Unmasking Financial Scams: Questions from India FinTech Forum 2023

Which are the latest financial scams that you are seeing?

In a scam, a customer makes an authorized transaction either under coercion or duress from a fraudster. Scams often fall into two distinct emotional buckets: fear and greed.

On the fear side, some of the latest scams we’re seeing involve a scammer contacting the victim, claiming to be a bank representative. They’ll convince the victim that there’s been a suspicious-looking transaction on their account and urge them to transfer their money to a “safe” account. Of course, once the victim does that, they never see the money again, and they never hear from the criminal again. This type of scam is known as an Impersonation scam and often yields a very high average loss per case.

Scams that play on the emotions of greed can include investment scams that promise guaranteed high returns for a small deposit. For example, scammers may pretend to offer a new cryptocurrency coin or a high-yield bond and promise a 20% return on the victim’s investment. The victim feels pressured to make the investment or miss on an easy money opportunity. This type of scam is known as an Investment scam.

Another way scammers exploit human’s propensity for greed is to pretend to sell valuable items online that don’t really exist. This could include an expensive smartphone, jewelry, or an appliance. After listing them on a digital marketplace, a victim purchases but never receives the goods. This is known as a Purchase scam and is one of the most frequent scam types reported by victims.

As you can see from these examples, fear and greed are the most appropriate ways to categorize some of the most common scams we currently see.

How will behavioral biometrics help banks if a customer is unknowingly involved in a scam?

Behavioral biometric solutions analyze how a user interacts with their device. This includes keystrokes and mouse movements on desktop and laptop computers. It can also measure how users touch their mobile device’s screen as well as gyroscopic data to understand what angle a device is normally held.

The traditional way behavioral biometrics technology has been used is to analyze the way a customer normally interacts with their device. From there, banks can compare that baseline of data in real-time with the behavior of the current user to assess if it’s the genuine customer logging into their account or a fraudster committing account takeover fraud.

Behavioral biometrics can also be used to determine if a user is unknowingly under the sway of a scammer. Instead of comparing data from the user’s current session with their baseline, banks can consider if any signals from the interaction indicate the customer is acting under the direction of a scammer.

For example, when someone is being scammed, it’s common for banks to see a long time pass between the login time and the payment. Normally, when someone logs into their account, they have a very clear intent. But if they’re hesitating, the delay in the user’s behavior could be a red flag that they are being scammed. They may also hesitate as they enter new information for a beneficiary.

In other words, behavioral biometrics enables banks to go beyond asking, “Is this the real user?” and instead ask, “What is the intent of the user?” Behavioral biometrics for scams is an emerging technology that is an important add-on for a fraud ecosystem. It adds an additional layer of security to improve decision-making by resting on top of a bank’s existing security stack.

How do you see the financial scam landscape changing amid the advent of powerful AI tools? Which AI tools can banks use to fight fraud?

With the advent of powerful AI tools, financial scams are likely to increase as a result of the scammers’ approach becoming more sophisticated. 

Take voice or vishing scams, for example. Fraudsters can use downloadable software from the web and train a voice-cloning program based on just 10 or 15 seconds’ worth of audio of a real person. The sound could originate on Youtube, social media, or even a voicemail recording. After cloning a person’s voice, they can contact the person’s loved ones and demand ransom in return for a safe release.

That’s an extreme example of someone using advanced AI to clone an individual’s identity and convince a victim to make an authorized transaction. But the increasingly sophisticated nature of AI is likely to mean more victims fall for scams, and therefore process more fraudulent payments on behalf of the criminals. 

For banks, the priority will be to continually innovate the way in which they’re looking for and detecting scams. This means banks will need to re-think how they’ve traditionally tried to stop fraud. AI, and in particular machine learning, has always been considered a defensive mechanism used to spot anomalies and risks. But fraudsters are using it in an offensive way, so banks must rethink their approach. 

Instead of a rules-based approach to fraud monitoring, banks should shift to a machine learning-first approach. A machine learning-first approach to fraud detection is more effective than simply relying on rules. Feedzai is very adept at this approach and is leading the market today.

How can we tackle the growing menace of money mules?

I can’t emphasize this enough: if you stop the money mule, you can stop the fraud.

Every digital fraud relies on a money mule account. By definition, a mule account is an account that receives illicit funds sent from a victim or a fraud perpetrator. 

Mules have received intense focus in the past 12 months, largely due to the rise of the scam threat. The reason for this is in an unauthorized fraud, a compromise has occurred on the sending bank’s side. In the case of a scam, which is authorized, the compromise is on the receiving bank where the mule account resides.

Banks are therefore rethinking their approach to detecting money mule accounts. Best practice dictates that there are three key opportunities to stop a money mule.

1. Block money mules at account opening

Banks need to recognize that money mules come in different shapes and sizes. Stopping money mules begins at the account opening stage to stop mules from entering the front door. Having a rigorous account opening process is a critical step to stopping mules from onboarding, to begin with.

2. Practice ongoing account monitoring

Stopping mule accounts at onboarding is the ideal stopgap. But sometimes legitimate customers fall victim to money mule recruitment. Banks need to practice ongoing account monitoring to look for signs that the customer is in financial distress. For example, if the account suddenly shows a spike in interactions with gambling merchants, it could be a red flag that the customer is acting or is willing to act as a money mule.

3. Inbound payment monitoring

Banks shouldn’t just look at payments leaving an account. Banks also need to understand where the funds are being delivered. Consider if the payments coming into a bank account are normal or if they raise red flags.

Following these three pillars is critical to understanding if money mules are active in a bank’s system.

In India, faster payment services like UPI and Aadhar Pay are experiencing fraud. What steps can Indian banks take to reduce their fraud risk? 

Like all regions that have launched a faster payment scheme, fraudsters are among the earliest adopters. India is no exception. Unfortunately, any region looking to implement a fraud prevention strategy after a faster payment scheme launches is already behind the curve. That said, there are still steps banks in India and around the world can take to make faster payments secure.

Prepare early

Understand how faster payments stand to disrupt the financial services sector. Banks and financial institutions that prepare early will be in a stronger position to manage fraud threats. Learn important lessons from the UK and other regions where faster payment schemes have been launched. Trying to react with your fraud strategy once real-time payments are already the norm will be costly.

Implement machine learning

Machine learning technology gives banks the opportunity to spot patterns in data that the human eye would overlook. Machine learning models can be trained on historical fraud data. Even if a bank is launching a new product and no historical data is available, banks can start using a rules-based approach before adding machine learning to it.

Think of the broader context

It’s tempting, but banks can’t just think about the payment. They must also think about the real-time risk decisions that are required during faster payments. In the real-time payment reality, banks won’t get a 2-hour delay, let alone a 24-hour one, to make an informed fraud decision. Make sure to have the best and most relevant data available to make a decision. For example, a customer normally transacts through a bank’s app but today is logging in from a laptop. Put information like this into context when making fraud-related decisions.

Get a 360-degree view of the customer

Much like looking beyond the nature of the payment, banks should also look at how their customers use the rest of their bank’s services. For example, a customer might be making an instant payment now but already made an unusual-looking traditional payment two hours earlier. Getting a 360-degree view of the customer will allow banks to better understand them and make better decisions when anomalies are uncovered.

Constantly care for and iterate the system

Once a bank’s fraud prevention system is implemented, banks should make sure it is constantly cared for and iterated appropriately. For example, when a new fraud prevention system is implemented, it may be effective at first. But as fraudsters shift their tactics, their effectiveness will change. Banks must ensure their fraud strategy evolves constantly and is agile enough to respond to new conditions.

Scams, fraud, money mules, and other threats constantly evolve, so banks must always be vigilant. Working with an experienced partner to stay ahead of a constantly-shifting fraud landscape is critical to keeping customers safe.