How can banks protect against a new pandemic of fraud?
As fraudsters increasingly use fake websites, emails, invoices and companies to defraud the public, banks should look at the record of AI to help them protect themselves and their customers, writes Joël Winteregg
The sophistication and volume of phishing attacks is growing day by day, increasing the risk to the public, banks and other financial institutions of falling victim to fraud.
Phishing attacks involve fraudsters using emails and phone calls to obtain personal information including passwords for computers and bank accounts for their own profit. Spear phishing is when these attacks are tightly tailored to individuals, increasing their chances of success.
The rise of spear phishing
A recent Citizen Lab report in the Financial Times found one group called Dark Basin had set up 28,000 web pages since 2017, specifically to facilitate spear phishing attacks. The group had targeted thousands of individuals and organizations including hedge funds, charities and campaigning groups with emails apparently from popular services such as YouTube, LinkedIn and Facebook. The emails contained rogue URLs that insert malware to collect data including personal information such as date of birth as well as passwords, bank details, photographs, e-commerce activity and even career history.
Fraudsters use this information to mount spear phishing attacks to elicit payments from unwitting victims. For example, armed with an individual’s e-commerce history they can send an offer of a refund, asking for bank details so they can pay it. They then use that information to steal cash.
The FT report followed news of a 400 per cent jump in Covid-19 related frauds in the UK between February and March, including ticket, romance, charity and lender loan fraud. Another report in Forbes put the cost of fraud related to the country’s Covid-19 scams at more than $5.6m since lockdown started on 23 March.
This trend is also evident elsewhere. Mobile phishing attacks, for example, jumped 37 percent in the first quarter of 2020 compared with the last quarter of 2019, including spoofed login pages of two Canadian banks – Scotiabank and Royal Bank –coinciding with the spread of Covid-19.
These examples underline what we already know – that fraudsters are quick to jump on crises, knowing that these events increase a banks’ vulnerability to fraud as people adapt their behavior. Chartis Research expects that the area of anti-fraud activity will evolve rapidly in the next few months.
But it is important to remember that crisis-related frauds and those mentioned above are not the only threats facing banks. The cost of social engineering, CEO fraud, fake invoices and tax refunds, mobile and online banking fraud adds up to billions, with the UN estimating the total, including money laundering, as high as $2tn a year. So how can banks become more resilient?
Sweat the data: get to know the customer
Key to success is robust processes that can distinguish between genuine and fraudulent payments. Although this is increasingly difficult as the attacks become more sophisticated, new technology can help.
Using artificial intelligence and machine learning, banks can create profiles that map the behavior of their customers, even as this evolves over time. Transactions are assessed against the profile and those that don’t fit a customer’s usual spending patterns can be stopped. Parameters that feed into the AI models include habitual payment amounts, the location of spending, beneficiaries, currency, browser, timing, screen resolution, e-banking language and more. Furthermore, it is possible to group profiles so that mass scams can be spotted and stopped, for instance, when organizations are duped into buying fake personal protection equipment (PPE) from a bogus company.
AI better protects the bank. Research also shows it can find more fraud and maintain – or even enhance – the customer experience. The accuracy of the profiles built by AI technologies reduces by a factor of five the number of bona fide payments that are queried by the bank with the customer – the number of false alerts. This helps build public confidence in fraud-prevention systems, because when the customer is contacted, the chance of it being a real fraud is significantly higher. As a result, the customer is more likely to feel reassured that the bank is on top of things rather than bothered by the inconvenience of being contacted.
AI technology is vital in the fight against fraud, the vast majority of which is perpetrated by organized crime. The proceeds are often associated with gangs also involved in other financial crime areas such as money laundering, drug and people trafficking and terrorism. Banks failing to protect their customers face significant costs.
The damage to a bank’s reputation by a failure to stop fraud – whether by an external or internal player – can be colossal. The US bank Wells Fargo is still working to rebuild public trust after a million fraudulent savings accounts were discovered in 2016. The fallout included the loss of its chief executive, the indignity of a federal investigation, at least $3bn in criminal and civil penalties, and a cap on the size of its balance sheet.
In the first year of its commitment to reimburse losses due to payment fraud, UK bank TSB issued refunds totaling £17.5m to customers. This is small change compared with the £45.5m fine levied on Bank of Scotland. And the cost isn’t just financial.
The new fraud mitigation technology available to banks means it is possible for them to prevent similar events happening again, protecting themselves and the public from phishing and other activities that facilitate fraud. We know that criminal gangs will always try to exploit weakness. It’s up to the banks to make themselves as resilient as possible.
You may also be interested in our free white paper: