Rarely a day goes by without fraud hitting the headlines.
Much of the time it’s a single, cautionary case study harvested from the personal finance pages; An unfortunate has fallen victim to a caller with supreme confidence and a compelling tale. But in today’s highly digitised financial environment, it would seem that attacks on an institutional scale are increasingly common.
Recent (May 2018) news centres around a high profile IT failure. The story didn’t begin with fraud but it’s becoming apparent that fraud will be the defining theme. While IT systems are compromised, opportunist fraudsters are exploiting the time lags in account verification. All this while vulnerable clients, so desperate to have reassurance from their bank, find that any personal contact comes as a relief and perhaps lower their fraud defences.
In reality, cases of fraud are not on the rise overall. Fraudscape 2018 notes that Cifas, the National Fraud Database, recorded 305,564 cases of fraud, 6% lower than in 2016. However, this was largely down to a reduction in facility fraud – customers defaulting on mobile phone contracts and so on.
Identity fraud and misuse of bank accounts involving young people both saw record levels in 2017. There were 174,523 cases reported to Cifas in the UK in 2017 and bank account misuse was up 13%. ID fraud was only up 1% on the previous year but considering levels 10 years ago, this is a 125% increase over what has been a largely digital decade.
Interestingly, financial services was not responsible for the biggest increase. This was seen in telecoms, online retail and insurance. This may be, the Fraudscape report noted, because there are fewer checks on ownership and identity for these products than in a bank account. It doesn’t mean financial services can rest on its laurels.
For one thing, mobile phone contracts and insurance policies form the bedrock of financial identity checks – if these are falsified, the whole house of cards comes tumbling down. In the case of mobile phones, with two-factor authentication a common form of payment verification, access to a fraudulent mobile account gives fraudsters free rein over customers’ accounts.
This very thing happened to a customer whose mortgage deposit was withdrawn from his account in a way that seemed completely above board to the bank. By convincing his mobile phone provider to swap his number to a different SIM, fraudsters could receive the verification codes needed to make transactions from his account. Since refunded, he initially lost £15,000 in savings and had his overdraft extended without his knowledge, not once but three times.
“Fraudsters seek out organisations’ vulnerabilities and cash in on them. The problems at TSB today and TalkTalk in the past are a case in point. We saw mass fraud at both institutions from impersonations. They are playing a numbers game,” explains TransUnion’s Head of Fraud Consultancy & Sales Support, Sarah Golding.
But just because many of these attacks start out as opportunistic attempts to ‘get in while the going’s good’, that doesn’t mean there is no way to defend against them. “It’s all about customer education. Where fraudsters see an opportunity it’s about how we as an industry come together and help with education.” continued Sarah.
Customers can feel understandably helpless in this scenario. Many of the reports around most recent frauds suggested customers had taken on board vishing advice – but the callers seemed so plausible with access to specific data and even the banks’ own tools for identity verification.
“The criminals have many ways of getting hold of personal data. Whether it’s from a user’s lax social media privacy settings or buying it on the dark web as a result data breach from any organisation. That’s their toolkit and it’s the reason why ID fraud has increased within recent years,” explains Josh Gunnell, Head of PreSales, TransUnion.
“Industry is doing the right thing in looking to create education and heightened awareness – speaking to the customer and getting them to ask themselves ‘should I be volunteering some of this information?’. Equally, GDPR and Open Banking are initiatives which puts the power of personal data back into consumers’ hands. It’s in the interests of financial organisations to demonstrate how well they look after personal data and make sure it can’t be accessed because customer trust is fundamental to that business relationship,” he adds.
Technology can appear to be both the enabler and the solution. The growth in account misuse or ‘money mules’ is facilitated by the speed and ease with which money can move around the digital world. The true origin of that money can be hard to find, even with the digital trail.
With a worrying trend towards a younger end of the age spectrum (a 36% increase in money mules under 21), mules differ from impersonation in that the player is an active participant in the fraud – although youth, peer pressure and general naivete may give credence to the fact that they don’t understand the illegality of their actions. “This is the consumer education piece: If it looks too good to be true, it probably is,” Gunnell states.
Just when it seems like fighting the fraudsters is a Sisyphean task, there is hope. “They don’t make the news headlines but institutions are making massive inroads into stopping fraud. Yes, we need creativity and innovation and a willingness to embrace technology because it can feel like fraudsters can be one step ahead,” Gunnell warns.
These innovations come in many forms, from performing due diligence on existing systems, checks and balances, to integrating new technologies such as biometric two-step authentication and blending data.
“It’s a continuous fight to stay ahead and invest in technology,” Golding admits. “There’s no silver bullet. It’s about creating layers and being smart – taking information from different sources and being dynamic, but it’s true that it’s easier said than done for big organisations that are often less agile and could take a year or more.”
Gunnell adds that the solutions are there now and that the data, which seems so much to be the enemy in the fraud piece, also has the potential to safeguard. “The sophistication with which we profile customers’ needs to be rethought and companies like ours can help with this. Deploying modular solutions gets less agile organisations up and running quickly.
“Financial services has a tricky challenge when it comes to fighting fraud,” he concludes. “You could put up every barrier going and make the customer experience exhaustive which would lead to lost business. But using non-intrusive techniques and solutions to scrutinise personal and non-personal data in parallel, you can blend these technologies to create multiple layers of scrutiny. Fraud prevention is vital but needs to happen in a way that doesn’t compromise the objectives of an institution; to build a valuable relationship for both parties.”