Fraud has quickly become a multi-billion dollar problem for the banking and finance industry. A report by The Association of Certified Fraud Examiners (ACFE, 2018) found that organizations lose approximately 5% of their annual revenues to fraud. To put this in perspective, according to a business insider article (2019) the top five banks in the world reported revenues of just over $1300 trillion, this would equate to over $65 billion in fraud losses for these companies alone. The emergence of fast fraud, which is where cybercriminals exploit weaknesses in digital fraud prevention systems to steal customer assets, is a major contributor to the fraud losses banks experience daily.
With technology driving a rise in new channel offerings and user interfaces to improve customer experience, new threats are challenging how banks fight fraud in this digital banking era. Cybercriminals are using an array of strategies and tactics to exploit banks and trap their consumers into unwillingly giving up their assets. A significant increase in digital transactions has also created an attractive environment for fraudsters who look to hide their illicit activities within millions of transactions occurring every day. These developments mean that organizations may be obliged to proactively use advanced and competent technology to win the fight against fraud.
A report by Experian (2019) indicates that 55% of businesses reported an increase in loss online related to fraud in 2018, predominantly around account origination and account takeover attacks, particularly damaging to brand reputation.
The 2019 KPMG Global Fraud Survey highlights three fraud typologies that are increasing across all regions from the Middle East to North America. These are online scams, card not present (CNP), and cyber/online fraud. According to the report, less than 25% of fraud losses are recovered, showing how critical it is for banks to effectively detect and prevent fraud from occurring across all channels. Let’s take a closer look at these three identified fraud typologies.
Online scams are nothing new in the fraud world and have been around pretty much since the internet started. Some online scams like phishing and the Nigerian prince scam have been around for decades, the more the internet continues to expand the more online scams grow. Phishing scams are now the top threat to the banking industry as criminal schemes continue to become much more sophisticated in appearing like legit messages from reputable businesses.
According to Avanan’s phishing statistics, 83% of people received phishing attacks worldwide in 2018, and 1 in every 99 emails is a phishing attack. Almost 30% of phishing emails make it past default security, these statistics indicate the serious danger of online scams. Additionally, a recent report by TechRadar (2019) found a staggering 3.4 billion phishing emails are sent each day. With phishing scams on the rise globally, consumers everywhere must be diligent to not provide fraudsters with sensitive data which can turn them into fraud victims.
Moreover, the Nigerian prince scam is a long-running internet fraud which still rakes in an estimated $700,000 per year even though the scam is well-known all across the globe. It consists of fraudsters sending messages posing as some sort of African royalty who needs assistance in accessing their immense fortunes. The scam requests users to either send payment or their bank account information to transfer the funds out of the country for ‘safekeeping’. This results in a loss of funds or even worse the draining of a victim’s bank account by the unknown criminals.
Card Not Present (CNP)
Card Not Present (CNP) refers to digital payments which are made where a card is not required to be physically used for a purchase. The most common forms of CNP transactions are online, mobile, and telephone payments. A Nilson Report found that by 2022 fraud losses related to payment cards will total $34.66 billion, an increase of 43% from 2017. Moreover, a report by the European Central Bank (2018) indicated that in 2016 73% of the value of card fraud resulted from CNP payments. Since a physical card is taken out of the transaction process, this presents an attractive and lucrative opportunity for fraudsters. CNP is all about convenience for consumers but is also creating massive fraud losses globally.
Banks are struggling with keeping up with the amount of CNP transactions occurring daily, a problem that will only be compounded as more and more transactions are made digitally versus in-person. According to Accenture (2018), the US is currently facing a significant increase in CNP fraud due to the EMV rollout (Europay, MasterCard and Visa). They also recommend certain practices for an effective fraud prevention approach which include an operating model created by design for fraud management, authentication that is customer-centric and multi- factor and an omnichannel investment in fraud detection.
According to the 2019 European Fraud Report – Payments Industry Challenges the UK and France continue to experience higher card fraud losses, mainly from CNP fraud on internet purchases, When CNP fraud occurs, it is banks and merchants who are stuck with the costs, a problem that directly impacts the bottom lines of both.
The FBI defines online fraud as the use of Internet services or software with internet access to defraud victims or to otherwise take advantage of them. With billions of people worldwide using the internet daily, cybercriminals see a massive market for illicit activities. The most common types of cyber fraud include business email compromise (BEC), data breaches, malware, phishing, and ransomware. The European Cybersecurity Month 2018 Deployment Report published in January 2019, refers to the following 7 most common online financial frauds:
CEO fraud: fraudsters pretend to be a CEO and tricking customers into paying a fake invoice or making an unauthorized transfer out of the business account.
Invoice fraud: they pretend to be a client or supplier and trick customers into paying invoices into a different bank account.
Phishing/Smishing/Vishing: they call, send a text message or an email to customers to get them to share their personal, financial or security information.
Spoofed bank website fraud: they use phishing emails with a link to the spoofed website, with the aim to collect financial and personal information.
Romance scam: they pretend to be interested in a romantic relationship, using online dating websites and social media.
Personal data theft: they get personal information via social media channels.
Investment and online shopping scams: they present fake online offers or make them believe in a smart investment which seem of great benefit.
Typical methods used for fraud facilitation include malicious software, which can be infiltrated onto a device. According to CISCO, Malware is intrusive software, which can perform damage and possibly destroy computers and their systems.
Malware is a contraction for “malicious software”. Examples of common malware includes viruses, Trojan viruses, and ransomware. Ransomware is a major threat for banks, a ransomware incidents increased by 20% of these attacks can potentially target financial institutions. Ransomware attacks can hold banking software hostage, most commonly through cryptocurrency transactions. The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as malicious software which denies access to a computer system or data until a ransom is paid. Ransomware can develop through phishing emails or by visiting an infected website.
Technology is a silver lining for the banking industry. It has truly transformed the way people bank whether it be from their smartphone or on a tablet. However, this added convenience has also brought great challenges, therefore banking teams must be prepared to address them efficiently in real-time.
Fraudsters will always discover sophisticated ways to steal assets from unsuspecting customers, it is up to banks and customers to protect themselves from these illicit attacks. The development and increase of new channels mean opportunities for fraudsters and we may not be able to win the war against fraud, but we can make sure we are thoroughly prepared to predict and deter fraudulent activity from negatively impacting, not only the assets of consumers, but those of the organization’s and their brand reputation.