UK Banking and the Fraud Landscape – what are today’s three main fraud challenges?
My name is Nick White and for the past eight years, I worked in the fraud department for one of the UK’s leading challenger banks, covering several roles in an investigatory and analytical capacity.
This experience has enabled me to see first-hand how criminals attempt to defraud banks across products such as bank accounts, credit cards, personal loans, mortgages, asset finance and business lending. During my time there, the fraud landscape changed rapidly due to the growth in digital propositions.
The introduction of digital interactions with banks has, in my experience, created three key challenges in their fight against fraud; ID Theft, Card Not Present Fraud and Social Engineering Scams.
Over recent years, ID theft has been on the increase mainly due to the ease of applying for banking facilities online, which provides fraudsters with the opportunity to apply with greater anonymity.
ID theft (also known as impersonation fraud) is where an application is submitted in a genuine individual’s name without his or her knowledge or permission, by someone pretending to be that person.
In most cases, a fraudster opens an account in the victim’s name to be used as a money mule or to gain access to credit such as personal loans, overdrafts, or credit cards – all in the victim’s name. Fraudsters use the accounts as money mules so that fraudulent funds can pass through the account and be withdrawn, or moved on again to hide the original source. The accounts can also be used to access credit in the victim’s name, enabling the fraudster to spend with no intention of ever repaying.
Money mule accounts that are opened via ID theft are providing a big challenge in UK Banking due to the fact their application fraud systems and transactional monitoring systems are separate entities, resulting in vital data not being shared across systems. The ability to share application data within your transactional monitoring system and back again gives you the intelligence to spot mule activity quicker and better.
As you can see from the below CIFAS data (UK’s National Fraud Database) ID theft has seen a record number of loadings to its database in 2016. Over the last eight years, the number of ID thefts recorded has doubled (tweet this), highlighting that ID theft is a fraud type that is continuing to provide challenging for Financial Services in the UK to combat.
Card Not Present (CNP) Fraud
A card not present transaction, also known as CNP, is where a card payment is made to a merchant without the physical card being presented. For example, this could be a keyed transaction via a merchant’s online website. CNP fraud therefore, is where a CNP transaction is completed on a genuine customer’s debit or credit card by a fraudster, who is using the card to make purchases without the genuine customer’s authority.
Fraudsters obtain card details through several different methods. They could be obtained from data breaches, key logging, phishing, etc. Fraudsters will then mainly use the cards to obtain high-value goods or services, for example high-end electronics, flights and hotels.
Since 2011, CNP fraud has been on the increase (tweet this), this was after three years of a declining trend. In 2016, the FFA UK data on CNP Fraud showed losses of £430m – an increase of 9% from 2015. The downward trends prior to 2011 can be mainly attributed to the take up of enhanced online authentication introduced by the two main card issuers, Visa and MasterCard, as well as the development of fraud analytics. However, fraudsters have again been able to adapt and learn which has seen CNP fraud losses continue to rise since.
Social Engineering Scams
Social engineering is a broad term for several different scams or techniques that fraudsters use to deceive or manipulate victims to obtain personal information or account details.
Fraudsters use techniques such as phishing, vishing and smishing on victims by pretending to be banks, the HMRC, insurance providers, retailers, etc. They then use these disguises to trick their victims into sending payments on their behalf, or alternatively, they acquire the victim’s account passwords.
When fraudsters use vishing techniques, they will, for example, call customers perpetrating to be from the target customer’s bank’s fraud department. Under the guise of a security breach, fraudsters attempt to convince individuals that their accounts have been compromised and they need to transfer money to a secure account held elsewhere. If the fraudsters succeed, the monies are transferred to an account where they have access, and swiftly cleared. Once the victim realises, it’s too late.
The FFA UK, in its 2017 Annual Report, pinpointed a shift from previous fraud methods such as malware – which was used to capture card or login credentials, to social engineering scams directly targeting customers.
What can we do to help?
Over the coming months, I will be sharing my views on the technology barriers and our own tech that we can offer via the TruNarrative platform and our partners. All committed to detecting and preventing existing and upcoming fraud trends seen in the industry.