Discover a strategic framework empowering IT and financial leaders to unify teams, detect vulnerabilities, and combat escalating financial crimes efficiently.
To help financial firms prevent fraud attempts on their companies and customers, a member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system has published a Cyber Fraud Prevention Framework for Financial Services.
The framework published by the Financial Services Information Sharing and Analysis Center (FS-ISAC) provides “an actionable model to strengthen collaboration between cybersecurity, fraud, financial crime, and anti-money laundering (AML) teams.”
Organizations can leverage the framework’s fraud response protocol to identify vulnerabilities earlier in the attack lifecycle, enhancing threat visibility and strengthening fraud controls.
According to Linda Betz, Executive Vice President of Global Community Engagement, FS-ISAC: “The interconnectedness of fraud and cyber threats is intensifying, and financial firms cannot afford for their internal teams to operate in silos. This structured approach to information sharing and collaboration empowers teams to identify and disrupt cyber fraud schemes. This helps financial firms strengthen their collective defenses as well as safeguard the reputation and financial assets of the sector.”
The framework breaks the lifecycle of a cyber-fraud attack (that is, fraud conducted on cyber channels) into five phases:
- Reconnaissance: Threat actors gather intelligence, set up infrastructure, and plan for attempted fraud
- Initial access: Attackers gain a foothold for fraud against a consumer, financial services
- Positioning: Threat actors manipulate account information, credentials, or payment details to prepare for fraud execution
- Execution: Stolen data is monetized through unauthorized transactions or fraudulent fund transfers
- Monetization: The stolen funds are transferred to the threat actor
These phases give teams a common language to share fraud information, enabling them to coordinate their activities. The framework suggests that firms analyze fraud from multiple angles to pinpoint vulnerabilities and deploy controls earlier in the fraud lifecycle.
The framework in practice
An organization can put the framework into action as soon as it detects a threat:
- The first step is to assemble representatives from all the teams involved in cyber fraud prevention — cybersecurity, threat intelligence, financial crimes/AML, data analytics, fraud, etc.
- Next, each team should research the techniques and indicators they have discovered, and bring their initial research to the collective table for full analysis. That way, everything that is known about the fraud can be surfaced. Fraud indicators can be discovered at any phase of an attack, so the framework is designed to be implemented wherever the indicator is found. Each phase can contain a mix of discrete adversarial techniques and indicators. The teams will likely bring perspectives unique to their field in the various phases. For example, cybersecurity teams tend to have the most knowledge about Phase 1 (Recon) and Phase 2 (Initial Access) and can bring insights on domain registration, IP intelligence, and reviews of social media, the Dark Web, and digital fingerprints, among other issues. Similarly, fraud teams can share their perspectives on account activity, data analysis, and risk rule alerts. Treasury management or anti-money laundering functions may have insight on call center alerts and indicators, among other issues. Sometimes perspectives overlap, such as cybersecurity and fraud teams’ insights on Phase 3 (Positioning). When those techniques are discovered, the specific details and indicators should be documented in terms standardized across the institution (appointing someone to manage full documentation may help). That process:
  - Limits irrelevant situational or contextual information
  - Facilitates accurate, comprehensive communication of the fraud lifecycle
  - Directs team members toward aspects of the scheme unique to their domain
- Having identified as much as they know on a team level, the group uses the collated information to uncover how the criminal achieved that phase — they “look left” on the framework. The collective insights of the group highlight gaps in information that direct them to gather more, as yet unknown, data. (It should be noted that all members of FS-ISAC have access to threat feeds and member intelligence.)
- By walking through the crime, the group can gather insights into the fraud, identify indicators, and place controls to prevent the criminal from moving forward. Those insights can be used to analyze other accounts and transactions for similar fraudulent activity. Importantly, if the group continues to “look left” and pools information, it will develop a clearer understanding of fraud activity in the institution. If the group uses that knowledge to “look right,” participants can better predict how that activity will proceed (or has already proceeded). That information can be used to detect or prevent other threats.
Therefore, by unifying teams, leveraging intelligence at every attack stage, and implementing targeted fraud controls, organizations can uncover the origins of an attack and anticipate future fraudulent activity before schemes are fully executed.
The framework also provides recommendations on how to effectively share fraud intel with peer firms to strengthen the defenses of the entire financial sector.