Top Scam-Fighting Tactics for Financial Services Firms
Bolster Identity Controls With Intelligence and Anomaly Detection, Experts Urge
Fraudsters are having a field day as the pandemic persists, with experts warning that scams targeting consumers and businesses remain at record-high levels. In 2020, scams made up 60% of net fraud losses in the U.K. and Australia, according to a Reuters report. In the U.S., scam calls in the financial sector more than doubled from 1.1 billion in December 2020 to 2.5 billion in January 2021, wireless network operator T-Mobile found.
To combat such attacks, experts say financial services firms need to bolster their identity controls with tools to more accurately track and counter scams. A scam here refers to any fraudulent scheme, which can take the form of a phishing attack or involve social media, SMS, fake technical support, phone calls, etc. A scam, in most cases, involves money, while fraud may or may not.
At its core, "all fraud may be an identity problem," says Ian Mitchell, managing partner at U.S.-based fraud consulting firm Omega FinCrime, and the founder of The Knoble, a nonprofit network that fights human crimes like scams.
The concept of identity needs to evolve beyond just authenticating a customer interaction with an isolated bank and should be expanded to include all transactions across the financial network, Mitchell tells Information Security Media Group.
"From my estimates, scams may become the single biggest financial fraud loss line, greater than identity and counterfeit, and may even be larger than some financial institution existing fraud losses across all types. What I find strange when I speak to solution providers is that many are still focused on where the problem has been," he says.
The Fraud Landscape
In the past five years, a majority of software vendors have prioritized identity verification and authentication controls for investments, but they don't pay nearly enough attention to the growing fraud landscape, says Mitchell. Part of the problem, he says, is that there is not enough demand beyond identity solutions.
The repetitive nature of scams over the years concerns Trace Fooshee, a strategic adviser at financial and insurance industry advisory group Aite-Novarica.
"The same patterns of activity that the U.K. saw five to 10 years ago are showing signs of emergence in other markets, and I worry about what this could mean for the public’s trust in the financial system more broadly," he says.
Fooshee says scams are very difficult to protect against because, in and of themselves, identity controls are insufficient. "That's because the person who’s initiating the interaction is the legitimate owner of the account or an authorized agent," he says.
Fooshee says that while investment in identity solutions is important, it has displaced investment in other controls, which is a problem.
"The abuse of identity poses a very real and sizeable risk," Fooshee says, but he adds that there is often insufficient investment in orchestrating identity controls - not just with one another but with other controls, including risk engines and risk-based multifactor authentication.
Mitchell says he agrees with Fooshee and that right now, institutions are overspending on the identity front, but are not solving the problem they are actually struggling with - first-party fraud.
Since first-party fraud isn't tracked or reported on much, there is little data to understand the losses from this type of scam on a year-on-year basis. Point Predictive's chief fraud strategist, Frank McKenna, says that 1 in 5 Americans, or 60 million people, were likely targeted by phone scams in 2021 and it is reasonable to assume that these scams will also make their way into the banking system.
Other Types of Fraud Abound
Apart from first-party fraud, which includes muling, synthetic identity, bust-out, loan stacking, and "never payers" - which put banks and customers at risk and represent billions in losses - the following types of fraud incidents also don't make it to the top of the investment list for financial institutions:
- Check fraud: Legacy systems built 30 years ago don't work optimally anymore. Even as the use of checks declines, banks must understand that check fraud is here to stay. To understand why check fraud has risen, one needs to look no further than scams. Scams against Americans have risen dramatically as more people join the digital revolution. And nothing lets the fraudsters scam consumers better than fake money orders, cashier's checks and personal checks.
- Automotive loan fraud: This type of fraud costs companies in the auto sector losses of nearly $8 billion a year, but there has not been widespread adoption of the tools and technology needed to address it industrywide.
- Social engineering: Banks must look at how their own representatives are being socially engineered by fraudsters.
Identity Market 'Overcrowded'
The identity verification market has grown tremendously in the recent past and is forecast to nearly double from $7.6 billion in 2020 to $15.8 billion in 2025, according to a Research and Markets report. This growth comes on the back of skyrocketing public and private sector fraud.
A separate report by Markets and Markets shows that the market size of global digital identity solutions is projected to grow from $23.3 billion in 2021 to $49.5 billion by 2026, recording a compound annual growth rate of 16.2%.
As technology evolves, enterprises become more vulnerable to scams, and thus require a "road map for refinement and continued investment for the future," says Mary Ann Miller, fraud and cybercrime executive adviser at identity solutions company Prove.
"Fraud risk assessments typically point to investment needs across all aspects of an organization, including deposit fraud, card fraud, first-party fraud, etc., making it a higher priority than in the past," she says.
In 2018, there were 20 vendors offering identity verification solutions, according to a research paper by Aite-Novarica Group. This number rose to nearly 50 in 2021. And this is the case in just one segment of the identity market.
The company, in a separate survey, asked executives handling fraud how likely it was for their firms to engage in transforming - making substantive change versus ongoing tweaking - their capacity to mitigate the risk of various types of challenges in the next one to two years.
Fooshee says the question is a way of asking what solutions their companies are prioritizing to fight fraud. "Identity verification and identity authentication solutions have consistently occupied the top two slots for the past four years," he says.
The following is a graphical representation of the survey results from September 2021:
Application fraud solutions encompass a variety of solutions that seek to verify the authenticity of the applicant's identity.
While the identity market is red hot, it is also overcrowded, says McKenna of Point Predictive. “There is simply not enough need for this many identity solution companies to be selling their solutions to a finite number of companies that can use the service,” he says.
The pandemic has resulted in companies racing to invest in new identity solutions, says Jeremy Grant, managing director at law firm Venable. Grant has more than 20 years of experience at the intersection of identity, privacy and cybersecurity, having served in a range of leadership positions spanning government and industry.
Grant also says he agrees that there’s too much capital chasing too few good ideas, and he adds: "There are fewer founders that know how to go execute ideas. It will be interesting to see how some of these investments pan out."
He says many late-stage startups are exploring newer areas of authentication and identity that will cover other kinds of fraud and "exploring acquisitions that can augment their capabilities - looking, for example, at how they can not only conduct identity proofing but also issue a credential that an individual can use in other phases of the identity life cycle."
Preventing a Scam Apocalypse
At its core, a scam is a situation in which the customer has been duped into initiating a fraudulent transaction that they believe to be authentic. Applying traditional controls for verifying or authenticating the activity may therefore fail. But the underlying ability to detect the anomaly remains critical.
"Instead of validating the transaction or the individual, we are going to have to place more importance on helping the customer understand that what they believe to be legitimate is actually a lie," Mitchell of Omega FinCrime says. He says fraud operations teams will need to become more customer-centric, education-focused and careful in their interactions.
Mitigating a scam apocalypse will require mobilization across the market, which includes financial institutions, solution providers, payment networks, regulators, telecom carriers, social media companies and law enforcement agencies.
In the short term, investment priorities must expand beyond identity controls to include orchestration controls and decision support systems that allow financial institutions to see the interaction more holistically, Fooshee says.
"Financial institutions will need much more data from a broader array of providers to place the interaction in the proper context needed to render an accurate risk assessment. That, in turn, requires robust decision support capabilities as well as the means of integrating and coordinating their interactions with one another," he says.
According to Fooshee, behavioral biometrics can be useful in some circumstances, and so can transaction monitoring systems that are well tuned to detect anomalous characteristics of payments.
Grant says the challenge banks face is coming up with security solutions that can cover all channels. For example, if banks put in great security in the digital channel, the criminals may shift their efforts to the call center, where they’ll try to create fraudulent accounts or take over existing ones through social engineering. "It's important," he says, "that banks don’t focus just on digital identity, but rather identity security overall."
The Way Ahead
To get better at arresting scams and other widespread forms of fraud, Mitchell says more data will be key. "The future of fraud controls is going to rely more heavily on ingesting third-party intelligence sources, integrating them into robust anomaly detection engines, and will be won and lost by how they interact with the customer - that may be a victim or a fraudster," he says. "We are in a new territory of fraud mitigation, where we need to be smarter, better integrated to differentiate the threat and more customer-centric."