Scams are fast becoming the scourge of the banking world, taking their place in the deadly triptych alongside the well-established categories of fraud and financial crime.
The fundamental challenge with detecting and blocking scams is that they trick the victim into being complicit in the fraud. Digital identity intelligence – the mainstay of detecting an account takeover or impersonation attempt – can fall at the first hurdle. The challenge is no longer differentiating a trusted user from a potential fraudster, but protecting the trusted user from themselves.
Fraudsters have found a technique that works, and have refined it to absolute perfection. The scams are so pitch-perfect that anyone can be fooled.
A Scam Less Ordinary
It was the day before my birthday and I received a text from a well-known delivery company, telling me I had missed a scheduled delivery because there was excess postage to pay. My mum had reminded me to look out for the parcel, so when I saw the text, I immediately thought of my birthday surprise.
Clicking through I went to a recognisable website, put in my bank details, made the payment and looked forward to my redelivery.
The next day, my birthday, I got a call from the bank. We went through a standard set of security questions before the bank representative got to the reason they were calling:
“I’m sorry Ms Johnson, but it looks like there has been an attempted fraud on your account.”
I immediately panic. How had this happened? I am so careful to make sure that I check all my payments and only access my bank account via the dedicated app on my smartphone.
“It looks like a fraudster now has access to your account. We’ve seen some suspicious activity this morning and it’s vital we act quickly to safeguard your assets.”
The person on the other end of the phone reassures me immediately.
“Don’t panic, I am sending you a text now with the dedicated bank account details of where you need to transfer your account balance. This is a safe account where we can hold your money until we close the old account and set up a new one. We need to make sure we do this immediately to avoid the fraudster moving your money.”
I set up the new beneficiary and make the transfer immediately. I am told I will receive a call back shortly with confirmation of my new account details and that I will receive a new card in the post. I hang up, feeling immensely relieved and hoping that I have mitigated the damage from an apparent identity theft. I make a mental note to change my email address and reset all my passwords.
The next day I am puzzled as to why I haven’t heard back from the bank. I give them a call to see how long I will be without my debit card and to ask when I will be able to see my new account in the online banking app. Every time I have checked this morning my balance just shows zero with no sign of the new account. When the bank representative has finished going through the security checks and I explain the situation, they say:
“I’m sorry Ms Johnson, but we don’t have any record of that conversation. And we would never ask you to transfer an account balance to us.”
I feel completely sick.
This modus operandi (MO) gives one glimpse into a genuine attack: while scam typologies can be diverse and complex, the outcome is always the same. The customer is tricked into either divulging sensitive information that can be used in an account takeover, or sending funds to a fraudster’s account under the guise of a legitimate transaction. Sometimes these methods are combined into a complex, hybrid attack. The biggest challenge for financial institutions comes when the customer has either authorised the payment from a fully authenticated online banking session, or passed a strong customer authentication check during a payment transaction that was initiated by the fraudster.
The fraudster lurks beneath the guise of authentication: protected from device anomaly checks because they inhabit the victim’s device like a snail inhabits its shell, and protected from a rejected payment because the legitimate account holder is the one making the payment.
While the Contingent Reimbursement Model (CRM) code in the UK has shifted liability for fraud losses from consumers to financial institutions, the shame a customer often feels over a fraud that was “their fault” can be extremely damaging. It’s not just about the monetary loss, it’s also about the loss of trust. It’s hugely damaging for the victim, and also for the bank. Customers who have been victims of fraud often default to a different bank, and the bank then loses the lifetime value of what could have been a loyal customer.
What can be done to detect and prevent these pernicious and evolving social engineering attacks? How can financial organizations better protect their most precious asset, their customers? Let’s take the key players in this fraud typology and examine what could be done to better mitigate scams.
Understanding what is normal behavior for the victim, and flagging anything that is anomalous, is key to detecting social engineering attempts. Banks can ask questions such as:
- Is this login behavior normal, and does the customer’s device look and behave in the same way as usual? Is the customer displaying any signs of stress or coercion?
- Has the customer set up a new beneficiary and then quickly attempted a payment to that beneficiary? Is the payment amount higher than the customer’s average payment? Is the customer transferring all, or a high percentage, of their account balance?
- Is the customer interacting with their device / online session in a different way to normal? Are they spending longer on particular pages or fields? Do they appear to be on an active phone call?
- Has this customer been a victim of fraud before?
- Has this customer been associated with any scam activity at other banks?
- Does this customer look like the profile of other scam victims?
Being able to better profile the beneficiary account, and the movement of money from this account to other accounts in the financial services ecosystem, can better flag high-risk activity related to the potential fraud:
- Is this beneficiary associated with any known high-risk activity, e.g., other scam payments, known mule activity, movement of money to other high-risk sort codes or accounts?
- Where is the victim’s money going, and how is it being distributed?
- Is the beneficiary’s sort code located further than the average distance from the victim’s sort code?
Harnessing shared intelligence across the banking ecosystem can help prevent fraudsters from perpetrating attacks across multiple organizations:
- Has this device, persona or pattern of behaviour been seen related to a scam attack elsewhere?
- Has the beneficiary been associated with confirmed mule or scam activity at other financial organizations in the UK?
- Does the beneficiary look like a potential mule account?
- Is intelligence about the customer and their pattern of behaviour being used to inform risk decisions in-branch and at the call centre?
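As an added example (not code from the article or from any bank or vendor product), the three checklists above expressed as rule logic over one constructed payment attempt; the thresholds, weights, field names and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
# Illustrative thresholds and weights (assumptions, not figures from the article).
QUICK_PAYMENT_WINDOW = timedelta(minutes=30)   # payee created to first payment
AMOUNT_MULTIPLE = 3.0                          # payment vs. customer's average payment
DRAIN_RATIO = 0.8                              # share of balance being moved
WEIGHTS = {"beneficiary_known_mule": 5, "new_beneficiary_quick_payment": 3, "active_phone_call": 3,
           "draining_balance": 3, "amount_far_above_average": 2, "device_anomaly": 2}

@dataclass
class Attempt:                  # one payment attempt inside one online banking session
    beneficiary: str            # sort code/account of the payee (constructed values only)
    beneficiary_added_at: Optional[datetime]   # None for a long-standing payee
    attempted_at: datetime
    amount: float
    balance_before: float
    device_matches_usual: bool  # device fingerprint consistent with the customer's past logins
    on_active_call: bool        # telephony state reported by the banking app

def scam_indicators(a, past_amounts, shared_mule_list):
    # Victim, session and beneficiary signals taken from the article's checklists.
    flags = []
    if a.beneficiary_added_at and a.attempted_at - a.beneficiary_added_at <= QUICK_PAYMENT_WINDOW:
        flags.append("new_beneficiary_quick_payment")
    if past_amounts and a.amount > AMOUNT_MULTIPLE * mean(past_amounts):
        flags.append("amount_far_above_average")
    if a.balance_before > 0 and a.amount / a.balance_before >= DRAIN_RATIO:
        flags.append("draining_balance")
    if not a.device_matches_usual:
        flags.append("device_anomaly")
    if a.on_active_call:
        flags.append("active_phone_call")
    if a.beneficiary in shared_mule_list:   # shared intelligence from other banks
        flags.append("beneficiary_known_mule")
    return flags

def decide(flags):
    # Weighted score to action; a hold means the bank calls the customer back on a known number.
    score = sum(WEIGHTS[f] for f in flags)
    return "hold_and_call_back" if score >= 6 else "step_up_with_scam_warning" if score >= 3 else "allow"

def demo():
    # Constructed scenario from the article: near-whole balance to a just-added "safe account" during a call, usual device.
    now = datetime(2024, 5, 2, 10, 15)
    a = Attempt("20-00-00/12345678", now - timedelta(minutes=4), now, 4800.0, 4950.0, True, True)
    flags = scam_indicators(a, [60.0, 120.0, 45.0, 300.0], {"40-00-00/87654321"})
    return flags, decide(flags)
```

Note that the device check alone would pass in this scenario, which is exactly why the session, beneficiary and shared-intelligence signals have to be combined.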
By harnessing intelligence related to the victim, the beneficiary and the online banking session, anomalies and high-risk activity can be flagged in real time, helping financial services organizations prevent the loss of customer money, and prevent further damage to both the victim and the bank later down the line.