Where Is Fraud Moving to Next?

UK Finance recently published ‘Fraud the Facts 2019’, a comprehensive document detailing UK banking fraud losses for 2019, which makes interesting reading for financial institutions and fraud fighters alike. Firstly, let’s review some key points from the report that show the extent of fraud across a range of channels:

  • Total unauthorised fraud up 16% over 2017 at £844.8m.
  • Remote Purchase fraud up; H1 £211.6m, yet full year at £506.4m.
  • Card ID theft up, with ACTO slightly down and third-party application fraud up 159%!
  • Cheque fraud up for the first time in years, albeit from a low base.
  • Unauthorised Remote Banking fraud down 2% to £152.9m.
  • Authorised Push Payment (APP) fraud at £354.3m is the big storyhere making up 30% of total fraud losses, nearly 2.5 times unauthorised Remote Banking fraud!
What’s is driving these changes?

In far too many areas, fraud has seen across-the-board increases.  In the remote purchase space, the change over the half year was most likely a result of Ticketmaster and other large card compromises. Interestingly, this has taken the Remote Purchase basis points to 13bps, the level for the lowest Transaction Risk Analysis (TRA) exemption under PSD2.  Some financial institutions will be able to use the exemption and others not.

Also affecting these results, cheque fraud has seen the introduction of a new clearing system and a few large counterfeits in the first half of this year, so this is not showing up as a trend yet.  In another key observation, Account Takeover (ACTO) in remote banking is down, yet APP fraud is up massively as investments are working but pushing fraud to the customer./

So, what does all of this data tell us about the evolution of fraud attacks and how does it related to what we will see in the remaining half of 2019 and beyond?

Fraud is often a game of whack-a-mole, which the report data shows has been the case over the last 10 years. As fraud is addressed in one segment, the fraudsters jump quickly to create new threats in other areas. Remote frauds are growing, and social engineering and data compromise are key drivers of both unauthorised and authorised fraud.  I clearly believe that 2019 will bring additional changes, and here are the most prominent:

PSD2 – SCA and Open Banking

As my previous two-part blog discussed, there are new fraud threats emerging but they will take time to become obvious or show immediate impact. Strong Customer Authentication (SCA) becomes law on September 14, 2019, and this will drive a number of changes, including:

  • A move from E-commerce Card Not Present (CNP) to Mail Order Telephony Order (MOTO), and digital to telephony, targeting those who’ve not put SCA in their telephony channels.
  • Drive more social engineering to obtain One Time Passcodes OTPs for card transactions and drive more SIM Swap where SMS is used.
Authorised Push Payment Fraud (APP)

APP will continue to increase as technology solutions, including SCA help reduce unauthorised frauds further, however, the way banks and FIs respond will also have an impact.

The Contingent Reimbursement Model (CRM), gives them a business case to increase investment in protection for their customers and therefore themselves.  They may also be more aggressive in claiming refunds from beneficiary banks. This gives FIs incentives to do more in the inbound payment profiling and mules space, pushing liability away.  It may even help with increased barriers to entry in the PSP space.

It is also likely to drive an increase in cross-border losses as Instant SEPA is now here and both Confirmation of Payee (COP) and the CRM don’t cover international transactions.

New services: Request to Pay, Voice Banking
There are several new services and channels starting to come through that will also change the landscape. With Request to Pay (RtP) due to launch later in the year in the UK, this is likely to be abused, probably as part of more social engineering and other APP frauds. Voice Banking (Alexa et al), Chatbots, messaging apps and IOT payments will all have an effect. By providing more channels for social engineering and increasing confusion for customers, this also impacts on the fraud profiling capability by increasing the attack surface and the volume of data to be profiled. Finally, Point of Sale (POS) Lending is also starting to take off and with this increased fraud levels won’t be far behind.

Identity Theft
POS Lending neatly takes us to the other big trend, which I believe, is in Identity Theft. The UK Finance report has shown the increasing levels of card ID theft, but the combination of changes mentioned above, along with the lack of a UK identity infrastructure, are going to turbo charge this.
 
This won’t play out as traditional ID Theft to obtain facilities, but also for ACTO, as the controls around existing accounts are becoming stronger than those around new accounts. What might this look like:
  •  Obtain details e.g. through compromised cards on the Dark Web
  • Target a new bank, opening an account in the genuine customers name and then:
    • Apply for credit
    • Move money (unsecure loans, APP frauds, bypassing confirmation of payee)
    • Receive and redistribute frauds (mule)
  • Either one or potentially all of the above.
Resurgence of older frauds

Finally, we may see an increase in older, more forgotten fraud types, partly due to poorer systems coverage as investment has been elsewhere, e.g. Cheque Fraud, and Direct Debit refund frauds for example.

What can you do to be ready?

So, what steps can FIs take to be better able to combat these changing trends? There are numerous ways that Fis can adopt additional process that support their anti-fraud measures, among them:

  • Leverage PSD2 investments across all possible channels, especially telephony.
  • Have a roadmap to get rid of SMS for authentication and ensure SIM Swap detection is in place.
  • Build out APP specific models and inbound payment profiling.
  • Digital Identity – use the latest documents checking services, but also link the outputs to the fraud platform to help spot the frauds, specifically the ID Thefts. The attributes from the documents and other data can be useful in joining up looking for ID Theft.
  • Electronic KYC – ditch the utility bill as a proof of address as this step only adds friction and doesn’t stop fraudsters.
  • Bring more data sources into the fraud platform at all points for Onboarding risk, including Mules etc. Victim risk, Risk of ID Theft, Network Analysis.
  • Upgrade fraud platforms’ capability of handling the extra data, new channels and running multiple models to detect fraud. 
  • Build the fraud platform into a fraud hub, linking KYC, AML, application fraud and transaction fraud together to provide a true, more complete customer profiles in order to make intelligent risk-based decisions.
Speak to an Expert