A few months back, I wrote a white paper on additional changes that banks can deploy today to help mitigate Zelle scam losses.  As a large portion of Zelle fraud is attributed to bank impersonation scams where the transaction is done by the customer at the direction of the fraudster, there is a huge opportunity for banks to rethink consumer education by providing more effective alerts to the customer during the transaction process. 

Recently, a customer was denied reimbursement in the UK for a scam, with part of the reason cited as the customer “overlooked a generic pop-up warning on the payments page that says requests for money may be a scam.” 

Consumer education has to be impactful in preventing scams, but the way the industry has been doing it for years is clearly not working.  In thinking about how a typical authorized payment scam works, there are many ways to effectively introduce warnings to a customer. Here are a couple of examples from my recent white paper:

  • Smart education close to the transaction. For example, introduce an interactive educational message for the first new payee or when a new payee is set up. This education should be based on the psychology of influence.  
  • Transaction nudges. This is a message to the customer at the time of a transaction where the bank sees something anomalous about the transaction. The message might read, “Do you know the person you are sending this payment to?” The point is to get the customer to stop and think.

Recently, the Wall Street Journal published a very interesting article entitled "Why Do We Fall for Hackers? Blame our Brains." It was written by Anthony Vance and C. Brock Kirwan from the Neurosecurity Lab. They basically said stop adding security warnings all over the place because the way our brains work, people just aren't 'seeing' them. Instead, the researchers suggest we need to think about how the brain really works and build prompts around that. This is probably why the scam victim mentioned above ignored the generic warning message on the screen. If we take a new approach to building these warnings, it could truly have a real-time influence on customers who are in the process of being scammed.

So, what are the researchers really talking about? Well, first off there is a bunch of brain science that I am going to skip. You, however, should read it at the Neurosecurity Lab. The first point the researchers make is that humans are simply not good at multi-tasking (as much as some of us like to think we are). Consider a customer who is in the midst of a scam and being directed to complete a transaction by a fraudster. The person is likely under stress, so introducing a security pop-up at the same time will only cause them to ignore the warning, as they are focused on completing the transaction. Instead, the researchers suggest that once the customer has completed the transaction, it might then be best to bring up a warning (with the bank knowing the transaction is being held until the customer responds to the warning message). So, transaction first, then warning message.

The second point is that the warning messages must not look and feel like every other pop-up we see on our device.  The researchers state “when people get used to security warnings, (there is) a neural process called habituation (warning fatigue).” This can happen almost immediately.  So essentially, a bank that creates a good warning message, but uses the same message and format again and again, has created what becomes an invisible message.  No wonder the customer listening to the scammer just plows ahead.  To address this problem, the researchers recommend significant changes to the warning messages, such as “making warnings all red, adding an exclamation point or jiggling the warning.”  Perhaps even changing the location of the pop-up.

Another suggestion is to make security warnings interactive. Force the customer to interact with the message in some way. Maybe they have to click every warning phrase or move a slider on the message to acknowledge they read it. In studying the impact of a slider, the researchers “compared a standard click-to-dismiss warning with one where people had to use an on-screen slider to respond. The warning with the button was 2.8 times more likely to be disregarded after a series of notifications. By contrast, the warning with the slider was no more likely to be disregarded after a series of notifications.”

From a programming standpoint, this means more creativity and logic around deploying warning messages.  Plus, the look and feel of the security warnings should be varied and different from other system warning messages shown to the user.
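The three ideas above (transaction first with a hold, a warning whose look keeps changing, and a slider instead of a click-to-dismiss button) can be combined in one small piece of client logic. The sketch below is an added example, not code from the white paper or from the researchers; every name in it is hypothetical, and treating a new payee as the anomaly that triggers the hold is an assumption.

```javascript
// Added example: hold-then-warn flow with varied, interactive warnings.
// All names and style values are hypothetical, chosen for illustration.
const STYLES = [
  { color: "red", icon: "!", position: "top", motion: "none" },
  { color: "red", icon: "!", position: "center", motion: "jiggle" },
  { color: "amber", icon: "?", position: "bottom", motion: "none" },
  { color: "red", icon: "stop", position: "center", motion: "none" },
];

function createWarningFlow({ styles = STYLES, avoidLast = 2, rng = Math.random } = {}) {
  const keep = Math.min(avoidLast, styles.length - 1); // always leave one style free
  const recent = [];       // indexes of the most recently shown styles
  const held = new Map();  // paymentId -> payment waiting on the customer

  // Counter habituation: never reuse a style from the last `keep` warnings.
  function nextStyle() {
    const fresh = styles.map((_, i) => i).filter((i) => !recent.includes(i));
    const idx = fresh[Math.floor(rng() * fresh.length)];
    recent.push(idx);
    if (recent.length > keep) recent.shift();
    return styles[idx];
  }

  // The customer completes the payment screen first. An anomalous payment
  // (assumption: a new payee) is held, and only then is the warning shown.
  function submit(payment) {
    if (!payment.newPayee) return { status: "sent" };
    held.set(payment.id, payment);
    const text = "Do you know the person you are sending this payment to?";
    return { status: "held", warning: { style: nextStyle(), text } };
  }

  // Only a slider dragged to the end releases the hold; a click does not.
  function respond(paymentId, interaction) {
    if (!held.has(paymentId)) return { status: "unknown" };
    if (interaction.type === "cancel") {
      held.delete(paymentId);
      return { status: "cancelled" };
    }
    if (interaction.type === "slider" && interaction.position >= 1) {
      held.delete(paymentId);
      return { status: "sent" };
    }
    return { status: "held" };
  }

  return { submit, respond };
}
```

The hold itself has to be enforced on the bank's side; client logic like this only decides what the customer sees and which gesture counts as an acknowledgement.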

Why do these ideas make sense? Well, the researchers at Neurosecurity are sticklers for details. In their testing they simultaneously used eye-tracking data and functional magnetic resonance imaging (fMRI), which is an indirect measure of activity in the brain using changes in blood flow, to observe how the brain is thinking and where the eyes are looking while subjects view warning messages.

As we continue on our quest to offer effective customer education for scams (i.e., stop the scams), we need to remember two key points: 1) the fraudsters are very psychologically savvy and 2) our customers' brains function in a certain way. Providing education through informational emails and generic alerts will not work. Both education and alerts need to be well thought out and created with the help of psychologists (to help influence the customer to react) and neuroscientists (to make the warnings 'visible' to the customer). Our customers are not careless about security. We just need to reach them in a different way.

As a final note, it was just reported that over $629 billion was sent over the Zelle network in 2022, with over 99.9% having no reported fraud or scam activity. But again, that means up to 0.1%, or $629 million, involved fraud or scams.  With scams at about 50% of total fraud activity, that means that up to $300 million of Zelle fraud could be directly attributed to scams.  And Zelle is only one payment rail. Thus, getting the correct and effective scam warning messaging is ever so important and worth spending money to do it right for Zelle and other faster payment transactions (e.g., wires for romance scams).  This is clearly a situation where banks can come together to share the costs of creating and testing these effective messages for customers.

 

 
