The UK’s ongoing economic downturn and high levels of inflation, coupled with a severe cost-of-living crisis coming directly on the back of the COVID-19 pandemic has created a perfect storm of opportunities for fraudsters. With their guards down, individuals and businesses are vulnerable like never before as fraudsters cynically capitalise on the crises with tailored attacks and convincing messaging designed to catch people unawares. Thankfully, technology designed to stop these malicious attacks is also becoming smarter.
Below, we look at six key fraud threats currently affecting individuals and businesses, as well as considering the market and regulatory response to these malicious activities.
Volumes of scams and social engineering shows no sign of abating. The increasing pressure on household budgets due to higher living costs provides an opportunity for scammers to target victims desperate for alternative means of generating income or increasing their savings. We're already seeing an increase in social engineering and phishing attempts since 2020. This will continue to rise in 2023 with scams detailing fake job adverts, investment opportunities, bogus Government assistance grant schemes, and fake messages impersonating family members. Scams trick victims into sending money or paying for goods and services that don’t exist whilst divulging Personally Identifiable Information (PII) that, once obtained, enables fraudsters to impersonate their victims to make purchases, access credit facilities on their behalf, or even to create ‘synthetic' identities – fake identities created using real information, for the purposes of enacting fraud.
2023 sees the introduction of the PSR’s proposals on authorised push payment scams1, mandating reimbursement to victims of scams within 48 hours of reporting a fraud. If it becomes regulation, this will have significant implications for UK financial institutions of all sizes. Building on the previous CRM 2019 code, the proposal notably recommends a 50/50 liability shift, instructing recipient payment services providers to share equal liability in reimbursing scam victims. The greatest impact is likely to be felt by small-to-medium sized financial institutions e.g. digital challenger Banks. They may be required to invest in new fraud prevention and know-your-customer solutions to ensure increased risk protection, or face incurring heavy losses through reimbursement. As they look to expand, smaller financial institutions will have to find a balance between greater risk acceptance and the increased liability of reimbursements. With no set limit to the value of reimbursements and with year-on-year increases in the value of APP scams2, payment services of all sizes are at significant risk of loss should they fail to respond sufficiently to the new regulatory change.
Money Mules continue to present a significant risk for banking institutions. Infesting social media channels with their convincing recruitment messages, Mule Herders offer an appealing route to make a ‘quick buck' for the millions of individuals experiencing increasing financial hardship. As such, the profile of a new-look Money Mule is increasingly emerging from an older, middle-class demographic. Whether victims participate willingly, or are unaware of the illegality, Money Mules are facilitating a financial crime – money laundering – punishable by up to 10 years in prison.
The PSR’s new proposals stand to make an impact here too. If transposed into regulation, it will be more important than ever for firms to facilitate transparency of credit and debit activity, identifying mule accounts quickly and enabling fraudulent payments to be blocked before the money is siphoned off into the fraud network.
Economic crime has been transformed by the advent of cryptocurrencies. Criminals still favour the use of crypto exchange accounts to receive money generated from scams, removing them from the vigilant gaze of financial institutions and supervisory bodies, and facilitating anonymous money laundering activities on a global scale. Fraudsters have also capitalised on the crypto interest to target millions of inexperienced investors with investment scams through the promise of lucrative returns. Action Fraud report that 2022 saw a 32% increase in crypto-related fraud, estimated at £226M3. As the cost-of-living crisis wears on through 2023, this fraud trajectory is likely to continue. Whilst more experienced crypto users normally opt for larger, more reputable firms, people new to exchanges may be unfamiliar with the risk of fraud and quickly find themselves losing significant amounts of savings.
The crypto-asset landscape remains volatile, however. The collapse of the crypto exchange FTX towards the end of 2022 lost billions of investor Dollars and triggered the demise of multiple exchanges. Although the future of the market looks uncertain, we can expect to see an increase in regulatory scrutiny on cryptocurrencies globally. Consultation has already begun in the UK. The Financial Conduct Authority reports that 85% of crypto-asset companies who applied to its register failed to meet its anti-money laundering standards4. As we have seen with the UK Government’s approach to scam-prevention, similar scrutiny may be placed on financial institutions to demonstrate sufficient anti-fraud controls for crypto assets.
Fraud is big business. Criminal gangs are sophisticated, well organised and their operations are often run just like any legitimate business. The use of advanced tools and automated attacks such as botnets and malware are expected to increase in 2023, thanks to fraud services readily available on the dark web. Among the concerning array of services are oven-ready ‘blue-ticked’ fake social media account run by bots, ready to launch impersonation attacks, phishing campaigns or recruit unwitting mules.
Malware and scripted attacks – another means of compromising victims’ accounts – present a particular threat, as they can be deployed with ease using phishing methods and remain dormant for an extensive period. Multi-Factor Authentication (MFA), the approval notifications we all receive on SMS or apps to prove our identity when transacting online, may also be the product of a malware attack. For example, MFA bombing, which floods a victim’s device or application with authentication requests in anticipation that one may ultimately become successful. These differ from traditional social engineering techniques to trick a user into disclosing their One Time Password (OTP). For businesses, the frequency of ransomware and email compromise attempts showed a significant increase in 20225, partially fuelled by the rise of hybrid working. It is now more important than ever for businesses to promote safe cyber practice amongst employees to ensure systems and customer data is not compromised.
Changing consumer habits are leading to an ever-increasing range of available credit services. Analysis conducted by Worldpay7 shows that BNPL (Buy Now Pay Later) products and digital wallets (contactless payment via mobile phone) will take the majority share of global online payments by 2023, shifting consumers away from traditional cash and credit cards. Over 17 million UK consumers are reported to have used BNPL services in 20228, many of whom are younger shoppers. Worryingly, the impact such incentivised shopping has on people’s behaviour is not yet fully understood. Many – particularly young people – may quickly find themselves in debt and turning to alternative credit sources and loans to meet repayments. According to research conducted by OpenMoney9, 43% of respondents admitted to using BNPL to pay for services they otherwise would not be able to afford. The rise in synthetic identities – created using a combination of fake and genuine information, artificial intelligence and deep fakes – poses an existential risk to the credit market, particularly BNPL loans that require relatively simple due diligence checks, by making it increasingly difficult for providers to decipher fact from fiction. Credit institutions may expect increasing rates of first party fraud as applicants gain access to credit cards, loans or BNPL products which they have no intention of paying back.
James Rushe, Engagement Manager - Fraud & Identity, LexisNexis® Risk Solutions, March 2023