The financial services industry is facing an unprecedented amount of scam activity. In a recent survey by Aite-Novarica Group, 94% of fraud executives reported that consumer scam attacks were on the rise, with 28% stating the amount grew by 25% or more between 2021 and 2022.
Two key factors are behind the impending “scampocalypse.” The introduction of P2P payment apps has opened a new avenue for scammers, and the sudden displacement of workers and a quickly applied stimulus strategy at the start of the pandemic have caused scammers’ ranks to swell.
In a recent webinar, we spoke with Trace Fooshee, Strategic Advisor of Fraud & AML at Aite-Novarica, about what’s driving the sudden uptick in social engineering bank account scams and what financial institutions (FIs) can do to stop a scampocalypse scenario.
What is a “scam?” Scamming methods in 2022
Before banks can address the scam problem, we need a functional definition of what qualifies as a scam. While the definition varies based on who you ask, most FIs agree that a scam is a social engineering attack that aims to get the victim to divulge sensitive information or send money to the attacker directly.
From there, Fooshee explained that “it’s helpful to divide the universe of scams into those that exist for the primary purpose of coercing the victim into making a fraudulent payment and those that exist primarily for the purpose of harvesting sensitive information in support of fraud attacks that may take place at a later time.”
That gives us two categories of scams: Harvesting scams and payment fraud scams.
In a harvesting scam, an attacker tries to get the victim to divulge information such as login credentials or financial and personal data. The attacker then holds on to the information to use for future bank account scams — primarily account takeover fraud.
Payment fraud scams
Payment fraud scams, like authorized push payment (APP) fraud, occur when an attacker coerces a victim into initiating an authorized bank transfer or sending them money over a P2P payment platform in real time. This type of scam method is flourishing because of the rapid adoption of digital banking and payments and the ease with which it can be done.
What does the law say about bank account scams?
The first place scam victims usually turn for reimbursement is their bank. But in the U.S., there’s not much in the way of consumer protection for people who’ve been scammed.
For harvesting scam victims, the Consumer Financial Protection Bureau (CFPB) has stated that Regulation E indicates that banks should shoulder the responsibility for harvesting scams in situations where the customer isn’t the one actually making the decision to transfer funds. This is a recent move, which Fooshee says will cause “many FIs with restrictive conditions for reimbursing unauthorized payment claims” to make “substantive changes to those policies or prepare to defend them.”
For payment fraud scams, where the transfer is technically “authorized” by the user, there are currently no applicable laws holding banks accountable. The decision is largely left up to FIs.
In the UK, where a “scampocalypse” of sorts began in 2013, the APP Contingent Reimbursement Model Voluntary Code, dubbed “The Code,” provides some protection. Recent changes to the reimbursement code, specifically “confirmation of payee” checks, which require a user to input a person’s first and last name and account details before sending them money, may help reduce the impact of scams. In addition, the UK government has stated that legislation will be introduced to help combat this specific type of fraud, but it hasn’t happened yet, and there is still uncertainty about what it will look like.
What’s the solution and who’s responsible for implementing it?
The question of responsibility doesn’t have a clear answer. In the case of a payment fraud scam, customers expect to be reimbursed by their FI for the money they lost. But only 6% of the banks surveyed by Aite-Novarica reported that their intention is to reimburse all scam victims, while 30% said they generally don’t reimburse scam victims, and the remaining 64% reimburse on a case-by-case basis.
While the aforementioned action from the CFPB indicates that victims may have some legal recourse in the case of harvesting scams, there’s nothing outside of an FI’s written terms and conditions governing how they handle payment fraud scams. At the time of this writing, whether or not to protect customers from payment fraud scams in the U.S. is up to FIs.
Taking control of the narrative — the case for customer trust
While there may not be any legal ramifications for FIs that choose not to reimburse a victim after a payment fraud scam, that choice greatly harms the trust that customers place in them. In addition to being robbed, falling prey to a scam causes tremendous emotional damage, which is only made worse when a victim calls their bank and is told they will not be reimbursed. It adds a feeling of betrayal to an already terrible situation. Ignoring this issue only sets FIs up for failure in the long run; the industry is based on trust, and customers will leave their FI for another if they don’t feel their money is being protected.
Although it’s unlikely that banks will reimburse every instance of fraud, Fooshee points out that they will likely need to change their stance soon. A mixture of proactive communication to make sure that customers understand the dangers of scams and better reimbursement policies could bring FIs and their users together on the issue.
How BioCatch is changing the story
While the threat of a “scampocalypse” is daunting, the tools exist to prevent even real-time scams, enabling banks to prevent customers from ever falling victim. BioCatch has proven that behavioral biometrics presents a viable route to stop social engineering scams. Since a person under duress behaves differently than one banking under normal conditions, our models catch on and help prevent payment fraud scams as they happen.
It’s critical to remember that there is a human element to this problem. Some customers stand to lose their life savings to one of these attacks. In an industry where trust is everything, it makes sense for FIs to get ahead of the problem and do their best to prevent their customers from becoming victims.
It’s not the end of the world — yet
Whether regulatory actions that could impact reimbursement models come about or not, banks can be proactive about getting ahead of the scam problem before it negatively affects customers. The only thing that’s certain is that FIs and customers will have to work together to prevent a scampocalypse.
Watch the full webinar to get more insights into the scamming methods we’re seeing in 2022 and what can be done to stop them.
If you’re interested in the full research, download the Aite-Novarica Group report, On the Precipice of the Scampocalypse.