In my recent panel session with Dianne Doodnath from UK Finance and Steve Cornwell from TSB, we discussed one of the biggest challenges around fraud, namely how it’s not going to disappear any time soon. As soon as we close down one avenue for attack, fraudsters will quickly migrate to another. As Dianne said, ‘There’s no silver bullet for fraud.’
Shifts in fraud strategies have been driven by the changes in behaviour that we’ve all seen over the last few years. Fraud needs volume to hide in, and that’s exactly what the online world provides. With more and more people spending more and more time online, fraudsters are exploiting every available option to find and target their victims, from crypto and investment schemes to romance scams.
APP is on the rise
Most recently, we’ve seen fraudsters shift their focus towards approaches such as APP – authorised push payment fraud. Here, bad actors will masquerade as trusted agents, such as bank representatives or the police, aiming to coerce their victims into making large money transfers.
Because the transactions are initiated by legitimate customers following the fraudster’s coercion, it’s hard to detect. The login is coming from the user’s own device and location, and there’s little need for the fraudster to resort to other fraud tactics such as malware or Remote Access Tools (RATs).
And the numbers involved are enough to cause alarm for anyone: in the first half of 2021 alone, there was a staggering 71% rise in APP fraud.
Social engineering is the key to this: bad actors will invest significant time when it comes to scamming their victims, often spending days and weeks winning their confidence until they finally relent and transfer money. Despite the time and effort involved, the ROI for the scammers can be very high.
Shifting liabilities for reimbursement
The cost to the victims has traditionally also been high, but it’s an area where significant changes are taking place. In the past, defrauded customers had little or no recourse and the onus was on them to prove that they had been taken in by a scammer.
That’s changing, however. Criticism from victims, amplified by the press and social media, has led – in the UK at least – to widespread adoption of the Contingent Reimbursement Model (CRM). Developed by the UK Payment Systems Regulator and supported by signatories that include the largest banks in the UK, the code came into force in 2019, and gives customers a degree of protection around irrevocable real-time payments that they didn’t have previously.
Making amends, with benefits
At present, it’s a voluntary code. Banks can still refuse to reimburse victims where they feel that there’s evidence of negligence, first-party fraud or even collusion between customers and criminals. But that carries a reputational risk if the customer persists, or the costly outcome for the bank of having its decision overturned by the ombudsman.
But the CRM also brings significant benefits for the banks who adopt it. Not least of these is customer trust, something that is hard to win but easy to lose: in a survey conducted by Callsign, we found that 45% of people lost trust in an organisation purely on the basis of it being namechecked in a scam.
Another major advantage of the CRM is that it allows banks to refocus their resources. Dealing with fraud on a case-by-case basis is massively time consuming, particularly if the outcome in the majority of cases is going to be reimbursement. That’s time that could be better spent tackling fraud.
And when the fraud in question is APP, time is one of the deciding factors. While bad actors will spend a considerable amount of time and effort coercing and coaching their victims, once the fraud is underway, the bank may only have minutes or seconds to intervene.
The roles of detection, intervention and prevention
For many banks, the only line of defence is an alert message. But because these static warning messages usually appear at the same places in every customer journey, and display the same text, fraudsters are able to anticipate them and talk their victims past them.
But that all falls apart if the fraudsters encounter an element in the journey that they can’t anticipate – one that’s very difficult for the fraudster to talk their way around. Instead of a static warning, a dynamic intervention is a highly effective way to give the user a cognitive jolt, and some valuable breathing room to reconsider and terminate the transaction.
Solutions such as Callsign, which layers behavioural biometrics with device intelligence, can stop the scammer dead in their tracks. By passively analysing a customer’s behaviour, this technology can detect deviations from the normal, such as that customer taking longer than usual to navigate familiar menu options while their phone line is engaged.
This combination of anomalies would indicate a high probability that they’re speaking to a scammer who’s trying to talk them into making a transfer. If that customer then suddenly sets up a new beneficiary and attempts to transfer a large sum of money to it, this would be instantly flagged as unusual behaviour.
By recognising these danger signals in real time, the user can be prompted with a dynamic warning message that’s contextual to their situation. Were you expecting to make this transaction today? Are you on the phone to someone claiming to be from your bank? Has someone contacted you online about a crypto investment opportunity?
If the customer confirms that this is the case, they could then be warned that they’re being targeted by a scammer and advised to terminate the transaction.
The fraudster is caught cold – this is something that they didn’t anticipate, something that’s not on their script. And because the message is clearly spelling out exactly what’s going on, they’re unable to coach their potential victim past the message.
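The detection-to-intervention flow described above, sketched as an added example (not Callsign's implementation or code from this article): each signal is compared with the customer's own baseline, and the prompts are the ones quoted in the text. The field names, the z-score test and the threshold of 3 are assumptions, and the histories and sessions are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean, stdev

@dataclass
class Session:
    nav_seconds: float     # time taken to reach the payment screen
    on_call: bool          # device reports an active phone call
    new_beneficiary: bool  # payee was created during this session
    amount: float          # requested transfer amount

# Constructed per-customer baselines (assumed data, not from the article).
NAV_HISTORY = [12, 14, 11, 13, 12, 15]      # seconds
AMOUNT_HISTORY = [40, 25, 60, 35, 50, 30]   # past transfer amounts

def zscore(value, history):
    """How far a value sits from this customer's own normal."""
    sd = stdev(history)
    return 0.0 if sd == 0 else (value - mean(history)) / sd

def assess(session, nav_history, amount_history, z_limit=3.0):
    """Return the anomaly signals present; z_limit is an assumed threshold."""
    signals = []
    if zscore(session.nav_seconds, nav_history) > z_limit:
        signals.append("slow_navigation")
    if session.on_call:
        signals.append("on_call")
    if session.new_beneficiary:
        signals.append("new_beneficiary")
    if zscore(session.amount, amount_history) > z_limit:
        signals.append("large_amount")
    return signals

def intervention(signals):
    """Pick contextual prompts; an empty list means no interruption."""
    found = set(signals)
    coached = {"slow_navigation", "on_call"} <= found
    risky_payment = {"new_beneficiary", "large_amount"} <= found
    if coached and risky_payment:
        return ["Are you on the phone to someone claiming to be from your bank?",
                "Were you expecting to make this transaction today?"]
    if risky_payment:
        return ["Were you expecting to make this transaction today?"]
    return []

COACHED = Session(nav_seconds=48, on_call=True, new_beneficiary=True, amount=4500)
ROUTINE = Session(nav_seconds=13, on_call=True, new_beneficiary=False, amount=45)

if __name__ == "__main__":
    for s in (COACHED, ROUTINE):
        print(intervention(assess(s, NAV_HISTORY, AMOUNT_HISTORY)))
```

The routine session is also on a call, but with no other deviation it passes without interruption, which is what keeps the prompt unexpected when it does appear.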
Taking the seconds back
For bad actors, APP fraud and scams hinge on offsetting the time that they spend researching their targets and working on their victims against the critical few moments when the customer is at their most vulnerable and ready to make that transaction.
APP fraud might be on the rise at present, but that’s a situation that can be changed. A solution such as Callsign’s dynamic interventions can provide an effective defence against it, by giving banks back those crucial moments that stand between a successful fraud and keeping customers safe.