Community
It seems everywhere today, people are talking about being in the midst of a global epidemic of digital scams targeting victims from all directions. But I’ve noticed that no one is providing an explanation as to why scams – which are usually nothing more than a technology enabled version of an old-fashioned confidence scam (or grift) – have become the dominant fraud type.
I’ve been involved in digital fraud prevention for almost 20 years now, and I have seen attacks evolve in response to bank controls alongside regulatory changes. Most of my working life has been in the UK, which has been at the tip of the spear for many attacks, but it has also taken me further afield into the United States, Australia, and several other countries.
From this perspective, I can see certain commonalities and regulations which have driven the threat landscape – which I think starts to explain why we are now in the position we are in. The UK was the first market to see scams overtake other traditional forms of fraud and gives us all the data points we need to understand the bigger picture.
In my mind, no single event was truly responsible for the rise of scams (of whatever type). Fraud attacks have evolved over the past two decades in response to both the pull of business changes and the push of the changes in threats. The balancing act between the two caused the evolutionary pressure leading to the “scampocalypse” we see today.
Here are the five factors I believe that have contributed to the global scampocalypse.
Factor 1: Uniformity Due to Regulation
Mandatory regulatory and legislative changes create consistency across all banks in a region so attackers face the same challenges no matter which bank they attack. Once attackers have an MO that works for any bank in a region, they will attack all banks who are susceptible to it. They move on to other banks only when stronger controls are put in place and focus their attacks on those that have weaker controls.
For example, in EMEA, the Payment Services Directive 2 (PSD2) mandated Strong Customer Authentication (SCA), increasing two-factor authentication to three (Possession, Inherence and Knowledge). In retrospect, this requirement has not really reduced fraud losses and has increased customer friction – and even discriminated against vulnerable customers due to the complexity of the authentication solutions deployed.
Factor 2: Business Changes
Several changes on the business side can be directly tied to the increase in scam activity including:
Factor 3: Threat Landscape Changes
As business have changed, the threat landscape has changed in multiple ways as well.
Factor 4: Change of Attackers
Attackers have drastically evolved in the last two decades as technology advancements have enabled more automation and specialisation within fraudster communities.
Note: This generalisation does not include the Nation-State type attacks conducted for financial reasons as they are a specific subtype that is more of a Black Swan attack – low probability but high impact.
Factor 5: Wetware Became the Weakest Link
From these four factors, we see that in order for digital banking fraud to succeed, attackers must get around strong authentication – but the technical measures to do this were harder to obtain and often needed social engineering to install them. So why invest in technology and complexity when fraudsters can just use low-cost people instead?
Criminology looks at three factors to determine how likely a criminal attack will occur – risk, reward, and effort. Scams, starting with the bank impersonation scams, needed a phone call to the victim who is then guided to move money themselves. This took more effort than using a technical solution in terms of time, but data breaches already provided all the information on victims needed to scam them. But more importantly, the risk in doing so was lower (less technical footprints during the fraud), and the reward was much higher initially (technical controls such as authentication, device profiling, and transactional analysis gave high false positives, and behavioural biometric analysis was still in its infancy).
Ultimately, criminals conducted sophisticated attacks against the weakest point – the bank customer – as humans became the simplest and best chance at beating the bank controls. Once one attacker group proved it worked and word spread, fraudsters around the world copied them to generate the high volumes seen now.
The Future Is Human
Voice scams, such as impersonation of banks or law enforcement, were the first wave of the scampocalypse, with customers naively believing what they were doing was correct. Today, voice scams are still a big issue. What started out mostly in the UK and spread to the rest of the English-speaking world is now a problem across all regions and languages. For instance, fraudsters invest in native speakers to provide the authenticity they need and now use the same methodology across Europe and Latin America. These regions are seeing the shift from account takeover due to the same technical control improvements the UK was first to implement.
As the UK has shown, behavioural analysis of the customer during these impersonation scams, when layered with transactional controls, has the ability to reduce the reward of the attackers (and means their effort does not scale). More work needs to be done on increasing the risk to attackers, but effort is underway to uncover mule networks and identify where the stolen money is going to. Law enforcement, such as Europol, has already done a lot of work on money mule disruption, and this is likely to increase over time as more data is correlated.
We must not forget the other types of scams that are also out there – purchase, romance, crypto/investment and others. Again, these focus on the human victim, without the technical signals we once relied on for account takeover being present. Behavioural and transactional signals are now the key battlegrounds to spot these, but the focus has now shifted to looking at them at the receiving account as much as the sending.
There are additional viable behavioural signals on the mule side which until recently have been under-utilised. Linking both sides of the transaction gives better accuracy, and when done correctly, reduces the operational cost of both the sending and receiving bank. FRAML (Fraud and AML) operational teams are more common now, and in some cases, cyber fusion centers link infosec teams as well.
My parting thoughts are that with this retrospective view of the combination of factors that caused the threat landscape to shift, we can predict how other verticals outside of banking –insurance, government gateway services, gaming/gambling, eCommerce – are vulnerable to the same attack shift due to similar factors in play. My advice to these industries is to learn from the painful lessons and new capabilities that have come from the banking sector before a scampocalypse overwhelms you.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Sireesh Patnaik Chief Product and Technology Officer (CPTO) at Pennant Technologies
02 October
Jelle Van Schaick Head of Marketing at Intergiro
01 October
Ruchi Rathor Founder at Payomatix Technologies
30 September
Fiaz Sindhu Head of Community Banking at FIS
27 September
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.