additional trends that myself and my peers are seeing across the industry. I really first like to describe fraud itself as an eco-wide system challenge affecting consumers, businesses and financial services alike. This challenge and the dynamics of how fraud attacks shift over time, is similar to a balloon animal. When one side decreases, the other increases but ultimately, the air never escapes. We'd like to think the bad actors get legitimate jobs. However, if that was the case, I might not be here speaking with you all today. To address these shifts, banks and businesses alike are investing billions of dollars in fraud capabilities and controls to protect our consumers. A great example of this in the United States is the adoption of EMV chip technology. You can find these chips on nearly every one of your credit and debit cards but these chips have effectively ended counterfeit fraud, forcing bad actors to shift over to team in fraud and identity theft, two threats that everyone should be aware of.
Another trend we're experiencing in the industry relates to data breaches, and that the sheer number are just not slowing down. Bad actors used to attack businesses to obtain their payment information. Now it's far more rewarding to obtain personally identifiable information or PII and sell this over the dark web. And it’s an easy way to envision this as criminals selling social security numbers, your passport information, medical records and even loyalty reward accounts anywhere from $1 to thousands of dollars on this nefarious underground marketplace.
Another area for all of us to focus on is authentication. This pertains to a business attempting to identify the person that they are speaking to over the phone, seeing in person (maybe not so much now with COVID), but also interacting with online or digitally. Identifying a customer has become increasingly harder over time, because the information that I just mentioned being sold on the dark web is being used against us to circumvent our controls. Typically, these attacks also focus on misrepresentation of some form, falsifying of documents, income, and even employment fraud. All of these industry trends that I mentioned are super impactful because just as Amir mentioned, small businesses are a target for bad actors, and unfortunately, they typically have fewer controls. If there's one thing that I have learned in my career in fraud, it's that fraudsters or bad actors will always go after the path of least resistance.
So, moving on from industry trends, I thought it might be helpful to dive into some of the specific attacks that plague small businesses. The first of which is phishing and this is definitely not the phishing you might typically enjoy during the summer in the sun on a boat. Fraud phishing is the sending of communications from what appears to be a legitimate source, in an attempt to again gain PII or payment details. Typically, these communications try to create urgency, they try to threaten you or the recipient, and they want you to click links or open documents so that they can infect the victim with malware or viruses. A prime example of this could be an email, which appears to be from your bank informing you that your account has been blocked for suspicious activity. These emails typically tell you to click a link and you can remove the block and make everything better. Please do not click random links or respond to these emails.
A specialized type of phishing, which you see secondly on the page, is spear phishing. This is a targeted phishing attack, typically to high profile customers, business leaders such as CFOs, perhaps your accountant, a vendor supplier or owners that can control money movement. Imagine an email that you received from what appears to be your CEO instructing you to wire funds to Iceland for the procurement of new equipment activity. This might sound off, but most employees will snap into action after they receive an email from a higher-ranking leader.
At this point, you're probably asking how do I protect myself from some of these attacks? Some of the best tactics I'm about to take you through might seem super basic. Stay with me. They are truly effective. The first is to pause. Do not react out of urgency or fear. Ask yourself if the communication that you've received is really legitimate from that sender. In the spear phishing example that I gave you above, call your CEO, ask them if the instructions were correct. I guarantee you it's better that they receive a call to verify the actual instructions. Otherwise, you're going to call them to inform them that you've lost the funds. Look at the communication itself. Poor grammar, misspelling, weird placement of graphics, links. They're typically giveaways.
Another trick that I commonly use in my personal life is to point to the sender field on an email and look to see what the URL address is. If you just received an email from Apple asking you to take an action, you wouldn't expect the sender address to be Freddiefraudster@gmail.com. Also, one of the tag lines that I want to share with you that we use internally at Santander quite often is think before you click. Links and documents are always the number one source of potentially harmful viruses and malware.
Speaking of malware, let's move on to cyber-attacks and ransomware. This is where the line between fraud and hacking really starts to blur. Over time, fraud attacks have become more complex and criminals are really shifting to digital fraud. A primary driver of this increase is the investment most businesses are making to go digital. Going digital typically offers businesses lower upkeep costs and gives customers easy self-service options. On the other hand, these channels also offer bad actors anonymity, and they make them a perfect target. Something to remember is not all customer facing digital web pages are a direct target for criminals. And in the widely publicized Target data breach, where hackers stole millions of account numbers, hackers entered Target's digital infrastructure through the Wifi that connected the heating, cooling and ventilation systems.
Another particular attack that I mentioned when I opened the slide was ransomware. This is typically perpetrated through phishing which we just covered, where the victim will click a link or open a document attachment. At that point, the ransomware will then infect the victim's device or network and block employee access, holding data hostage, with the threat of deletion unless payment is rendered.
Now that I've probably scared most of you, here's some more prevention techniques against malware. Performing regular backups of important information. Ransomware attacks will attempt to delete or hold hostage your important records. There have been news articles recently of companies that were infected with malware, and the bad actors deleted their customer relationship data which was not backed up. Once deleted this will effectively destroy their business.
Again, this next one might seem very basic, but having antivirus and malware software installed can be a lifesaver. Be sure to do routine sweeps with your antivirus and malware software and ensure it stays up to date. Over time, companies like Microsoft and McAfee and Apple will patch updates to help eliminate vulnerabilities. This is one of their primary duties. Staying on old software makes your business a better target. Also secure all your Wifi networks and access points linked to your firewall using strong passwords, which are not mirrored across accounts. This one's really tough because on average, a consumer has 13 unique passwords that they have to remember and over 50% of consumers reuse the same passwords across websites. Trust me, my wife would tell you I am super guilty of this one. I cannot understate the next point enough. Please be sure to invest in your employees. Train them to pause, train them to identify the warning signs of any of these attacks that we're going to cover today. And if they suspect anything, escalate it.
Next I'm going to move on to smishing and vishing. We get to talk about phishing's close cousins. Smishing is another form of phishing, which is executed via text messaging. I'm sure most of you have or continue to get annoying messages which might have clickable links. Do not readily click them and assume that you will be safe. Remember, we have miniature computers in our pockets that store far more personal information than our laptops and even personal computers. A prime example is some of the text messages my wife literally just received last week, telling her that there is a vaccination for COVID as long as she starts to purchase Target gift cards and send them. Another example could be a text message that you receive from your doctor's office stating that your information has been compromised. Do not click the link. These are tips: your doctor's office will typically not solicit you via text message links.
Vishing is another variation of smishing. This occurs over voice calls or voice mail. A great example of this is the ever so popular IRS tax evasion voicemails that you might receive, stating that you owe back taxes and if you don't call them back, a SWAT team will be kicking in your door to take you to prison. I guarantee you this is not the case. With vishing, and in general for any phone calls that you or your business receive, be wary of anyone asking you for your personal information such as your account details, your login credentials or PIN numbers. If you feel uncomfortable, remember that you can hang up the phone and call the company at a verified phone number. At any point, if you suspect potentially fraudulent activities, I urge you to call your relationship manager. It's better to be safe than sorry.
With that, I'm going to turn it over to my esteemed colleague, Dan Hyland, who's going to continue taking you and talking you through business email compromises. Dan, over to you.
Dan Hyland
Thanks, Tim, and good afternoon, everyone. I want to spend some time talking about business email compromise, or BEC, which is one of the most popular tactics used by fraudsters today. BEC is one of the easier fraud attacks to execute but it's also really effective. Use of this tactic has skyrocketed over the last five years. And most recently, the FBI identified that there's actually been a 46% year over year increase in reported BEC fraud cases.
So what’s BEC? There's a lot of different iterations of this attack. Most common example typically plays out something like this. There's a fraudster posing as an executive at an organization and the fraudster sends out an email to an employee, an urgent request to execute a payment. That payment is typically a wire transfer, although it could also be a check, ACH, everything's fair play. Email address used by the fraudster appears to be either identical to the one used by the actual executive they're impersonating or close enough to it that the victim employee doesn't spot the difference. For example, you might have an email domain, which is the email address after the at symbol. You might have a lowercase L replaced with a one, you might have a dash replaced with an underscore, something that's very difficult to detect and very few people are applying that level of scrutiny to the email addresses when they receive them. The payment request is pressing to be executed immediately. If it's not executed timely by six applications and in many instances, the execute or I'm sorry, executive can't be reached directly. But we usually call that out in the email. Some instances will put contact information that will actually connect you to the fraudster themselves.
The employee thinks the request is legitimate and they go ahead and execute that wire transfer to the fraudulent account. You know, sometimes there's back and forth. If they have questions, the fraudster will make it a point to stay vague and continue to push that sense of urgency. This kind of goes back to what Tim had mentioned, they don't want you to sit and think about this too much. They just want you to hit send.
Once the fraudster successfully withdraws the funds from the beneficiary account, they'll typically continue to attempt to solicit more payments until the victim realizes that they've been scammed. So, organizations have been defrauded for millions and millions of dollars to this tactic and for small business, this can totally shut your doors, an effective BEC scam. It can also be very challenging to recover, you know when these funds are moved, in some cases, they'll try to move the funds internationally. That'll raise suspicions too much. They may try to have you send the funds locally, domestically, and then they might have access to that account that is being sent to it might have an easier way to send it internationally put in there. It can be very, very challenging to get your hands on those funds once they moved out.
There are a few items that are worth considering when it comes to protecting yourself and your organization from falling victim to a BEC attack. One is awareness. You know, Tim brought this up as well. It's so important just to be aware of what these schemes are. When you see this is at a minimum, it'll make you stop and think right? So, if you get an unusual email, you know, if there's any warning signs on it like it's pressing, it's charged to admin expenses or it's a project for something you've never heard of before, then it's uncharacteristic of the person sending the email. Those are all things that should raise your eyebrows, right? Any unusual circumstances, you just want to stop and breathe and make sure that you fully understand you know what it is that you're doing. And the biggest piece of this is validation. So, anytime you receive new or modified payment instructions, it has to be par for the course that you're making a direct phone call to an established number to confirm those changes. And that doesn't mean the number that's on the email. Again, most of these cases that will connect you to the fraudster. That's an established phone number for the individual or business entities that you're dealing with. And, if you unfortunately, become a victim, the first thing you want to do is reach out to your bank, and they can provide you further instructions and help you take action to try to recover those funds.
So, with the COVID environment that we're in right now, you know, BEC has been around for a while. And I mentioned before, it's a very popular tactic. However, I'd tell you that anytime there's a large public event, especially something impactful and widespread like the global pandemic, fraudsters will immediately find a way to take advantage of it. We tend to see a spike in activity like BEC, when these events occur. So, I think it might be helpful to walk you through a specific example of one of the COVID related BEC scenarios that we've been seeing recently.
(5 second pause)
So, the first piece here is the identification page. And again, I touched on this briefly in one of the prior slides, but the fraudster is going to start by conducting research online looking for an opportunity to take advantage of an organization, such as a healthcare facility that may be struggling to obtain PPE, personal protective equipment, face masks, gloves, etc. The fraudster identifies an organization, i.e. the buyer, to target and identifies, likely through online research, that they have an existing relationship with a seller that provides PPE.
The fraudster creates an email address with very similar, sometimes identical, by the seller and they begin the communication with the buyer. The fraudster will then indicate what they have available, but there's a high demand, again, create that sense of urgency, the transaction has to take place immediately. It's not going to be an invoice after the fact; it's going to be a wire transfer and it has to happen either that day or by the next morning. They don't want to give you time to assess the situation. The buyer's pressured into quickly initiating the wire transfer into a fraudulent account, and they never actually receive the product. So, there's another version of this too, where the fraudster actually does hack into the legitimate email of the supplier and there is a legitimate business transaction that's about to take place. And at the last moment, the fraudster will send an email to the buyer and say, “hey, we're still on but I actually need you to send it to using these payment instructions instead of the ones that I provided previously.” And that’s exactly what happens. The fraudster will then send the funds into the wrong account. The fraudster pulled up the funds and runs away with that. So again, I just want to, you know, press upon the audience here, that sophistication of the attacks has really increased over the years. You know, many instances, these are well funded, well-resourced organizations that are perpetrating this fraud. They're sitting in cubicles, they have quotas. They have team lead and human resources departments. Frank, very sophisticated, which is making it really difficult for folks to differentiate between legitimate and fraudulent activities. So I'll wrap up on this topic, but again, just to reiterate, the three key considerations when you're looking to protect yourself in the scheme: creating awareness with yourself, family members, folks that you work with, and management, you know. Identifying unusual circumstances, and it doesn't pass the smell test, make sure that you're pausing and always validate if you have any new or modified payment requests and always make a call to an established phone number.
So, we'll move on to check fraud. As many card issuers continue to migrate to chips, making it more difficult to perpetrate fraud plastics. What we see is a lot of fraud migrating to the check fraud space, we've seen just across the industry, large increases in attempted check fraud. The Association for Financial Professionals made them up 74% of organizations experienced check fraud in 2019. And I would tell you that when you issue a check, you're essentially sending your routing number and account number out into the universe. You know, when folks get their hands on that, they can create counterfeit checks, very easily. Fraudsters will also try to steal actual checks from the mail, faking their hands on it. They can wash the check using chemicals and change pay information for deposit. So again, as you go back, they try to get away from some of the electronic authentication practices that are in place, and then you go back to something a little bit more like manual checks.
So, a few things to consider if you are within businesses issuing checks. I'd highly advise exploring security options with your bank, particularly a tool like Positive Pay, which allows the business to provide a list of authorized checks for the bank. Any unauthorized checks that attempt to pay against the account are available for the business to review and approve or reject. So, it’s important to ensure that you have the right internal controls. Dual authorization for issuing checks or payments, keeping your check under lock and key, and consider implementing surprise audit practices. You know, that's always a good practice to employ and check your statements routinely. I think is good maintenance across the board. Also ensure proper safety when it comes to business and systems access. You know, sometimes there are scenarios where someone that leaves an organization, they still maintain access. And then months later, they go in and they start moving money around or sending themselves checks. So just another item to consider. If you're part of a business that’s accepting checks, it's a good idea to be on the lookout for any type of fraudulent items.
Now, some telltale signs are for when you receive the item: it's smooth or no perforated edges, that there's any type of logo, it's very faint, washed out, the paper's flimsy here, shiny stock, the micro line on the bottom of the check may appear to be raised. These are good indicators. These are actually all good indicators that a check may be counterfeit or may have been altered in some way, shape or form. So, keep your eyes out for that.
So, I won't spend a lot of time on this, but it's important to keep forged or fake documents on your radar. This type of fraud is a little bit more complex. The first of a red flag, to keep in mind when reviewing documentation. Some are listed on here: formatting, spelling or grammar errors, security features such as watermarks, you know their absence that are on some pages, but not others. If the deductions are certain line items that they just don't add up or the math just isn't there. Another big one is there’s an issue where you have someone that's in a profession where the income is just completely out of whack. You know, that’s something that we see relatively often just make sure that everything makes sense. And again, kind of pass the smell test, you go through it and then any type of mismatched information by issuing organizations, those are all tell-tale signs as well.
One other thing that I want to bring up and I don't have any dedicated slides on this, but I'd be remiss not to spend a little bit of time on it is the confidence scams. We've been seeing a large impact on some confidence scams over the last couple months. For kinds of confidence scam, there's hundreds of iterations of it. But ultimately, it's an attempt to deceive someone for financial benefits to gaining the trust. So, I'm sure a lot of folks in the call are familiar with romance scams. You know, you meet someone online, you're head over heels and then very shortly after, they're asking you for sensitive information or money. These things we will look out for, it's the relationship that evolves rapidly, you know, avoid oversharing of personal information, obviously, request for money, you know, should raise your eyebrows, and then the person is not sharing photos or doesn't want to meet in person, they don't want to jump on a video chat. And those should all be red flags. Charity scams, for obvious reasons are extremely popular right now. And so, a lot of these are associated directly with COVID, so you want to make sure that if you are sending funds to a charity, we want to make sure that you do your diligence first, particularly out on social media, since there's a lot of this going on and appears to be a charity. Someone may even reach out to you and appear to be legitimate, but it may be being sent to a fraudulent account.
And then online shopping scams. There’s another one that's been around for a while. You may have someone reach out to you. I think, as it relates to COVID, Tim had touched on this a bit. Somebody had, you know, figured out the miracle cure, the vaccine, test kit, PPE, they're trying to sell it to you. Also, you want to be wary of it also just as general housekeeping. So, it's a good idea to be measured in terms of what you're sharing on social media. While I don't have a large presence on social media, my wife does. I have a lot of family and friends that do as well. But something that seems innocuous, it really wouldn't have much of an impact, as it’s very useful for a fraudster even a post online like, John's 40th birthday was yesterday and we bought him a new dog named Rover. So, you just provide a gender, date of birth, and pet's name to answer authentication question. And unfortunately, fraudsters go out there and create fake identities online. Try to create as many connections as possible and sit out there and just gather information harvested for days, weeks. They've been taking that information and trying to manufacture these things online. So just something to be wary of. I know it's very challenging to avoid social media, in 2020, but something to consider. So, that's all by me. With that, I'm going to pass it back to Jessica to start Q&A.
Jessica
Great. Thank you so much, Dan. So just as a reminder, if you'd like to ask questions to our speakers today, please locate that Q&A panel that you should see in the upper left corner of your screen. Go ahead and type your questions into the text field at the bottom, and then click on submit to get your questions into the queue. And with that, I'll hand it over to you, Amir, to see what questions we have.
Amir Madjlessi
Terrific. Thanks, Jessica. Tim and Dan, thanks so much for the great insights, the trend and the ways to help protect ourselves. I will say a personal testimonial that I have personally been perpetrated with fraud. Dan on the phone here and helped me try to figure out who was trying to do that and prevent that from happening again. But, it is much more prevalent than we would all want it to be.
We do have a first question here. Tim, I think this one might be for you so I'm gonna offer it up here. Are there any resources the bank offers business owners to utilize for educating themselves and their employees? What would you let people know about what resources we have?
Tim DeRidder
Sure, thank you. Yeah, education is one of the most powerful tools here for fraud. And here's my shameless plug. Another fantastic resource available to everybody is Santander’s privacy and security hub. Our primary goal is to spread awareness as Dan and Amir pointed out and educate our customers on the dangers of scams and fraud. On the hub, we specifically talk about what Santander does to protect our customers, what our customers can do to protect themselves, and how elders and vulnerable adults can avoid financial exploitation. And we even give a monitored email box where you can submit potentially harmful communications. Anyone can access this resource like I stated before, by navigating to Santander.com and heading to the bottom of the page under the resources header and clicking on privacy and security. I encourage everyone on this phone call to check in on our site often as we'll be updating these resources over time. Remember, if I can leave you with one thing, security is a shared responsibility and if you see what I'm saying make sure that you say something.
Amir Madjlessi
Great. Thanks so much, Tim. Appreciate it. Next question. Dan, I think this one's for you, you actually got another question here. If, we, as a client, a business owner identifies a check and fraud after the app, what is their recourse? And I think you alluded to this earlier in your presentation, but what is their recourse and what should they do?
Dan Hyland
Great question. So, the first thing you want to do is call into your bank and make sure that you connect with the fraud prevention team at that financial institution. You know, there's a lot of nuance when it comes to the check fraud space and different scenarios, but they'll obviously work with you to try and recover those funds and try to make the customer whole.
Amir Madjlessi
Great. Thanks, Dan. And Cindy, it sounds like Tim should have answered your question in terms of if you get one of these emails, should you contact your bank? So, thank you for that question. We have another question here from Jonathan. How does Santander strike the balance between the digital convenience and protecting their small business customers from fraud? Tim or Dan, which one of you guys can take that one for?
Tim DeRidder
Yeah, I can start off here and then I'll let Dan jump in if I miss anything here. It is a fine balance and I think, Jonathan, I think you put it marvelously. One of the things that financial institutions actually candidly struggle with across the industry is that balance. We want to make sure that our customers are safe, and that their assets and their funds and their businesses are protected. But we also want to make the convenience of using our services and our products super convenient for you. It is a trade off. Sometimes, you know, we do get it wrong. There's always false positives in the mix. But it is all about making sure that you have the most simple and streamlined experience while making it safe and effective to use our products. So hopefully that helped a little bit. And Dan, I don't know if you have anything additional to mention.
Dan Hyland
That's, um, I think he covered a lot.
Amir Madjlessi
All right, terrific. So I've got a question here from Vicki. What about ACH debit fraud, any insights? Are there things that clients can do or business owners can do to protect themselves or act if they see any ACH debit fraud activity?
Dan Hyland
I can take that one, Amir. So, you know, when it comes to ACH debit activity, I think a lot of the same rules apply in terms of protecting yourself, that we went over during the presentation today. And also, you know that the key is timeliness when keeping an eye on your statements and your activity. And when you identify any type of unauthorized transactions, you're immediately reaching out to your bank and working with them to try to recover those funds. I think that's the biggest component is ensuring that you're keeping eyes on all the activity within your business or the personal accounts. But yeah, from a protection standpoint, again, I think a lot of the same rules apply, versus what we discussed today.
Amir Madjlessi
Great. Thanks so much, Dan. I've got a really good and very direct question from Anthony here. And I, you know, maybe for Dan, but we could offer to both of you, gentlemen. If a banking customer accesses a web or mobile banking service using a compromised device, who's responsible for losses that occur as a result? Is the user responsible to secure their own devices? Or is the bank responsible to monitor all activity on the service? I think it's a really good question, Anthony. Dan, might I send that over to you and then maybe Tim can add in?
Dan Hyland
Yeah, of course, a great question. And so there's really not a one size fits all. All these can look a little bit different. I would certainly say that there is responsibility to, you know, from the user perspective, in terms of sharing that you like devices and sets of malware. There is also responsibility, certainly on the banks on to do everything we can to identify any type of anomalous activity and use all the tools at our disposal, where it can sometimes become a little bit challenging. And when that activity looks typical, it looks like standard activity that the customer might perform, right. Or even in the case of a BEC scenario, like we had just talked about earlier. You have with these are voluntary payments that are actually going in and being made by the customer. So you know, every situation looks a little bit different. I would say there's responsibility on both sides. You know, there are some regulatory implications for certain types of transactions that clearly spell out where the line will be. But you know, generally speaking, I would say that it's important to ensure that you run antivirus that, you know, you maintain that responsibility on the customer side. But we continue to evolve and all banks will continue to evolve to do the best we can to try to identify the activity and prevent any losses from occurring.
Amir Madjlessi
Now, here's an interesting question. So when some fraud happens in a business, business owners are curious if the FDIC insurance covers that fraud. Fraudulent events, the fraud activity, is actually not insured by the FDIC. The FDIC insurance is in the event of bank failures, not necessarily in fraudulent events. So moneys are protected for clients and it just gives the institutions more security and confidence for you to have your deposit accounts there. So the answer to that question is no.
Here's another question. Are there any new steps Santander is taking to help out with ATM fraud issues and/or mobile phone deposits, where fraudsters are double depositing using these methods? Maybe, Dan, I can send that over to you?
Dan Hyland
I think Tim would be better positioned for the specifics on that. But I can tell you that there's a large body of work going on right now. It's assessing our current ATM infrastructure and part of that is ensuring that, you know, we have the right controls and fraud prevention tools in place, moving forward. So what we're doing though, right now is we've a lot of information we're using on the back end, when it comes to ATMs, mobile deposits, to try to avoid we have the same check or the same payment that's applied twice. But you know, it's certainly top of mind for the organization and a lot of good things coming down the pipeline right now.
Tim DeRidder
There are a lot of things like Dan had mentioned that we are investing in as a financial institution. And we heavily do invest every single year. From a remote deposit capture perspective, the industry is moving to new image-based detection tools. So that's something cool that is coming down the pike. We're also heavily investing in passive authentication controls. This is where we are going to protect our customers behind the scenes making the experience seamless, and then actively authenticate who you are when you access any of our digital channels or call us. Perfect example is everyone's card transactions are monitored 24/7. If we detect any suspicion, we will attempt to reach out to you via an SMS, email or phone call. So, we are continually investing in both payment security and card security. So hopefully that helps.
Amir Madjlessi
That's great. Thank you both, appreciate it. Uh, let's see here. I think maybe Tim and Dan, you just may have answered this question, but does the bank pick up on the usual transactions? And I know the answer firsthand there, but maybe then, Dan and Tim, you can both reinforce the answer there.
Tim DeRidder
Yeah, I can start off Dan, and then you can take it if you'd like. One of the things I'd be remiss if I didn't answer is or give out to the group that most folks may not realize is also besides all this cool, sexy technology we invest in. We wouldn't be anywhere if it wasn't for the over 150 fraud fighters that both work for Dan and myself. We employ an army of folks that not only, their first duty is to protect our customers, but they're also really relentless at making sure that we spot and detect fraudulent transactions. And we are up to snuff on the latest trends protecting both the bank and our customers.
Amir Madjlessi
Thanks so much. Appreciate it. Let's see here. We've got another question here. How many days a customer has, after they identify the fraud, to actually file a claim with their bank?
Dan Hyland
Yeah, so I can take that. So again, it's going to be different for each product. And also, depending on what actually transpired. So I would say again, that as soon as you become aware of that you want to reach out to your bank. And, you know, there's some hard and fast rules for eating up from a regulatory standpoint, you know, with each one of the different products. But no, we had some time there. And obviously, I would imagine that most financial institutions will do everything we can, you know, to work with you, the customer, to try to make you whole. So, again, it's gonna vary wildly across the different payment types and what exactly took place. But I would say, you know, again, just make sure that you're keeping an eye on all the activity if there's anything off price, just reach out to your bank immediately.
Amir Madjlessi
Thanks, Dan. Good. I think Chris, as you asked the question, hopefully that answers your question as well related to how can Santander compensate for the loss that a business owner has incurred. And, you know, I can say personally, I've been a part of a few different fraud cases for our clients, where we have actually seen over a million dollars in fraud wires that have gone to fraudsters. And in that case, it was a tag team effort between us and the authorities and the client to see how much of that money we could recover. I mean, obviously, that is incredibly devastating to a client. And so importantly, we worked with the authorities and the client and the receiving and sending banks that were part of that wire ecosystem. And we were able to recover half of it, right, but obviously still incredibly damaging to that business owner in terms of the net loss to their organization. But they were in total out over a million dollars and we were able to recover half based on the good work that Dan and his team were doing with that, with Tim's team as well.
So it is a case by case situation, it does depend on the instrument that folks are using in terms of ACH, wire, check, etc. But we stand ready to help our clients to figure out what the issue is and see what amount we can recover from there. Let's see here. Cindy's asking a question: will our business insurance cover fraud? Dan or Tim, do you want to maybe cover that? I'm not sure if you have insight into that or not?
Tim DeRidder
Sure. Yes, Tim. I think it really depends on the policy that you might have, Cindy, and what your rider specifies. There are policies within the industry that you can obtain for cyber insurance or fraud insurance. However, you know, I would just encourage that businesses do review those policies and if it makes sense, and take a risk-based decision on that. So the short answer is it really depends on the policies and the riders that you have for your company. But there is cyber insurance available in the industry.
Amir Madjlessi
Another question on here, and it's a good one, important one, you have DNS, if we do get these emails, we contact the bank, even though we know it's fraud, we're not going to act on it?
Dan Hyland
It's a great question. And I would say absolutely, you know, obviously, everything that Tim had talked through, not clicking and responding, but if you know that it's fraudulent when a black female dress, and then the best course of action is to, you know, reach out to the bank because we take that information, we work with law enforcement, our information security team and others and we're trying to identify: Is there a larger campaign going on? Is there something we need to be aware of that we need to take action on? So feeding us that information, particularly the original email itself, which, you know, some work can be done on to identify where it came from, etc., is very valuable.
And then also if you know you do fall victim, you click on something, another action to take is you can file a formal complaint with IC3, which is the Internet Crime Complaint Center. So great question.
Amir Madjlessi
Thanks, Dan. Appreciate it.
First and foremost, thank you so much for spending what has been almost an hour together, really as a business community, learning a little bit more about what's happening out in the marketplace, the trends and the issues that are much more pronounced I think in this COVID-19 environment. And I think it's incredibly important that we work together and stay vigilant together on identifying these issues, escalating them and then for us to continue to help protect what you have spent so much time putting together, which is your small business and businesses across America. Again, I will end with what I started with. First and foremost, I just hope that you and your families remain healthy and safe. Looking forward to the various phases of reopening, if you will, in the various stay at home efforts that are across the country. I know that, you know, business centers in this time have been going through the most extraordinary challenges and we are just inspired at Santander Bank with what you've been able to do to persevere and to ensure that you stay, you know, successful in the marketplace. And we're here to help in any way that we can. Again, I just thank you so much for spending the time with that. And have a great rest of the afternoon, and hopefully talk to you soon. Thank you so much.