Immediate Action Required: Detecting Authorised Fraud
December 29th, 2020
This blog series acts as a companion to the sessions at ENGAGE LIVE. Catch up on the other entries here:
- Looking Back at ENGAGE 2020
- Stay Ahead of First-Party Fraud & Mule Activity
- Catch Me if You Can: Fraud Digital Identity Challenges
- Future-Proofing Fraud with Advanced Technologies
- Fraud: AI in Action
- The Journey to Autonomous Fraud Management
In this session at ENGAGE, we heard from contributors on both sides of the Atlantic about the authorised fraud threat, as well as what can be done to help reduce and mitigate it. In this blog, I’ll cover what authorised fraud is and why your financial institution (FI) must pay attention to it.
What is Authorised Fraud?
Authorised fraud, also known as call scams, covers a number of fraud typologies. The key differentiator from unauthorised fraud is that the customer has made the payment themselves, rather than a fraudster having logged into their account or used stolen credentials. This is an important distinction, as it determines that it is the customer, not the FI, who is liable. The nature of these frauds, whether it is the redirection of a property-sale payment or an investment fraud, often means that victims lose large, life-changing amounts: their life savings, or enough to bankrupt a business.
We hear about a number of different types of authorised fraud or scams, with some of the most common being Business Email Compromise (BEC), purchase scams, investment scams and impersonation frauds.
With BEC, there are sub-types such as CEO fraud, where the CEO is impersonated in some way to procure a large payment. One high-profile example of CEO fraud is Nikkei, where $29 million was lost, and other household names have also fallen victim. The level of sophistication is rising too: a deepfake voice was used to net over $100,000. In a more recent example, 100 million Norwegian Krone (NOK) was defrauded after an email compromise meant that the fraudsters controlled both sides of the conversation in what started as a legitimate piece of business.
COVID-19 has turbocharged authorised fraud and scams. Across the globe, we’ve seen myriad types of fraud reworked to have a COVID flavour, ranging from purchase scams for PPE to investment scams for vaccines. We’ve also seen fake websites used to obtain card details or credentials through scams or malware.
What is the size of the losses?
The UK has very good figures for the last few years, although these likely under-report, especially on the business/corporate side. Losses due to authorised push payment scams were £455.8 million in 2019. This was split between personal (£317.1 million) and non-personal or business (£138.7 million). The losses were up 45 percent on 2018. In total, there were 122,437 cases relating to a total of 121,658 victims. Of this total, 114,731 cases were on personal accounts and 7,706 cases were on non-personal accounts.
In comparison, the most recent six-month figures, for H1 2020, showed that cases were up 15 percent and the volume of payments was up 19 percent. Gross losses were static, because lockdowns reduced the ability of mules to cash out, and they are likely to rise in H2 2020; clearly there is still growth here on top of already large numbers.
Outside the UK, the FBI estimated that global losses to BEC were $26 billion before COVID, and an Australian estimate from 2018 put losses at $7.2 million, growing at 50 percent.
Such is the scale of authorised fraud that when the U.S. Fed launched its fraud classifier, it contained a whole section for authorised fraud. The classifier should help improve monitoring and reporting of all fraud types, so hopefully we’ll see better statistics in years to come.
These statistics make clear that globally there are significant levels of authorised fraud that are growing as fraudsters net serious amounts of stolen funds.
Why is Authorised Fraud important to FIs?
As we heard at our ENGAGE 2020 event, there is a voluntary agreement in the UK, signed up to by the largest UK FIs, that alters liability. It moves responsibility from the customer to both the sending FI and the beneficiary bank, clearly creating a business case to invest in prevention.
However, even where there is no clear liability, there are still operational issues and costs caused by authorised fraud. Customers will still go to their bank first for help, and these calls and investigations all cost money even if there is no refund. In addition, this keeps agents from working the alerts that directly impact the bank’s bottom line.
There is also the knock-on impact to banks if the customer who is not refunded has loans with them. If they no longer have the funds or the business goes bust due to the fraud loss, the bank may lose more money on the loan default than if they had refunded the customer.
Then we must consider the reputational impact on the FI if it’s clear that customers are losing money yet not being refunded, as one of the key reasons people use banks is the security they offer.
Of course, taking a proactive approach to protecting customers from authorised fraud is better for customers. Not only that, but banks can reduce all of these impacts and can even use their success as a marketing point.
We need to have industry approaches to ensure that we can do the right thing to reduce fraud in the ecosystem.
How can FIs address Authorised Fraud?
As is so often the case, there is no silver bullet. The need to create a fraud strategy with multiple layers to define, detect and defend against authorised fraud is apparent.
Part of defining these frauds is measuring and monitoring to see whether your actions are improving outcomes, so using the Fed Fraud Classifier is key. This leads to improved detection, because without it you can’t find what you are not looking for.
Create rules and models to detect authorised fraud separately from other types of fraud. It’s worthwhile to segment the different types of fraud so that the data can be recorded and agents can ask the right questions. However, the underlying fraud sub-type (BEC, CEO fraud, romance scam) itself is often not relevant for the model builds, as it introduces bias, so use the raw data in the models.
Combine this with additional elements, such as name checking (Confirmation of Payee, COP) and other tools such as behavioural biometrics, to detect when the customer is being coerced. Profiling the different entities involved is also key, so things like the device and payee involved will also assist.
As liability starts to shift, be aware that more onus will be on the beneficiary bank and what it has done to prevent the fraud. This will include things like KYC and CDD, but the volume of inbound payments to be monitored will grow to match. Adding real-time profiling of payments and mule profiling can really help here, both in terms of preventing losses and in reducing money laundering.
Operationally, create separate queues in fraud operations and make sure that these are treated differently to ensure the right processes are followed. This includes injecting human intervention into the customer dialogue, as this works well to prevent victims being defrauded.
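To make the layered approach above concrete, here is an added worked example (my illustration, not code from the blog, from ENGAGE, or from any vendor's product). It scores an outbound payment using the raw signals the strategy names, a Confirmation of Payee (COP) name check, a new-payee flag, amount versus the customer's usual profile, a device signal and a behavioural-biometrics "coached session" flag, without using a fraud sub-type label as a feature; routes high-scoring payments to a separate authorised-fraud queue when the customer initiated the payment and to an unauthorised-fraud queue when they did not; and adds a simple beneficiary-side mule profile that measures how much inbound value is passed straight through. All account profiles, payments, names, weights and thresholds are constructed sample values chosen for illustration, not calibrated figures.

```python
"""Layered authorised-fraud scoring, queue routing and mule profiling.

Added example; all profiles, payments and weights below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AccountProfile:
    account_id: str
    typical_outbound: float   # customer's usual outbound payment size (constructed)
    known_payees: set         # payee accounts this customer has paid before


@dataclass
class Payment:
    payment_id: str
    payer: str
    payee_account: str
    payee_name_entered: str      # name the customer typed for the payee
    payee_name_registered: str   # name the beneficiary bank returns for that account
    amount: float
    customer_initiated: bool     # True: authenticated customer submitted it (authorised typology)
    new_device: bool             # device profiling: first time this device was seen
    coached_session: bool        # behavioural-biometrics flag: customer appears to be guided


def cop_check(entered: str, registered: str) -> str:
    """Toy Confirmation of Payee outcome: 'match', 'close' or 'no_match'."""
    e, r = entered.lower().split(), registered.lower().split()
    if e == r:
        return "match"
    if e and r and e[0] == r[0]:
        return "close"
    return "no_match"


def score_payment(p: Payment, prof: AccountProfile) -> Tuple[int, List[str]]:
    """Additive risk score from raw signals; the fraud sub-type is deliberately not an input."""
    score, reasons = 0, []
    if p.payee_account not in prof.known_payees:
        score += 20
        reasons.append("new_payee")
    if p.amount >= 5 * prof.typical_outbound:
        score += 25
        reasons.append("amount_5x_typical")
    cop = cop_check(p.payee_name_entered, p.payee_name_registered)
    if cop == "no_match":
        score += 30
        reasons.append("cop_no_match")
    elif cop == "close":
        score += 10
        reasons.append("cop_close_match")
    if p.new_device:
        score += 10
        reasons.append("new_device")
    if p.coached_session:
        score += 25
        reasons.append("coached_session")
    return score, reasons


def route(p: Payment, prof: AccountProfile, threshold: int = 50) -> str:
    """Release low-risk payments; segment the rest into separate operational queues."""
    score, _ = score_payment(p, prof)
    if score < threshold:
        return "release"
    # Authorised fraud gets its own queue so agents can intervene in the customer dialogue.
    return "authorised_fraud_queue" if p.customer_initiated else "unauthorised_fraud_queue"


def mule_pass_through(events: List[Tuple[int, str, float]], window_hours: int = 24) -> float:
    """Beneficiary-side mule profile for one account.

    events: (hour_offset, 'in' | 'out', amount). Returns the fraction of inbound value
    sent back out within window_hours of the first inbound credit (0.0 if nothing came in).
    """
    inbound = [e for e in events if e[1] == "in"]
    if not inbound:
        return 0.0
    first_in = min(e[0] for e in inbound)
    total_in = sum(e[2] for e in inbound)
    out_in_window = sum(a for t, k, a in events if k == "out" and first_in <= t <= first_in + window_hours)
    return min(out_in_window / total_in, 1.0)


# Constructed sample data: one customer profile and three payments.
PROFILE = AccountProfile("ACC-1", typical_outbound=400.0, known_payees={"PAYEE-KNOWN"})
PAYMENTS = [
    # Customer is talking a "solicitor" through a property payment; COP name does not match.
    Payment("P1", "ACC-1", "PAYEE-NEW-1", "Acme Solicitors Ltd", "J Smith", 45000.0, True, False, True),
    # Routine payment to a known payee.
    Payment("P2", "ACC-1", "PAYEE-KNOWN", "Jane Doe", "Jane Doe", 350.0, True, False, False),
    # Session not initiated by the customer (credential misuse), from an unseen device.
    Payment("P3", "ACC-1", "PAYEE-NEW-2", "Sam Lee", "Sam Lee", 3000.0, False, True, False),
]
# Constructed inbound/outbound events on the receiving account for P1.
MULE_EVENTS = [(0, "in", 45000.0), (2, "out", 20000.0), (5, "out", 24000.0), (40, "out", 1000.0)]


def run_demo() -> dict:
    """Return the queue decision for each sample payment plus the mule pass-through ratio."""
    result = {p.payment_id: route(p, PROFILE) for p in PAYMENTS}
    result["mule_pass_through"] = round(mule_pass_through(MULE_EVENTS), 4)
    return result


if __name__ == "__main__":
    for p in PAYMENTS:
        print(p.payment_id, score_payment(p, PROFILE), route(p, PROFILE))
    print("mule pass-through:", mule_pass_through(MULE_EVENTS))
```

Running the script shows P1 (new payee, five times the usual amount, COP no-match, coached session) landing in the authorised-fraud queue, P2 released, and P3 routed to the unauthorised-fraud queue because the customer did not initiate it; the receiving account for P1 passes about 98 percent of the inbound value out within a day, the profile a beneficiary bank would want to catch. In production the weights would come from models trained on recorded outcomes, which is exactly why the classifier and segmented queues matter: they produce the labelled data those models need.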
A further plank in the strategy is educating customers and staff as to what to look out for, including working together at an industry level. This shouldn’t stop at education; plan also to work with law enforcement and other stakeholders to disrupt and prosecute the attackers.
By creating a strategy that defines, detects and works together across financial services and other stakeholders, we can improve how we defend against this growing fraud attack.