By Gemma Staite, Threat Analytics Lead at BioCatch
The financial services industry is dealing with record levels of fraud. According to a recent UK Finance report, fraud offences in 2022 were up 151% compared with those committed in 2018.
The upcoming “scampocalypse” has a few main drivers. The emergence of peer-to-peer payment apps, the sudden shift in labour, and a hastily devised pandemic stimulus plan have all contributed to an increase in scammers. So, why have social engineering bank account scams dramatically increased, and what can financial institutions (FIs) do to stop a scampocalypse?
A beginner’s guide to scams
For banks to address the scam issue, a practical definition of what constitutes a scam is required. Most financial institutions concur that a scam is a social engineering attack intended to deceive the victim into providing crucial information or directly paying the attacker, even though definitions vary depending on who you ask.
It’s helpful to divide the universe of scams into those that exist for the primary purpose of coercing the victim into making a fraudulent payment and those that exist primarily for the purpose of harvesting sensitive information in support of fraud attacks that may take place later. That gives us two categories of scams: Harvesting scams and payment fraud scams.
Harvesting scams – An attacker uses a harvesting scam to trick the victim into disclosing information such as login credentials or financial and personal information. The attacker then holds on to the information to use for future bank account scams — primarily account takeover fraud.
Payment fraud scams – Payment fraud scams, such as authorised push payment (APP) fraud, occur when an attacker coerces a victim into making an authorised bank transfer or sending money in real time over a P2P payment network. Because of the increased acceptance of digital banking and payments, and the convenience with which such payments can be made, this type of scam is flourishing.
Who is responsible if you fall victim to fraud?
Banks are typically the first place scam victims turn to obtain compensation. When the victim phones, the customer support staff at the victim’s bank will take prompt action to stop further financial loss.
APP fraud makes it harder to recover stolen funds if the account owner sent money to someone because of a scam – for example, if they paid a fake invoice or bill. Most banks will agree to repay lost funds voluntarily if a customer falls for a scam. However, the customer may be asked to present additional evidence to prove they are truly a victim. This may include the customer being asked to prove:
- That they obeyed any security warnings sent by the bank
- That they believed the transaction was legitimate
- That they were not acting carelessly when the payment was made
In the UK, where a “scampocalypse” of sorts began in 2013, the APP Contingent Reimbursement Model Voluntary Code, dubbed “The Code,” provides some protection. Recent changes to the reimbursement code, specifically “confirmation of payee” checks, which require a user to input a person’s first and last name and account details before sending them money, may help reduce the impact of scams. In addition, the UK government has stated that legislation will be introduced to help combat this specific type of fraud, but it hasn’t happened yet, and there is still uncertainty about what it will look like.
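To make the confirmation of payee check concrete, here is an added illustration of the name-matching step a sending bank performs before releasing a payment. This is example code written for this article, not any bank’s or BioCatch’s implementation; the account directory is constructed sample data, and the normalisation rules and the similarity threshold are assumptions chosen for illustration. It returns the three outcomes a payer would see (match, close match, no match) and only discloses the registered name on a close match, so the check cannot be used to enumerate account holder names on outright mismatches.

```python
"""Confirmation-of-payee style name check (added example, not a bank's or
BioCatch's code). The payer types a name plus sort code and account number;
the sending bank compares the typed name against the name registered on the
destination account before the transfer is released."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory: (sort_code, account_number) -> registered name.
ACCOUNT_DIRECTORY = {
    ("12-34-56", "12345678"): "Jonathan A. Smith",
    ("65-43-21", "87654321"): "Acme Plumbing Ltd",
}

# Tokens that carry no identity information and are ignored when comparing.
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
COMPANY_SUFFIXES = {"ltd", "limited", "plc", "llp"}

# Assumed similarity threshold below which a name is treated as "no match".
CLOSE_MATCH_RATIO = 0.75


def normalise(name):
    """Lowercase, strip accents and punctuation, and drop titles, company
    suffixes and single-letter initials so that cosmetic differences
    ("Mr", "Ltd" vs "Limited", a middle initial) do not cause a mismatch."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", ascii_name.lower())
    return [t for t in tokens
            if t not in TITLES and t not in COMPANY_SUFFIXES and len(t) > 1]


def check_payee(sort_code, account_number, entered_name):
    """Return (outcome, registered_name_or_None).

    MATCH        -> normalised names are identical
    CLOSE_MATCH  -> similar enough that a typo is likely; the registered name
                    is returned so the payer can confirm it
    NO_MATCH     -> names differ; the registered name is NOT revealed
    """
    registered = ACCOUNT_DIRECTORY.get((sort_code, account_number))
    if registered is None:
        return "ACCOUNT_NOT_FOUND", None
    entered_tokens, registered_tokens = normalise(entered_name), normalise(registered)
    if entered_tokens == registered_tokens:
        return "MATCH", registered
    ratio = SequenceMatcher(None, " ".join(entered_tokens),
                            " ".join(registered_tokens)).ratio()
    if ratio >= CLOSE_MATCH_RATIO:
        return "CLOSE_MATCH", registered
    return "NO_MATCH", None


if __name__ == "__main__":
    for name in ("Mr Jonathan Smith", "Jon Smith", "Jane Doe"):
        print(name, "->", check_payee("12-34-56", "12345678", name))
    print("ACME Plumbing Limited ->", check_payee("65-43-21", "87654321", "ACME Plumbing Limited"))
```

The point of the check for scam prevention is the NO_MATCH branch: a victim who has been given a “safe account” by a caller impersonating their bank will usually have been told a plausible name that does not belong to the mule account, and the mismatch is an opportunity to warn them before the money leaves.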
The PSR (the UK Payment Systems Regulator) wants the payments industry to change the way it manages APP scams. The measures being proposed include:
- Requiring reimbursement in all but exceptional cases – so more victims will get their money back.
- Improving the level of protection for APP scam victims – so there is greater consistency in protections for all victims, irrespective of who they bank with.
- Incentivising banks and building societies to prevent APP scams – because responsibility for allowing fraudulent payments lies with both the sending and receiving banks or building societies.
The issue of accountability
The question of accountability does not have a straightforward solution. In the UK this year, victims in 73% of bank and credit account fraud cases, 64% of advance fee fraud cases, and 46% of consumer and retail fraud cases received full compensation.
While there may be no legal consequences for FIs who refuse to refund a victim following a payment fraud scam, it severely damages the faith that customers hold in them. In addition to being robbed, falling prey to a scam causes tremendous emotional damage, which is only made worse when a victim calls their bank and is told they will not be reimbursed. It adds a feeling of betrayal to an already terrible situation. Ignoring this issue only sets FIs up for failure in the long run; the industry is based on trust, and customers will leave their FI for another if they don’t feel their money is being protected.
Preventing the Scampocalypse
While the prospect of a “scampocalypse” is terrifying, there are strategies available to avoid even real-time scams, allowing institutions to protect their consumers from becoming victims. Behavioural biometrics is a preventative measure implemented by FIs that can be used to detect social engineering scams.
Since a person under duress behaves differently than one banking under normal conditions, behavioural biometric models can pick up on those differences and help prevent payment fraud scams as they happen. It’s critical to remember that there is a human element to this problem. Some customers stand to lose their life savings to one of these attacks. In an industry where trust is everything, it makes sense for FIs to get ahead of the problem and do their best to prevent their customers from becoming victims.
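The following is an added toy example of the idea in the paragraph above, written for this article; it is not BioCatch’s model or any product code. It assumes four hypothetical per-session behavioural features (typing cadence, long idle pauses, time spent on the payment form, and how fragmented the typing is, as happens when someone is reading details out to the customer over the phone), builds a baseline from a customer’s own earlier sessions (constructed sample values), scores a new session by how far it departs from that baseline in the direction consistent with coaching, and maps the score to a defender action: allow, step up verification, or hold the payment and contact the customer.

```python
"""Toy duress detector for a payment session (added example, not BioCatch's
model). Each session is summarised by a few behavioural features; a new
session is compared with the same customer's historical baseline using
per-feature z-scores. Only deviations in the "slower, more hesitant, more
fragmented" direction count, because that is the pattern the paragraph
describes for a customer acting under a scammer's instructions."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    inter_key_ms: float       # mean gap between keystrokes while filling the payment form
    pauses_over_5s: int       # idle gaps longer than 5 s during the payment journey
    form_seconds: float       # total time spent on the payment form
    segmented_typing: float   # fraction of fields typed in short bursts (dictated input)


FEATURES = ("inter_key_ms", "pauses_over_5s", "form_seconds", "segmented_typing")
Z_CLIP = 4.0          # cap each feature's contribution so one outlier cannot dominate
STEP_UP_AT = 5.0      # assumed thresholds on the summed score
HOLD_AT = 10.0

# Constructed baseline: eight ordinary sessions for one customer.
BASELINE = [
    Session(180, 0, 40, 0.125), Session(200, 1, 50, 0.25),
    Session(190, 0, 45, 0.125), Session(210, 0, 55, 0.25),
    Session(200, 1, 50, 0.125), Session(180, 0, 40, 0.25),
    Session(190, 0, 45, 0.125), Session(210, 0, 55, 0.25),
]
# Constructed test sessions: a normal one, a mildly unusual one, and one that
# looks like someone typing what a caller tells them, with long pauses.
NORMAL = Session(195, 0, 48, 0.1875)
MILD = Session(215, 1, 60, 0.25)
COACHED = Session(320, 6, 240, 0.75)


def zscores(history, current):
    """Per-feature z-score of `current` against the customer's own history."""
    scores = {}
    for feature in FEATURES:
        values = [getattr(s, feature) for s in history]
        mu = mean(values)
        sigma = pstdev(values) or 1e-9   # guard against a constant feature
        scores[feature] = (getattr(current, feature) - mu) / sigma
    return scores


def duress_score(history, current):
    """Sum of clipped positive z-scores: deviations towards slower, more
    hesitant and more fragmented behaviour. Faster-than-usual sessions do
    not raise the score."""
    return sum(max(0.0, min(Z_CLIP, z)) for z in zscores(history, current).values())


def assess_session(history, current):
    """Map the score to an action a bank's fraud team could act on."""
    score = duress_score(history, current)
    if score >= HOLD_AT:
        decision = "HOLD_AND_CONTACT"   # pause the payment and call the customer
    elif score >= STEP_UP_AT:
        decision = "STEP_UP"            # extra warning or verification before release
    else:
        decision = "ALLOW"
    return {"decision": decision, "score": round(score, 3)}


if __name__ == "__main__":
    for label, session in (("normal", NORMAL), ("mild", MILD), ("coached", COACHED)):
        print(label, assess_session(BASELINE, session))
```

Two design choices matter for a real deployment and are visible here in miniature: the baseline is the customer’s own history rather than a population average, because the signal is “this person is behaving unlike themselves”, and the model is one-sided, so a customer who happens to be quicker than usual is never penalised. A production model would use many more features and a learned scorer, but the defender’s decision surface (allow, step up, hold and contact) is the same.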
Whether or not regulatory actions influencing reimbursement models are undertaken, banks can be proactive in resolving the scam problem before it negatively impacts customers. The only certainty is that FIs and customers will have to work together to avert a total scam catastrophe.