May 1 • 2023
The scourge of scams – what more is required to defeat the fraudsters?
Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.
Written by Rob Tharle, Head of Product
Authorised fraud, also known as scams, is now the prevailing type of fraud in many countries, and the sums are huge. Just look at the recent FBI IC3 Internet Crimes Report for the US; we see similar trends everywhere, for example in the UK and Australia.
What the figures show, though, is the clear need for joint strategies to combat this threat, with governments and regulators involved across the whole fraud chain, not just targeting one area alone.
This is the first part of a two-part blog. Part 1 covers the elements of the fraud chain outside banking and payments, some of the counterpoints to the UK’s move to refund victims of scams, and what is required to help bring about a reduction in scams and their impacts.
Part 2 will provide an overview of the recent UK parliamentary and government reviews of economic crime and fraud, including whether it goes far enough.
Where are the gaps that are being exploited?
The UK has significant levels of fraud against consumers, firms and government agencies, and this is reflected globally. Increasingly, fraudsters use social engineering to get victims to authorise transactions themselves.
Many countries are taking steps to curb this, with the UK a leader in incentivising banks, particularly beneficiary banks, to do more to detect and prevent fraud and money laundering. Other countries are taking different approaches, such as targeting scam texts, as Australia has done.
However, the actual payment away is often just the last part of the fraud, although investment scams with financial grooming can be drawn out with multiple payments over a long period of time. The frauds actually start much earlier and away from the bank or payments firms.
There are a number of platforms and other industries that help enable the success of these social engineering scams and frauds, for example:
- Abuse of telcos – such as spoofing of numbers, scam messages and SIM Swaps
- Social Media and job site platforms are used to recruit the mules that move the proceeds of fraud and scams
- Fraudsters use dating apps to target people in Romance Scams and financial grooming
- Abuse of advertising firms and platforms to lure people into investment scams
Not to mention the slew of data compromises from all sorts of firms that are the start of so many of these scams. All of these are well removed from the actual payments systems of banks.
Governments, too, must do more to prevent frauds, especially in terms of national registers and identity. The abuse of the UK’s Companies House, for instance, can help bring legitimacy to many frauds, due to weak controls on company set-up.
The UK government is set to improve this under the forthcoming Economic Crime Bill as part of the Economic Crime Plan published last month.
What’s required to close these gaps? – Why it’s more than just banks?
So far, the UK has gone down the route of assigning liability to banks, with no direct action on any other players bar some blocking of technical gaps at telcos. The UK’s PSR has consulted on bringing in 100% refunds to victims from the paying bank, who then get 50% from the beneficiary bank. This provides plenty of incentives for banks, especially beneficiaries, to invest in prevention and detection throughout the customer life cycle.
However, this has its many detractors globally, including the banks themselves. It is not difficult to see the argument: why should banks take the hit for these scams when there are so many other players involved, and when, if it happened with a cash transaction, they would likely not have the liability? Realistically, this also leads to increasing costs for all banking customers to pay for the refunds and/or the investment required to prevent them.
Building on this argument is moral hazard. If the customer has no liability, why would they choose to take any precautions at all? Will the UK become even more attractive to fraudsters because of refunds? Further, there could be an increase in first- and second-party fraud: you claim you have fallen for a scam, get a refund and then share the fraudulent refund.
There are, however, counterpoints to this. Firstly, the financial services industry across the globe has invested in efficient real-time payments, yet the benefits are at risk due to a lack of trust caused by the scams and the lack of refunds.
We have yet to see any evidence of moral hazard in the UK data over the last few years that the Contingent Reimbursement Model (CRM) has been in place. Consumers, businesses, and governments are falling for scams in large numbers; we are at the point that anyone could fall for them at any time. And consumers do take steps to protect themselves, yet are hampered by data compromises caused by many companies.
In terms of abuse of refunds, this risk already exists to a large extent with traditional unauthorised frauds. Yes, there need to be controls to stop abuse; however, this is not a reason not to help victims.
It is also important to remember where the money goes once the scam has happened. Firstly, it will go to a mule account or wallet, which is often (and if in fiat, always) an account at a regulated financial institution, before either being cashed out or, more likely, passing through a number of other mule accounts and/or crypto before its final destination. That destination is organised criminal gangs. We have to remember the bad things that they do with this money. It is not just used to buy an expensive car.
So, what else is required to ensure a reduction in the amount of funds getting into the criminals’ hands, and increased asset recovery when it does? This requires the right strategies, regulations and investments across whole areas. Yes, banks, especially beneficiary banks, can and should do more.
However, as well as incentives for banks, crypto exchanges and other payments firms to invest, incentives are required for the other elements in the fraud chain.
The other players need to have some skin in the game. We cannot let firms profit where the real costs of these services are externalised.
Some countries require telcos to do more on scam calls and texts, which is welcome, but we need some penalties for enabling or turning a blind eye to abuses here too, if there are insufficient controls in place.
This also goes for other firms in terms of hosting services, advertising platforms, social media and other platforms. They need incentives to put the right controls in place to stem the abuse, and to share intelligence that all parts of the chain can use to increase detection and prevention.
These incentives should also apply to law enforcement: to have the correct tools and resources to disrupt and enforce against these gangs, and for appropriate asset seizures and repatriation or harm reduction.
Finally, there is a need for greater intelligence upstream of the frauds, which can be achieved by the use of greater data sharing across many participants.
In all, lots of work to do across government and private enterprise to improve matters. The second part of this blog will look at what the UK’s plan of attack is, and if this is enough.