First of all, we think that fraudsters will exploit weaknesses in a more widespread set of organisations and not just the large banks and financial institutions. This is already true to an extent, but as more organisations enter and grow within the marketplace this makes them more susceptible to attack. If those organisations have not invested in people, process and technology to the same degree as traditional targets and if anti-fraud capability has not been thought of from the outset then they could be hit.
Also, we need to consider that as more protection is added this will mean a shift back to telephony and/or branch. There is a view that fraudsters enjoy anonymity which the internet provides and would not entertain risking being identified and caught. This might be true but what could be more likely is that fraudsters will employ the vulnerable (students, immigrants, mules, etc.) as part of this process. Telephony itself still provides a certain degree of anonymity and also allows a fraudster to use social engineering, voice morphing and ‘voice deepfake’ to access accounts or make applications. Will we start to see more automated deepfake bots that engage with non-UK based call centres who may not understand subtle nuances of the English language and social cues?
It’s not just application fraud or account takeover, but also online transactions which come under the scope of Payment Services Directive 2 (PSD2) and Strong Customer Authentication (SCA). These are customer-initiated online payments where both the bank and merchant are in the European Union (EU). There are a few scenarios where fraudsters could avoid SCA and impact (for example, transacting without device information being collected):
- Shift to telephone-based transactions – online retailers that also have a call centre should expect an increase in fraud attempts and social engineering
- Use of non-EU based merchants and non-EU based banks – potential decrease for EU but increase elsewhere
- Increased use of non-EU cards (although already likely to be part of existing anti-fraud measures)
- Merchant onboarding/collusion – there are a few areas here and some which are likely to be part of existing fraud measures but should still be considered
- Increase in fraudulent non-EU merchants being created
- Manipulation of low risk and recurring payment exemption processes (for example, the first genuine transaction being SCA authenticated, then the compromised merchant making several identical payments)
- Similar to above – merchant-initiated transactions where the first transaction comes under scrutiny but following ones do not
- Increase in fraudulent merchant onboarding and point of sale terminals – for example, the ability to create a cloned, compromised card and use this with a point of sale terminal instead of online
- Increase in merchant mule events
- Decrease in card compromise events and increase in card acquisition (impersonation, mule or synthetic ID) – SCA is irrelevant here as the fraudster has possession of the card, customer details and device
- Increase in malware, man-in-the-middle style attacks on the cardholder
Open Banking also looks at the digitisation and automatic classification of bank statements. One of the benefits of this approach is that it can reduce the manual effort involved in checking the validity of bank statements and income. While there is a benefit to this it can potentially make it much easier for fraudsters to manipulate the system and inflate income. A common scenario would be in secured lending where the applicant has a source of money which needs to be used for income but cannot be ‘on-book’. Or wishes to borrow more than they should be entitled to and therefore needs to increase income.
Both of these scenarios might involve a friendly person or organisation increasing the income for a certain period of time for the applicant through their personal relationships (and this being paid back in other means or held elsewhere). Or could involve the applicant siphoning money to a third party that claims to be their employer to provide a regular income. By looking at transaction data or statements alone representing a short point in time this might mean small details are missed. But also, should organisations be looking much more into the organisations stated by applicants as their employment? For example, has the applicant claimed to have worked for an organisation for five years but it was only incorporated three months ago? Is their £80,000 salary supported by the income of the organisation declared through accounts? Are the sources of funds for income personal bank accounts?
Regardless of whether fraudsters change behaviour in the face of digital measures or target the weaker organisations, the risk still needs to be managed appropriately.
For my latest blogs on current identity and fraud market issues and challenges please click here.