In talking about a fraud classification model and fraud/scam data in general, there has been general discussion of the Federal Reserve Bank’s FraudClassifier Model, the Pay.UK Enhanced Fraud Data Standards, the Euro Banking Association (EBA) Fraud Taxonomy, the UK Finance Annual Fraud Report, the annual U.S. IC3 Internet Crime Report, the FTC Consumer Sentinel Report and the Australian ACCC ScamWatch reports. What is interesting is that most of these documents and reports track fraud and scams after the fact. But the newest version of the Pay.UK/UK Finance Enhanced Fraud Data Standards actually talks about creating an API to be used to send transaction information “to identify suspicious payments, or Authorised Push Payment (APP) scams, prior to a credit transfer occurring.”


There is a lot to cover on this topic at one time. So, this will be a blog series, with the first blog focused on the tracking and reporting of financial scams after the fact followed by a discussion of fraud transactions, and possible API interfaces to standardize the reporting of fraud data, in the next blog.


Scams Are Increasing At Least 30% Every Year

 

Financial scams have become a big deal in the past few years. In the UK, fraud from financial scams outpaced traditional card fraud for the first time ever. In the U.S., losses from scams again eclipsed those of traditional identity fraud crimes last year, with an average loss of $915 per identity fraud scam victim, according to the 2023 Identity Fraud Study published by Javelin Strategy and Research.
Here are some of the recent reported statistics from several countries:

Scams are increasing 30-100% per year, depending on which country is discussed.  Most reporting of scams, other than by UK Finance, is done by the consumers themselves to their national government.  And since most consumers are embarrassed or pained by the scams and want to forget them, they do not report them.  This means the scam numbers are probably much higher than reported.


How to Improve Financial Scam Tracking and Reporting


So, what should financial institutions (FIs) be doing about scams? Generally, scam losses do not hit the bottom line of the FI, other than in the UK under the Contingent Reimbursement Model (the ‘Code’) and pending required reimbursement legislation in 2023 for APP scams. In the US, it is expected there will soon be a reimbursement obligation for select Zelle bank impersonation scams for receiving banks. Singapore also has scam reimbursement controls under consideration.


Meanwhile, scams continue to destroy many consumers, financially and emotionally.  I have recently heard of consumers losing hundreds of thousands of dollars, or even over $1 million to pig butchering scams (now better known as Financial Grooming scams to show better respect to the victim).  And financial scams oftentimes impact the FI’s senior citizens where more care is required.


FIs should be adding more controls to help prevent consumer financial scams.  To help justify project expenses to add controls to prevent scams, FIs need to start tracking their customer scam losses to understand how big the problem is for their customers.  


The good news is that to start tracking and reporting on scams, you don’t need a full fraud/scam taxonomy in place.  Let’s look at some of the best reporting. The UK, via UK Finance, has been doing this for several years.  Their reports account for both fraud and scams.  For scams, they report on 8 types of scams as follows:

  • Purchase
  • Investment
  • Romance
  • Advance Fee
  • Invoice
  • CEO/BEC
  • Impersonation Police Bank
  • Impersonation Other

 

The FED FraudClassifier model does not yet get down to the detail level of specific scams.  But, in looking at the UK Finance report, the IC3 report, the Aite-Novarica report by Trace Fooshee, Scams: On The Precipice of Scampocalypse, and the scams I think FIs should include for reporting, here is a more complete list of scams:

  • Advance Fee
  • Business email compromise (CEO email compromise)
  • Employment
  • Grandparent or Loved One (relative in serious trouble-help!)
  • Impersonation: Financial Institution Staff
  • Impersonation: Police, Government, IRS, Utility, other
  • Inheritance/419
  • Investment (includes Financial Grooming/pig butchering and crypto)
  • IT Repairman (also known as Help Desk and Tech Support scams, often involving remote desktop access)
  • Invoice (payment redirection)
  • Lottery Scam
  • Overpayment
  • Payroll Diversion
  • Purchase
  • Real Estate (email scam redirecting money for home sale)
  • Rental Scam
  • Romance
  • Other

There are a number of data fields the FI should collect to help in the mitigation process.  These are some of those fields:

| Data Field | Why Collect |
| --- | --- |
| Scam Incident Number | |
| Date of Report | Having the date allows monthly or annual reporting. |
| Who is Reporting Scam? (customer, FI employee) | |
| Name of Victim | |
| Customer FI ID | |
| Date of Scam Occurrence | |
| Customer Type (consumer, small business, commercial) | |
| Location of Customer, by state (US, Australia and Germany), geographical region (England), province (Canada), region (France) or similar | This may help detect scams by geographic area. |
| Age of Customer | This is important to collect for a general understanding of who scams are affecting and the need for elder abuse awareness. |
| Scam Type | This can be a dropdown field where all of the scam types are listed. |
| How Scam was Detected (online control, call center employee, branch employee, customer) | This helps to understand how FI controls and training are working. |
| Value Amount of Scam (e.g., show in local currency: $, €, £, AU$, S$, ¥, etc.). This is also known as the Total Exposure Amount. | Include one scam event per transaction (e.g., a victim who sent 5 international wires over a six-month period totaling $250,000 would be five separate reporting transactions). Include scams where the FI detected and prevented the scam. |
| Amount Prevented By FI | This is the amount detected by the bank and prevented from being sent. |
| Amount Recovered | This is the amount the FI recovers (via wire hold, crypto subpoena with LE, etc.). |
| Amount Reimbursed | This is the amount of the scam reimbursed by the FI (voluntary or required) to the customer. |
| Net Customer Loss | This is Total Exposure Amount less Amount Blocked, Amount Recovered and Amount Reimbursed. |
| Starting Point of Fraud (phone call, text message, WhatsApp message, Instagram, Facebook, etc.) | It is important to know how the scam began to better understand the scam and how it works. |
| Scam FI Channel (online, branch, call center) | It is important to know where the money movement began. |
| FI Product Used for Scam (cash withdrawal, domestic wire, international wire, faster payment transaction type such as Zelle/UK Faster Payment/FedNow, ACH/Bacs, check, etc.) | It is important to know how money leaves the FI. This can affect how controls/education are defined. |
| Transaction Destination (list the routing code/account number, Zelle token, etc. where money was sent) | This can be used for collaboration reporting. |
| Cash Movement: If a cash withdrawal, where did cash go (e.g., gift cards, crypto ATM, money order, Uber package delivery) | This can help complete the story of the scam. |
| Comment Section | Customer provides additional information about the scam (e.g., I was on a phone call for two hours while scam occurred; after I clicked the link on the popup, I was talking to a Microsoft representative and then a bank official directing me to withdraw funds; I started to get involved romantically then my girlfriend helped me invest in crypto.) FI identifies how scam was detected. |


 

The ideal place to collect this data would be in the fraud investigation case manager platform. But often, the case manager platform is hard-coded, or it can take months to get the vendor to make changes, so the FI may need to create a custom reporting database for this solution. Once this information is collected, the FI can start to understand the magnitude of its customer scam problem (even with just a few months of data).
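As an added illustration (not part of the original post), here is one way such a custom reporting database could enforce the one-event-per-transaction rule and the Net Customer Loss calculation from the table above. The table, column and view names and the sample records are assumptions made for this sketch, and "Amount Blocked" is taken to mean Amount Prevented By FI.

```python
import sqlite3
# Subset of the article's scam types; amounts are integer cents so sums stay exact.
SCAM_TYPES = ("Advance Fee", "Investment", "Purchase", "Romance", "Other")
SCHEMA = f"""
CREATE TABLE scam_event (
    incident_no TEXT PRIMARY KEY,   -- one row per transaction (assumed key)
    customer_id TEXT NOT NULL,      -- Customer FI ID
    report_date TEXT NOT NULL,      -- Date of Report, YYYY-MM-DD
    scam_type   TEXT NOT NULL CHECK (scam_type IN {SCAM_TYPES}),
    product     TEXT NOT NULL,      -- FI Product Used for Scam
    exposure    INTEGER NOT NULL CHECK (exposure > 0),
    prevented   INTEGER NOT NULL CHECK (prevented >= 0),
    recovered   INTEGER NOT NULL CHECK (recovered >= 0),
    reimbursed  INTEGER NOT NULL CHECK (reimbursed >= 0),
    CHECK (prevented + recovered + reimbursed <= exposure)
);
CREATE VIEW scam_monthly AS
SELECT substr(report_date, 1, 7) AS month, scam_type, COUNT(*) AS events,
       SUM(exposure) AS total_exposure,
       SUM(exposure - prevented - recovered - reimbursed) AS net_customer_loss
FROM scam_event GROUP BY month, scam_type;
"""

# Constructed sample: five wires totalling $250,000 from one victim, plus one romance scam.
SAMPLE = [
    ("S-0001", "C-100", "2023-01-10", "Investment", "international wire", 5_000_000, 0, 0, 0),
    ("S-0002", "C-100", "2023-02-14", "Investment", "international wire", 5_000_000, 0, 1_000_000, 0),
    ("S-0003", "C-100", "2023-03-20", "Investment", "international wire", 5_000_000, 0, 0, 0),
    ("S-0004", "C-100", "2023-05-02", "Investment", "international wire", 5_000_000, 0, 0, 0),
    ("S-0005", "C-100", "2023-06-15", "Investment", "international wire", 5_000_000, 5_000_000, 0, 0),
    ("S-0006", "C-200", "2023-06-20", "Romance", "Zelle", 150_000, 0, 0, 50_000),
]

def open_db(rows=()):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO scam_event VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return db

def monthly_report(db):
    """Rows of (month, scam_type, events, total_exposure, net_customer_loss)."""
    return db.execute("SELECT * FROM scam_monthly ORDER BY month, scam_type").fetchall()

def is_accepted(row):
    """True if the schema's integrity checks accept the row."""
    try:
        open_db([row])
        return True
    except sqlite3.IntegrityError:
        return False
```

The CHECK constraints reject records with an unlisted scam type or with prevented, recovered and reimbursed amounts that exceed the exposure, which keeps Net Customer Loss from going negative in the monthly report.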


There are a number of ways to report this data, and many reports can be produced with this data.  One of the best examples of detailed scam reporting is by the Australian Competition and Consumer Commission (ACCC).  See how they collect the scam data (https://www.scamwatch.gov.au/report-a-scam) and provide reports (https://www.scamwatch.gov.au/scam-statistics).


At some point in the future, it would be worthwhile to share some of this data (maybe excluding recovery, reimbursement and actual customer losses) with other FIs.  If there was truly an industry format to collect this type of information, that would be great.  But so far, only the UK offers such a solution with the UK Finance Annual Fraud Report and the more detailed EBA Fraud Taxonomy for PSD2/3 reporting.


Now is the time for every FI to begin internally tracking and reporting consumer scams in detail.  In some cases, since commercial BEC fraud has been around since 2011, there may be some reporting and mitigation already in place.  With this scam tracking information, the FI can justify the expenditures to help mitigate these scams. 


Remember, financial scam losses are not only a financial risk; they also create reputational risk.  These financial scams generally move money to fraudsters via the FI’s own payment rails or the customer removes a large amount of cash from the local branch.  Having full visibility into the source of scams and subsequent movement of money is the first step in really understanding the scope of the problem.

Additional Resources


Here are some additional resources related to the topic:

Use Your Brain When You Create Scam Warnings for Customers

Identity Theft and the Forgotten Victims

The New and Surprising Role of Receiving Banks in Scam Reimbursement

 
