24/06/2021
The fundamental challenge with detecting and blocking scams is that they trick the victim into becoming complicit in the fraud. Digital identity intelligence, the mainstay of detecting an account takeover or impersonation attempt, can fall at the first hurdle: the problem is no longer telling a trusted user apart from a potential fraudster, but protecting the trusted user from themselves.
Fraudsters have found a technique that works and have refined it to near perfection. The scams are so pitch-perfect that anyone can be fooled.
It was the day before my birthday and I received a text, apparently from a well-known delivery company, telling me I had missed a scheduled delivery because there was excess postage to pay. My mum had reminded me to look out for a parcel, so when I saw the text I immediately thought of my birthday surprise.
Clicking through, I landed on a website that looked like the company's own, entered my bank details, made the payment and looked forward to my redelivery.
The next day, my birthday, I get a call from the bank. We go through a standard set of security questions before the bank representative gets to the reason for the call:
“I’m sorry Ms Johnson, but it looks like there has been an attempted fraud on your account.”
I immediately panic. How has this happened? I am so careful to check all my payments, and I only ever access my bank account via the dedicated app on my smartphone.
“It looks like a fraudster now has access to your account. We’ve seen some suspicious activity this morning and it’s vital we act quickly to safeguard your assets.”
The person on the other end of the phone reassures me immediately.
“Don’t panic, I am sending you a text now with the dedicated bank account details of where you need to transfer your account balance. This is a safe account where we can hold your money until we close the old account and set up a new one. We need to make sure we do this immediately to avoid the fraudster moving your money.”
I set up the new beneficiary and make the transfer immediately. I am told I will receive a call back shortly with confirmation of my new account details and that I will receive a new card in the post. I hang up, feeling immensely relieved and hoping that I have mitigated the damage from an apparent identity theft. I make a mental note to change my email address and reset all my passwords.
The next day I am puzzled as to why I haven’t heard back from the bank. I give them a call to see how long I will be without my debit card and to ask when I will be able to see my new account in the online banking app. Every time I have checked this morning my balance just shows zero with no sign of the new account. When the bank representative has finished going through the security checks and I explain the situation, they say:
“I’m sorry Ms Johnson but we don’t have any record of that conversation. And we would never ask you to transfer an account balance to us.”
I feel completely sick.
This modus operandi is one glimpse of a genuine attack pattern: scam typologies are diverse and complex, but the outcome is always the same. The customer is tricked into either divulging sensitive information that can be used in an account takeover, or sending funds to a fraudster's account under the guise of a legitimate transaction. Sometimes the two are combined into a complex, hybrid attack, as in the story above: the fake delivery text harvested card details, and the follow-up call used that "breach" as the pretext for an authorised transfer to a "safe account". The biggest challenge for financial institutions arises when the customer has either authorised the payment from a fully authenticated online banking session, or passed a strong customer authentication check for a payment that the fraudster initiated.
The fraudster hides behind the victim's own authentication. Device anomaly checks pass because the session runs on the victim's genuine device, which the fraudster uses as a snail shell of protection; payment rejection never triggers because the legitimate account holder is the one authorising the transfer.
While the Contingent Reimbursement Model (CRM) Code in the UK has shifted much of the liability for authorised push payment scam losses from consumers to the banks that have signed up to it, the shame felt by a customer who believes the fraud was "their fault" can be extremely damaging. It is not just about the monetary loss; it is also about the loss of trust. That is hugely damaging for the victim, and also for the bank. Customers who have been victims of fraud often move to a different bank, and the bank then loses the lifetime value of what could have been a loyal customer.
What can be done to detect and prevent these pernicious and evolving social engineering attacks? How can financial organisations better protect their most precious asset, their customers? Let’s take the key players in this fraud typology and examine what could be done to better mitigate scams.
Understanding what is normal behaviour for the victim, and flagging anything anomalous, is key to detecting social engineering attempts. Banks can ask questions such as:
Profiling the beneficiary account, and the onward movement of money from it to other accounts in the financial services ecosystem, can better flag high-risk activity related to a potential fraud:
Harnessing shared intelligence across the banking ecosystem can help prevent fraudsters from repeating the same attack across multiple organisations:
By combining intelligence about the victim, the beneficiary and the online banking session, anomalies and high-risk activity can be flagged in real time, helping financial services organisations prevent the loss of customer money and avoid further damage to both the victim and the bank further down the line.
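The three layers of intelligence described above (victim behaviour, beneficiary profile and shared cross-bank signals) can be combined in a single risk scorer. The following is an added example, not code from the original post or from any vendor's product: it scores an outbound payment using constructed customer history, made-up account identifiers, an invented "shared mule list" and arbitrary weights and thresholds, all of which are assumptions for illustration. The scam transfer from the story passes the device check, because it is made from the victim's own phone, yet is still held because the other signals fire.

```python
"""Added example (not from the original post): a rule-based scorer that
combines victim-behaviour, beneficiary and shared-intelligence signals to
flag a high-risk outbound payment. Every account, timestamp, weight and
threshold here is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Payment:
    ts: datetime
    amount: float
    beneficiary: str        # destination account identifier (constructed)
    new_beneficiary: bool   # payee added to the payee list for this payment
    device_id: str          # device the authenticated session runs on


@dataclass
class CustomerProfile:
    history: list           # prior outbound Payments by this customer
    balance: float          # balance immediately before the payment
    usual_devices: set      # devices previously seen for this customer


# Constructed "shared intelligence" about beneficiary accounts, as it might be
# pooled across several banks: when the account was first seen, how many
# distinct payers sent to it in the last 24 hours, and what fraction of the
# money received was forwarded on within 24 hours.
SHARED_MULE_LIST = {"GB00MULE00000001"}
BENEFICIARY_INTEL = {
    "GB00MULE00000001": {
        "first_seen": datetime(2021, 6, 20),
        "distinct_payers_24h": 7,
        "forwarded_24h_ratio": 0.95,
    },
}

# Assumed weights; a real deployment would tune these against labelled cases.
WEIGHTS = {
    "amount_5x_typical": 30,
    "drains_balance": 30,
    "new_beneficiary": 15,
    "shared_mule_list": 40,
    "beneficiary_recent": 15,
    "many_payers": 20,
    "rapid_forwarding": 20,
    "unrecognised_device": 20,
}


def score_payment(profile, payment, now,
                  mule_list=SHARED_MULE_LIST, intel=BENEFICIARY_INTEL):
    """Return (score, decision, reasons) for one outbound payment."""
    reasons = []

    # --- Victim behaviour: is this payment normal for this customer? ---
    amounts = [p.amount for p in profile.history]
    typical = mean(amounts) if amounts else 0.0
    if typical and payment.amount > 5 * typical:
        reasons.append("amount_5x_typical")
    if profile.balance > 0 and payment.amount >= 0.9 * profile.balance:
        reasons.append("drains_balance")
    if payment.new_beneficiary:
        reasons.append("new_beneficiary")

    # --- Beneficiary profile and shared intelligence ---
    if payment.beneficiary in mule_list:
        reasons.append("shared_mule_list")
    info = intel.get(payment.beneficiary)
    if info:
        if now - info["first_seen"] < timedelta(days=30):
            reasons.append("beneficiary_recent")
        if info["distinct_payers_24h"] >= 5:
            reasons.append("many_payers")
        if info["forwarded_24h_ratio"] > 0.8:
            reasons.append("rapid_forwarding")

    # --- Session: device anomaly (defeated when the victim's own device is used) ---
    if payment.device_id not in profile.usual_devices:
        reasons.append("unrecognised_device")

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= 60:
        decision = "hold_and_call_customer"
    elif score >= 30:
        decision = "step_up_with_scam_warning"
    else:
        decision = "allow"
    return score, decision, reasons


# Constructed customer: small everyday payments, always from the same phone.
NOW = datetime(2021, 6, 23, 10, 30)
HISTORY = [
    Payment(NOW - timedelta(days=d), amt, "GB00COFFEE000001", False, "phone-7f3a")
    for d, amt in ((20, 25.0), (15, 40.0), (9, 32.5), (6, 60.0), (2, 18.0))
]
VICTIM = CustomerProfile(history=HISTORY, balance=4820.0, usual_devices={"phone-7f3a"})

# The "safe account" transfer from the story: full balance, new payee, own device.
SCAM_PAYMENT = Payment(NOW, 4820.0, "GB00MULE00000001", True, "phone-7f3a")
# An ordinary payment to a known payee from the same device.
NORMAL_PAYMENT = Payment(NOW, 30.0, "GB00COFFEE000001", False, "phone-7f3a")

if __name__ == "__main__":
    for label, p in (("scam", SCAM_PAYMENT), ("normal", NORMAL_PAYMENT)):
        print(label, *score_payment(VICTIM, p, NOW))
```

The point of the example is the one the post makes: the device check contributes nothing against the scam payment, so detection has to rest on what the customer is doing (emptying the account to a payee added minutes earlier) and on what is known about the beneficiary (a recently opened account receiving from many payers and forwarding almost everything on). Any one of those signals alone would be noisy; scored together they separate the scam transfer from everyday activity.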