What are the biggest fraud concerns for FICO’s customers?
Scams are definitely high on the list. There is a continued surge in Authorised Push Payment (APP) scams, advanced social engineering, and pandemic-related fraud.
The level of sophistication present in scams seems to grow at a daily rate and that is always one of our biggest concerns – staying ahead of the criminals. A coordinated approach to managing the authentication of customers will be a strong starting point for any organization, so that they can adapt and adjust as the market changes. To address current fraud concerns, banks need to take this into consideration. There are specific machine learning models designed to detect scam-related activity, and banks should explore those.
How have scams changed since the pandemic started?
Investment and crypto scams saw a big spike and there was a swift rise in vaccine-related scams with an emergence of a black market for the sale of fake vaccine passports. There is certainly a good level of public awareness of scams, but according to our consumer fraud survey, only 6% of customers said they were most concerned about being tricked into sending payments to a fraudster — as compared with 26% who were most concerned with having their stolen identity used to open an account, which is much less likely. This relaxed attitude, in combination with increasingly realistic and creative social engineering and impersonation schemes, is part of the reason why fraudsters continue to succeed in scamming customers.
Authorised push payment fraud is one of the biggest concerns in the digital payments industry. According to UK Finance, APP fraud has, for the first time, surpassed card fraud with £355 million in losses attributed to APP fraud in the first half of 2021.
What is the challenge for banks right now in dealing with APP scams?
APP scams present a unique challenge as they involve tricking the victim into sending money to the fraudster. Despite measures like Confirmation of Payee (CoP) being put in place to stop these fraudulent transactions, the victim will have the final say and can override warnings put in their way. A layered approach is needed to prevent it; multiple tiers of armor are always most effective.
Some improvements in payment technology are actually making it easier for criminals to commit APP fraud. As more consumers and businesses adopt simple ways to send money in real time, the pool of potential victims increases, a trend accelerated by the COVID crisis pushing more people to use online banking. Real-time payments also lower the risk for fraudsters: as money is transferred instantly, fraudsters can move payments through multiple accounts in a process of layering to launder the proceeds of the fraud and make tracing them more difficult.
Criminals are devious and clever, and victims cannot simply be written off as gullible exceptions. As real-time payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.
Maintaining good customer experience by not impacting too many genuine transactions is a growing concern. As banks get better at detecting scams, there is still a very high false positive rate with many genuine customers needing to be disrupted in order to find a single fraud. This is where advanced analytics and particularly a consortium approach are critical aids.
What has your research told you about how different generations think about fraud and scams and the actions they take to avoid them?
We frequently survey consumers across the world to get a sense of their attitudes towards fraud and the security measures implemented to catch it. The results are always interesting and often flag the differences in how age groups approach financial security.
For example, in our most recent survey of 1,000 UK consumers, 55% said they would switch banks if theirs was reported to be involved in a money laundering scandal. The younger age groups would be most eager to swap their financial service provider after a money laundering scandal: 64% of 18 to 24 year-olds would switch, as would 68% of 25 to 34 year-olds.
Those in the Millennials generation – aged 25-34 – appear to be the least impressed with banks’ current approaches to fraud. When asked about account takeover, 19% thought banks were not fair with customers in terms of how they resolved this. And when considering cases of customers being tricked into sending money to fraudsters, 21% of them thought measures were not fair.
How much of an issue is social engineering?
Social engineering is a vital component of a fraudster’s playbook. It is not a new approach for them but is one that can cause devastating results. Fraudsters buy compromised data (credentials, ID documents, personally identifiable information or payment details) and ultimately, they use it to manipulate victims and commit fraud. Sometimes, fraudsters don’t have all of the pieces of the puzzle together, so they often further manipulate systems and customers in order to get the full suite of assets they need to steal.
The complexity of scams and social engineering means that financial institutions have to take a layered approach to prevention and detection. For example, checking device characteristics is useful, but when combined with Confirmation of Payee, transactions analytics, customer profiling and instant messaging services for verification, this is where the layers play extremely well together. When and how fraud prevention solutions are deployed must be balanced with other factors such as customer experience and operational costs. Being dynamic and flexible is key to both creating the necessary balance and evolving at least as fast as the fraudsters can.
Identity authentication isn’t as strong in a scam event as it is in other fraud types. Nearly all fraud events start with a data compromise and with scams it’s no exception. Identifying compromised and vulnerable customers is still very inconsistent across banks, so there is a big opportunity to be more proactive in stopping the scam before it is initiated.
Many banks have incorporated consumer protection into their marketing plans but I would like to see more do it across the industry.
What are the latest scams you are seeing emerging?
Before Open Banking, criminals applied for low-risk accounts using a fake identity in order to start building up their credit file. Over time, they would move into commerce and then onto higher-value targets, hitting them hard.
We believe this approach is finding its way into the Open Banking ecosystem as a faster route to higher-value credit. Having secured low-risk bank accounts and passed the Know Your Customer requirements, criminals are attempting to access new services through Open Banking third-party providers, who offer loan approvals and various other financial and investment services.
We’ve also seen a steady rise in fake videos and audio with targeted content that manipulates and gains access to personal and finance data. As the technology becomes more sophisticated, it’s becoming the new favorite tool in financial crime. For instance, a bank manager in the United Arab Emirates fell victim to a threat actor’s scam, when hackers used AI voice cloning to trick the bank manager into transferring $35 million.
We believe this will become a big challenge for banks in Europe and across the globe as they find themselves increasingly targeted in this way. As those deep fake technologies develop, we will see more innovation and use of a wider variety of biometric technology thrown into the mix.
Why is your financial response plan static against dynamic risk?
By Kev Breen, Director of Cyber Threat Research, Immersive Labs
When it comes to cyber security, there is a grave misconception that financial services are the most secure industry. This perception comes from the massive security budgets that financial organisations tend to have. In fact, the combined BFSI industry leads the line in cybersecurity spending, holding 18.7% of the global security market share.
However, larger budgets don’t always mean better security. This is evident from the number of losses financial organisations suffer each year from successful attacks. In the banking sector alone, the annual cost of cyber-attacks reached $18.3 million per company last year.
Effective security often boils down to strategic elements such as how well organisations are managing risks, what response plans are in place, and how well the workforce is capable of tackling dynamic threats.
We talk to Kev Breen, Director of Cyber Threat Research from Immersive Labs in order to understand the critical issues of human cyber capabilities and threat response plans in today’s financial services industry.
Why does the financial sector continue to be a frequent target of cyber-attacks?
The critical and sensitive nature of this industry makes financial organisations a more lucrative target for threat actors. Ultimately, it’s where the money is. Organisations like commercial banks, investment firms, accounting firms, insurance companies, and brokerage firms hold a lot of sensitive data – not just from individual users, but also from businesses and governments. These companies are a gold mine for attackers, in terms of data.
Also, targeting financial organisations allows threat actors to cause mass-scale disruption. For example, if a banking system is hit by a ransomware or Distributed Denial of Service (DDoS) attack, it will hinder its ability to effectively serve the customers until services are restored – leading to significant financial disruption. These are the key reasons why financial organisations continue to be frequently targeted despite investing heavily in cyber security.
What are the shortcomings of current financial response plans that are leading to this influx of successful attacks?
An effective threat response plan is critical for any organisation. When faced with sophisticated attacks like ransomware, your response plan determines how efficiently the workforce manages the security incident. However, the issue is that most financial response plans are static. They look good on paper but have little effect when the situation comes to be.
Also, organisations often don’t test these plans against real-world scenarios. They are established like a theoretical strategy, without any practical assessment or evidence to support its effectiveness in the face of a real security incident.
For example, in a traditional response plan, potential risks are identified, proposed response plans are outlined and then filed away for use when the incident occurs. However, sophisticated risks like ransomware are dynamic. They don’t always follow the same pattern or same variables. Also, they don’t always target the same files. So, if the response plan is not tried and tested against different scenarios, you can’t ensure that it will hold up when threats break.
Moreover, ransomware attackers are now applying a double extortion method. They don’t just encrypt and lock away your sensitive data but also exfiltrate it – threatening companies to pay up immediately or see it get leaked on public domains.
Another critical issue is that most companies develop their threat response plan with only the IT and security teams in mind. However, threat actors can target any department across your workforce, whether it’s the sales team, marketing team, or general admins. Threats like ransomware need a collective response. Every employee has a role to play.
If the response plan or training programs are just catering to the security teams, other employees won’t have the required knowledge or information to fulfil their responsibilities during an incident.
Therefore, in such an unpredictable threat landscape, businesses can’t rely on a static response plan. Chances are that their pre-determined plans won’t fit the variables of the attack or demand during the crisis. These implications were also evident in our latest research findings.
We found that financial organisations performed second worst in crisis simulation exercises out of 10 industries. In fact, out of the top ten worst decisions during a crisis, five came from financial services organisations. So, it’s safe to assume that most financial organisations lack the human-cyber capabilities to make adaptive and agile decisions when faced with dynamic threats like ransomware.
Why does it take so long for financial organisations to develop the necessary skill to defend against cyber-attacks?
Our research found that financial services organisations need an average of 97 days to develop the skills necessary to defend against critical cyber risks. National cyber security bodies recommend that businesses should not take more than 48 hours in patching vulnerabilities and implementing their response plan after the initial detection. Clearly, there is a major gap in human cyber capabilities for such organisations.
The reason for this gap comes down to the lack of cognitive agility among the workforce. Cognitive agility is the ability to adapt and shift our thought processes when faced with critical scenarios. Organisations need a workforce that can make agile and conscious decisions quickly when faced with diverse threat scenarios.
Cognitive agility inevitably increases the human-cyber capabilities of the entire workforce. Employees can consider the different aspects of an attack and make better decisions, instead of following a scripted response plan that wasn’t developed with a consideration of dynamic risks.
What are the proactive steps financial services organisations can take to develop cognitive agility amongst their workforce?
To build cognitive agility among the workforce, financial organisations need to prioritise a cadence of exercising. Simply launching training programs isn’t enough; they need to focus on scenario-driven simulations and test exercises. The aim is to build an entire workforce that can function as adaptable incident responders, who can think on their feet, and effectively react to the situation in front of them.
That’s why scenario-driven exercises are critical. You’re not teaching people to respond to a specific crisis, but rather helping them develop critical thinking and decision-making skills.
It’s also important to consider how you are distributing such exercises across the entire organisation. Financial companies tend to have a very diverse workforce, with multiple different departments and multiple roles. Employees of each department have different skills and knowledge levels. Some might already have a great knowledge of the security domain, while some might be very new. So, making everyone go through the same level of exercises won’t get you the desired benefits.
This is where Cyber Workforce Resilience becomes significantly useful. It’s a robust model that allows companies to benchmark their current human-cyber capabilities, measure the knowledge, skills, and judgement of the current workforce, and prioritise exercises where they’re needed. Cyber Workforce Resilience helps to map human capability within the workforce and generate data/insights to produce a real-time picture of the organisation’s cyber resilience.
Benchmarking current knowledge, mapping out human abilities, and regularly exercising capabilities based on different scenarios will help build a resilient and agile crisis response team, who are always ready to take effective decisions – regardless of how dynamic the risks are.
Interview with Devin de Vries, founder and CEO at WhereIsMyTransport
- Where did the idea for WhereIsMyTransport come from?
At WhereIsMyTransport, we are working to ensure that better data and technology benefits people living and working in emerging markets, and creates opportunities from improved understanding. But the idea for WhereIsMyTransport came when I was a student. At the time, I was challenged to take on a real world problem using technology. I felt then, as I do now, that the strongest potential for growth and impact was in public transportation. Urban mobility is to people what blood flow is to our bodies, it’s vital. We want people to be able to use information that they can rely on to access the things that enrich their lives.
- Can you tell us about your role and responsibilities?
As the CEO and co-founder of WhereIsMyTransport, I am responsible for the company’s vision and strategy. Under my leadership WhereIsMyTransport has grown from a two-person team to a 130-person company with employees around the globe. As the person at the helm, I am also responsible for driving its vision of bringing the benefits of high-quality data and technological innovation to people living and working in emerging markets.
- What has been your highlight in your current role?
There have been a number of highlights over the years. Perhaps the biggest, however, comes from building and leading a globally remote team that is united by turning a vision into reality. We’re taking on what many people would perceive to be an impossible task of making the invisible, visible. Witnessing our determination as a business grow into global impact – a data offering across 50 cities and counting, numerous client successes, and a consumer product helping communities of public transport users has been incredibly fulfilling.
- What is your leadership style?
As the company has evolved, so has my leadership style. In the early days, I was hands-on and very involved in every project. I believe I’m someone who believes in people’s potential, so as the company’s grown, I’ve learned to let go more and more and trust the incredibly talented team we’ve built up over the years. One thing that hasn’t changed about my leadership style is the infectious enthusiasm I’ve tried to impart. This is especially true when it comes to the Majority World’s potential to hold the world’s next great creative solutions.
- What makes a hyperlocal market understanding an enabler for global growth, and what have you implemented in the company to make this happen?
At WhereIsMyTransport, our expertise in producing accurate mobility and location data, on the ground in markets that remain unfamiliar to many, means our clients can establish new opportunities, and generate actionable insights, in high-growth regions. To better understand the impact that a hyperlocal market understanding can have, it’s worth looking at the benefits it can have for individual businesses. Retailers, for example, can use reliable mobility and location data to ensure that their delivery drivers always use the most efficient routes, as well as planning store locations so that they’re always as close as possible to where their future customers go. With that kind of information, they can focus on growth immediately and avoid expensive mistakes held back by lack of data. The same is true for companies of all sizes in all verticals as well as governments and municipal organisations.
- What is the role of location data for understanding emerging markets and how has your team ensured it is possible?
At WhereIsMyTransport, we’ve built our name on producing reliable public transport network data from every mode, however it operates. But more recently we’ve expanded our offering to include location data, so points of interest like retailers, food sellers, and the indoor mapping of pathways and levels at public transport exchanges that are so critical for connections and the first and last mile. Location data like this is critical for improving understanding. Emerging markets are expected to experience greater economic growth than developed markets between now and 2030, but we also know that the informal economy is sizable in these markets. 90% of WhereIsMyTransport’s POIs aren’t available from other location data providers, meaning it’s possible for clients to leverage this unmatched insight into the truth of these high-growth markets. How do we do it? Our approach combines cutting-edge tech with localised processes. We hire teams of local people to map and collate data like bus stops, shops, wifi points, and so on. Our team is trained in their roles and the technologies we use before beginning work in the field. And we remain active after our initial data collection, updating data sets to ensure our offering reflects the ground truth.
- In terms of the company, what are some of the global mobility and urban development megatrends and how might they happen in emerging markets?
As a company, the global mobility megatrends we’re most excited about are all underpinned by what we call “infostructure”. This can be understood as the layer of information that forms the foundation for a well-functioning, modern city. Commuters and businesses in many European, North American, and some Asian cities take this for granted, benefiting from easy access to reliable data. The decentralised nature of public transport in emerging-market cities, however, means the infostructure opportunity has not been well harnessed to date. But the increasing ubiquity of smartphones in these markets means that it’s becoming possible to build this layer in a way that works for them. There is new potential to reach people in innovative ways and, more immediately, for our own data production methods which are partly undertaken using our purpose-built mobile phone application.