As banks opened up mobile payments to higher-value transactions, especially during the COVID-19 pandemic, they created the perfect storm pushing fraud to mobile apps. Many banks are using fraud detection tools that are less sophisticated than, or not properly suited to, protecting newer methods of processing payments. Cybercriminals have seized on this, and banks around the world have seen a dramatic increase in social engineering scams such as authorised push payment fraud (APP fraud).
In a recent webinar, we spoke with Paul Davis, the Director of Fraud at TSB, a large retail bank in the United Kingdom, about combating social engineering and APP fraud and key industry challenges financial institutions will face in 2022. Here’s what Davis had to say, and ideas for how to strengthen your response.
Authorised Push Payment Scams: 2022 Trends
In the era of mobile attacks, authorised push payment fraud is taking a spot front and center in the threat landscape. APP fraud is a kind of real-time social engineering scam where an attacker contacts a target, typically over the phone, and convinces them to log into a genuine bank account and make a transfer to the attacker. These attacks are expensive: in 2020 alone, the UK experienced £479M worth of losses due to APP fraud, averaging over £7K per victim.
According to Paul Davis, Director of Fraud at TSB, mobile payments are making these scams easier and more lucrative than ever before. “They’ve been widely adopted by consumers. The volume of these faster payments is incredible. They’re great for consumers because you can pay bills, pay friends instantaneously. But, they’re great news for fraudsters as well because they enable them to move money quickly.”
Davis does not expect these attacks to disappear anytime soon; if anything, he expects them to spread. However, the news is not all bad. He also expects some improvements around understanding and response.
Increased Activity in Online English-Speaking Countries
Davis cites the high adoption of mobile payments and social media in the UK as a driver, and also the use of the English language by global cybercrime gangs. “You probably want to choose English as a language to commit your crimes in, given how widely it is spoken around the world.”
Davis also cites the volume of crime versus law enforcement’s comparatively low ability to actually catch the people committing it. Davis has seen similar trends in other English-speaking countries such as Australia and Canada and expects them to gather steam.
No matter what, banks have a strong incentive to prevent APP fraud. “It’s the right thing to do. It’s in no bank’s interest to have one of its customers fall victim to a crime,” Davis said, noting that an affected customer can suffer emotional distress and may feel their relationship with the bank affected badly enough that they switch banks.
However, it goes beyond the interest of individual banks or customers. Oversight bodies have already turned their attention to APP fraud. The Contingent Reimbursement Model (CRM) lays out best practice for protection and response and also sets out standards for reimbursing customers who are not to blame for scams. However, many banks and fintech firms have not signed up for it yet, and Davis notes that the document remains subjective. Questions remain over whether customers who have been given fraud warnings should be reimbursed, and what level of care a customer should demonstrate in order to be entitled to a reimbursement – and this has led to a refund rate of just 49% of all fraud losses. “What we’ll see is greater regulatory intervention of some kind in that debate in the future,” states Davis, and the percentage of reimbursement remains to be determined after this intervention.
Social Media Advertising Restrictions
With social media usage being one of the drivers of APP scams, Davis sees some optimism around social media companies becoming more responsible. In the UK, Google now requires companies that are advertising financial products or services to show that they are regulated. Davis was skeptical of this rule at first but has noted an effect. “We haven’t had a TSB report of a customer falling victim to an investment scam via a Google search where a payment was made after those initial controls came in.” From this, Davis sees reason for optimism that there will be more forward-thinking ways for tech companies, telcos, and banks to address scam activity.
How to Protect Your Business and Customers
Fortunately, you can protect your business and customers against APP fraud, bank transfer scams and other social engineering attacks, even as you adopt modern mobile payment technology for common tasks like paying invoices. Combating most cyber threats requires a defense-in-depth approach.
“I think the behaviours all of us need to be looking to embed in consumers are not so much around not using email or SMS at all, but around checks and balances that consumers then follow to actually make the payment,” Davis said.
Practical controls for mobile transactions include having the customer verify a supplier’s details through a channel other than the inbound phone call that prompted the payment, and wrapping Confirmation of Payee (CoP) checks around the payment so the user can see whether the name on the destination account matches the payee they intended. And, though CoP is often implemented as a yes-or-no binary at the time of payment, it should be woven more widely into an anti-fraud program.
“We need to start better integrating Confirmation of Payee into our risk engines, and using it to detect anomalous payments,” Davis said. This, along with other data including transaction analytics and behavioural biometrics, can build a richer analytical picture of whether payments are legitimate or fraudulent. That can, in turn, improve future detection and decision making.
Implementing real-time fraud detection is also an important step toward preventing APP fraud losses. BioCatch can help detect social engineering fraud in real time, with behavioural biometrics. BioCatch has separate models tailored for social engineering scams and account takeover and continues to tune both based on behavioural indicators from actual activity. The platform uses machine learning to understand multiple indicators including session length, segmented typing, hesitation, and displacement, providing a stronger assessment of the likelihood of fraud than from individual indicators. In addition, BioCatch gives banks and businesses the data insight they need to explain their fraud detection and prevention program effectiveness to senior management, make comparisons to the industry landscape, strengthen their fraud prevention programs, and support their reimbursement decisions.
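The sketch below shows what “integrating Confirmation of Payee into the risk engine” can look like in code, combining the CoP name-match outcome with the kinds of payment and behavioural indicators mentioned above (new payee, amount relative to history, hesitation, session length) into a single risk decision rather than a binary gate at checkout. It is an added illustration, not BioCatch, TSB or Pay.UK code: the name-normalisation rules, the feature weights, the thresholds and the two constructed scenarios are all assumptions chosen for the example.

```python
"""Illustrative payment risk scoring that treats Confirmation of Payee (CoP)
as one signal among several, rather than a yes/no check at the moment of
payment. Added example; all rules, weights and thresholds are assumptions."""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass, field
from statistics import median

# Tokens ignored when comparing names (assumed list, not the UK CoP scheme's actual rules).
_NOISE = {"mr", "mrs", "ms", "miss", "dr", "ltd", "limited", "plc", "llp", "and", "&"}


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and drop titles/company suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _NOISE)


def cop_match(intended: str, account_holder: str, close_threshold: float = 0.8) -> str:
    """Compare the payee name the customer typed with the name the receiving bank
    reports for the account. Returns 'match', 'close_match' or 'no_match'."""
    a, b = normalise_name(intended), normalise_name(account_holder)
    if a == b:
        return "match"
    ratio = difflib.SequenceMatcher(None, a, b).ratio()  # 0.0 .. 1.0 similarity
    return "close_match" if ratio >= close_threshold else "no_match"


@dataclass
class Payment:
    payee_account: str            # destination sort code + account number
    payee_name_entered: str       # what the customer typed
    payee_name_on_account: str    # what CoP returned from the receiving bank
    amount: float
    hesitation_ms: int            # assumed behavioural signal: pause before confirming
    session_seconds: int          # assumed behavioural signal: total session length


@dataclass
class CustomerHistory:
    known_payees: set = field(default_factory=set)
    past_amounts: list = field(default_factory=list)


def score_payment(p: Payment, h: CustomerHistory) -> tuple[int, list[str]]:
    """Additive risk score with the reasons that fired. Weights are assumptions."""
    score, reasons = 0, []
    cop = cop_match(p.payee_name_entered, p.payee_name_on_account)
    if cop == "no_match":
        score += 40; reasons.append("cop:no_match")
    elif cop == "close_match":
        score += 15; reasons.append("cop:close_match")
    if p.payee_account not in h.known_payees:
        score += 20; reasons.append("new_payee")
    if h.past_amounts and p.amount > 3 * median(h.past_amounts):
        score += 20; reasons.append("amount_outlier")
    if p.hesitation_ms > 10_000:          # long pause: someone may be talking them through it
        score += 15; reasons.append("long_hesitation")
    if p.session_seconds > 1_200:         # unusually long session for a single payment
        score += 10; reasons.append("long_session")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action; thresholds are assumptions."""
    if score >= 60:
        return "hold_for_callback"
    if score >= 30:
        return "step_up_warning"
    return "allow"


if __name__ == "__main__":
    # Constructed data: a customer with one regular payee (rent) and small everyday payments.
    history = CustomerHistory(known_payees={"20-00-00 12345678"},
                              past_amounts=[850, 45, 850, 120, 850])
    # Scenario 1 (constructed): coached over the phone to pay "HMRC" into a personal account.
    scam = Payment("40-00-00 87654321", "HMRC", "J Smith", 6500.0, 25_000, 1_800)
    # Scenario 2 (constructed): the usual rent payment, company suffix spelt differently.
    rent = Payment("20-00-00 12345678", "Acme Lettings Ltd", "ACME LETTINGS LIMITED", 850.0, 1_500, 90)
    for label, p in (("scam", scam), ("rent", rent)):
        s, why = score_payment(p, history)
        print(f"{label}: score={s} decision={decide(s)} reasons={why}")
```

The point of the structure is that a CoP “no match” on its own only produces a warning in many deployments, whereas here it raises the score enough that, combined with a first-time payee and an out-of-pattern amount, the payment is held for a callback instead of relying on the customer to heed an on-screen message. The reasons list is what would be logged for later analysis and to support reimbursement decisions.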
“The lesson I’ve learned from tackling Authorised Push Payment,” Davis said, “is it’s got to be a holistic approach if you want to actually make a difference. And banks and other companies need to take the lead in stopping the fraud happening, rather than just hoping that a warning or a right message will be enough to stop the scam. These are smart people falling victim to sophisticated scams.”
Learn More About Preventing Social Engineering Scams
Hear the whole conversation between Paul Davis, Director of Fraud at TSB, and Iain Swaine, the Director of Global Advisory at BioCatch in this on-demand webinar or download the white paper, Spot the Impostor: Tackling the Rise in Social Engineering Scams, for more information on the range of tactics at your fingertips to protect customers.