By Karen Wheeler, Country Manager at Affinion
Cybercrime is scarcely out of the headlines and customers are understandably wary. Banks are in the firing line because we all increasingly conduct our financial affairs online or via banking apps, meaning there are more opportunities for criminals to access valuable data and money.
The fight against cybercrimeis like a never-ending game of cat and mouse – no sooner have the security experts identified a cyber-attack and worked out how to combat it, then the cybercriminals invent a new method. In February 2019, Metro Bank became the first major bank to be named as a victim of a new type of cyber-attack which targets the codes sent via text messages to customers to verify transactions.The fraudsters were able to exploit flaws in SS7, a protocol used by telecoms companies to coordinate how they route calls and SMS messages around the world.
On a bigger scale, seven of the UK’s biggest banks including Lloyds, Santander, Royal Bank of Scotland and Tesco Bank were forced to reduce operations or shut down entire systems following a cyber-attack in January 2017. The attack crippled digital services for two days and cost banks hundreds of thousands of pounds.
The risk is high because devastating cyber-attacks can be launched by lone individuals in bedrooms or by sophisticated criminal gangs with links to corrupt governments. Software capable of huge destruction can be accessed very easily – in fact Webstresser technology, linked to the January 2017 attack can be rented for as little as £11.
The worrying truth is that despite the fact that cybercrime is everywhere, an astonishing 75 per cent of consumers would not know what to do if they fell victim to cybercrime. According to Affinion’s Cybercrime SOS report, consumers are confused and unsure who to contact for help when they fall victim to cybercrime.
Furthermore, most consumers have not moved beyond basic online security measures – only 16 per cent of people worldwide have access to identity fraud protection; 17 per cent to a credit report subscription and 30 per cent to a password manager. Even the simplest forms of online security are not universally adopted – a third (31%) of respondents in our study do not employ any form of software protection and only 58 per cent have access to a firewall, suggesting that many consumers are leaving themselves completely exposed and vulnerable to attack.
Consumers risk sleep-walking into serious financial and personal crisis– many do not have the appropriate safeguards in place and seem blind to the scale of the cybercrime epidemic.
From supplier to saviour
This is where banks must step in. Consumers need to be alerted to the dangers and supported when things go wrong and this is something that banks worldwide are already fully aware of. According to a report from Accenture and the Ponemon Institute, the average cost of cybercrime for financial services companies globally has increased by more than 40 per cent over the past three years, from nearly $13 million per firm in 2014 to nearly $19 million in 2017. In fact, cyber-attacks are costing financial services firms more to address and contain than any other industry and the rate of breaches in the industry has tripled over the past five years.
Of course, those figures only tell part of the story. Banks face huge bills in terms of monitoring, detecting, investigating and remediating cybercrime incidents but there is also a cost in terms of customer retention. Customers who do not feeltheir cybercrime complaint is handled properly are more likely to leave a bank. Customer trust is such a valuable commodity and when this is eroded, retention rates will fall.It can cost five times more to attract a new customer, than to retain an existing one so banks are well advised to think very seriously about their approach to cybercrime so that the customer experience is positive.
Getting it right
Many financial institutions are beginning to take a proactive approach, developing strong education and awareness programmes. Barclays, in particular, has invested significantly in its“Digital Eagles” to roll out cybersecurity training to communities across the UK. Its DigiSafe in Cyber Space programme includes tips and guidance on how to keep devices safe, how to navigate different social media privacy settings, advice on pop-ups and tips on recognising fraudulent emails. It also covers how to spot phishing scams, advice on downloading software, effective password practice and being more aware of tricks that fraudsters use to target individuals with the intent of poaching bank details.
It is agreat example of an organisation waking up to cybercrime and empowering its customers to fight back.But what about individual identity (ID) theft cases or times when individuals become aware that their name is being used fraudulently to obtain credit or loans? Who should they turn to?
The problem with identity fraud
ID theft can be particularly distressing and complex to resolve as victims face huge uncertainty, not knowing how many times and for how long the fraudsters might falsely use their name. They can receive demands to repay the criminals’ debt for years afterwards and never really have peace of mind that the issue is dealt with. In addition, there is the very real fear of reputational damage when their identity is stolen, which can affect personal and professional lives. Sadly, it is a growing issue – a third (33%) of respondents have already been directly or indirectly affected by identity fraud, according to our study.
It also shows that whereas a consumer knows to contact their bank or credit card provider if they have been subject to a fraudulent transaction, when it comes to identity theft,they don’t know who to turn to in order to get help.
It is a complicated field to navigate so it’s not surprising people are unclear. There are many different parties involved and lines of reporting and responsibility vary across the globe. For example, in the US, the Federal Trade Commission advises that in most instances you don’t need to report ID theft cases to the police. Whereas in the UK, organisations like Action Fraud provide a raft of options and steps to take including contacting the local police.
Looking for expertise
As things stand, global customers are not confident in their own abilities to prevent, detect and resolve identity fraud and only 16 per cent have any sort of identity fraud protection. There is a strong sense that while many consumers are happy to take day-to-day responsibility for managing their digital lives, if a cybercrime occurs, they would prefer an outside organisation with expertise to resolve the situation. When incidents have happened, 39 per cent credited their bank with resolving the issue and this has boosted brand perception.
There is therefore a window of opportunity for businesses to step in and support customers as they adjust to the brave new world in which we live in. Banks should seize the moment to become part of the conversation and the solution.The uptake of even the most basic forms of protection is not widespread and customers are looking for guidance in terms of how to detect and resolve cybercrime. By dedicating significant resource to the issue, banks can signal to their customers that they take the security of financial information extremely seriously and are on hand to help. Resolving incidents will take time, skill and sensitivity but it will be worth it if customers are retained and become passionate advocates for the bank.