Fraudsters today are extremely intelligent. Their biggest resources are insiders, because insiders in any bank understand the vulnerabilities in the business process. The other kind of approach is the penetration approach, where you use technology to penetrate and gain entry into a bank. In these Advanced Persistent Threats (APT), someone using malware, phishing or some other network vulnerability gets into your bank. Once they access the infrastructure of the bank, they can roam around in your bank and access data, collect information and find more vulnerabilities. This is happening in many banks across India, where fraudsters have managed to penetrate and go inside. The first thing they are hitting is the customer data base. They may change critical information such as the customer’s phone number, thus defeating all the 2FA right there, because most banks depend on that information for OTP, etc.

Now, banks are becoming more sophisticated, where that information is also signed and secured to detect if there has been a penetration. This is the second thread from the rings where they use some type of IT or network level to penetrate your bank or they use malware, phishing and so on. Banks are getting intelligent and plugging those kind of holes, but fraudsters now recruit people within the bank against whom there is no good defense. There is some defense because you can always look for anomalous behavior, something which people did not use to do and are doing now and that can be your first trigger to monitor employees. For example, collusion within a whole branch is rare. But what can you do when a branch manager and few of his colleagues are colluding?