UK Fraud Losses – A Look at 2020 Insights
November 18th, 2020
In September 2020, UK Finance published their half year update on banking and payments fraud in the UK, showing the most recent fraud landscape. As I have for the last couple of years, I’ll draw out some key trends and implications. Before I do, here are some key numbers from the report:
- Total unauthorised fraud down 8 percent over H119 at £374.3M
- Card fraud losses down 8 percent over H119 to £288.2M
- E-commerce fraud static compared to H119 at 183M
- Cards fraud to turnover ratio static at 8.4bps as card spending down 8 percent
- Cheque fraud back down 78 percent (after recent increases) at £6.4M
- Unauthorised Remote Banking fraud up 21 percent on H119 (down on H219)
- Authorised Push Payment Fraud losses flat H119 to H220 after large increasesin recent years.
The gross loss numbers above seem to show a largely reducing loss trend; however, these hide some more interesting figures.
In most areas, the volume of cases is up, often significantly, as is prevented fraud. When the prevented fraud is added to the gross losses, we see that the attack level by value has risen as well as by volume. This means the fraudsters are having to work harder to get the money out as banks are stopping more attempts, earlier.
However, this just goes to show the sheer volume of compromised cards, credentials and identities available to the organised criminal gangs to exploit. This is particularly worrying point as it shows that the current very high level of attack is likely to continue for some time, irrespective of the action’s banks take.
Major Fraud Impacts
Of course, there are two big factors impacting on this year’s figures. First COVID-19 and second, we now have 12 months of data since the Contingent Re-imbursement Model (CRM) for Authorised Push Payment Fraud (APP) came into force.
Starting with COVID-19, there have been a few key impacts. It has clearly provided fraudsters with many new hooks for social engineering scams and for malware. These are then used to obtain card details and online banking credentials to commit unauthorised as well as authorised frauds. People have largely been at home, making some frauds harder, such as those to do with theft of mail, while making some doorstep scams easier.
The lockdown has had a number of impacts, such as increasing use of digital banking channels and making cashing out at the height of lockdown difficult for the fraudsters.
Cheque fraud was down significantly at 78 percent over H119, but is still double the low of H118 before the new image-based clearing cycle came in. The prevention figures, along with case reduction by only 50 percent, show that banks have been better at detecting the frauds as well as a lower attack level, likely caused by COVID. The level of attack may yet increase in H2 as the economy opened up more.
Changing Spending Patterns
There has been a reduced level of spending in the UK, albeit with increases in contactless and e-commerce at the expense of cash and Chip & Pin contact payments. In fact, contactless fraud dropped for the first time, yet the volume of spending was static (albeit up as a percentage of all transactions) leading to a drop in basis points to just 2 bps compared to 8.4 bps overall.
While the e-commerce loss number was static, overall card spending was down significantly in H1 and e-commerce in June 2020 made up 42 percent of the transaction value compared with 30 percent in June 2019. This clearly shows the continuing upward trajectory of e-commerce fraud – it is now up to 82 percent of all card fraud and increasing.
Turning to unauthorised remote banking fraud, we’ve seen losses up 21 percent on H119, while lower than H219. Importantly cases were up 59 percent and preventions up 40 percent. The overall attack level here has risen considerably over both H1 and H2 2019 as shown by value and volume. It’s possible for a further rise in H2 2020 as cashing out will have been easier post lockdown. While both internet and mobile banking fraud have increased, telephony banking fraud has dropped.
Many banks have added voice biometrics to improve their phone security, but due to COVID-19, it has often been very difficult to phone banks. However, phone banking is often still a weak link, as it can be an enabler for other frauds as stolen credentials can be used in the IVR to elicit more information.
Mobile banking losses reflect the increase in usage – one bank reported a tripling of mobile banking sign ups during lockdown.
Looking at APP fraud and the CRM, the fact that we have a static loss number for the first time is encouraging, especially as more firms are now reporting. We’ve also seen Confirmation of Payee (COP) introduced during Q220. Also, as the level of cases is up, more frauds are being detected and stopped earlier. There was also a big increase in refunds to victims reflecting the CRM in place since 28 May 2019.
Shifting Fraud Tactics
It’s worth noting that we are seeing a shift in the types of frauds. Invoice and mandate frauds, where people are tricked into paying a fraudster instead of the firm they meant to pay, have dropped (39 percent by case and 18 percent by value), presumably as both the education campaigns and COP are working.
Impersonation, romance, investment and purchase scams have all increased in either cases, losses or both. These do not rely on COP, and COVID-19 has made it easy for fraudsters to come up with convincing stories, such as investing in vaccines or buying PPE. In fact, with some investment scams, the customer actually phones the fraudster via fraudulent website as they try to find returns in a low interest environment.
Looking across APP & remote banking, the rises in attack level and cases to around 100,000 in just a six month period suggests significant volume of mules. Given that payments often go via several mules before the final cash out, even deduplicating for multiple frauds per account, it is likely the volume of mules is a multiple of the case volume. Given this, it seems there is more to do in preventing and detecting mules.
With all this information, what can banks do to protect their customers and themselves?
The UK stats show that the investments made are working, as in many instances they are reducing the gross loss and average loss per case, albeit some controls just move losses between types.
For e-commerce improved authentication is key, removing reliance on SMS OTPs and more use of biometrics and mobile apps. However, this must be risk based, so advanced analytics will be extremely important.
Improved profiling systems that have more power and greater access to data helps models and profiles across all of a customer’s transactions to make better decisions, including on the level of authentication required.
Further, look to undertake real-time inbound payment profiling as the majority of the non-plastic frauds all involve payments to other bank accounts, often retail domestic accounts. This means KYC and other due diligence needs to increase.
As we move into the final weeks of 2020 and look ahead to 2021, keep these trends and insights in mind as you work to improve your fraud financial crime program.