As banks strive to make online banking even easier and payments even faster for their customers, they also face a race against the clock to keep their security up to date and compliant. Here are three fraud trends we expect to see move up the banking industry’s agenda in 2020.
Social engineering to make a comeback
As anti-fraud technology adapts and improves, fraudsters employ alternative techniques in their attempts to fly under a bank’s radar. If they start to find it harder to hack banking systems, then we can expect them to move their attentions to an easier target: the customer.
In 2020, we expect to see an increase in fraud attacks involving social engineering, where criminals attempt to deceive people by performing confidence tricks, lying to innocent customers in order to manipulate them into divulging their personally identifiable information (PII).
This form of attack does not depend on coding, meaning scammers do not have to be expert hackers in order to fool their victims. Anyone could do it. For this reason, people need to be aware of what to look out for.
Phishing is by far the most common type of attack and the one that most people are aware of. Phishing works because criminals prey on a person’s fear and sense of panic.
Fraudsters can recreate websites or email domains of well-known and trusted companies so that they look legitimate. They then send unsuspecting people links to malware via email, which they are then tricked into downloading onto their devices.
Phishing continues to evolve and now increasingly takes place via SMS (smishing) or voicemail (vishing), which is increasingly ‘successful’ for fraudsters. With vishing, they can cleverly re-create the Interactive Voice Response (IVR) system of a renowned company.
They then attach it to a toll-free number and, ironically, the recorded message will often claim to be a bank telling the victim that money has fraudulently been taken from their account. The victim is then asked to input their bank details to confirm their identity and thus give away their credentials to criminals whilst conversely trying to help stop them.
Quid Pro Quo
This form of social engineering can also take the form of a ‘quid pro quo’. For example, someone impersonating the US Social Security Administration can contact an individual, detailing a computer issue at the company.
They then ask the individual to confirm their social security number to check it matches the one they have on file. The fraudster will then use this information to commit identity theft.
They seem to be promising a service but, in reality, they offer you nothing but trouble.
Baiting is when the criminal offers an enticement to the user in order to trick them into giving up confidential information.
How many times have you been on a webpage when a dialogue box has popped up, congratulating you on being the 1000th visitor to the website and telling you to ‘click here’ to claim your new iPhone? All you have to do is enter your PII.
This is baiting, and an effective way to gather confidential information.
New Account Fraud - NAF
An increase in social engineering will mean we see a rise in something that is already a top priority for banks to combat: New Account Fraud.
Simply put, this is where a customer’s information is stolen and used to fraudulently open a new account, which can then be drained to its credit limit. This can result in huge financial losses for banks and unfairly ruin customer credit scores.
APP Scams set to rise
Authorized Push Payment - APP
Authorized Push Payment (APP) scams are when victims are tricked into authorizing payments into an account that they initially believe to belong to a legitimate payee, but that in fact turns out to be controlled by a scammer. We expect this to increase for two reasons:
- A bank’s priority is most often to provide an increasingly seamless user experience. But is that leaving both the banks and their customers open to more attacks? As Faster Payments is steadily rolled out across the globe, fraudsters can now steal and receive money in real time, making it easier than ever to cut and run before anyone has even caught a whiff of fraudulent activity.
- APP scammers often use social engineering. For example, they can use pretexting to dupe customers. This is where they might pose as someone who was recently employed by the victim – for instance a builder or a solicitor – and send them an invoice for the work done. Therefore, the victim has a pretext for paying them and wouldn’t even think to question the request. When they find out that the details on the invoice are not for who they thought but instead belong to a bank account controlled by a con artist, it is often already too late.
A rise in younger victims?
Research from Lloyds Bank shows that there has been a four-fold increase in younger victims of fraud in the last year compared with the year before. In fact, Lloyds claim this group is just as likely to be targeted as over 55s.
"The tech-savvy Generation Z have grown up with technology at their fingertips, and their self-assurance of their inherent expertise perhaps comes at a cost."
They forget to listen to warnings about fraud whilst the fraudsters are constantly devising new ways to target youngsters and exploit their overconfidence, and this increase looks very much set to continue. They are particularly vulnerable to scams such as APP.
New regulatory initiatives could change the economics of fraud worldwide
While only applicable to the UK, an initiative called the Contingent Reimbursement Model (CRM), which fully comes into effect on 28th May 2020, could change the economics of fraud.
Banks which sign up to this voluntary code commit to being liable for reimbursing APP scam victims within 15 days.
The code is designed to protect customers who are vulnerable to APP scams and who would find it difficult to recover their funds if they fell victim.
For example, if someone transferred a sum of £200, it may go unnoticed by most banks’ anti-fraud measures but to a lot of people that is a large sum of money. Under this code, customers can now report the instance of fraud themselves, claim the money back from their banks and rest easy.
What does this regulation mean for banks?
While CRM only applies in the UK, that market is often the bellwether for other countries, so we can expect all nations to be keeping a close eye on how CRM pans out.
It also comes on top of other new regulations, most notably PSD2, which stipulates an immediate refund by the payment service provider to the customer in the case of an unauthorized payment transaction. In addition to this, where there is a suspicion that the user is behaving fraudulently, a maximum liability amount of €50 has been set.
Whether it’s CRM or PSD2, the increased obligation for banks to refund customers affected by fraud comes at a cost. If banks are refunding customers – but they aren’t able to recover their losses – it’s going to hit them where it hurts them the most: in the balance sheet.
This will no doubt compel banks to reduce their exposure to fraud by introducing measures that proactively identify fraudsters before they can do any damage.