
Cyber Security

Banks Have a Better Grip on Online Fraud, but the Threats Persist

Digitization brings both opportunity and vulnerability. Beware social engineering and email compromise.

Friday, August 11, 2023

By Jimmy Fong


Let’s start with the good news. Fresh data shows that 65% of companies experienced fraud in 2023. That’s the lowest the figure has been since 2014.

That is largely supported by the fact that 45% of all U.S. financial services companies reported they had fully integrated digital fraud prevention solutions in 2022, up from 28% in 2020.

Indeed, in 2022, the fintech industry really started to get to grips with the issue of online fraud. It has become vigilant to the threat that bad actors pose and is taking steps to combat it.

However, the threat isn’t retreating any time soon. While digital transformation is aiding that fight, this digitization also means more bad actors are innovating their approach. According to the data, 71% of financial institutions reported a security breach from business email compromise (BEC) last year.

Fraudsters exploit “new attack vectors,” says SEON’s Jimmy Fong.

As the world turns increasingly towards fully-digitized banking experiences, fraudsters aren’t wasting time hanging around the legacy brick-and-mortar banks with the aim to commit traditional scams. They have adopted “digital picks” to crack the new electronic locks. These locks appear when accessing, buying and exchanging money online, and criminals are always developing new ways to go about circumventing them.

“Tools to Fight Back”

Speaking on the 2003 SEON fraud report, SEON co-founder and CEO Tamas Kadar commented: “It’s been an interesting year for the banking sector, but despite a few bumps in the road there’s clear evidence the industry is moving in the right direction. However, to ensure this momentum can be sustained, those working within traditional banks, as well as neobanks, must be highly vigilant about the growing risks associated with fraud.

“If this doesn’t happen, institutions risk monetary and reputational damage because of fraud and fincrime. Thankfully, as well as compiling an index of today’s fraud pain points, companies like SEON are on hand to provide the banking and neobanking sectors with new tools to fight back against the fraudsters.”

Trends for 2023

Of all the sea changes the banking world is experiencing, the shift towards digitization is certainly the most important when it comes to predicting fraud patterns.

When banks and money services cast this much larger net over a previously underbanked population – and normalize a purely digital experience in doing so – they create new attack vectors for fraudsters, as well as new techniques to exploit. Holistically, those new vectors and techniques can be characterized as fraudsters either: (1) fully submerging themselves in digital, or (2) fully committing to analog.

Exemplifying these two angles of attack, the JPMorgan AFP Payments Fraud and Control Survey showed that, on the digital side, card-related fraud types rose by an alarming 10% in 2022, even as businesses overall reported lower volumes of online fraud.

The report’s latest key findings also highlighted four key areas that banks need to be wary of:

  • Business email compromise (BEC) remains prevalent, and remains a huge security flaw.
  • There has been an increase in social engineering scams that lead to BEC and authorized push payment (APP) fraud.
  • There is a continuing problem of flawed account-opening processes.
  • Buy Now Pay Later (BNPL) still offers a unique identity validation challenge to banking institutions.

By prioritizing advanced security measures, enhancing email security protocols, combating social engineering scams, optimizing account-opening processes and overcoming the unique challenges posed by BNPL, banks can stay ahead of fraudsters and safeguard their customers’ financial well-being with unwavering confidence.

Persistence of Low-Tech Scams

Attackers are looking for new channels with fewer safeguards. Low-tech scams – relying on con artistry and phishing techniques – are on the rise, and the resulting BEC and APP fraud can be damaging in ways that go beyond simple revenue losses.

Though broadly referred to as email compromise, BEC can arrive through many media, but the end result is work-related login credentials becoming exposed and exploited. Depending on the level of access granted to a criminal with those credentials, the worst-case scenarios could all become realities: sensitive-data leaks, misappropriation of funds and snowballing phishing sent from high-level email addresses.

APP Fraud via Phishing

The headline figure here is that 75% of lenders’ fraud losses were related to consumer phishing. The comparable figure for “other financial services” – including non-lending banks, fintechs, brokers and exchange marketplaces – was 66%. Authorized push payments are those made from a customer account which, from the institution’s perspective, are authorized by virtue of having been made with the correct security details.

They are more common in e-commerce when it comes to unauthorized purchases, but when they occur in banks, the fact that only money is moving can cause even greater fallout for the institution due to regulations that it must adhere to.

In general, APP fraud is harder to catch, as the fraudster will have the correct username and password combination.

Higher-Tech Scams

While some fraudsters take to the ground level to scam away their illicit money, others choose to fly over the technology. More fintechs and banks are doing a better job of not only implementing, but also investing resources into, better fraud detection software.

SEON’s own data found that scaled fraudsters – who might be in organized rings or using bots to push out thousands of stolen credentials – hit a ceiling when attempting to circumvent modern fraud prevention tools. At a certain point, it is no longer cost- and time-effective for a fraudster to invest the time and energy needed to beat cybersecurity approaches like device fingerprinting and password hashes.

Similarly, legacy digital security implementations like one-time passwords (OTP) or two-factor authentication (2FA) sent over text messages were previously seen by many as foolproof. Then they were just “good enough.” Now they are looking positively outdated, with some independent security analysts downgrading banks that rely on those methods, which have been proven fallible in the face of highly sophisticated ploys like SIM swapping and man-in-the-middle attacks.

Fraudsters not willing to take to the streets to carry out their crimes have to find a way to get themselves over these hurdles in order to pick the best, highest-hanging fruits.

Future Fraud Avoidance

Scrutinizing digital identity markers has always been part of best-practice fraud prevention; now more than ever, it is paramount for robust cybersecurity.

Fraud pain points commonly reported by banks and financial services in the past year can be largely addressed by implementing and investing across the following four key areas:

  • Create layers of protection. Complete digital footprint analysis early on in the customer journey, even before account creation or onboarding, easily blocks customers who attempt to use stolen, synthetic or fake identities, including fraudsters armed with legitimate personal credentials stolen via phishing scams. In the face of APP and BEC threats, however, this is obviously not enough, as these kinds of scams will be exploiting accounts that have gone past the onboarding stage. Allowing fincrime and fraud prevention software and anti-money laundering checks to create touchpoints at different stages across the customer experience will result in a better win rate when it comes to preventing costly phishing scams risking huge reputational and regulatory damages.
  • Monitor device risk. As more customers turn to mobile apps for their financial services, businesses should be increasingly leaning on device fingerprinting to remove as much anonymity from the mobile space as possible. Generally, device configurations are individualized enough to be nearly unique, as well as a strong indicator that a user is the same across multiple journeys. This will mitigate the damage done by synthetic ID fraudsters, business email compromises and APP fraud.
  • Automation. Adoption of a fully automatable fraud management platform is crucial. Not only does it cut down on human resources devoted to the fraud detection process, but automated solutions can also introduce less friction, as they find more useful data that is impossible for a human counterpart to discover – at least within a matter of seconds. BNPL providers that want to optimize the customer experience for minimal friction should certainly be automating their risk assessment. This way, identity attributes that aren’t obvious to the naked eye can be detected, and those determinations can then inform the overall risk score, manually defined and supported by machine learning.
  • Education and awareness. Employees throughout the corporate infrastructure should have regular training and awareness of the fraud scams of the day. Software cannot be installed to detect every possible instance of social engineering, however low-tech this method tends to be.
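
To make the first three of these areas concrete, here is an added, constructed example of a layered risk scorer in Python. It is not SEON’s code or any product’s logic. It runs digital-footprint checks before onboarding, a device-fingerprint check at login and behavioural checks at the moment an authorized push payment is initiated, then sums the points from every touchpoint into one explainable decision. The attribute set used for the fingerprint, the point weights, the thresholds, the disposable-domain list and the sample customer are all illustrative assumptions.

```python
"""Constructed example of a layered, explainable fraud-risk scorer.
Not SEON's code: signal names, weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Customer:
    home_country: str
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    typical_payment: float = 0.0  # rolling average of past transfers


def device_fingerprint(attrs: dict) -> str:
    """Hash a canonical rendering of device attributes into a stable id.
    Real fingerprinting combines far more signals; this set is an assumption."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}  # constructed list


def score_onboarding(email: str, email_age_days: int, linked_profiles: int) -> list:
    """Digital-footprint checks run before an account exists.
    Every scorer returns (reason, points) pairs so decisions stay auditable."""
    reasons = []
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        reasons.append(("disposable email domain", 40))
    if email_age_days < 30:
        reasons.append(("email address younger than 30 days", 20))
    if linked_profiles == 0:
        reasons.append(("no online presence linked to the email", 15))
    return reasons


def score_login(customer: Customer, device_attrs: dict, ip_country: str) -> list:
    """Device and geography checks at authentication time."""
    reasons = []
    if device_fingerprint(device_attrs) not in customer.known_devices:
        reasons.append(("unrecognized device fingerprint", 30))
    if ip_country != customer.home_country:
        reasons.append(("login country differs from home country", 20))
    return reasons


def score_payment(customer: Customer, payee: str, amount: float,
                  minutes_since_login: int, device_attrs: dict) -> list:
    """Behavioural checks when an authorized push payment is initiated.
    These fire even though the session holds valid credentials."""
    reasons = []
    if payee not in customer.known_payees:
        reasons.append(("first payment to this payee", 25))
    if customer.typical_payment and amount > 3 * customer.typical_payment:
        reasons.append(("amount more than 3x the customer's typical transfer", 25))
    new_device = device_fingerprint(device_attrs) not in customer.known_devices
    if new_device and minutes_since_login < 5:
        reasons.append(("transfer within minutes of login on a new device", 15))
    return reasons


def decide(reasons: list) -> tuple:
    """Sum the points from every touchpoint so far into one decision."""
    total = sum(points for _, points in reasons)
    if total >= 60:
        return "hold_for_review", total
    if total >= 30:
        return "step_up_auth", total
    return "allow", total


# Constructed sample data: one customer with one enrolled device and one payee.
KNOWN_DEVICE = {"ua": "Mozilla/5.0 (iPhone)", "screen": "390x844",
                "tz": "America/New_York", "lang": "en-US"}
NEW_DEVICE = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
              "tz": "Europe/Bucharest", "lang": "en-US"}
SAMPLE_CUSTOMER = Customer(home_country="US",
                           known_devices={device_fingerprint(KNOWN_DEVICE)},
                           known_payees={"landlord"}, typical_payment=1200.0)


def run_scenarios() -> dict:
    """Score three constructed journeys and return the decision for each."""
    c = SAMPLE_CUSTOMER
    routine = score_login(c, KNOWN_DEVICE, "US") + score_payment(
        c, "landlord", 1250.0, 30, KNOWN_DEVICE)
    # Valid credentials, but a new device, a first-time payee, 5x the usual
    # amount and a transfer two minutes after login: the APP-fraud pattern.
    app_pattern = score_login(c, NEW_DEVICE, "US") + score_payment(
        c, "crypto-exchange-ltd", 6000.0, 2, NEW_DEVICE)
    synthetic = score_onboarding("x@mailinator.com", 3, 0)
    return {"routine": decide(routine), "app_pattern": decide(app_pattern),
            "synthetic_signup": decide(synthetic)}


if __name__ == "__main__":
    for name, (action, total) in run_scenarios().items():
        print(f"{name:>17}: {action} ({total} points)")
```

The point the list makes about APP fraud is visible in the second scenario: the login carries valid credentials and on its own only earns a step-up challenge, yet once the payment-time signals are added to the same running total (new device, first-time payee, an amount far above the customer’s norm, minutes after login) the transfer is held for review. Keeping each check as a labelled reason rather than a single opaque number is what lets an analyst, or a later machine-learning model, see which layer caught the case.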

From executives to entry-level staff, anyone with credentials to access sensitive internal data should know things like basic password security, including, of course, the main tenet: Don’t give your password to anyone.


Jimmy Fong is chief commercial officer of fraud-prevention solutions company SEON, which has prevented over €160 billion in fraudulent activities while working with more than 5,000 companies. Three previous fraud and payments start-ups that Fong was involved in were acquired by Visa, Ingenico and American Express. The above article draws from data in SEON’s latest Global Banking Fraud Index.





© 2024 Global Association of Risk Professionals