Imagine keeping your house locked, only for burglars to break in. When you report the crime, law enforcement tells you it's your fault for not having an "unbreakable" lock. Disturbingly, this victim-blaming mindset is still held by some senior politicians, police officers, and esteemed citizens for many crimes in society, citing a victim's "behaviour," "attire," or “choice of company” as the cause.

This harmful mentality extends beyond personal crimes to digital crimes such as financial frauds and scams, where victims are frequently blamed for losing their hard-earned money. If governments fail to put protections in place and society is quick to blame a victim, it should come as no surprise when organizations are not scrambling to help victims who lose their hard-earned money to fraudsters.

It is well-known that victims of digital crime have a much lower rate of reporting than victims of other crimes. According to a study of online fraud victims conducted by Scamwatch, the difficult experience and lack of support are primary reasons. Many victims who attempted to report the crime found themselves bounced around to different agencies, with some even refusing to take a report. Victims cited that the reaction by authorities heightened the level of trauma they were already experiencing.

Who is responsible and for what?

I am not saying that customers are not responsible for safeguarding their accounts, including credentials, chequebooks, and debit/credit cards, but if a customer does all of that and still loses money, is the customer still to blame? Should there be different considerations when a customer might be socially engineered, scammed, and unknowingly have their credentials compromised?

There is no lack of examples where customers are tricked into sending money to scammers. From bank and law enforcement impersonation including “digital arrests” to investment scams, customers are constantly being targeted. And technology is making it easier for scammers to gain access to credentials and socially engineer victims. A recent study showed the use of “smart” algorithms was able to crack 45% of passwords in less than a minute. AI-generated deepfakes that can mimic a person’s face and voice have already been used to commit fraud.

While scams remain a problem for banks and consumers globally, emerging markets, such as regions in Southeast Asia, are particularly vulnerable because of limited government oversight and low consumer awareness of digital threats. Absent any clear mandate on scam reimbursement policy, many of these cases end up in court, and decisions usually favour the victim. By the time that happens, the cost of reimbursement has increased substantially once legal costs, management time, interest, and court-imposed penalties are taken into account.

The questions of who is responsible, and for what, do not have easy answers. However, we must recognize that customers have limited tools at their disposal, unlike the companies, which hold a great deal of information about the customer, the device, and the transaction. If they use all of that information, they can certainly do a better job of protecting the customer.

Verification and authentication processes have gaps

Usually, organizations validate transactions through “what the customer knows” and “what they have,” missing a very important part of the verification process: “who they are.” This is where biometric information comes in. Some organizations wrongly assume that biometric verification performed at the device level proves who the customer is. That is a misconception: a device biometric proves only that whoever enrolled a fingerprint or face on that device is holding it now, not that this person is the cardholder.

Consider one example where a fraudster, using their own device, registers a customer's card in Apple Pay or Google Pay (a process also known as tokenization) after obtaining the customer's credentials through social engineering. At registration, the bank approves the card linkage on the strength of a one-time OTP or similar check, which is NOT repeated for subsequent transactions from that same device. Fraudsters prefer this because they do not have to social engineer the customer for each transaction: they do it once, and then keep transacting, authenticating with the biometric on their own phone. Technically, each payment appears to be a biometric-verified transaction, but it is the fraudster's biometric that gets verified. Under this modus operandi, the card is tokenized on a single OTP verification by the card issuer, and every subsequent verification relies on the device's biometric, without ensuring it is the customer and not the fraudster.
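To make the gap concrete, here is an added simulation (not code from any bank, wallet provider, or this blog) of an issuer authorizing wallet payments under two policies. The naive policy trusts the device biometric on every payment after a single OTP at provisioning, which is the pattern described above. The hardened policy treats a token provisioned on a device the cardholder has never used as untrusted for a window after provisioning and, once cumulative spend crosses a limit, demands step-up confirmation through a channel the enrolling device cannot satisfy. The class names, thresholds, device identifiers, and timestamps are all assumptions constructed for the example.

```python
"""Card tokenization: naive vs hardened authorization (added illustration).

Assumptions: the issuer already knows which devices each card has been
used from, and can reach the real cardholder out of band for step-up.
Thresholds and sample data are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

STEP_UP_WINDOW = timedelta(hours=72)   # assumption: how long a fresh token counts as "new"
NEW_DEVICE_CUM_LIMIT = 200.0           # assumption: spend allowed on an unknown device before step-up


@dataclass
class Token:
    token_id: str
    card_id: str
    device_id: str
    provisioned_at: datetime
    spent_since_provisioning: float = 0.0


@dataclass
class Issuer:
    # card_id -> devices the cardholder has previously transacted from (assumed history)
    known_devices: dict[str, set[str]] = field(default_factory=dict)
    tokens: dict[str, Token] = field(default_factory=dict)

    def provision(self, token_id: str, card_id: str, device_id: str,
                  otp_ok: bool, now: datetime) -> bool:
        """One-time OTP check at wallet registration; a phished OTP passes here."""
        if not otp_ok:
            return False
        self.tokens[token_id] = Token(token_id, card_id, device_id, now)
        return True

    def authorize_naive(self, token_id: str, amount: float,
                        device_biometric_ok: bool, now: datetime) -> str:
        """Pattern from the text: after provisioning, the device biometric is enough."""
        tok = self.tokens.get(token_id)
        if tok is None or not device_biometric_ok:
            return "DECLINE"
        tok.spent_since_provisioning += amount
        return "APPROVE"   # never re-verifies that the biometric belongs to the cardholder

    def authorize_hardened(self, token_id: str, amount: float,
                           device_biometric_ok: bool, now: datetime,
                           customer_confirmed: bool = False) -> str:
        """Device biometric still required, but a token on a never-seen device is
        limited until the cardholder confirms it through an independent channel."""
        tok = self.tokens.get(token_id)
        if tok is None or not device_biometric_ok:
            return "DECLINE"
        new_device = tok.device_id not in self.known_devices.get(tok.card_id, set())
        fresh = now - tok.provisioned_at < STEP_UP_WINDOW
        if new_device and fresh and tok.spent_since_provisioning + amount > NEW_DEVICE_CUM_LIMIT:
            if not customer_confirmed:
                return "STEP_UP"   # confirm with the cardholder, not with the enrolling device
            # confirmation received out of band: the device can now be trusted for this card
            self.known_devices.setdefault(tok.card_id, set()).add(tok.device_id)
        tok.spent_since_provisioning += amount
        return "APPROVE"


def run_scenario() -> dict[str, list[str]]:
    """Fraudster provisions the victim's card on their own phone with a phished OTP,
    then makes three payments. Returns the decisions under each policy."""
    t0 = datetime(2024, 1, 1, 9, 0)          # constructed timestamp
    amounts = [50.0, 120.0, 400.0]           # constructed purchases
    results: dict[str, list[str]] = {}
    for policy in ("naive", "hardened"):
        issuer = Issuer(known_devices={"card-1": {"dev-customer"}})
        issuer.provision("tok-1", "card-1", "dev-attacker", otp_ok=True, now=t0)
        auth = issuer.authorize_naive if policy == "naive" else issuer.authorize_hardened
        results[policy] = [
            auth("tok-1", amt, True, t0 + timedelta(minutes=10 * i))
            for i, amt in enumerate(amounts)
        ]
    return results


if __name__ == "__main__":
    for policy, decisions in run_scenario().items():
        print(f"{policy:9s} {decisions}")
```

Under the naive policy all three payments are approved because the fraudster's own fingerprint satisfies the device check every time. Under the hardened policy the third payment returns STEP_UP: the token is only minutes old, the device has never been seen for this card, and cumulative spend has crossed the limit, so the issuer must reach the real cardholder before approving. The thresholds are illustrative; what matters is that trust in a new device is earned through the cardholder, not assumed from a single OTP.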

My bank is like my mother

Thinking back on my experiences as a practitioner, I remember one customer with whom I interacted after he lost money and reported the fraud to the organization after three months. I always remember his words, “I trusted the bank like my mother and assumed my money was safe.” This is how much trust customers put in their financial institution. Maintaining that trust should be a top business priority.

Organizations should design customer journeys so that verification and authentication processes can detect and prevent the compromise of customer credentials and identify scams in progress, before a payment is sent and the damage is done. For more information and recommendations on securing the customer journey, refer to my previous blogs below:

Improving Payment Security

Why Payment Security Should Start at Onboarding

Preventing Account Takeover

Account Takeover: From Bollywood to Hollywood, Even Celebrities Are Not Immune from Fraud
