Online investment fraud has seen a rapid acceleration since the onset of the coronavirus pandemic, and many of society’s most vulnerable people are bearing the brunt.
Despite industry players campaigning for the UK government to include online fraud within the scope of its response to the Online Harms White Paper, in December 2020 the government ruled it out. Industry leaders and police are calling for more attention and responsibility to be placed on the role of search engines in online investment fraud, while others point the finger at challenger banks and the reported role they play in fraudulent online schemes.
Just last week, Starling CEO Anne Boden lamented the government’s decision not to include online fraud in its Online Harms Bill, stating: “I hope it’s not too late to change this. Banks invest billions to tackle economic crime, but we cannot stop it on our own.” She also called for cooperation across industries, particularly the social media platforms and telecoms networks that are abused by criminals for the express purposes of financial crime.
Covid-19 lays fertile ground for new fraud trends
Speaking at a recent Work and Pensions Committee hearing, Mark Steward, executive director of enforcement and market oversight, FCA, commented that Action Fraud has seen 30,000 instances of unregulated activity in the past 12 months, a significant trend on previous years.
He added that a significant driver is the increase in online advertising and marketing of fraudulent opportunities, “combined with the fact that there is no regulation of social media and advertising on social media,” which is unfortunately also coinciding with people spending more time at home and online.
In her foreword to the 2020 Half Year Fraud Update, Katy Worobec, managing director, economic crime, UK Finance called for a new regulatory framework to address vulnerabilities. She also requested that it be included within the scope of the government’s online harms regulatory framework, “to help ensure that online platforms address vulnerabilities that are being exploited by criminals to commit fraud.”
As the globe has been forced to operate in a fully digital environment for work, social, and communication purposes, it is only natural that fraud has followed.
Investment fraud wears a new mask
Peter Hazlewood, group financial crime risk director, Aviva, explains to Finextra Research that over 90% of the fraud the insurance firm is witnessing during the period of the pandemic is cloned investment fraud.
This is where fake comparison websites are set up by scammers and link through to cloned versions of authentic investment websites where fraudulent products are advertised. He adds that it is organised crime gangs (not sole actors) which are taking advantage of the economic conditions being suffered globally, such as poor Investment Savings Account (ISA) returns and being stuck working from home, to conjure up alluring investments which draw in unaware victims.
“Gangs are crafting fraudulent products which may appear to look like a fixed term investment bond or ISA over a one, three, or five year period, but promising higher returns than would be offered elsewhere,” explains Hazlewood. He adds that these products look entirely legitimate to the untrained eye, with one notable exception: the investment return is a little too good to be true.
The pensions-age segment is proving to be particularly vulnerable to this type of investment fraud. Often holding a comfortable amount of disposable assets, this affluent and less tech-savvy demographic is a particularly tempting target for fraudsters.
UK Finance explains that the sophisticated techniques being used by criminal groups include adverts on internet search engines or social media platforms, which tend to take the unsuspecting investor to a cloned website that is impersonating an FCA-regulated firm.
These sites are carefully crafted, often using materials sourced directly from the reputable, well-known brands themselves. Customers are typically instructed to complete online forms to register their interest in the investment and are then contacted by a criminal impersonating an investment firm or broker to sell what the victim believes to be an investment product.
Hazlewood exclaims that when he recently undertook a straightforward search for “good ISA returns” or “fixed term bond returns”, a whopping 30% of the ad results were from such fraudsters.
“Across 26 well known industry brands, we see an average loss of £46,000 per fraud and this is accelerating rapidly. Overall, it amounts to hundreds of millions of pounds being lost by vulnerable, pension-age investors.”
How do criminals get around AML controls?
In correlation with the increase in this type of online investment fraud, Hazlewood adds that Companies House has seen a sizeable uptick in the number of registrations. Criminals register these companies (with similar names to reputable brands) to circumvent banking controls. When scam victims make a payment to this new company, the money is typically transferred to a mule account before being sent overseas.
In September, Companies House announced it would clamp down on fraud and money laundering by preventing directors from being appointed until their identity has been verified.
Civil fraud expert Andrew Herring, Pinsent Masons, added at the time that “questions remain about how far these measures will go to prevent individuals from around the world from continuing to use the cloak of respectability created by an English registered company as cover to commit fraud and other criminal activity. For instance, it will be interesting to see whether these new consultations result in increased due diligence over shadow directors, company formation agents and virtual offices.”
Do newcomer banks make easy targets for fraudsters?
While reluctant to identify specific challenger platforms or institutions which typically hold these ‘mule’ accounts, Hazlewood adds “there are so many of them and you have to question what exactly their controls over the receipt of these funds are. Are they asking enough questions? Is it a level playing field with traditional providers like insurers or bricks and mortar banks? Or are the barriers to entry too low for the digital challenger platforms?”
In addition to her disappointment that online fraud was omitted from the Online Harms Bill, Starling Bank’s Boden added that despite their effort and investment, banks cannot tackle financial crime alone. She calls for greater cooperation from other industries, specifically social media and telecoms which are used by criminals to dupe victims.
Echoing agreement with Boden, Hazlewood comments that “at the end of the day while it may be the search engines which act as the enabler or the ‘shop front’ for organised criminal fraud”, it is the mule accounts, often provided by digital payments platforms with such low barriers to entry, which facilitate the actual holding and transfer of funds.
“The barriers to entry to a digital payment platform would appear to be materially lower than they are at a bank. Until those digital payment platforms are operating on a level playing field, this isn’t going to change.”
Phil Rolfe, group CEO, P2 Consulting further explains that when it comes to the question of appeal of this type of fraud, there is no competition. He says that “we’re seeing a switch from low-level account fraud into proper organised crime. This is definitely becoming more sophisticated and shows the lengths that people will go to for these large sums of money.”
Rolfe adds that this type of fraud is attractive because it doesn’t entail the traditional ‘cash nightmare’ that may come from, say, drug dealing. “Would you rather be selling drugs on the street at £20 a bag or have a team working with you to move money? Your hit rates can be much more minor, because you’ve got bots doing all the legwork, so you only need to spend time reacting to ‘hits’. The (criminal) team can then build on these leads and turn those into cash.”
Undoubtedly a much more lucrative approach.
How can fintech help?
We’re seeing a fundamental shift in approach to fraud monitoring and AML thanks to the proliferation of Regulatory Technology (regtech) and Supervisory Technology (suptech) firms, which is proving vital to keep up with sophisticated fraud.
Rolfe believes the fintech market has matured sufficiently for large (established) financial institutions to begin partnering for point solutions. Just last week HSBC announced that it would partner with regtech startup Silent Eight to boost its efforts to fight financial crime.
Banks’ approach to outsourcing technology in order to quickly implement robust compliance or AML procedures means that it is now possible to see the wood for the trees. Rolfe explains that where we were once deluged with huge amounts of administrative ‘tick box’ exercises, the technology is now scenario-based automation.
Historically banks would have to spend huge sums on big box compliance solutions, implementing them, and upgrading them, and these solutions would typically just provide ‘trigger’ services with meagre results. Hazlewood notes that the average effectiveness ratio for transaction monitoring in banking is still (miserably) between one and three per cent: “That’s between 97% and 99% ineffective. Astonishing.”
Today, however, Rolfe explains that we’re seeing big data companies hoovering up this data across organisations and pushing it through multiple scenarios in order to look for patterns which are out of the ordinary. He adds that this is immensely more effective than traditional transaction monitoring approaches and, given the increasing reliance on cloud, there is no longer a need to invest in a vast data centre.
Hazlewood adds that the true progress will emerge as the sector comes together in order to share intelligence. Often, he explains, there will be a data point held within another organisation that “we are not privy to – an IP address for instance. If we were alerted to this data point, we may be able to identify a raft of fraudulent investments or policies. The legal framework for this type of intelligence sharing exists in the UK under the Criminal Finances Act.”
Can compliance constitute a business case?
Rolfe explains that a core challenge for organisations is to establish and sell the business case. Implementing large scale compliance programs puts pressure on balance sheets and they typically fall under the category of threat avoidance rather than profit making. An attractive development in this space, Rolfe continues, is the integration of security as more of a ‘build-in’ to the customer journey.
“Taking the typical ‘whack-a-mole’ approach to these projects is often forced, whereas if you go back and fundamentally re-engineer the approach entirely by improving customer data and overlaying new tools you will reap the long-term benefits. This approach, however, does require firms to take a five to 10 year view.”
This is in stark contrast to days gone by, Hazlewood describes, when he worked as an early member of JP Morgan’s global financial crime team, “there were three people running this division globally. I was Mr Asia, there was one in Europe and another covering the US. That was it. There are now several thousand in the team.”
“In the old days there was no automated monitoring, KYC policy consisted of a checklist of questions on reputational risk from the frontline, perhaps you’d file a Suspicious Activity Report (SAR), you’d do some training and tell a few war stories. When America Software entered the scene with the first transaction monitoring system, we were all blown away.”
“The bigger organisations now realise that they can't just keep adding analysts to fix the problem. They're leaning much more heavily on big data and analytics and recognise that a good business model must invest in quality data for inputting into scenarios for more accurate automation.”
While we may have come quite a way since the 1990s approach, it appears that regardless of the sophistication of the technology at the financial world’s fingertips, the relentlessness of fraudsters is unlikely to be thwarted. At the very least, it would be heartening to see decisive and, more importantly, swift action on the part of legislators to make clear the responsibility of every player in the chain.