Online banking fraud is all the rage and everything seems to point to the trend continuing in coming years. It may stop being a trend and become something structural, something that banks will have to deal with from here on out, in the same way that the online shopping format has already established itself as something intrinsic in new and future commerce.
If we look at loss data for banks, the number of thefts victimizing customers, we see figures that become unimaginable when they are translated into economic costs.
If we read news about the police arresting bank fraudsters, about hacker networks that have been dismantled, or about police operations related to online banking fraud, we also find stratospheric numbers that are rising daily.
Attacks on online banking are no longer the exclusive domain of expert hacker gangs or very complex criminal groups. We no longer encounter the ingenious hackers of the '80s, those expert computer programmers with tremendous technical knowledge who attacked the biggest banks in the world.
Nowadays, people who are inexperienced or have very little computer knowledge manage to carry out these scams after watching some tutorials and buying tools on the black market.
This kind of behavior is increasing among young people, barely of university age, who start making their first forays into bank card theft and phishing.
These are people who, without any links to a criminal environment or any experience in the world of crime, begin to see online banking fraud as a way of life that, as we will try to explain later, they sometimes do not even consider wrong. It is as if the online world had generated wide open spaces for crime without any type of external or internal control, still beyond justice’s reach, and where inner questions such as morality and honesty have blurred.
As Evgeny Morozov, author of the book The Net Delusion: The Dark Side of Internet Freedom, says, the web is overflowing with spam, scams, and identity fraud. Stealing a bank account has never been easier, and the tools to do it have never been cheaper or more accessible.
Given these data, we may ask ourselves: What's happening? Has everyone become an online fraudster?
It is true that online banking’s development and business volume have burgeoned in recent years. And since there is more business, it stands to reason that there is also more crime in this area.
But does this explain everything? We need to understand and examine more deeply the psychology of fraudsters if we want to explain this phenomenon completely and if we really want to prevent fraud, any fraud, and especially online fraud.
Online banking fraud model: the Fraud Triangle
In 1961, when this phenomenon of online banking was not yet even a dream, Donald Cressey presented a theoretical model of fraud that can be perfectly applied today to explain what happens with fraud in this sector.
According to this model, known as the Fraud Triangle, the risk of fraud arises when these three elements coincide:
Motivation. This is what prompts a person to engage in fraudulent behavior, due to some kind of internal or external pressure. This element signifies that the scammer is not a born criminal, not a person who is genetically programmed to commit a crime, but is rather a person who decides to engage in robbery or online banking fraud for some reason, at a certain point in his or her life.
This pressure can come from an internal impulse (for example, to get revenge, to obtain something that they consider their own, or to respond to a feeling of injustice), but it can also come from something external: for example, to meet an economic need, respond to extortion or be able to engage in the same behavior as others.
Opportunity. This element provides the motivated person a chance to commit the fraud. It is a security breach, a loophole in the processes or an open door that makes it possible to carry out online banking fraud.
Problems in guaranteeing user identity or the processes to guarantee it are examples of open doors that hackers can take advantage of to attack.
Obviously, no system is 100% perfect; an opportunity will always exist.
Rationalization. This is the person's internal mental process; a process by which the subject who commits the fraud seeks a justification so as not to see himself or herself as a swindler.
This element is the one most neglected in the fight against fraud, but it is the most effective for prevention. We are going to examine it in depth below.
Inevitably, there will always be people motivated to commit fraud. It is unthinkable that we could succeed in eliminating the human nature that sometimes makes someone decide to commit a crime; to cross the fine line into illegality.
This does not mean that this component of the triangle cannot be influenced. Nothing could be farther from the truth. Any human motivation can be eliminated, diminished or replaced.
For example, if a company has a support system for employees who may have financial problems (when facing a healthcare expense, for instance), this measure may help keep employees from thinking of inside fraud as a solution to their problems.
In other words, one way or another, we will always find people who have a motivation to commit fraud; we will be able to influence some of them, but not all. In addition, as we mentioned at the beginning, these motivated people seem to be drawn to online banking fraud to achieve their goals.
This point is complemented or explained by the “opportunity” component. Despite ever-greater cybersecurity measures, online banking offers numerous doors through which to sneak in and commit online banking fraud. Possibly this type of banking is still in the development stage, which means that not all the necessary security mechanisms have been fully established.
But perhaps it is also an unsolvable problem that is part of the structural nature of "online". In any case, although cybersecurity is logically striving to fill in any emerging security gaps and eliminate opportunities, the fraud triangle includes two other components available for preventive resource investment.
The element that may be the most important for the prevention of fraud, including online banking fraud, is undoubtedly the element of rationalization. If there is one thing that we humans like, it is to feel good about ourselves. Even if we have to deceive ourselves to do so. Nobody likes to see themselves as a thief, as a criminal, to have the feeling that they are a ruthless swindler and someone who is cheating others.
However, everyone also wants to benefit in some way from little "harmless" tricks, little shady incursions that don’t hurt anyone. A small change on our income tax return, inflating the cost of an object in an insurance claim, billing an extra hour or two...
If someone offered us the possibility of a low-risk theft of €5,000,000, most of us would probably say no. If it were €50,000, some might go along with it; and if, in the end, it were €500, many would find that amount acceptable for crossing the line into dishonesty without feeling bad about it. Stealing a computer from the office is very bad, but a few sheets of paper or a couple of pencils are something else, right?
The main question is where each person draws the line: in which of the above examples they would stop resisting and agree to commit the theft. This is what Dan Ariely calls the "fudge factor", or the level that allows us to retain our self-image as reasonably honest individuals without feeling guilty.
This factor can be increased or decreased by internal and external variables. For example, religious questions may mean that my tolerance level is very low and I cannot steal even 5 cents. Sometimes external factors can increase it as well.
What if stealing paper from the company is seen as acceptable because everyone does it? What if there is a feeling that the company has money to spare?
Online banking has a series of characteristics that make this deception factor very high, which cybersecurity needs to take into account in its approach:
- Widespread fraud. If everyone does it, it doesn't matter and I can do it too.
- Victim denial. The banks have surplus money, it doesn't matter if I rob them, it won't hurt anybody.
- Public acceptance. Robbing a bank is looked upon kindly. Robin Hood, or the mantra that banks rob us, legitimizes fraud against them.
- Distance from the fact. Online banking fraudsters do not physically see the money; they only see figures that go from one place to another. So they don’t feel so bad because the theft of actual money is not so perceptible.
Based on the above, cybersecurity experts must include these elements to build measures and strategies that influence this deception factor and make it harder for banking fraudsters to "feel good" when committing online banking fraud.