By Gemma Staite, Threat Analytics Lead at BioCatch
The financial services industry is experiencing unprecedented levels of fraud activity. A recent survey by UK Finance reported a 151% increase in fraud in 2022 compared to last year’s offences.
The imminent “scampocalypse” is caused by two major elements. Scammers’ ranks have grown as a result of the introduction of peer-to-peer payment apps, as well as the unexpected displacement of workers and a hastily implemented stimulus strategy at the onset of the pandemic. So, what’s driving the sudden uptick in social engineering bank account scams and what can financial institutions (FIs) do to stop a scampocalypse scenario?
A Beginner’s Guide To Scams
For banks to solve the scam problem, a functional definition of what constitutes a scam is required. While the definition varies depending on who you ask, most financial institutions agree that a scam is a social engineering attack designed to get the victim to give critical information or pay money directly to the attacker. It’s helpful to divide the universe of scams into those that exist for the primary purpose of coercing the victim into making a fraudulent payment and those that exist primarily for the purpose of harvesting sensitive information in support of fraud attacks that may take place at a later time. That gives us two categories of scams: harvesting scams and payment fraud scams.
Harvesting scams – An attacker uses a harvesting scam to trick the victim into disclosing information such as login credentials or financial and personal information. The attacker then holds on to the information to use for future bank account scams — primarily account takeover fraud.
Payment fraud scams – Payment fraud scams, such as authorised push payment (APP) fraud, occur when an attacker coerces a victim into making an authorised bank transfer or sending money in real time over a P2P payment network. Because of the increased acceptance of digital banking and payments, as well as the convenience with which such payments can be made, this type of scam is flourishing.
Whose responsibility are scams?
The first place that scam victims usually turn to for reimbursement is their bank. When a victim contacts their bank, the customer team will take immediate action to protect the user from losing any more money.
APP fraud makes it harder to recover stolen funds if the account owner sent money to someone because of a scam – for example, if they paid a fake invoice or bill. Most banks will agree to repay lost funds voluntarily if a customer falls for a scam. However, the customer may be asked to present additional evidence to prove they are truly a victim. This may include showing that they:
- Obeyed any security warnings sent by the bank
- Believed the transaction was legitimate
- Were not acting carelessly when the payment was made
In the UK, where a “scampocalypse” of sorts began in 2013, the APP Contingent Reimbursement Model Voluntary Code, dubbed “The Code,” provides some protection. Recent changes to the reimbursement code, specifically “confirmation of payee” checks which require a user to input a person’s first and last name and account details before sending them money, may help reduce the impact of scams. In addition, the UK government has stated that legislation will be introduced to help combat this specific type of fraud, but it hasn’t happened yet, and there is still uncertainty about what it will look like.
What is the solution, and who is accountable for putting it into action?
The question of responsibility doesn’t have a clear answer. In the UK this year, victims were fully reimbursed in 73% of incidents of bank and credit account fraud, 64% of incidents of advance fee fraud and 46% of incidents of consumer and retail fraud.
While there may be no legal consequences for FIs who refuse to refund a victim following a payment fraud scam, it severely damages the faith that customers hold in them. In addition to being robbed, falling prey to a scam causes tremendous emotional damage, which is only made worse when a victim calls their bank and is told they will not be reimbursed. It adds a feeling of betrayal to an already terrible situation. Ignoring this issue only sets FIs up for failure in the long run; the industry is based on trust, and customers will leave their FI for another if they don’t feel their money is being protected.
Avoiding the scampocalypse
While the potential of a “scampocalypse” is frightening, techniques exist to avoid even real-time scams, allowing institutions to protect their customers from becoming victims. Behavioural biometrics is a preventative measure implemented by FIs that can be used to detect social engineering scams. Since a person under duress behaves differently than one banking under normal conditions, our models catch on and help prevent payment fraud scams as they happen.
It’s critical to remember that there is a human element to this problem. Some customers stand to lose their life savings to one of these attacks. In an industry where trust is everything, it makes sense for FIs to get ahead of the problem and do their best to prevent their customers from becoming victims.
Whether or not regulatory actions affecting reimbursement models are implemented, banks can be proactive in addressing the scam problem before it negatively impacts customers. The only certainty is that FIs and customers will have to collaborate to avoid a scampocalypse.