Banks race against cyber criminals

Share the Ink Link love
More than 50,000 St. Mary’s Bank members have signed up for fraud alerts. File Photo

Story Produced by Business NH Magazine, a Member of 


With contactless transactions for everything from pizza to home loans, the pandemic has moved much of the financial world to a digital format. The downside is that these new and different processes have created a rich environment for cyber thieves and fraudsters who get more sophisticated and creative every day, which is forcing financial institutions to step up their game.

Ron Magoon, president and CEO of Franklin Savings Bank in Franklin, says their strategy is one of “defensive depth” by providing education, firewalls, intrusion detection, patch management, network monitoring, and virus and malware systems.

“You have many layers so that if bad actors penetrate one line of defense, you have other layers to protect you,” Magoon says.

Banks are also seeing an increase in check fraud, says Ross Bartlett, executive vice president, chief commercial banking and risk officer at Bank of NH in Laconia. He adds that fraud actors are becoming more sophisticated and wilier in the way they go about things.

“It has become so difficult to do electronic fraud because of the advances in technology and computer learning; they rely more on social engineering and person-to-person transactions where they try to manipulate someone or try to get customers to commit the fraud on their behalf,” Bartlett says.

Michael Gallagher, executive vice president and chief risk officer at Enterprise Bank with branches in Nashua and Hudson, says the pandemic brought a spike in check fraud where an individual will copy the details from a check or even alter a genuine check and bring it in to a branch.

“Intuition is critical. Our tellers are identifying that one of these mules is coming to cash checks,” says Gallagher. “When we call the police, we find that homeless people are being picked up in other cities and are being paid $25 or $50 for each check they are able to cash. In this case, it comes down to a frontline teller who is responsible for identifying the threat.”

Geoff Gilton, senior vice president of technology at Service Credit Union in Portsmouth, says they raise security awareness by communicating across internal teams, working with the fraud team and member services representatives in branches and the digital channels.  Even if only one small thing looks off, that triggers questioning a transaction.

“The more we can do to keep it top of mind and engage people with memes and social media messages, that keeps people thinking about it. We track how much engagement we have on that channel internally,” says Gilton. “The analog devices, the people, [that’s] who the fraudsters, hackers and criminals will target, so we just have to constantly be talking about it, improving awareness.”

Gallagher agrees that people are the weakest link. “We send phishing emails to employees to see if anyone will click on it. Our goal is to reduce that quickly; we know it only takes one person to click on a link.”

“At Franklin Savings Bank, at least once a week everyone at the bank will get an email from the head of IT, titled ‘threat con bravo’,” says Magoon. “They alert us that a lot of emails are coming into the bank that try to look like they are coming from me or our COO Brian Bozak. We train regularly on social engineering to be sure our staff is as critical, conscientious and as on-guard as they can be and look at everything they receive with a critical eye.”

Shirley Bhutto, senior vice president and director of enterprise risk management and compliance at St. Mary’s Bank in Manchester, says while fraud was a problem pre-COVID, it’s only become worse. “I do a monthly report, and we prevented the theft of $47,400 in November. In 2021, for online and cybersecurity, it was more than a half-million dollars.”

She says it is great to have real-time reporting, but a dedicated staff is crucial to look at the alerts, do the investigation, contact the member or halt the transaction. “We put fraud alerts on our website, but unfortunately, the fraudsters are really clever, and we still see members giving out their credentials thinking that is how they are going to get paid or get money from a friend or get a refund. We have to protect the members even when they are doing the actions,” Bhutto says.

For the past 18 months when the credit union identifies fraud, they make sure everyone knows how much it was and who caught it. “We share copies of the fraudulent checks, and we financially reward our staff and give them a shout out,” says Bhutto. “It not only educates our staff about the scam, but it also really encourages them to be asking questions.”

Bank of NH also hosts a quarterly event to recognize staff in several categories including fraud prevention. “We call it out and celebrate it because it is something so important to our customers,” says Bartlett.

Helping Customers Protect Themselves

From a regulatory standpoint, there are certain things that financial institutions must do to protect customers, the so-called Red Flags Rule, which requires a written program to detect, prevent and mitigate identity theft, says Magoon.

“When it comes to customers it’s really all about education, what to be watching for, what to be mindful of, how fraud is being committed and that we are not going to ask for your personal information,” Magoon says. “There is so much that we know about our customers…they have been coming in for 20 years and suddenly they try to do a transaction that doesn’t fit. We are not asking to be rude or to be nosy. Nine times out of 10, it is the customer who ends up on the hook with these losses, so we ask questions, and we probe to make sure people don’t get into a bad spot.”

At St. Mary’s, Bhutto says more than 50,000 members have signed up for fraud alerts. “It used to be that we could just come in the next day and look at what happened yesterday and work the alerts, but with online banking, we need real-time alerting,” she says.

Multi-factor authentication, such as a code that must be entered to proceed with a transaction, is a great line of defense.

Bhutto says that the software they use for fraud monitoring deals with thousands of other credit unions and banks and, therefore, can rewrite rules immediately when fraud is spotted. “It is constant tweaking and learning, and it is the human firewall, educating members to not be afraid to talk to us because fraudsters tell them to lie to us. They should always trust their financial institution and not the person on the other end of the phone,” she says.

Often older adults are vulnerable, and their own children can’t convince them it’s a scam, says Gallagher of Enterprise. The bank became concerned after a woman took out $3,000. She then went to another financial institution, got a home equity loan for $100,000 and came back to her bank to cash the check. “We contacted the local police, and an officer who knew her was able to sit with her for two hours and, with the help of her son, convince her that this was a scam. But it is happening all too often.”

Technology Supporting Humans

As technology improves, so does fraud detection improve, says Gallagher. There are adaptive programs that use artificial intelligence (AI) to identify transaction patterns, like the way banks detect high-risk transactions on credit cards where you may get a text or a call to alert you to an unusual transaction amount, an unusual place where the purchase was made or even a purchase outside of a set limit.

Franklin Savings also uses AI to flag things that are atypical. “We are starting to inject more AI into our systems. It is not what you see every day that catches your eye, it’s those one-offs that you might not normally see. Using AI to constantly scan transactions is a highly reliable and effective way to spot anomalies,” says Magoon.

At Service Credit Union, Gilton says they use robotic process automation (RPA) to help train employees. “We have had a lot of successes in the automation testing and testing our employees to drive phishing awareness. That’s where automation can help in understanding the phish-ability rates and making the tests more challenging,” says Gilton. “Once we start to raise some awareness, we continue to make the tests ever harder, and when someone clicks on the wrong link, the system enables us to give immediate feedback and learning.”

One of the most common schemes right now is “smishing,” text-based phishing that trails marketing initiatives, says Gilton.

Fraudsters are exploiting the fact that people will often sign up for text-based marketing to get discounts from retailers and can be tricked by a text message with super sales offers.

Magoon and Gallagher say customers don’t understand the liability they face. If they give up their password or credentials, it is not the bank’s fault, says Gallagher. There is much confusion and, too often, people assume the bank is responsible. He also points out that FDIC insurance does not cover these types of losses.

“People also underestimate the fraudsters,” says Gallagher. “They are not lone individuals. This is an industry. Just like we do, they have offices with cubicles, telephones and computers. They just find their victim for the day and get paid based on how much they bring in.”

“We all want to do what we can to protect our customers, not just from the financial implications but the time and effort that it takes to deal with these incidents,” says Magoon. “For many people these are life-altering events and, to the extent that we can protect our customers from something like this happening obviously we’re going to do all we can.”

These articles are being shared by partners in The Granite State News Collaborative. For more information visit collaborativenh.org.