It was seven years ago in the weekly update with the Data Science team. As Chief Cyber Officer and co-founder of behavioral biometrics company BioCatch, which specializes in online fraud detection, this was my favorite internal meeting: there were always
some new tricks the fraudsters did which the team picked up on, and it was pure fun to learn about them.
This time we were looking at a comment made on one of the records in the weekly fraud file we got from a top 5 UK bank. Normally the records just marked online banking transactions that were reported by a customer as fraud; the data was basically used to
train the behavioral biometric model to predict future fraud. Some records contained a brief account of the frau circumstances, but this particular record had a very long and descriptive comment, telling the story of a sophisticated social engineering con.
If you’re interested in how it was carried out, I covered it in a prior blog, titled
The Perfect Crime. In a nutshell, though? It was the first APP scam we encountered.
That blog was written a couple of years afterwards using 20:20 hindsight, and also talked about the huge advances in detection the banking industry has made, including data sharing and using micro-behavior analysis to track things like distraction, hesitation
or the signs of being guided, but back in 2016 this was still just a weird anomaly. The behavioral biometric AI missed it completely, predicting a low ATO (Account Takeover) risk score, but to be honest I didn’t think this was a big deal. A customer was duped
by shrewd conmen to part ways with a big chunk of her money, but it wasn’t really fraud. I mean, it was the customer who did it. She said so herself. No one penetrated her account. She went to her own online banking account, accessing from her own device,
passing the two factor authentication, and sending money to another bank account as she normally would. Why on earth would anyone expect the bank to catch something like this? The behavioral biometric system was certainly right in saying there was no risk
here: it wasn’t some bot, or remote access, or an intruder. There was no criminal behavior. It was the regular account holder doing the money transfer… Besides, it was just one victim who fell for an unusually clever trick, requiring a dedicated, not too scalable
investment in social engineering. Surely this isn’t the start of a new trend?
By now, most of you in the field know the rest of the story. The unbelievable surge of APP Fraud attacks. The Which? Consumer Rights group’s super-complaint about banks not doing enough to catch it. The regulatory pressure on banks to invest in detecting
the new type of attack. The voluntary code of reimbursement that many top UK banks adopted.
APP Scam losses in the UK started outranking ‘traditional’ online banking ATO fraud several years ago; the H1 2022 UK Finance official figures are around $250m for APP scams (out of which $140m was reimbursed to the user), vs only $65m for online ATO. Of
course, it’s no longer a UK specific problem: APP scams have long crossed the channel and reached the Netherlands, Germany, and the Nordics; Australia was also taken by the same storm, and by now it has hit the US shores.
Thing is, these were all just the precursor earthquakes that mark a much more dramatic seismic shift. 2022 was simply a crazy year in terms of the evolution of scams.
In the UK, the regulatory body
PSR published a groundbreaking draft for a new code of conduct in which all banks are required to provide 100% reimbursement on all APP scams unless they prove gross negligence by the user. This was rather expected; what shook the financial sector far more
was the direction that eventually, the regulator expects that 50% of the loss shall be incurred by the receiving bank, not the originating bank.
That’s an enormous departure from the current paradigm, and frankly would be quite difficult for the local banks to comply with. Talking to friends in the UK, the biggest concern is for the challenger banks who so far were not heavily exposed to APP scam
losses, but may now take a huge burden that will directly impact their bottom line – as a lot of the scam money was laundered through accounts opened with those new, often fully digital, financial institutions. But not all of it; the Head of Financial Crime
in one of the top banks told me that half of the mules in the UK are still ‘traditional’ ones – meaning those that were recruited, either willingly or unwittingly, by criminals to funnel the scam proceeds. Those are far more difficult to detect.
Think about the signals a bank has for intercepting incoming transfers: anomaly detection using transaction monitoring, plus data sharing with the originating bank who would provide details about the originating account. Add behavioral biometric models that
look for anomalous behavior in the online banking account of the receiving party: for example, multiple accounts controlled by the same person, or a change in behavior as a mule herder checks the balance in the mule account. That’s pretty much it. Even for
the major banks we talk about very high false positives – my guess would be north of 98% – and no way to easily investigate those cases, because when talking to 100 people who received a suspicious incoming transfer, 98 are not mules and have a perfectly reasonable
explanation for the transfer, and 2 are mules that will be guided by the criminals on what to communicate to the investigations team. That’s going to be a tough and time consuming investigation.
The implications of all of this on banks are difficult to predict, and that’s just in the UK. In the US, bank CEOs were
grilled by the Senate and asked why they wouldn’t reimburse victims of Zelle Authorized Payments scams – those are cases where the victim pays a conman via the P2P network set up between US banks for real-time payments. The expectation is that banks will
consider those cases just like credit card fraud when someone uses your card or when you don’t get the goods, and refund the user. It’s the biggest liability shift in decades.
What those expectations do not take into account is the fact that in credit card transactions there’s a huge amount of context, and in Zelle scams there’s far less to go on. But US banks understand that this is a turning point in the public mind around online
fraud, and are now
discussing the voluntary code for refunding scam victims.
The scope of what ‘scam’ is also continues to grow. Initially it was just impersonation fraud – I’m calling from the bank or law enforcement and you urgently need to move money into a new bank account – but it’s now pretty much anything. Romance scams, investment
scams, eCom scams, Crypto scams, the works.
Let’s summarize all of this. Scams are by far the most profound change in decades due to several critical reasons:
-
Scams are now bigger than traditional fraud
-
Scam Detection has higher FP rate than normal fraud
-
Scams require a full investigation in order to sift through alerts
-
Scam types are limitless, and the expectation is to cover all of them
-
Regulators in UK and US expect 100% reimbursement of scam losses
-
UK Banks that receive an APP Scam payment will be asked to refund 50%
These are all practical implications of the Rise of Scams, but I think the most fundamental seismic shift is the issue of expectation. Banks are now expected to cover things that were beyond anyone’s imagination until recently, and the pressure from regulators
and legislators on financial services keeps growing at an alarming rate.
The rationale for all of this expectation, and this is also true for expectation about Money Laundering, is that banks really know their customers. If you really know your customer, you can anticipate what their normal financial transactions are and spot
those that are abnormal, right?
Well, I’m going to challenge this rationale. Banks used to know their customers really well, but do they really know their customers nowadays?
I’ll leave you with this thought and write more about it in my next blog post.
