illustration of the emotional toll of scams through social engineering, fraud

In this second edition of RiskOps Stories, Feedzai’s Richard Harris speaks with Andrew Renshaw about how criminals study their targets' financial habits before striking and why scams take such a personal and emotional toll on victims. You can find the first episode here

Richard Harris: Welcome to the second episode of RiskOps Stories. I’m joined by Andy Renshaw. 

Andrew Renshaw: How are you doing, Rich?

Richard Harris: Great to have you here. In the UK,  scams now outweigh card not present (CNP) fraud as the primary source of fraud for the banks. There’s also an explosion of risk happening around the world. We’re seeing it in APAC and it’s definitely arrived heavily on the shores of North America. Behind the scenes, how’s this actually happening in the background? Because we see this arising as a technical challenge in terms of sifting through data and identities and those things. But it goes way, way deeper than that, doesn’t it? 

Andrew Renshaw: One of the really interesting things about scams is there is this temptation to think of it as a technical and a database problem. My view on scams is sometimes we tend to miss the basics, which is, what is taking place on an emotional level here? What is taking place on a personal level? 

Andrew Renshaw: First, there’s a huge amount of preparation that goes into a scam. We tend to think about it at the moment where the fraud happens, but typically a fraudster will have looked at your account maybe five or ten times. They’ll know when you get paid on a monthly basis. They’ll know whether you’re eligible for a loan or when your mortgage payment is going out. Digital banking has enabled self-service – and that’s brilliant. But it’s also enabled fraudster access, and that’s where fraud tends to start. They will work out that optimum point when they can take the most money from you. 

Andrew Renshaw: The second thing, which is really quite nasty and really quite concerning is, I know of several examples of customers being defrauded on a repeated basis. That’s because fraudsters know that they can target that customer because they’ve built a relationship with them in some way. Unfortunately, the fraudsters are willing to go back, knowing the bank will refund the money to the customer, and target them again. 

Richard Harris: It’s almost like that old school situation from 10, 15, or 20 years ago, where a suckers list was circulated amongst fraudsters. Back in those days, it would be mailing addresses. I had a friend who fell for that and he consistently got physical mail telling him he’d won lotteries, all of that kind of stuff, because he got himself on one of these lists. Now you’ve got a digital version of that. 

Andrew Renshaw: Unfortunately, there’s this really weird juxtaposition. The fraudster is trying to get the customer involved in the fraud. Meanwhile, the bank is trying to get the customer involved in preventing the fraud. That’s completely different from where we were before, when it was the bank versus the fraudster. It was a technology battle. To a certain extent, the customer wasn’t involved at all. They’re just off on their merry way doing what they do. 

Fraud is a moment of truth. Fraud prevention is a moment of truth. All the stats show that if you get it right with a customer, they will stay with you far longer and they will engage with you far more. But if you get it wrong, you will lose that relationship. 

Richard Harris: The customer was basically unaware. Now they’re in the middle of the fight. 

Andrew Renshaw: Exactly. The potential for confusion there is massive. Their perception of reality has become vulnerable. They feel like they’ve been targeted and they no longer trust everything that they probably trusted 24 hours before. How a bank re-establishes that trust with a customer is vital. Fraud is a moment of truth. Fraud prevention is a moment of truth. All the stats show that if you get it right with a customer, they will stay with you far longer and they will engage with you far more. But if you get it wrong, you will lose that relationship. 

Richard Harris: It is an absolute break in a relationship. I’d been with a bank and a credit card provider for a long time. They sent me a credit card to an address where I no longer lived. That got used for roughly £10,000 to £15,000 in the UK. Finally, when the debt collection agency came to me and said, “We need to collect this debt!” I rang the bank. And they said, “Well, we need you to pass security.” How can I pass security on a card that I never asked for and never set up? 

Andrew Renshaw: That’s a great example of what happened to you on an emotional level at that time. What is happening to you on a personal level? How are you feeling? We tend to get a little bit technical, and we sometimes lose the feeling side of it. So whilst technology can help prevent it, I think if you don’t do it with that context in mind, then ultimately scams will continue to grow. And unfortunately, all the trends say they’re continuing to grow. 

Richard Harris: I’ve watched this for years. I used to have access to dark websites and watched fraudsters score each other’s capability with card schemes lists they were selling. People would give them so many stars out of 10. You know, “This guy’s great. His cards work. Don’t buy from this person.” 

Andrew Renshaw: True story. At my local branch, I’m not going to say which bank, the person in that branch was being impersonated by a fraudster who was then calling people because he knew that they had been into that branch that day. He was able to get access to data, and unfortunately I think there was some internal collusion. 

Andrew Renshaw: But imagine you go into a bank at 3 p.m. and you talk to “Dave” in the branch. And you have a great conversation with Dave, and then you get home and you get a call from Dave. Dave says, “Oh, sorry, when you were in the branch, we didn’t quite do it right. That transaction you thought you made? Sorry, it didn’t go through, but I just want to make sure. I can sort you out.” You can see straight away the emotional bonds that are happening there. 

Richard Harris: That kind of scam is not something that you’ve been warned about. It may not feel right. But then again, when was the last time someone randomly called you from a bank branch anyway? You’ve got nothing to compare it to. 

Andrew Renshaw: But we’re potentially talking about great service. Isn’t it great that the person I spoke to is willing to make an effort to reach out because something didn’t go right? And they know I went into the branch between 3 p.m. and 4 p.m. So, that level of specificity just creates trust. 

Andrew Renshaw: We tend to think about the transactional execution, but actually we’ve also seen examples where fraudsters work out which companies you’ve actually paid money to before. So imagine you use a local builder. What they’ll do is they’ll make another payment to the builder. Then they’ll use them to generate a refund. “Oh sorry, I’ve paid you twice. I didn’t mean to pay you twice. Can you send the money back?” In this instance, they are actually scamming the builder.

Andrew Renshaw: Suddenly the customer’s got what they think is a legitimate refund in their account. So again, I can then ring you up and have a conversation about that refund – the trust is implied. It’s all about credibility. And it’s this interesting battle between trying to destroy the credibility of the fraudster whilst maintaining your credibility as an organization. Both of those powers are occurring at the same time. 

Richard Harris: You’ve got a customer who’s potentially emotionally under stress and therefore not in a position to make great decisions. The fraudster’s putting that person in a fight-or-flight or deeply emotional state, worried about losing their finances, their life savings, whatever it’s going to be. That stops people acting rationally. That’s the M.O. How to get someone unbalanced and into that state? It’s deeply nasty. 

We estimate that in about 20% of scams the customer never actually contacted the bank to request a refund.

Andrew Renshaw: Getting people to pause is hugely powerful. It lets their brain catch up with what’s happening emotionally. To your point, let the rational side kick in before the emotion gets there. Sometimes the pauses in processes are where the scam stops. I think one of the things we don’t see is when the scam fails. The customer doesn’t call you to tell you why it failed. You tend to only see the ones where it succeeds. But what you don’t know is they’ve actually had that conversation with 20 to 30 people. We estimate that in about 20% of scams the customer never actually contacted the bank to request a refund.

Richard Harris: Because they’re too embarrassed. 

Andrew Renshaw: Because they’re embarrassed. They’re willing to write off the money just so they can almost emotionally move forward and forget about what’s been a very horrible experience for them. The tendency is to think about, I need 25 data feeds, I need real-time. That’s all true. But in the end, don’t be afraid to just step back as a fraud analyst, as a risk practitioner, and make sure you really understand the dynamic of what is going on from a people standpoint. Sometimes it’s about asking a better question rather than about having better data.

If you are looking for a fraud solution that provides strong protection from scams, we’d like to help you. Schedule a demo with us today to see how our experts and our technology can help establish digital trust for you and your customers.