Digital fraud interventions are failing scam victims
Fraud is now the most commonly reported crime in the UK, and in 2022 victims lost hundreds of millions of pounds to authorised push payment (APP) scams. Banks and EMIs can play a crucial role in reducing these numbers.
Obligations on banks and EMIs to detect potential fraud
As a starting point, banks and Electronic Money Institutions (EMIs) are expected to have effective procedures and controls in place to prevent foreseeable harm to their customers. This includes protecting customers from losing money to scams.
To do this, they first need to be able to identify customers who could be the victims of fraud. There are natural touchpoints with staff where this can happen, such as when a customer makes a payment over the phone or in a branch. Most scams, however, are identified through payment data.
Banks and EMIs have access to sophisticated systems that learn from fraud trends and use behavioural data, biometric data and transaction analysis to flag that a customer could be the victim of a scam at the point they try to make a payment.
However, identifying fraud is only one part of the process. Once a bank or EMI has identified a potential scam, it needs to have the appropriate controls and procedures in place to stop it. We refer to the process of actually contacting the potential victim, confirming that it is a scam and educating them as the ‘intervention’.
What we are seeing at Refundee
At Refundee, we see a range of approaches to scam interventions across banks and EMIs. Some banks rely more on “manual” controls, such as suspending or blocking payments until a member of staff has had the chance to speak to the customer. Where staff are appropriately trained, this can be very effective in stopping scams. Other firms place more emphasis on, or rely entirely on, ‘digital controls’ such as in-app warnings, disclaimers or in-app chat.
At Refundee, we think there is a place for both digital and manual controls, but they need to be used appropriately. Technology allows a firm to try to protect as many people as possible at a lower cost. However, one concerning trend we see is that some firms place a huge over-reliance on digital controls. These do not involve the bank speaking to the potential victim over the phone; instead they push the customer into automated questions, warnings or scripted in-app conversations. Firms do this even where all the evidence shows it is not working given the nature of the scams. In fact, in its recent ‘Dear CEO’ letter, the FCA states that EMIs need to ensure they have enough channels to meet their customers' needs, a clear nod to the lack of non-digital offerings.
Below, we list some of the most common mistakes we see banks and EMIs making by placing an over-reliance (or in some cases a 100% reliance) on digital controls.
Mistake 1: Ignoring the nature of how scams work
One of the consistent themes across every scam type we see is just how convincing the scammers are and how they manipulate their victims. Take the example of a “safe account scam”, where fraudsters call the victim pretending to be from their bank and explain that the account has been hacked and is under threat. They convince the victim to give away security codes or move money to a new “safe account”. These scams are extremely convincing because they typically include some or all of the following:
Phishing texts: Getting the victim to respond to a “phishing text” is the perfect way for scammers to set the scene before the scam. By responding to the SMS, the victim has given away personal details, and the scammers use this as a perfect excuse to call the victim from “their bank” to protect them. It’s the perfect “in”, as victims are not surprised to receive a call from “their bank”.
Spoofing numbers: Scammers are able to spoof bank numbers, so will call from the legitimate bank number. Most people don’t know this is possible.
SMS threads: Fraudsters can send SMS messages that appear to be from the bank and land in the same thread as genuine previous messages from that bank. Again, most people don’t know fraudsters can do this.
They know your personal details: They know lots of personal details about you that you think only your bank would know.
They attempt transactions before or during the call: If they got your card number through a phishing text, they will attempt a transaction in advance to make you feel your account is under attack and to create a sense of urgency.
They mimic bank processes: They take you through verification checks in advance in the same way your bank would, they get you to write down reference numbers and they will often pass you around “departments”.
They use social engineering tactics: The scammers are patient; they keep you on the phone for a long time and exhaust you. They make you scared, and you come to believe they are the only thing stopping fraudsters from stealing your money. By the end of the scam, people are convinced they are speaking to their bank.
Therefore, by the time it comes to transferring the money to the new “safe” account or providing authentication codes to the scammer, victims are persuaded that they are speaking to their bank and that the bank is on the phone directing them what to do.
Scammers know banks' and EMIs' apps inside out and know exactly how the payment journey works, which warnings will pop up and when they will appear. It is therefore easy for scammers to dismiss in-app warnings or to get customers to click through without reading them, and banks know this. Customers are often scared and rushed and don’t have the time or the capacity to read warnings by the time they appear. Many warnings are also easy for fraudsters to explain away. For example, if a victim is transferring money to a new “safe account”, scammers will often tell them to use their own name as the payee, and the victim will get a warning if the name doesn’t match the account. Scammers dismiss this warning by telling the victim in advance that it will appear and saying something like “it’s because it’s a new account and it takes 24 hours to update on the systems”. This is a plausible and convincing explanation.
In this type of scam, we believe that digital interventions are currently extremely ineffective and not a substitute for a phone call. This is why we get a huge number of cases against banks or EMIs that use only digital controls to try and stop this type of scam, whereas the numbers are much lower for firms that pick up the phone to speak to the potential victim.
In this type of scam, if the bank won’t release the payment until the customer has spoken to them, it almost always stops the scam, because it becomes clear to the victim straight away, when they speak to their real bank, that they weren’t actually speaking to their bank before.
Therefore, at Refundee we consider a digital-only approach to safe account scams, and to many other scams, to be inappropriate, and it is resulting in huge numbers of people losing life-changing sums of money. We do not believe the approach taken by some firms aligns with current regulatory expectations, and it certainly won’t align with the new FCA Consumer Duty, which makes it abundantly clear that firms need to prevent foreseeable harm.
Mistake 2: Failing to recognise the prevalence of remote access
Most banks and EMIs have software that recognises when remote access software is running on a customer's device. Even if a firm doesn’t have this software (it should), it is often sensible to assume that in certain scams remote access is likely to be involved.
At Refundee, the most common scam we see is the cryptocurrency investment scam. In most of these cases, victims are persuaded to give remote access to their devices through remote access software such as AnyDesk while making the “investments”.
It is therefore inexplicable that some banks or EMIs would rely solely on digital controls, knowing that fraudsters will be able to click through warnings for victims or answer chats on their behalf. Even where fraudsters have ‘view only’ access, they can explain to customers why digital warnings can be ignored or tell them how to answer the bank's questions.
At Refundee, we simply see these controls as extremely ineffective and we find it disappointing that some firms seemingly turn a blind eye to the role of remote access in scams.
Mistake 3: Ignoring the fact that fraudsters are easily able to learn what digital controls are in place
Fraudsters are extremely clever and often understand banking apps and payment journeys better than staff at the bank do. Banks and EMIs need to stay one step ahead, because fraudsters will learn what digital controls or warnings are in place and come up with ways to avoid them, or with clever stories to explain them away to customers.
The nature of digital controls means that they can’t react to the situation the way a person can. A well-trained member of staff can pick up on the tone of a customer or sense that something isn’t quite right, in a way that can't be done via digital controls or even in-app chat.
On calls, by comparison, well-trained staff can sense when something is wrong and adapt. They can listen to the customer's tone, ask probing questions, identify vulnerability and have a much better opportunity to expose the scam. When staff on calls do identify a scam, they also have a much better chance to engage with victims, explain how scams work and ultimately get them to understand why they should stop sending money.
Mistake 4: Ignoring victim demographics and fraud trends
Each customer is different, and an elderly customer is not necessarily less “tech savvy”. However, elderly customers are more likely to be unfamiliar with digital-only services and to struggle to use them, and this should be recognised.
EMIs in particular often fail to recognise this, even in the face of obvious scam trends. For example, scammers frequently get elderly customers to set up digital-only apps because of the relative ease of opening an account, sending payments and, in particular, sending money to crypto exchanges. Newly opened accounts should be monitored more closely because of these existing fraud trends, especially when they are opened by elderly customers who then attempt to send large sums of money into cryptocurrency.
Digital interventions here ignore the obvious fact that they are much less likely to be appropriate for elderly customers, who are more used to engaging on the phone.
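As an added example of how the points under Mistakes 1, 2 and 4 translate into a concrete intervention rule (this is illustrative code written for this page; it is not Refundee's code and not any bank's or EMI's real system), the block below routes an already-flagged outbound payment to one of three outcomes: release it, show an in-app warning, or hold it until a member of staff has spoken to the customer. The field names, the £1,000 and 30-day thresholds, the age band and the remote-access signal are all assumptions; the sample payments are constructed, not real cases.

```python
# Added example, not Refundee's code and not any bank's or EMI's real system.
# A minimal rule-based router that decides, for a flagged outbound payment,
# whether a digital warning is an acceptable control or whether the payment
# must be held until a member of staff has spoken to the customer.
# All thresholds, field names and input signals are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

HOLD_FOR_CALL = "HOLD_FOR_CALL"  # block payment until staff speak to the customer
WARN_IN_APP = "WARN_IN_APP"      # digital control only
RELEASE = "RELEASE"              # no intervention

LARGE_AMOUNT_GBP = 1000.0   # assumed threshold
NEW_ACCOUNT_DAYS = 30       # assumed: account opened within the last 30 days
OLDER_CUSTOMER_AGE = 65     # assumed age band for "more used to the phone"


@dataclass
class PaymentEvent:
    customer_age: int
    account_age_days: int              # days since the account was opened
    amount_gbp: float
    payee_is_new: bool                 # first payment to this payee
    payee_name_matches_customer: bool  # customer paying an account in their own name
    payee_is_crypto_exchange: bool
    remote_access_detected: bool       # assumed device-telemetry signal (e.g. an AnyDesk session)


@dataclass
class Decision:
    action: str
    reasons: List[str] = field(default_factory=list)


def route(e: PaymentEvent) -> Decision:
    """Return the intervention for one payment, with the rules that fired."""
    reasons: List[str] = []
    needs_call = False

    # Mistake 2: with a remote-access session active, the fraudster can click
    # through warnings or answer chats for the victim, so no digital control
    # can be trusted; the payment has to wait for a call.
    if e.remote_access_detected:
        reasons.append("remote access session active on device")
        needs_call = True

    # Mistake 1: the safe-account signature is a first payment to a new account
    # in the customer's own name. Scammers pre-explain the name-mismatch
    # warning, so the warning alone is not a control.
    if e.payee_is_new and e.payee_name_matches_customer:
        reasons.append("new payee in customer's own name (safe-account pattern)")
        needs_call = True

    # Mistake 4: large sums to crypto from a newly opened account, or from an
    # older customer, follow a known scam trend and merit a call, not a pop-up.
    if e.payee_is_crypto_exchange and e.amount_gbp >= LARGE_AMOUNT_GBP:
        if e.account_age_days <= NEW_ACCOUNT_DAYS:
            reasons.append("newly opened account sending a large sum to a crypto exchange")
            needs_call = True
        elif e.customer_age >= OLDER_CUSTOMER_AGE:
            reasons.append("older customer sending a large sum to a crypto exchange")
            needs_call = True
        else:
            reasons.append("large payment to a crypto exchange")
    elif e.payee_is_new and e.amount_gbp >= LARGE_AMOUNT_GBP:
        reasons.append("large payment to a new payee")

    if needs_call:
        return Decision(HOLD_FOR_CALL, reasons)
    if reasons:
        return Decision(WARN_IN_APP, reasons)
    return Decision(RELEASE, reasons)


# Constructed sample payments (not real cases), one per scenario in the text.
SAMPLE_EVENTS: Dict[str, PaymentEvent] = {
    "safe_account": PaymentEvent(40, 800, 5000.0, True, True, False, False),
    "new_account_crypto": PaymentEvent(72, 5, 3000.0, True, False, True, False),
    "established_crypto": PaymentEvent(35, 900, 2000.0, True, False, True, False),
    "established_crypto_remote": PaymentEvent(35, 900, 2000.0, True, False, True, True),
    "routine": PaymentEvent(30, 500, 40.0, False, False, False, False),
}


def demo() -> Dict[str, str]:
    """Route every sample event and return scenario -> action."""
    return {name: route(ev).action for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        d = route(ev)
        print(f"{name:28} {d.action:14} {'; '.join(d.reasons)}")
```

The design point is the ordering of the rules: a remote-access signal or a safe-account pattern forces a call regardless of amount, because in those cases the in-app channel is the one the fraudster controls. The in-app warning is only ever offered where none of those conditions hold, which is the balance the text argues for rather than a digital-only default.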
What Refundee expects to see
We welcome the FCA's recognition that digital-only communication channels are failing some of the most vulnerable people in society: scam victims. We expect the Consumer Duty to place a clearer obligation on firms to adapt their interventions, which will ultimately stop victims from losing their money to scams. We expect firms to mix digital and non-digital controls in a way that protects the most people.
Unfortunately, as it stands, too many banks and EMIs in particular are failing to get the balance right and, as a result, are not protecting their customers from scams.