WEBVTT

1
00:00:00.510 --> 00:00:02.760
Suparna Goswami: Hello there, I'm Suparna Goswami with

2
00:00:02.760 --> 00:00:06.420
Information Security Media Group. Authorized payment scams,

3
00:00:06.450 --> 00:00:09.720
especially Zelle scams, are rising at an alarming rate.

4
00:00:09.900 --> 00:00:12.900
Victims who fall prey to cryptocurrency scams, online

5
00:00:12.900 --> 00:00:16.260
romances and other schemes are losing billions of dollars.

6
00:00:16.440 --> 00:00:19.170
Meanwhile, banking regulators and lawmakers are putting

7
00:00:19.170 --> 00:00:22.260
pressure on financial institutions to do more to

8
00:00:22.260 --> 00:00:25.560
protect their customers. Information Security Media Group

9
00:00:25.560 --> 00:00:29.040
spoke to bankers and fraud experts about the challenges of

10
00:00:29.040 --> 00:00:32.160
detecting these types of scams and how technology can help

11
00:00:32.250 --> 00:00:33.180
solve the problem.

12
00:00:33.720 --> 00:00:35.670
Ian Mitchell: I really just encourage both financial

13
00:00:35.670 --> 00:00:38.820
institutions and service and solution providers to think

14
00:00:38.820 --> 00:00:42.570
about this first-party fraud and scams problem and think about

15
00:00:42.570 --> 00:00:46.890
how your solution, your service can actually help financial

16
00:00:46.890 --> 00:00:50.640
institutions protect their customers from being duped. We

17
00:00:50.640 --> 00:00:54.270
owe that to our customers. They truly are the weakest link, not

18
00:00:54.270 --> 00:00:59.160
because they're for lack of a better word, they're not

19
00:00:59.160 --> 00:01:03.240
equipped there. These scams are targeting all ages, all

20
00:01:03.240 --> 00:01:08.460
socioeconomic demographics, the smartest in everything. They're

21
00:01:08.460 --> 00:01:09.210
attacking everyone.

22
00:01:10.110 --> 00:01:12.210
Suparna Goswami: The big challenge of authorized payment

23
00:01:12.210 --> 00:01:15.000
fraud is that customers are signing owners themselves and

24
00:01:15.000 --> 00:01:18.180
transferring directly to the criminals. For the most part,

25
00:01:18.240 --> 00:01:21.240
banks and Zelle have not reimbursed customers for these

26
00:01:21.240 --> 00:01:24.960
types of scams, even though they do reimburse customers for other

27
00:01:24.960 --> 00:01:28.770
types of fraud. But that may be changing. In December, seven

28
00:01:28.800 --> 00:01:32.070
U.S. banks and Zelle indicated that they will change the policy

29
00:01:32.130 --> 00:01:34.410
for certain types of authorized payment fraud.

30
00:01:34.830 --> 00:01:37.080
David Pollino: Financial institutions will figure it out.

31
00:01:37.080 --> 00:01:41.400
And they will manage it down to such a way that it's a minimal

32
00:01:41.400 --> 00:01:44.940
inconvenience to them on their bottom line, and customers will

33
00:01:44.940 --> 00:01:48.900
feel safe utilizing those mechanisms. Might take some

34
00:01:48.900 --> 00:01:52.470
time, might even take a name change, who knows if Zelle

35
00:01:52.470 --> 00:01:59.940
doesn't get a handle on it soon, Zelle might become synonymous

36
00:01:59.940 --> 00:02:03.360
with fraud. I hope we don't get to that point because it really

37
00:02:03.360 --> 00:02:07.170
is a cool product. It's good for customers, it's good for

38
00:02:07.290 --> 00:02:11.430
financial institutions, as far as a low cost mechanism to

39
00:02:11.430 --> 00:02:14.640
transact. We just need to make sure that we understand the

40
00:02:14.670 --> 00:02:18.450
operating rules and give customers the ability if they

41
00:02:18.450 --> 00:02:22.770
are a victim of a scam to do something about it.

42
00:02:23.890 --> 00:02:25.630
Suparna Goswami: With banks looking to take on more

43
00:02:25.630 --> 00:02:29.410
liability for authorized payment scams, fraud experts expect

44
00:02:29.440 --> 00:02:33.160
major growth in technology that can detect scams and prevent the

45
00:02:33.160 --> 00:02:37.240
transactions from happening. This and another platforms could

46
00:02:37.240 --> 00:02:41.410
have an immediate impact on scams by simply slowing down the

47
00:02:41.410 --> 00:02:42.490
transactions.

48
00:02:42.750 --> 00:02:45.180
Ken Palla: That's all about Faster Payments. So if we look

49
00:02:45.360 --> 00:02:48.870
in the U.K., and they talk about the authorized push payments,

50
00:02:48.870 --> 00:02:52.800
well over 95% of those authorized push payments go

51
00:02:52.800 --> 00:02:55.890
through the past payment rails. In the United States, the big

52
00:02:55.890 --> 00:02:59.490
topic we've had has been Zelle and Zelle is immediate. So

53
00:02:59.490 --> 00:03:02.430
there's nothing faster. As soon as you do a Zelle transaction

54
00:03:02.550 --> 00:03:07.050
and click send, the money is at the receiving bank. So clearly,

55
00:03:07.050 --> 00:03:11.340
as we see the evolution of faster payments, that really

56
00:03:11.430 --> 00:03:14.580
brings it about. Now the other side of it, the fraudsters have

57
00:03:14.580 --> 00:03:19.020
gotten so much smarter about social engineering, and so

58
00:03:19.050 --> 00:03:21.780
they're able to do things that if five years ago, if someone

59
00:03:21.780 --> 00:03:25.230
said, this was what the scenarios would look like, I

60
00:03:25.230 --> 00:03:27.780
would have had trouble believing them. I think there could be a

61
00:03:27.780 --> 00:03:32.490
delay of up to four hours on certain high-dollar, high risk

62
00:03:32.490 --> 00:03:37.320
transactions. We have this thing about Zelle and it's faster

63
00:03:37.320 --> 00:03:39.540
payments, and it's immediate payments. And everybody says I

64
00:03:39.540 --> 00:03:43.080
don't want friction. But the problem is, when you look at how

65
00:03:43.710 --> 00:03:47.040
the transactions work, how the scams work, you really have to

66
00:03:47.040 --> 00:03:50.790
rethink this. And I'll give you an example. I've had to send

67
00:03:50.790 --> 00:03:54.420
money to my children every now and then. And they'll call me up

68
00:03:54.420 --> 00:03:58.560
in the morning and they'll go "dad, I need X dollars today."

69
00:03:59.070 --> 00:04:03.690
And I go, "okay," and back then, this was life was pre-Zelle, and

70
00:04:03.810 --> 00:04:06.990
pre-Venmo and things like that. So I'd have to go log on to my

71
00:04:06.990 --> 00:04:11.220
bank account and send a wire, and pay $25-$50 for a wire. But

72
00:04:11.220 --> 00:04:14.310
the important thing was they didn't need it immediately. They

73
00:04:14.310 --> 00:04:18.450
just needed it that day. And so I take that mindset when we look

74
00:04:18.450 --> 00:04:21.840
at Zelle and say, "hey, if I see a transaction, it's a high

75
00:04:21.840 --> 00:04:25.080
dollar amount transaction, it looks like it's high risk, is

76
00:04:25.080 --> 00:04:28.530
there a problem if I delay it for up to four hours?" It'll

77
00:04:28.530 --> 00:04:32.580
still get out today. And the benefit to that is when these

78
00:04:32.580 --> 00:04:37.050
scams occur, the scammer is on the call with the customer.

79
00:04:37.920 --> 00:04:40.740
They're pretending to be the bank, and they're walking the

80
00:04:40.740 --> 00:04:44.340
customer through doing the transaction, and in many cases,

81
00:04:44.340 --> 00:04:47.640
these customers have never done Zelle. But the whole thing is

82
00:04:47.640 --> 00:04:51.270
taking place where the scammer is in the customer's face - if

83
00:04:51.270 --> 00:04:53.820
you will - on the phone and getting them to do the

84
00:04:53.820 --> 00:04:57.390
transaction. So my thinking and I've seen this work in the

85
00:04:57.390 --> 00:05:00.840
Netherlands with the Dutch banks is what if you say "okay, well

86
00:05:00.840 --> 00:05:04.470
let the transaction occur, but we're going to hold it for four

87
00:05:04.470 --> 00:05:07.290
hours." And during that four hours, the scammer is going to

88
00:05:07.290 --> 00:05:10.320
get off the call with the customer. And the customer might

89
00:05:10.320 --> 00:05:13.770
reflect in a moment of peace and quiet. Oh, my goodness, what

90
00:05:13.770 --> 00:05:16.020
have I done, I better call the bank.

91
00:05:16.200 --> 00:05:18.480
Suparna Goswami: Zelle did not respond to an interview request

92
00:05:18.480 --> 00:05:21.750
from ISMG, but a promotional video wants customers to be on

93
00:05:21.750 --> 00:05:22.590
the lookout for fraud.

94
00:05:23.880 --> 00:05:26.460
Zelle Ad: Keep in mind, Zelle can send money from your bank

95
00:05:26.460 --> 00:05:29.970
account to someone else's in minutes. So it's important, you

96
00:05:29.970 --> 00:05:32.280
know and trust the person you're sending it to.

97
00:05:33.230 --> 00:05:35.780
Suparna Goswami: Palla advises banks to look for signs of

98
00:05:35.780 --> 00:05:39.590
fraud, such as an active caller, during the fund transfer, and

99
00:05:39.590 --> 00:05:43.010
then give customers a real-time nudge to warn them before they

100
00:05:43.010 --> 00:05:44.270
complete the transaction.

101
00:05:44.000 --> 00:05:46.520
Ken Palla: A nudge is where you're doing the transaction

102
00:05:46.576 --> 00:05:49.824
online, but because of the anomaly detection that you see,

103
00:05:49.880 --> 00:05:52.961
you want to bring attention to the customer during that

104
00:05:53.017 --> 00:05:56.545
transaction that something seems strange. And you might have on

105
00:05:56.601 --> 00:05:59.905
the nudge, which is a little bit of a pop up, "hey, are you

106
00:05:59.961 --> 00:06:03.378
talking to someone on the phone? Are they telling you to do a

107
00:06:03.434 --> 00:06:06.794
transaction. Do you really know them?" Whatever it might be,

108
00:06:06.850 --> 00:06:10.378
that might be relevant to that transaction, nudge them right at

109
00:06:10.434 --> 00:06:13.963
that point, and see if you can - what I call - break the spell.

110
00:06:14.019 --> 00:06:17.435
So we've also seen that in the U.K., and we're seeing some of

111
00:06:17.491 --> 00:06:21.076
this in the United States. As a matter of fact, one of the major

112
00:06:21.132 --> 00:06:24.268
banks is starting to do one of my third things, which is

113
00:06:24.324 --> 00:06:27.908
education, real time. And so one of the major banks have started

114
00:06:27.964 --> 00:06:31.325
to do popups when you're going into Zelle before you even do

115
00:06:31.381 --> 00:06:34.069
the transaction. They're providing, if you will,

116
00:06:34.125 --> 00:06:37.486
education. To say, look, in essence, there are problems with

117
00:06:37.542 --> 00:06:40.734
Zelle, and be careful that you don't get caught up with a

118
00:06:40.790 --> 00:06:44.094
scammer. Someone calls you on the phone, we're not going to

119
00:06:44.150 --> 00:06:47.455
ask you to do a transaction, so on and so forth. So I think

120
00:06:47.511 --> 00:06:50.871
education being real time and more frequent, maybe every six

121
00:06:50.927 --> 00:06:54.680
months or every three months during the session. Do some education.

122
00:06:55.500 --> 00:06:57.300
Suparna Goswami: While the market is still immature

123
00:06:57.360 --> 00:07:01.020
technology vendors are working on potential solutions using

124
00:07:01.050 --> 00:07:04.590
advanced risk modeling and signal detection capabilities.

125
00:07:04.960 --> 00:07:07.900
Trace Fooshee: I think that there will be a pretty big shift

126
00:07:07.900 --> 00:07:12.520
in the market. And I think there are three segments of the market

127
00:07:12.520 --> 00:07:17.530
that are likely to benefit from this coming shift. The first is

128
00:07:17.530 --> 00:07:22.300
what I would call advanced risk modeling platforms. I also

129
00:07:22.420 --> 00:07:26.860
commonly call these things risk engine platforms. The second are

130
00:07:26.860 --> 00:07:31.900
consortium and network-based signal detection providers. And

131
00:07:31.900 --> 00:07:35.380
the third would be sort of a broad bucket of peripheral

132
00:07:35.380 --> 00:07:39.730
controls. These things work best when they work together in some

133
00:07:39.760 --> 00:07:44.830
form or another of orchestration, the first the

134
00:07:44.830 --> 00:07:47.530
advanced risk modeling platforms. So first of all,

135
00:07:47.530 --> 00:07:50.260
they're becoming more and more common today, largely because

136
00:07:50.260 --> 00:07:54.250
they're very helpful, and they prove very useful in reducing

137
00:07:54.250 --> 00:07:59.770
false positives in areas like check fraud, like screening for

138
00:07:59.800 --> 00:08:03.580
first-party fraud, and generally speaking for a lot of other use

139
00:08:03.580 --> 00:08:08.950
cases like account takeover. I think they will find utility in

140
00:08:08.980 --> 00:08:12.670
modeling for risk associated with scams as well. And in fact,

141
00:08:12.700 --> 00:08:17.110
there's been at least one bank in the U.K. that's piloted some

142
00:08:17.140 --> 00:08:21.520
innovative new models by one particular vendor that have

143
00:08:21.760 --> 00:08:25.480
yielded triple digit improvements in their detection

144
00:08:25.480 --> 00:08:26.650
rates for scams.

145
00:08:27.370 --> 00:08:29.800
Suparna Goswami: Other experts point out that technology alone

146
00:08:29.830 --> 00:08:33.100
will not solve the problem, it will take a concerted effort by

147
00:08:33.100 --> 00:08:36.460
fraud investigators to shine a spotlight on this type of scams.

148
00:08:36.900 --> 00:08:39.120
Ian Mitchell: It starts with our fraud program. We need to

149
00:08:39.120 --> 00:08:42.330
include on our policies and programs the definition of

150
00:08:42.330 --> 00:08:46.620
scams, how it fits into our risk appetite, and how we define and

151
00:08:46.620 --> 00:08:49.560
are going to start classifying scam attacks in our case

152
00:08:49.560 --> 00:08:52.080
management system and our detection. So we just start with

153
00:08:52.080 --> 00:08:54.900
our program level, then we get into our prevention, we still

154
00:08:54.900 --> 00:08:58.110
talk about training, we can talk about really making sure we have

155
00:08:58.140 --> 00:09:02.340
active training and awareness. A side note on this is we can't

156
00:09:02.340 --> 00:09:04.590
train our way out of this. But that doesn't mean we shouldn't

157
00:09:04.590 --> 00:09:07.650
be training our customers. And so we really need to make sure

158
00:09:07.650 --> 00:09:10.470
we are robust and collaborative with all the institution

159
00:09:10.680 --> 00:09:12.930
training but then we get into really making sure that we're

160
00:09:12.930 --> 00:09:16.290
detecting this and we need to start looking at interdiction

161
00:09:16.290 --> 00:09:19.770
models. So we look at our anomaly detection, our machine

162
00:09:19.770 --> 00:09:21.900
learning, we need to start interdicting the transaction and

163
00:09:21.900 --> 00:09:24.720
not just sending a text message and say, did you do this

164
00:09:24.720 --> 00:09:27.390
transaction or verify that transaction, we actually need to

165
00:09:27.390 --> 00:09:29.880
now have a different conversation with the customer

166
00:09:29.880 --> 00:09:34.050
digitally and over the phone, where we actually start having a

167
00:09:34.050 --> 00:09:37.170
conversation that looks like patterns of scams where they may

168
00:09:37.170 --> 00:09:39.990
be being duped. We need to change the way we dialogue with

169
00:09:39.990 --> 00:09:43.140
the customers. We can't no longer go to the lowest cost

170
00:09:43.140 --> 00:09:46.080
provider that tries to automate this interaction with a

171
00:09:46.080 --> 00:09:48.570
customer. We need to now start thinking about this customer

172
00:09:48.570 --> 00:09:51.000
interaction as a meaningful interaction that's a chance to

173
00:09:51.240 --> 00:09:55.020
not only train but help this customer help us and help us

174
00:09:55.020 --> 00:09:58.260
help this customer through a very difficult life event. Our

175
00:09:58.260 --> 00:10:01.500
staff now needs to not be measured about doing 25 alerts

176
00:10:01.500 --> 00:10:04.410
an hour. If you think about these scams conversation, I see

177
00:10:04.410 --> 00:10:07.830
us getting to the point where a seasoned fraud detection analyst

178
00:10:07.950 --> 00:10:09.990
is going to get on the phone with a customer and be on the

179
00:10:09.990 --> 00:10:15.240
phone for 5-10-20 minutes having a conversation to let them know

180
00:10:15.240 --> 00:10:18.690
and unwind the way that they've been duped by these very

181
00:10:18.690 --> 00:10:21.450
sophisticated fraudsters. It's going to change the way we

182
00:10:21.450 --> 00:10:22.440
operationally measure.

183
00:10:23.160 --> 00:10:25.860
Suparna Goswami: He adds that the industry as a whole needs to

184
00:10:25.860 --> 00:10:27.840
work together to solve the problem.

185
00:10:27.000 --> 00:10:29.280
Ian Mitchell: So once we identify the actual scam, how do

186
00:10:29.333 --> 00:10:32.462
we interact with the customer and start investigating? I do

187
00:10:32.515 --> 00:10:35.485
see there are countries that have liability shifts, I do

188
00:10:35.538 --> 00:10:38.614
think it's coming to North America. And I think we need to

189
00:10:38.667 --> 00:10:41.372
change our operational procedures to start not only

190
00:10:41.425 --> 00:10:44.660
interacting with the customer ask important questions, not on

191
00:10:44.713 --> 00:10:47.789
round liability, but to try to capture intelligence of how

192
00:10:47.842 --> 00:10:51.024
these fraudsters are actually committing the fraud and start

193
00:10:51.077 --> 00:10:54.153
classifying them in our case management systems. So we can

194
00:10:54.206 --> 00:10:57.600
have that feedback loop right to the front of the policy and the

195
00:10:57.653 --> 00:11:00.676
detection. I didn't describe anything that's not done for

196
00:11:00.729 --> 00:11:03.858
identity theft, not done for account takeover. The issue we

197
00:11:03.911 --> 00:11:07.199
have is we're not doing it for scams for some reason. And I

198
00:11:07.252 --> 00:11:10.594
encourage every fraud fighter on the phone. As a fraud fighter,

199
00:11:10.647 --> 00:11:13.404
we've never waited in our history, for regulation to

200
00:11:13.457 --> 00:11:16.746
change to fight fraud. As fraud fighters, I always used to say

201
00:11:16.799 --> 00:11:20.034
the most noble profession in banking is fighting fraud. I now

202
00:11:20.087 --> 00:11:23.269
say that for the noble, about human fighting human crime and

203
00:11:23.322 --> 00:11:26.610
financial crime. I will tell you as fraud fighters, we have an

204
00:11:26.663 --> 00:11:29.898
opportunity to do what our job says, fight fraud and scams is

205
00:11:29.951 --> 00:11:33.186
the biggest fraud problem we have in the globe right now. And

206
00:11:33.239 --> 00:11:36.421
so we have an opportunity to do the right thing, even before

207
00:11:36.474 --> 00:11:39.868
liability shifts to protect our customers to build programs that

208
00:11:39.921 --> 00:11:43.316
are robust enough to solve this fraud problem, the scams problem

209
00:11:43.369 --> 00:11:46.498
and to talk to our solution and service providers, our case

210
00:11:46.551 --> 00:11:49.468
management providers, our detection platform providers,

211
00:11:49.521 --> 00:11:52.862
our servicers and processors to talk to them about what can you

212
00:11:52.915 --> 00:11:56.256
do how can you help me fight and protect my customers and fight

213
00:11:56.309 --> 00:11:58.590
scams? We need to have those conversations.

214
00:11:58.000 --> 00:11:59.320
Suparna Goswami: In the coming months, banks and regulators

215
00:11:59.320 --> 00:12:00.640
will work out liability questions surrounding scams and

216
00:12:00.640 --> 00:12:07.990
technology vendors will work on new innovations to fight this

217
00:12:07.990 --> 00:12:11.890
rising crime. At stake are company reputations, bottom

218
00:12:11.890 --> 00:12:15.820
lines and most of all, the financial health of millions of

219
00:12:15.820 --> 00:12:20.560
consumers. For ISMG, I'm Suparna Goswami. Thank you so much for

220
00:12:20.560 --> 00:12:20.980
watching.