Date: 02/03/2022

Title: Fraud Risk Management: Staying one step ahead of fraudsters

Teaser: Social engineering fraud has become a recurring theme. Recent high-profile cases have shown how sophisticated fraudsters have become, fooling even the most aware individuals. We explore how these scams have evolved in complexity, and what banks can do to better manage their fraud risks.

Button: Read More

Image:

Fraud Risk Management: Staying one step ahead of fraudsters

Author: Farhad Patel and Shilton Tan

Social engineering fraud has become a norm in recent years. Stories of people losing money, life savings even, to fraudsters have become common in the news, and you would be hard-pressed to find someone who have not received a phishing call and text message before.

Fraudsters have become increasingly sophisticated, incorporating various technologies into their schemes. And despite the increased public awareness, many high-profile scam cases continue to occur.

One such recent high-profile case happened in December 2021. Fraudsters targeted the customers of Singapore’s second largest bank, the Oversea-Chinese Banking Corporation, or OCBC, leading to at least 790 people losing approximately SGD 13.7 million (USD 10.2 million)¹ in just a matter of days.

While fraud is certainly not a new threat, current measures that have been set in place are falling short. In this article, we explore how such phishing scams have evolved and gain prevalence, and how banks can better manage their fraud risks.

Scams – an evolving threat

Long gone are the days when phishing scams are easily identifiable. Today, these scams are rapidly evolving – constantly changing to beat the fraud prevention measures set in place by banks.

SMS phishing scams, for example, now look so genuine and legitimate, fooling even the most aware individuals. Victims of the December 2021 OCBC incident were fooled into believing the phishing texts and sites were real. The criminals had impersonated the bank by sending the victims SMS messages that appeared in the same SMS thread as the legitimate bank’s messages. The scam messages led the victims to believe that there were issues with their accounts, prompting them to click on a link, which led them to the malicious replica of the bank’s online portal. When the victims attempted to log in, they inadvertently gave away their credentials and One-Time Passwords (OTPs), allowing criminals to take over their accounts.

As these messages and sites are so convincing, the victims’ guards are down. It is only when they start receiving a slew of messages informing them of increased transaction limits and bank transfers that they realise their accounts have been compromised.

The criminals have also become opportunistic with the time they choose to target their victims. The recent incident with OCBC showed that a surge of cases happened during the Christmas weekend from 24 to 26 December 2021. 186 OCBC customers lost up to SGD 2.7 million (USD 2 million) in those 3 days alone². The criminals had chosen a period when many bank staff on vacation, leaving the bank inadequately staffed to deal the influx of cases, as indicated in reports showing that many customers were unable to report to the breach to the bank in time.

*Figure 1: How did the OCBC SMS phishing scam happen?*

Worldwide, reports of such scams are common. In Hong Kong, fraudsters absconded with HKD 29 billion (USD 3.7 billion) from victims through Hong Kong bank accounts and cryptocurrency wallets in the past four and a half years³. Online romance scams, commercial email fraud, and phone scams were amongst the methods employed, and police were only able to recover the crime proceeds 31% of the time⁴.

In the Philippines, central bank Bangko Sentral ng Pilipinas (BSP) received over 42,000 fraud complaints in 2020 and 2021⁵. Losses from 2019 to 2021 amounted to PHP 2 billion (USD 30 million), with PHP 540 million (USD 10 million) reported in 2021 alone, and 45% of the scams occurred on internet and mobile banking platforms⁶.

Should banks be held responsible?

With these scams happening in increasing frequency, the debate around whether banks should be held responsible for the losses is one that is ongoing.

Since the OCBC incident in December 2021, the public backlash against the bank has been intense. Stories of individuals left “broke and starving” on Christmas Day⁷, and couples and retirees losing their life savings⁸ were reported in the media. Online, there were calls to boycott the bank, demands from the public for the bank to take responsibility, and pleas for banks and the government to do more.

It is often agreed that victims misled into giving out their banking credentials are often responsible for the funds lost, especially when the bank’s systems were not compromised. However, in the case of OCBC, the negative public sentiments have led to OCBC taking the initiative to commit to offering full goodwill pay-outs to all victims. Separately, Singapore’s central bank, the Monetary Authority of Singapore (MAS), revealed that it was considering supervisory action against OCBC after the bank conducts a thorough probe to identify deficiencies in its processes and implements the necessary measures⁹.

In response to the incident, MAS reiterated that it expects banks to have robust measures against fraud and adequate resources to handle incidents and customer service effectively¹⁰. It laid out immediate steps banks must take to better secure customers’ accounts, such as removing clickable links in emails and SMSs and lowering the threshold for transaction notifications. Longer-term preventative measures, including a framework for equitable sharing of losses arising from scams are being evaluated for implementation in the coming months.

But the question remains – should banks be held responsible?

Indeed, there is an inherent moral hazard when customers have the expectation that banks will provide compensation for losses arising from fraud. With lesser customer accountability, some may not make the same effort to secure their accounts or may demand that banks reimburse them for any fraud that occurred due to their negligence. On the extreme end, it may even result into a new fraud trend, where customers deceive the bank about being defrauded in hopes of obtaining a goodwill payment.

Nevertheless, regulators have taken the stance that banks are responsible for protecting their customers from fraud. They have been stepping up enforcement by introducing guidelines to protect end-consumers. In early 2021, Singapore’s MAS released its Technology Risk Management guidelines, stating that financial institutions ought to be able to identify and block fraudulent transactions¹¹. Similarly, Hong Kong Monetary Authority’s (HKMA) TM-E-1 guidelines¹², which was released in 2019, addresses similar concerns.

How do banks better manage fraud risk?

With regulators stepping up measures to protect end-customers from fraud, banks need to step up their game or be faced with the possibility of incurring substantial losses, regulatory action, and reputational damage. While banks have measures in place to address such risks, some have obviously fallen short.

The solution would require a concerted effort to address fraud risk every step of the way.

Banks must be able to identify account takeover scenarios where a fraudster is accessing an account, and prompt for additional authentication. In scenarios where customers are duped into transferring funds on their own accord, banks must be able to spot these unusual transactions and remind the customer to be vigilant or block the transaction outright.

These translate into the need of having systems and processes in place to present a credible safeguard against fraud.

Some examples of what banks can adopt include:

Real-time detection systems, which rely on rule-based detection or machine learning models to flag and block suspicious transactions without requiring human intervention
Machine learning-based customer profiling capabilities, which can establish baselines for each individual, against which irregularities can be benchmarked
Device intelligence with real-time behaviour analytics, which can identify fraud such as account takeover based on anomalies in user behaviour and interaction, as well as suspicious devices
Network link analysis to identify suspicious flows of funds or abuse of a bank’s account, such as a money mule
Adaptive authentication and to impose varying levels of verification based on transaction risk profile (to balance risk versus customer experience)
Multi-factor authentication as a more robust form of authentication (as opposed to SMS OTPs)
Account-level controls, such as implementing transactions limits for newly added payees and adding a time delay before a new token can be activated
Multi-channel notifications so that customers are kept alerted of transactions
A dedicated team to contact customers to pro-actively verify unusual transactions
24/7 fraud team or call centre to receive fraud complaints and to take timely actions
Continued customer education efforts
Quick analysis of spikes in complaints to determine large-scale fraud being perpetrated at the bank
Active monitoring of the fraud landscape and information sharing amongst banks to identify and adapt to emerging trends

Even with the latest technology, banks must remain vigilant against all threats as fraudsters will continue trying to find new ways to circumvent the controls implemented. Effective fraud detection systems must continuously be enhanced and maintained to keep the fraudsters at bay in this game of cat and mouse.