Banks’ grip on online fraud is growing, but fincrime attacks remain a threat to the industry’s future

Banks’ grip on online fraud is growing, but fincrime attacks remain a threat to the industry’s future

By Jimmy Fong, CCO of SEON, following the launch of SEON’s latest Global Banking Fraud Index

Let’s start with the good news. Fresh data shows that 65% of companies experienced fraud in 2023. That’s the lowest the figure has been since 2014.

And largely, that is supported by the fact that 45% of all US financial services reported they had fully integrated digital fraud prevention solutions in 2022 – up from 28% in 2020.

Indeed, in 2022, the fintech industry really started to get to grips with the issue of online fraud. It’s become vigilant to the threat that bad actors pose and it’s taking steps to combat it.

However, it’s a threat that isn’t retreating any time soon. While digital transformation is aiding that fight, this digitization also means more bad actors are innovating their approach; and to that end, the data suggests that 71% of financial institutions reported a security breach from business email compromise (BEC) last year.

As the world turns increasingly towards these fully-digitized banking experiences, fraudsters aren’t wasting time hanging around the legacy brick-and-mortar banks with the aim to commit traditional scams.

Rather, they’ve adopted digital lockpicks to crack all the new electronic locks. These locks appear when accessing, buying, and exchanging money online, and criminals are always developing new ways to go about circumventing them.

Speaking on the new report, Tamas Kadar, CEO and Co-Founder of SEON commented: “It’s been an interesting year for the banking sector, but despite a few bumps in the road there’s clear evidence the industry is moving in the right direction. However, to ensure this momentum can be sustained, those working within traditional banks, as well as neobanks, must be highly vigilant about the growing risks associated with fraud.

“If this doesn’t happen, institutions risk monetary and reputational damage because of fraud and fincrime. Thankfully, as well as compiling an index of today’s fraud pain points, companies like SEON are also on hand to provide businesses in the banking and neobanking sectors with new tools to fight back against the fraudsters.”

What are the banking fraud trends for 2023?

In terms of the sea of changes the banking world is experiencing, the shift towards digitization is certainly the most important when it comes to predicting fraud patterns.

When banks and money services cast this much larger net over a previously underbanked population – and normalize a purely digital experience in doing so – they create new attack vectors for fraudsters, as well as new techniques to exploit.

Holistically, those new vectors and techniques can be characterized as either:

• Fraudsters fully submerging themselves in digital
• Fraudsters fully committing to analog

Exemplifying these two angles of attack, JP Morgan’s annual payments fraud survey showed that, on the digital side, card-related fraud types rose by an alarming 10% in 2022, with businesses overall showing lower volumes of online fraud.

The report’s latest key findings also highlighted four further key areas that banks need to be wary of:

1. There remains a prevalence of business email compromise which remains a huge security flaw.
2. There has been an increase in social engineering scams that lead to BEC (business email compromise) and APP (authorized push payment) fraud.
3. There is a continuing problem of flawed account-opening processes.
4. Buy Now Pay Later (BNPL) still offers a unique identity validation challenge to banking institutions.

By prioritizing advanced security measures, enhancing email security protocols, combating social engineering scams, optimizing account-opening processes, and overcoming the unique challenges posed by BNPL, banks can stay ahead of fraudsters and safeguard their customers’ financial well-being with unwavering confidence.

State-of-the-art fraud prevention is increasing but that is not warding off bad actors from low-tech scams

Instead, attackers are looking for new channels with fewer safeguards.

Low-tech scams – those that rely on con artistry and phishing techniques – are on the rise, and the resulting BEC and APP fraud can be damaging in ways that go beyond simple revenue losses.

Business Email Compromise (BEC)

Though broadly referred to as email compromises, BEC can come in many media, but the end result is work-related login credentials that become exposed and exploited. Depending on the level of access granted to a criminal with those credentials, the worst-case scenarios could all become realities: sensitive data leaks, misappropriation of funds, and snowballing phishing with high-level email addresses.

Authorized Push Payment (APP) fraud via phishing

The headline figure here is that 75% of all fraud losses – globally – were related to consumer phishing, with other financial services reporting those cases at 66%. Authorized push payments are payments made from a customer account which, from the institution’s perspective, are authorized by merit of having the correct security details.

They are more common in ecommerce when it comes to unauthorized purchases, but when they occur in banks, the fact that only money is moving can cause even greater fallout for the institution due to the regulations the vertical must adhere to.

In general, APP fraud is harder to catch, as the fraudster will have the correct username and password combination.

We still need to be wary of high-tech scams

While some fraudsters take to the ground level to scam away their illicit money, others choose to fly over the technology. More fintechs and banks are doing a better job of not only implementing but also investing resources into better fraud detection software.

SEON’s own data found that scaled fraudsters hit a ceiling when attempting to circumvent modern fraud prevention tools. At a certain point, it is no longer cost- and time-effective for a fraudster to invest the time and energy needed to beat cyber-security approaches like device fingerprinting and password hashes.

Similarly, legacy digital security implementations like one-time passwords (OTP) or two-factor authentication (2FA) sent by over text messages were previously seen by many as foolproof. Then they were just “good enough”. Now, though, they’re looking positively outdated, with some independent security analysts now downgrading banks that rely on those methods which have been proven fallible in the face of highly sophisticated ploys like SIM swapping and man-in-the-middle (MitM) attacks.

Fraudsters not willing to take to the streets to carry out their crimes have to find a way to get themselves over these hurdles in order to pick the best, highest-hanging fruits.

And now for the all-important question: How can the fintech and banking industry avoid banking fraud in the future?

Though it has always been a good idea for best practice fraud prevention, now more than ever the need to scrutinize digital identity markers is paramount for robust cybersecurity.

Fraud pain points commonly reported by banks and financial services in the past year can be largely addressed by implementing and investing across the following four key areas.

1. Create layers of protection

Complete digital footprint analysis early on in the customer journey, even before account creation or onboarding of customers and users, easily blocks customers who attempt to use stolen, synthetic, or fake identities, including fraudsters armed with legitimate personal credentials stolen via phishing scams.

In the face of threats like APP fraud or BEC, however, this is obviously not enough, as these kinds of scams will be exploiting accounts that have gone past the onboarding stage.

Allowing fincrime and fraud prevention software and anti-money-laundering checks to create touchpoints at different stages across the customer experience will allow fraud teams a better win rate when it comes to preventing costly phishing scams resulting in huge reputational and regulatory damages.

2. Monitor device risk

As more customers turn to mobile apps like Pix for their financial services, businesses should be increasingly leaning on device fingerprinting to remove as much anonymity from the mobile space as possible.

Generally, device configurations are individualized enough to be nearly unique, as well as a strong indicator that a user is the same across multiple journeys. This will mitigate the damage done by synthetic ID fraudsters, business email compromises, and APP fraud.

3. Automation

The adoption of a fully automatable fraud management platform is crucial. Not only does it cut down on human resources devoted to the fraud detection process, but automated solutions can also introduce less friction as they find more useful data that is impossible for a human counterpart to discover – at least within a matter of seconds.

BNPL providers that want to optimize the customer experience for minimal friction should certainly be automating their risk assessment. This way, inspecting identity attributes that aren’t obvious to the naked eye can be detected, and those determinations can then inform the overall risk score, manually defined and supported by machine learning.

4. Education and awareness

Employees throughout the corporate infrastructure should have regular training and awareness of the fraud scams of the day. Software cannot be installed to detect every possible instance of social engineering, even despite how low-tech this method tends to be.

From executives to entry-level staff, anyone with credentials to access sensitive internal data should know things like basic password security, including of course the main tenet: Don’t give your password to anyone.

Methodology

Data found in this index’s images were sourced from ACI Worldwide’s Prime Time for Real-Time report; Cutting the Costs of AML Compliance, published by LexisNexis; Neobanks: The Bumpy Road to Profitability from Aite-Novarica; and the 2023 AFP Payments Fraud and Control Survey Report, which was underwritten by JP Morgan and executed by the Association for Financial Professionals.

Additional statistics came from The World Economic Forum, Retail Banker International, and Oxford Economics. Data was compiled by SEON, informed by our own fraud analysis.

SEON’s latest Global Banking Fraud Index can be read here.

About Jimmy Fong

Jimmy Fong, CCO at SEON, is a young veteran in the fraud detection space. The last three leading fraud and payments startups he has been involved in have been acquired by Visa, Ingenico, and American Express. He’s a regular speaker on disruptive technology in the fintech space and a massive advocate of flattening the tech barrier for merchants and financial institutions to fight fraud effectively. A graduate of Edinburgh University, he looks to marry his passion for tech with doing a bit of good in the world.