How identifying bogus checks at M&T Bank is a lot like hunting cybercriminals

It turns out the crimes of yesteryear are being thwarted with some of the same tools that stop today’s criminal activity.

Until recently, the process of detecting check fraud at M&T Bank involved a team of 15 employees who manually looked through physical checks or scanned documents, trying to trace how scammers had attempted to fleece the financial institution.

For M&T, it could take up to 900 man-hours to investigate a check-fraud campaign, according to chief information security officer David Stender.

“In the typical old-school check fraud world you’d look at hundreds and hundreds of checks until you found the one that was fake,” he says. “People still rob banks. Even if it doesn’t yield much money anymore, they still do it. And people still write bad checks.”

High-profile financial crimes these days typically include some breakdown in cybersecurity, like business email compromise, ATM jackpotting attacks, or fraudulent money transfers made possible by advanced malware. Check fraud, though, is an example of how the banking industry remains exposed in some old-fashioned ways. It affects 70 percent of financial organizations, according to a JP Morgan Chase survey published last year.

According to Stender, the tricks to beating cybercrime and bad checks apply some of the same techniques. Digital forensics and analytics tools, typically used to identify abnormalities in network traffic, also can be used to stop traditional scams.

The NSA’s influence

Roughly 275 M&T Bank employees are working on cybersecurity, Stender says, and about 20 are dedicated full-time to analytics, where they consider the best ways for the bank to act on all the numbers generated throughout its systems.

Data analytics providers are darlings of the security industry right now, with analysts paying close attention to firms like Splunk and Alphabet’s Chronicle, which soon will be absorbed by Google Cloud. But security analytics tools are valuable as a complement, rather than the backbone, of corporate security programs, Stender says.

“Much of my previous career was at NSA and that’s nothing but analytics,” Stender said recently at the SINET Cybersecurity Innovation summit in New York. “That entire organization is all about taking whatever data there is — and I’m a big believer that if one bit of data is good, then a billion bits of data is better — then let’s take that and analyze it and you’ll start to proactively start to solve a lot of problems.”

The shift to analytics at M&T Bank began after Stender began his role in 2014, he said. The company went through a “very large” internal fraud case that convinced the security team to experiment with data in new ways. He didn’t provide much more detail — one fraud case uncovered around that time reportedly cost M&T $5 million — but the result was for Stender to hire a small team of analytically minded people with intelligence experience.

“I gave them manual access to do work on what this person had done and sue enough he topped out at the highest level of risk,” Stender said. “Then I told them to come up with an automated way of doing the exact same thing.”

A familiar kind of hunting

The long, draining check fraud investigations at M&T are gone, says Stender, a former U.S. Navy cryptologist. The time suck was killed as part of the security team’s digital transformation. After 2014, the Buffalo-based bank began to use analytics and big data for as many parts of its security infrastructure as possible.

M&T employees started running digital comparisons capable of matching check details like routing numbers, account numbers and payee names. Then they create alerts for the timing and circumstances in which a check was written or deposited.

It’s an example of how financial security teams, which often complain they’re flooded with data, have customized and prioritized the information that makes it to their desk. Finding and tracing a bad check might still involve digging into digital anomalies, user behavior, business applications, identity and access management and threat intelligence.

Specific alerts have yielded patterns that allowed the bank to reduce the number of people working on check fraud from 15 to three. An algorithm flags suspicious transactions for those three employees, who then decide which events are true instances of fraud and which are false positives.

Roughly 20 percent of the flagged transactions are fraudulent, Stender said.

“We can just about get to the point where, if you’re a bad guy and you go into a branch to deposit a check so you can fund an account that’s going to be used for fraud later on, we’ll be able to catch you when your still standing in the teller line,” he said. “I’m looking to put a couple new computing capabilities like that into place within six to 12 months.”