Chapter 16. The Reckless Clerk

OLEG LYKOV

Mikhail Dutov had just started climbing the career ladder. He was 22 years old, recently graduated from Plekhanov Academy of Economy (a prestigious Russian university), and had been hired in a starter position of customer relationships manager at a branch of WestBank, one of the largest banks in Russia. He had worked in the bank for about a year and people were sure he would be successful. Gossiping tongues, though, attributed his success to the fact that the branch manager was a family friend. An objective observer would have noticed that Mikhail lacked self-confidence and might easily fall under someone else's influence.

The branch where Mikhail worked was located in the center of Moscow, in a popular and crowded area. Mikhail's position was to assist customers who came into the branch and explain the bank's products and services to them, and to bring business into the institution. He was assigned sales targets and was reaching them quite well. Mikhail had recently started working with VIP clients, too. He was happy about his work and looked to his future with enthusiasm.

WestBank Conflict

Previously I worked as the Country Fraud Risk Manager in the Russian subsidiary of WestBank. The bank started corporate business in Russia several years ago and was ranked among the top 30 banks in the nation. When the bank decided to develop consumer business products, it formed a team of foreign and local specialists. The start-up team had to create the processes and products almost from scratch. Adoption of strategies used in other Eastern European countries took significant time and effort due to local requirements. By the time I moved to the consumer arm of the bank, the start-up group was being replaced by the business-as-usual team. Most employees were learning on the job — they often had no previous consumer banking experience. Aggressive sales targets sometimes pushed people to cut corners.

When I joined the consumer business department, the fraud risk management team consisted of two people — including me — and we needed at least four more. The lack of anti-fraud personnel meant we could run only critical routines and had no time to perform a thorough risk assessment of the new and changed products and procedures. We were in an open area where I was able to see the entire back office without even standing up. I sat side-by-side with my colleague — not even in those notorious cubicles, but in a truly open space. Each desk had a phone and we sat next to the collections unit, which spent the workday talking to clients who did not really want to talk to them. At least it was funny sometimes.

When I was hired, I was stunned to see the number of plain-text files containing data from daily transactions (several files represented various transaction flows for each day). Finding anything in them was not just a time-consuming exercise; it was simply impossible to look for patterns and analyze the data. It was probably a more reasonable system when volumes were insignificant, but in only a few months the bank had doubled in size and was continuing to grow rapidly. Later it turned out that automating the reports was of critical importance — it gave us an opportunity to quickly gather the necessary information about the largest fraud case at the time, and it meant feeding additional data flows into our system was only a question of a few hours.

Online monitoring of debit and credit card transactions took about 70 percent of my time and it was the only partially automated process. Factor in the manual review of credit card and loan applications and my entire working day would be gone.

Obviously something had to change. I realized the threat of heavy understaffing and was trying to fill the open positions, but there was a lack of experienced people on the market with English skills and a readiness to work for WestBank's low compensation. Also, the level of overtime in our bank was notorious. So my strategy was to hire younger people with basic or intermediate banking experience who were able to speak English to a certain extent, and then train them in fraud risk management.

WestBank offered a range of debit and credit products — plastic cards, loans, savings accounts and deposits. Clients' personal and transactional information was accessible through an internally developed software application and used by the client-facing staff — at branches, call centers and the back and middle office. Additional approvals were required to view the data of bank staff members and VIP clients.

Our clients used an Internet banking system to view their account balances, make wire transfers and execute other transactions. To access their accounts, clients had to enter their card number and PIN code. We could not change this login procedure at that time because it was defined by our head office.

Roots of the Problem

WestBank's consumer client base was growing rapidly but we did not have enough employees in critical units, and our sales targets were too heavily weighted in the compensation program. We employed poorly screened or unscreened sales agents. Aggressive plans and an inadequate bonus system for salespeople — bonuses could be paid regardless of delinquency status of the new client — laid the foundation for ignoring internal compliance requirements. Staff turnover was high, especially at low levels.

Within two months of my being hired, my sole subordinate decided to pursue other opportunities and left, and I was alone for almost six months. As the only employee in a department with six vacancies, I was only able to cover the most critical areas — monitoring card transactions and credit card and loan applications. Ridiculous as it sounds, even when we hired two new employees, they were not able to start working for almost a month because their network credentials and e-mail accounts had to be created overseas. I tried to push IT support to get my new hires operational faster and even engaged my boss to push from his level. Perhaps it would have taken longer without such efforts.

A reasonable person would expect something bad to happen in such circumstances. But surprisingly, the trouble didn't begin until I had two subordinates fully operational and familiar with internal procedures and systems.

Sounding the Alarm

One typically busy and snowy winter day another Russian bank contacted me and suggested that three wire transfers they received from WestBank were fraudulent. The employee said he was keeping them on hold until we confirmed their status.

I immediately contacted the customer, determined the wires were not authorized and began reviewing our other customers' wire transfers. There were a few distinctive features of the questioned items that made me sure we had a problem on our hands. The transfers were from an individual's current account but they were marked "for marketing research." Also, three of them were to the same beneficiary on the same date. When I contacted one client for information, he said he had not heard of the beneficiary and also told me he had trouble logging into the Internet banking system. We blocked his bank card (used to access the Internet banking system) and opened a fraud case.

Shortly after the case was opened, my operational unit supervisor, Sergei Krylov, came to my desk. "There is an issue, Oleg," he said. "We received a call from another bank. They suggested that several wire transfers they received today from one of our clients are fraudulent." A quick look at the wires alarmed me — there were several in amounts ranging from $1,000 to $3,500 with the same memo, "for marketing research." They were executed through the Internet banking system.

We continued digging and discovered two more customers with similar wire transfers made on the same date but to another beneficiary. Quite soon we realized about $140,000 had been wired out of the bank within a few days to various Russian banks from the accounts of six customers. We also found that several transfers were made to the same beneficiary, Artimons Ltd. There were four other beneficiaries, both companies and private individuals. We managed to stop some of the withdrawals, but others were already cashed.

Wires were sent to various Russian cities and to one of the Baltic States. Trying to reach the appropriate people in the beneficiary banks and convincing them to stop the transfers before they hit the recipients' accounts kept us busy in the beginning of the investigation.

If at First You Don't Succeed . . .

I reviewed wire transfers for the previous week and then for the month. The fraud appeared to have started three days earlier. We had to call a number of clients and make careful inquiries about their wire transfers so as not to alarm them unnecessarily.

By the end of the day we had about $100,000 in confirmed losses (cash withdrawn from the beneficiaries' accounts) and about $40,000 held in a few banks waiting for our interbank messages. We were able to stop only transfers that were initiated on the date we started the investigation. The wire transfers were initiated using the Internet banking system where the account login credentials were changed shortly before the transfers. The account takeover was made via our call center after the fraudsters provided correct answers to security questions.

My priority was clearly stopping the fraud, but the problem was we had not been monitoring wire transfers due to the staff shortage. My first step was to hire a monitoring team of two people. They reviewed the wires while processing, looking for red flags, calling customers and escalating the investigation if the client could not be reached. Additional training and instructions were given to call center operators, and they were told to contact me if suspicions arose.

We also quickly hired two additional people to monitor wire transfers originating from the Internet banking system and other sources. This was our most successful step in preventing further losses. We implemented a process of parallel monitoring of wire transfers without delaying them.

Five batches a day were reviewed, and to automate the process I had to create an Access database to convert the text files (since wire transfer information came to us in plain-text format) and apply filters for known fraud criteria. I also designed the database to omit some types of payments (e.g., utility bills and taxes) and those below a certain amount (however, multiple payments under the threshold within the same day would still trigger the alert).
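The filtering described above, sketched in Python rather than Access, as an added example that is not the bank's own database. The pipe-delimited layout, the threshold value, the per-account grouping and the sample records are assumptions constructed for illustration; only the memo text and the beneficiary name Artimons Ltd come from the chapter.

```python
import csv
import io
from collections import defaultdict

# Constructed sample batch. The pipe-delimited layout, account ids, dates and
# most names are invented for illustration.
SAMPLE_BATCH = """\
date|account|beneficiary|amount|type|memo
2000-01-10|ACC-1|Artimons Ltd|1000.00|wire|for marketing research
2000-01-10|ACC-1|Artimons Ltd|2500.00|wire|for marketing research
2000-01-10|ACC-2|City Power|4000.00|utility|electricity bill
2000-01-10|ACC-3|Beneficiary X|3500.00|wire|rent
2000-01-10|ACC-4|Beneficiary Y|500.00|wire|gift
2000-01-11|ACC-4|Beneficiary Y|700.00|wire|gift
"""

EXCLUDED_TYPES = {"utility", "tax"}        # payment types omitted from review
THRESHOLD = 3000.00                        # assumed value; the chapter gives none
WATCH_MEMOS = {"for marketing research"}   # memo seen on the fraudulent wires


def parse_batch(text):
    """Convert one plain-text batch into a list of transfer records."""
    rows = csv.DictReader(io.StringIO(text), delimiter="|")
    return [dict(row, amount=float(row["amount"])) for row in rows]


def review(transfers):
    """Return one alert per (date, account) that matches any rule."""
    daily = defaultdict(list)
    for t in transfers:
        if t["type"] in EXCLUDED_TYPES:
            continue                        # utility bills and taxes are skipped
        daily[(t["date"], t["account"])].append(t)

    alerts = []
    for (date, account), items in sorted(daily.items()):
        reasons = set()
        if any(t["amount"] >= THRESHOLD for t in items):
            reasons.add("over_threshold")
        # Several small payments on one day still alert, so splitting a
        # transfer into sub-threshold pieces does not evade review.
        if sum(t["amount"] < THRESHOLD for t in items) >= 2:
            reasons.add("multiple_under_threshold")
        if any(t["memo"].strip().lower() in WATCH_MEMOS for t in items):
            reasons.add("watch_memo")
        if reasons:
            alerts.append({"date": date, "account": account,
                           "reasons": sorted(reasons),
                           "total": sum(t["amount"] for t in items)})
    return alerts


if __name__ == "__main__":
    for alert in review(parse_batch(SAMPLE_BATCH)):
        print(alert)
```

Grouping by account and day before applying the threshold is what keeps the two small ACC-1 wires visible; a per-row amount filter alone would have dropped both.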

We applied additional controls to the customer information database. Access to high-wealth accounts was closed for everyone and reopened only after the individuals received a supervisor's and my approval. This drastic measure allowed us to regain control over access. However, as I learned at a later point, it did not stop the internal perpetrator — he had the right to access the VIP clients.

While trying to stop the fraud without suspending the Internet banking service, we followed a rather standard investigation plan. It involved calling customers, analyzing logs of connections to the Internet banking system, and reviewing records from the customer database. We formed a cross-functional team including fraud risk management, security and collections. Team members listened to numerous phone calls (comparing voices, determining the number of people involved, etc.) and checked IP addresses to map them and compare them to a customer's addresses.

Initially we had three theories for the cause of the fraud: phishing, customer fraud and occupational fraud (with or without external parties involved). After talking to the customers, analyzing their profiles and listening to phone calls, we focused on one theory — account takeover fraud with the involvement of internal and external parties. In other words, we had a thief among us.

We determined that fraudsters had obtained information from an internal informant and were using that information to penetrate our controls, take over Internet banking accounts and perform illegal wire transfers. The IP addresses used to connect to our online banking system were either from Internet cafes or dynamic addresses owned by various Internet providers, including mobile phone operators. Telephone numbers used to call to change the login credentials were mobile phones (in Russia information about those users was not in the public domain and could not be accessed legally by banks).

WestBank's phone records demonstrated that our phone operators were often ignoring red flags, such as hearing page-turning sounds before the individual answered security questions or quick answers to questions that would normally require time to recall (like the last transaction). We arranged for additional training to increase their vigilance, which resulted in the telephone operators preventing a number of account takeover attempts.

Two months later, despite our efforts and fixing control gaps, we were still unable to find the internal perpetrator. We were no longer losing money to this scheme but attempts to steal from our clients were still being made. It was clear that the problem would not go away by itself.

A Lazy Caller

During these two months I had analyzed attempts to take over customers' accounts. I listened to the calls and checked the phone numbers, but they were made from mobile phones. The numbers were registered to fictitious people and were only used once or twice before the telephones were dumped. I had nearly exhausted my investigation methods, and was about to hand over the case to the authorities. However, during a routine check of the phone number used to change login credentials of one of our customers, I noticed it was not a mobile number. This meant a lot — there was a good chance this was going to give us a fraudster's address.

In a few minutes I knew the address from which the call was made. The apartment was located close to downtown and was registered to Ruben Abovyan. Interestingly, the beneficiary's name of the wire transfer was Kirill Rubenovich Abovyan, possibly the son of Ruben Abovyan (in Russian the father's name is used to form the middle/patronymic name of the child). This looked like a good sign for us and a very bad sign for them.

We contacted the beneficiary's bank and explained the issue to the security manager. After discussing the case with his bosses he agreed to help us. The plan was simple: We wanted to talk to the person who would come to their bank to withdraw the transfer.

Kirill called the bank to ask if the transfer had been deposited to his account and he was told that it was the bank's standard procedure to require the customer to visit the bank when a transfer amount is significant (he attempted to transfer $35,000).

Needless to say, when Kirill arrived at the bank we were waiting for him. We announced ourselves and asked him to discuss the transfer with us. He was cooperative when we asked if his father knew about his attempt to steal someone else's money.

Soon we knew everything he knew about the scheme. One of his friends gave him the necessary information to answer account security questions and warned him not to do it from home. Fortunately for us, Kirill was too lazy to think of a better method than calling from his father's apartment. He also knew that the information came from a WestBank employee whose name was Mikhail and was able to tell us the branch where Mikhail worked.

Catching the Rat

The branch was very small and only one Mikhail worked there. By lunch-time there were three of us sitting in front of him; a pile of papers (mostly meaningless but we needed something that looked like evidence) was in front of us and we were looking through it in silence. Mikhail was obviously nervous. His hands were visibly shaking.

As soon as we began the interview, Mikhail asked for a glass of water — he had quite a few during our discussion. Initially he tried to deny everything, but eventually confessed that he was copying customers' Internet banking information and selling it to an outside contact. Mikhail insisted he only received $800 for the information he provided. The amount seemed ridiculously low to me, but Mikhail stood firm and we had no evidence to disprove him.

The scheme was very simple. Mikhail used his access to customer accounts to look for people with high balances. When he found one he wrote down the information an outsider would need to answer verification questions. We had just created a new monitoring system to detect profile surfing by employees, but apparently it was not receiving all the input data needed to function properly, which was why Mikhail was not on our radar. It was a frustrating demonstration of the fact that internal data flows can surprise you in very unpleasant ways.

After we turned over our evidence to the police, it took them nearly two years to get a conviction and sentence. Six people who purchased account information and made fraudulent transfers were sent to jail for terms ranging from one to six years. Kirill received a one-year jail sentence. Mikhail got a suspended sentence, and the worst repercussion for him was the effect it had on his life — instead of being on the fast-track career path with a large bank, he could only hope to get low-paid positions with no-name companies that existed for too short a time to care about their employees' backgrounds.

We initiated many changes to our internal procedures, including monitoring the systems to ensure we had a complete picture of who accessed customers' data.

Note

Lessons Learned

I learned a number of things from this investigation, primarily regarding Internet fraud. If I had known the following information earlier, I would have been much better equipped to tackle this case:

  1. The heavy understaffing for extended periods of time made it impossible to cover the important job functions, thus resulting in control gaps. A lack of staff means people are doing too much to be able to deliver high-quality work. Results of understaffing may not be visible immediately but will surely appear sooner or later, either in the form of noncompliance with internal rules or as fraud cases that could have been prevented or discovered much earlier. I am sure understaffing was the main cause of the fraud in this case.

  2. When you create a monitoring system, ensure that it catches each related data flow. Check and double-check it. Learn the cycle of customers' information and make sure the monitoring system is capable of accessing and capturing the right data. Talk to back-office personnel and the information security manager. You may be surprised to learn the undocumented ways to access customer files. Do not blindly rely on IT developers and support. If your monitoring system omits just one source of data, it might become essentially useless. If our profile-surfing monitoring system had caught the needed information, we could have discovered Mikhail within a couple of weeks instead of two months.

  3. Keep a record of attendees to fraud awareness sessions and ensure that employees attend them. Mikhail did not attend any, apparently because his branch managers were not happy to temporarily lose their staff and were practically sabotaging them. The tone at the top played a large role in this case.

  4. Establish good working contacts with the local authorities responsible for your office's jurisdiction. It might save you time when you have to file a case.

  5. Know that your investigations may result in a criminal or civil case. Keep your paperwork tidy and ensure your actions do not increase legal risk. Make sure you know exactly how far in your investigation you can go — at a certain point you may become required to report the criminal violation. Talk to your in-house lawyer and keep the lawyer informed about your investigative plans. It may save you from serious legal troubles.

About the Author

Oleg Lykov, CFE, is an Investigations Senior Manager in Microsoft's Financial Integrity Unit and is based in Russia. In his previous positions he was responsible for fraud risk management and anti-money laundering in the financial services industry. Mr. Lykov is a graduate of the Russian State Financial Academy. He has eight years of experience in fraud risk and anti-money laundering areas.
