The protection of money against theft has always been one of the main reasons for banks’ existence. That trust is what leads people to deposit their money in a bank rather than hold onto it themselves: they perceive it as better protected there than under their mattress. The other pillars which justify the existence of banks are loans (extending credit) and transactions (acting as a trusted clearinghouse).
Physical bank heists nowadays are all but extinct (at least in Europe, and while the U.S. still sees them, the number is down drastically). This doesn’t mean that the safes have become impenetrable, nor that all bank robbers have become choirboys. To quote the infamous American bank robber Willie Sutton, when asked why he stole from banks: “Because that’s where the money is.” Since his time, heists have been virtualised and now tap into the other banking pillar – transactions, taking advantage of the weakest link – customers.
In the past, the bank’s specialists were responsible for the protection of money, by ensuring the security of the safe and by verifying whether a withdrawal was being made by the customer or by an imposter. In the digital world, that responsibility has gradually shifted to the customer. And while great strides have been made in raising public awareness, customers do still need protection. It is way too easy to say that customers should be aware of fraud; they are warned about it, so they are fully responsible themselves. Banks were well aware of bank heists, and were warned about them, but they still happened. A lot.
Let’s face it, veteran police detectives and fraud experts are known to have fallen for scam artists who tricked them into providing the authorisation codes for their transactions, which shows no one is immune to them. Even finance teams at large businesses or banks are not immune to CEO fraud. All humans are susceptible to being scammed if the right trigger is pulled – or when targeted at the right moment of vulnerability. A phone call to a person under stress or using a lure that is similar to something that is happening coincidentally in their lives can cause anyone to fall victim.
I once was the target of a scam attempt in the Forbidden City in Beijing. The two lady scam artists were obviously new to the job, and therefore their attempt was a bit messy which gave me the impression they could be honest. In the end, they were the only ones to lose money, and I got away with a frustrated slap in my face. Scammers don’t have to win every time, they just need to win some of the time.
For scammers, defrauding people is a full-time job, and they are very experienced, especially with their Modus Operandi (MO). Most people might encounter a scammer a few times in their life, and a specific MO once or maybe twice. Criminal versus victim – it is a very uneven battle, and the success rate does not need to be high for fraudsters to make a good living.
Let’s consider a simple example. A fraudster purchases a list of 10,000 user profiles on the dark web containing some basic PII for $100. Even if the fraudster is only able to achieve a 1% success rate and scam each victim out of $915 (average loss per scam victim, according to Javelin Strategy and Research), that is $91,500 – well above the median annual income of most European and American households. Victims would need to win every time for fraud to not be so lucrative – and that is not easy to do even for the best of us.
Customers entrust their bank to keep their money safe, and there is a reasonable expectation that the bank invests in controls to keep that money safe. The question is: to what extent? What is the right balance between customer liability and the bank’s duty of care? Customers do not only expect their money to be safe, but they also want the benefits of the digital era: anytime, anywhere access to their money without disruption or delay. These expectations seemingly conflict with each other. Today, legislation exists for both customer protection as well as duty of care, but like all regulation, these measures take time to be enacted. Fraudsters aren’t bound by these pressures, and thus, the threat landscape is free to continually move on.
How about romance and investment scams? You can argue that they have been around for hundreds, if not thousands, of years and always have been the customer’s responsibility. If a customer voluntarily gives money away, who is the bank to refuse? Yet, digitalisation also radically changed this discipline. It made it way easier to find victims – the whole world is literally a click or call away, and the scalability of these scams is beyond what we could have imagined only a couple of decades ago. Fraudsters nowadays operate call centres to handle all their opportunities, and it is paying off as 1 in 5 consumers reported losing money to a phone scam last year. With tools like ChatGPT and the ability to create deepfakes on the fly, this will only get worse in the future. As a result, banks have become heavily affected as they execute all transactions associated with these scams.
Whatever balance legislators decide on – think of the differences between the UK PSR reimbursement model and European PSD3 – a layered approach has always proven to be the most effective. Here are five layers that are critical to every fraud prevention program.
1. Education. The more customers are aware of what a scam looks like, the less likely they are to fall for it. Also, being proactive and interjecting effective messages as close as possible to the point of transaction when a potential scam is detected can be a powerful way to get a customer to stop and think. Forewarned is forearmed.
2. Device intelligence. If a fraudster initiates the transaction, then it will be from a device under the fraudster’s control. As fraudsters are lazy and reuse the same infrastructure to commit their crimes, it is likely that the device has been seen in previous known fraud attempts. This, and many other indicators, can give away that a fraudster is active.
3. Behavioural intelligence. Looking at the detailed behaviour signals within a session can amplify the signals of device intelligence or dismiss them as genuine. If a customer is conducting the transaction from their own device, behavioural intelligence can uncover powerful cues that show they are acting under the guidance of a fraudster. The combination of layers 2 and 3 improves detection and reduces false positives. Device intelligence can’t detect a scam, whereas behavioural intelligence can.
4. Transaction monitoring. The first rule any fraud detection expert learns is “high amount to a new payee.” It is a great rule but riddled with false positives. Best in class are behavioural detection models using machine learning and/or AI that check if the current transaction fits the known behaviour of the payer and payee. This is best done holistically, looking at all channels a customer uses from multiple angles. Again, the combination of layers 2, 3 and 4 improves detection and reduces false positives.
5. Payee (mule) detection. The defrauded money must go somewhere to end up in the fraudster’s pocket. For every scam, there is a mule on the other end of the transaction. Looking at the detailed behaviour associated with a receiving account is a highly effective way to identify a mule – even before the first payment hits the account. Mule account detection also incorporates layers 2 and 3, but with the lens of a network behind it. The paradox is that this is the last layer, but alongside the first, it is the most preventive, as a transaction can be stopped before it leaves the victim’s account.
There is hardly a bank that doesn’t actively educate its customers and leverage device intelligence and transaction monitoring (layers 1, 2 and 4). This approach works for all kinds of phishing and account takeover but shows limitations for social engineering attacks like bank impersonation scams. It is here that behavioural intelligence (layer 3) shines, as it spots the deviations from normal user activity. Effective mule account detection (layer 5) takes fraud prevention up to an even higher level to help identify some of the most difficult types of fraud, even romance and investment scams. If you can’t detect or stop the payment, you can still prevent it from ever reaching the fraudster’s hands.
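The combination described above, as an added example (not code from the article or from any vendor product): a small scorer that adds up evidence from layers 2 to 5, so that the classic “high amount to a new payee” rule on its own does not trigger a block, while the same payment made from a known-fraud device, or from the customer’s own device while being coached on a call, does. All device ids, account numbers, cue names, weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed reference data (hypothetical identifiers, not from the article).
KNOWN_FRAUD_DEVICES = {"dev-fraud-7781"}           # layer 2: seen in prior confirmed fraud
SUSPECTED_MULE_ACCOUNTS = {"NL00MULE0000000001"}   # layer 5: flagged by mule detection
COACHING_CUES = {"in_call", "long_pauses", "remote_access_tool"}  # layer 3 session signals

@dataclass
class Profile:
    devices: Set[str]      # devices the customer has used before
    payees: Set[str]       # payees the customer has paid before
    typical_max: float     # largest historical payment, the layer-4 baseline

@dataclass
class Payment:
    device_id: str
    payee: str
    amount: float
    session_cues: Set[str] = field(default_factory=set)

def score(p: Payment, prof: Profile) -> Tuple[int, List[str]]:
    """Add up evidence from layers 2-5; each layer explains its contribution."""
    s, reasons = 0, []
    # Layer 2: device intelligence. Reused fraud infrastructure outweighs a merely new device.
    if p.device_id in KNOWN_FRAUD_DEVICES:
        s += 60; reasons.append("device seen in prior fraud")
    elif p.device_id not in prof.devices:
        s += 20; reasons.append("new device for this customer")
    # Layer 3: behavioural intelligence. Cues that the customer is being coached in-session.
    coached = p.session_cues & COACHING_CUES
    if coached:
        s += 15 * len(coached); reasons.append("coached behaviour: " + ", ".join(sorted(coached)))
    # Layer 4: transaction monitoring. The classic rule, weighted rather than decisive on its own.
    if p.payee not in prof.payees and p.amount > 2 * prof.typical_max:
        s += 25; reasons.append("high amount to new payee")
    # Layer 5: payee (mule) detection on the receiving account.
    if p.payee in SUSPECTED_MULE_ACCOUNTS:
        s += 50; reasons.append("payee flagged as mule")
    return s, reasons

def decide(s: int) -> str:
    """Map the combined score to an action; thresholds are illustrative."""
    return "block" if s >= 70 else "challenge" if s >= 40 else "allow"
```

Run `score` on the same 3000.00 payment with and without coaching cues to see layer 3 turn an “allow” into a “challenge” without touching the layer-4 rule.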