APP fraud: the four steps

by Mark Rowe

A rise in investment scams puts pressure on banks to protect consumers, says Abhinav Anand, Chief Product Officer at the software company Smartnumbers.

As the pandemic transformed our lives last year, fraudsters were ransacking our bank accounts, offering us investment deals that were simply too good to miss and preying on us at our most vulnerable. UK Finance identified that £479m was lost through nearly 150,000 scams where criminals promised high returns, enticing unwitting participants into transferring real savings into bogus investment products or bank accounts. Investment fraud accounted for the highest losses of any type of Authorised Push Payment (APP) fraud.

Naturally, there was a wave of advertising and awareness campaigns launched to help protect consumers. It was all well intentioned, urging us to be careful as to where we invest our money and to be particularly wary of online savings and investment adverts appearing in Google search rankings. But it doesn’t appear to have had the impact the Government was hoping for. Crucially, the vast majority of adverts that do appear in Google are genuine, but fraudsters are known to place Pay-per-click (PPC) adverts in results listings hoping to trick consumers into transferring funds, or even worse, entering personal details in a fake form.

This savvy approach from fraudsters comes at a time when it’s easier than ever to make payments. Applications on our phones and internet banking offer us greater control of our money and the simplicity to move it around with just a few clicks, but it increases our vulnerability to the kinds of social engineering attacks scam artists use to get us to part with our hard-earned money.

And if you’re thinking that there are fail-safes in place to help people who have been scammed get their money back, these efforts aren’t always successful. Unlike other types of fraud, the transactions are ordered by the customers themselves, making reimbursement a complex issue. UK Finance reported that just £73.1 million of the £479 million lost to APP fraud made it back to the victims.

But how exactly does APP fraud take place, and how can banks do more to protect their customers?

While there is a huge variety of scams and tricks being deployed by fraudsters, there are a number of steps and warning signs that should set alarm bells ringing.

First, fraudsters harvest information about potential victims. This is routinely sourced from banks’ own automated contact centre systems, often alongside information purchased from the ‘dark web’.

Then, target victims are sent text messages, known as smishing attacks, purporting to be from their bank, mobile phone provider, a courier company or a major retailer. The convincing messages suggest a recent payment or delivery has failed and that they must enter bank details to resolve the matter. The messages are worded to incite panic, so that the victim loses the capacity for critical thinking and enters payment details on a mock website that looks identical to that of the true organisation.

Next, the victim receives a call from the fraudster, posing as a bank employee, to inform them that their account is compromised and that they need to move their money to a new ‘safe’ account which has very kindly been set up for them.

And finally, the victim authorises the transfer of funds to the ‘safe’ account, potentially handing over thousands.

More fraud types to watch out for

While investment fraud gathers pace, other types of scams continue to plague consumers. Romance scams, often referred to as ‘catfishing’, where fraudsters trick consumers into thinking they’ve met the love of their life online and dupe them into transferring money into their account, are becoming increasingly common. Likewise, banks and consumers should watch out for purchase scams, where fraudsters pose as the seller of a high-value product, demand cash before delivery and make off with the funds without ever sending the goods.

And, finally, mandate scams see criminals interpose themselves into what would otherwise be legitimate business transactions, demanding payments be sent to a different account. The breadth of techniques criminals use to entice individuals to hand over funds or sensitive information is a testament to the growing risk and complexity of APP fraud.

How banks can tackle APP fraud

While regulators and the banking and payments industry are working together to help APP fraud victims recover lost funds, there is more work to be done. Preventing criminals from successfully scamming people in the first place has to be where banks take action.

Doing it successfully requires a multi-layered approach, with scam warnings and interventions injected into the seamless flows of online banking and mobile applications to help create moments of reflection for victims. Here’s what banks can do to prevent fraudsters from getting what they want:

1. Implement Confirmation of Payee

Last June, the UK’s six largest banks introduced Confirmation of Payee. Designed to add an element of friction in the payments process and flag where there is a mismatch between the names of the recipient and the associated account details, the tool has been relatively successful. That said, this tactic doesn’t always do the trick, as fraudsters know it exists, warn the victim in advance and explain that they don’t need to be concerned.

2. Educate teams and spread awareness

Banks and the Government must work harder (and together) to provide consumers with information on how to avoid becoming a victim of fraud. The better we educate the public, the more difficult it is for fraudsters to manipulate victims. This should include advice such as to never disclose security details and to always double-check contact details for the recipient bank.

Alongside education, work is needed to encourage customers to sense-check emails, texts or phone calls before responding to their requests. Organisations such as CIFAS and Action Fraud are prolific in their attempts to update the public with useful resources, but more must be done.

3. Prevent reconnaissance in the contact centre

Smart fraudsters run reconnaissance programs through banks’ contact centres to try and collect useful information on potential victims. Leveraging the Interactive Voice Response (IVR) systems or even the online chatbots, they are able to harvest sensitive information that can be used to socially engineer customer service staff.

There are tools and technologies available to address these vulnerabilities in the contact centre and other channels. Bank customer service teams and fraud teams must work together to explore what’s available on the market to make the fraudsters’ job as hard as possible, and keep customers safe.
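
One way a fraud team could surface this kind of reconnaissance in IVR logs, shown as an added example that is not from the article or from any vendor's product. The log format, the thresholds and the phone numbers (taken from the UK range reserved for drama use) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IVR log: timestamp, caller number, account number keyed in.
SAMPLE_LOG = """\
2021-03-01T09:00:05 +447700900001 ACC1001
2021-03-01T09:02:10 +447700900123 ACC2001
2021-03-01T09:03:40 +447700900123 ACC2002
2021-03-01T09:05:15 +447700900123 ACC2003
2021-03-01T09:07:50 +447700900123 ACC2004
2021-03-01T13:30:00 +447700900001 ACC1001
2021-03-02T10:00:00 +447700900002 ACC3001
2021-03-02T18:00:00 +447700900002 ACC3002
"""

def parse(log):
    """Yield (timestamp, caller, account) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, caller, account = line.split()
        yield datetime.fromisoformat(ts), caller, account

def find_recon_callers(log, window=timedelta(minutes=30), max_accounts=3):
    """Return {caller: sorted accounts} for callers that queried more than
    max_accounts distinct accounts inside any sliding time window."""
    recent = defaultdict(deque)  # caller -> (timestamp, account) still in window
    flagged = {}
    for ts, caller, account in sorted(parse(log)):
        calls = recent[caller]
        calls.append((ts, account))
        # Drop calls that have aged out of the window for this caller.
        while ts - calls[0][0] > window:
            calls.popleft()
        accounts = {acc for _, acc in calls}
        # A genuine customer rarely touches many accounts from one number.
        if len(accounts) > max_accounts:
            flagged.setdefault(caller, set()).update(accounts)
    return {caller: sorted(accs) for caller, accs in flagged.items()}

if __name__ == "__main__":
    for caller, accounts in find_recon_callers(SAMPLE_LOG).items():
        print(f"review caller {caller}: probed {', '.join(accounts)}")
```

Flagged callers are candidates for step-up authentication or fraud-team review rather than automatic blocking, since shared office lines and withheld numbers can produce the same pattern.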

Protecting members of the public from significant financial losses is only possible by detecting and stopping fraud early in the attack cycle. Banks have a responsibility to their customers to enhance their security and thwart fraud attempts, so it’s time for them to adopt the right mindset, execute the right tactics and implement the right technologies to do so.

© 2024 Professional Security Magazine. All rights reserved.
