Fraud prevention can hinder InfoSec - or it can help

How eliminating manual reviews through automation makes your company less vulnerable to data breaches

Read our InfoSec White Paper to find out more

Are manual reviews a hidden vulnerability in your company?

Strong cybersecurity is a multi-layered and complex effort. There’s one area many companies could improve which they don’t even realize is a problem: replacing the human vulnerability of manual fraud reviews with automation.

“There is no patch for careless, greedy or stupid”, said former FBI Computer Intrusion Unit head Don Codling. Almost more frightening than that, “Savvy, well-meaning employees can be fooled into doing something to allow attackers access to company networks.”

The key to dealing with this weakness is to limit employee access to data. In many cases, you can do this by sharing information on a ‘need to know’ basis. If your fraud team is still relying on manual reviews, though, you have a problem - quite possibly one you’ve never known about.

Giving the Criminal the Key to the Vault

The job of your fraud team is to prevent loss to the company, both by stopping fraud and by removing friction from fraud prevention so that it’s not discouraging sales. But many fraud teams still rely on the manual review of transactions - and that means, ironically, that they’re potentially a huge source of loss.

Reviewing a transaction requires a close analysis of the data - as much data as possible. That includes PII. And teams are often primed to ask for even more information in cases of doubt - for example, a photo of a customer’s ID. If a machine belonging to a manual reviewer is hacked, it’s like giving the criminal the key to the vault.

Criminals are continually coming up with new attacks - they're creative by default, always looking for new approaches. That can make their techniques hard to track. A Javelin study found that 63% of merchants indicated that it is difficult to keep their employees up to date on emerging schemes. The increased risk this indicates is obvious.

The Security of Automation

For many years, there was no alternative. But recent technological developments mean that full automation is now an option. Manual reviews, and the risks attached to manual reviewers, are no longer necessary.

An automated system, returning instant, automated fraud decisions, is not subject to these kinds of vulnerabilities. There are no humans to be tricked into granting access to information, no humans with unnecessary access to data which they might even choose to use themselves.

Full automation makes the principle of least privilege (least privileged user account access) far more powerful: each user or service is granted only the privileges it needs to do its job. With no manual reviewers requiring deep access privileges to investigate transactions, the principle of least privilege can do far more to protect your business. Automation leads to increased security.

Time to Bite the Bullet

In today’s world of well-publicized data breaches and hacks that cost companies millions of dollars, it’s no wonder that security is top of mind. InfoSec professionals should leverage that fact to push improvements in diverse areas of the company that will increase cybersecurity readiness and strength.

Ironically, one of the very departments that organizations rely on to prevent loss is actually a potential source of loss. The fewer people with access to PII data the better - and that makes manual reviews decidedly non-ideal. Once, there was no alternative. But now, if your company is still relying on manual fraud reviews, you’re adding extra vulnerability simply because the organization hasn’t upgraded its processes or its systems to take advantage of full automation.

Yes, it represents a change from how things have been done previously. Yes, it requires a new way of thinking. But the InfoSec advantages are significant. It’s time to automate antifraud.

To find out more about information security, fraud prevention and automation, download the Fraud Prevention as Information Security white paper.

In case you were wondering

Forter is PCI Level 1 certified, and also has SOC2 Type 2 certification. Our guide on Github about SaaS security has become a go-to resource. We take security extremely seriously. If you'd like to know more, we'd be happy to talk to you - just get in touch.