I recently read a headline that had an all too familiar theme – [consumer] loses [$some amount of money] to fraud via [payment platform]. The article goes on to speak of the evils of banks and payment platforms. Whenever I read these articles, I think to myself, “What if this transaction was cash?” Would the consumer have behaved the same way?
As fraud professionals, we need to look at these situations analytically. The words we use to describe these situations matter. If a nefarious actor purchases login credentials off the dark web and uses the credentials to move money out of an account without any action or knowledge of the account holder, that is an unauthorized transaction. But if the same nefarious actor engages the account holder and convinces them to initiate a transaction, that transaction is authorized. This distinction between unauthorized fraud and authorized fraud is important to recognize and well-articulated in the FraudClassifier Model published by the Federal Reserve.
I’d like to spend a bit of time on the topic of authorized fraud. It is always heartbreaking to read these stories because a real person experienced a real loss. What causes people to react to scammers? How do scammers convince people to act in ways against their best interests? What can be done to help identify these situations and, perhaps, help customers help themselves?
Scams are not new. Research into the psychology of scams – both the scammers and the scammed – goes back decades. Back in 2009 – when the internet was an adolescent, we had just been introduced to “apps,” and instant payments did not exist. Vaughn Bell penned a piece for Mind Hacks summarizing a study done in the UK on the topic. More recently, in 2018, Stacey Wood from Scripps College summarized research done by her and colleagues on the topic. Both pieces pre-dated instant payments and the prevalence of SMS and voice as channels for scammers.
And the stakes are indeed high for financial institutions. According to the 2023 Identity Fraud Study by Javelin Strategy & Research, 41% of consumers say they have closed an account because of identity fraud concerns. With the cost of acquisition for financial services averaging over $600 per customer, it is well worth the investment by financial institutions to help prevent customers from falling for scams.
Some common themes emerge from the psychological studies referenced above. A scammer’s basic recipe relies on three predictable scripts to be successful:
- Authority – “We’re from the government and we’re here to help.” Make a statement that appears to be 1) from a party with some control and 2) creates some call to action. These statements are structured to give the attacker some power over the target. Present a scenario with a very high upside or a very low downside.
- Urgency – “Act now or miss this opportunity!” Create the impression that if something is not done immediately, the problem will get worse or the opportunity will disappear. Time is of the essence.
- Action – “Here is what you must to do...” Present a course of action that will deliver a delightful outcome. Follow these instructions and the opportunity will be realized or the problem will be solved.
Scammers will double down on this recipe every time. Everyone reading this article has received emails, text messages, or calls that use this exact recipe. Hopefully, you haven’t responded. But if you did, you would have heard the scammer reinforce their authority, reiterate the urgency, and remind you of the action.
How do targets respond? Why do they react? This comes down to a few different motivations.
- Trust – The scammer is the expert, they know more than I do.
- Fear – The situation is dire. If I don’t do something now, I will truly suffer some harm.
- Greed – This sounds like a great deal! Who wouldn’t do this?
- Lack of knowledge – Some people are just not aware of scams and not in tune with the risky signals.
We cannot stop all consumers from reacting to scammers. The good news here is that data science has shown that people behave differently when they are acting under the influence of another actor. These changes in behavior, however subtle, are detectable. While any one behavior might not be conclusive, signals from a variety of behaviors can provide a strong indication of a person acting under the influence of another.
Think of a parent sending money to a child at university via Zelle. Chances are, this is a transaction that happens frequently. After the first transaction, the motions the parent goes through, the cadence with which they use the bank application, and the pace at which the transaction is completed will be quite consistent.
That same person (the parent) will react quite differently if they are under the influence of a scammer. The pace of the transaction will be much slower. There will be significant pauses or mouse doodling while they wait for instructions. They may put their phone down at times, or they may hold their phone to their ear if they are on the phone with the scammer in the middle of the transaction. Any one of these signals can occur in the course of a normal transaction. But taken together, they can indicate when someone is acting under the influence of another.
Financial institutions CAN help customers when they have fallen for the story presented by a scammer. By understanding a baseline of their typical behavior, a financial institution can recognize when the customer is behaving differently. When risky behavior is detected, they can alert the customer within the transaction flow. They can interrupt the transaction flow. Or they can allow the transaction to be requested but hold the transaction for a period of time.
Further studies have also shown that when a person is questioned contrary to the person in authority (the scammer), they will stop and think. Frequently that moment of thought will be just enough to help the customer slow down, think about what they are doing, and perhaps reach out to someone (perhaps their financial institution) for help.
Protecting customers from scams can come down to determining their intent through behavioral analysis – a difficult but possible task. Establishing a baseline is important, and understanding how your customers behave in the normal course of their lives provides that baseline. Financial institutions pay attention to this information for transactional activity. Why don’t we do the same for behavioral activity?