March 30, 2022
By Pavel Jiřík in Blog
We have never before faced as many problems with cybercriminals as we do now. Fraud is now a "national security threat" according to Britain's main banking body, with £754m stolen from customers in the first half of 2021. That's an increase of 30% compared to the same period in 2020. The situation isn't much better in other parts of the world either. In India, more than 83,000 banking frauds amounting to Rs 1.38 trillion took place during 2020-2021.
If banks and other financial institutions want to spot and prevent financial scams from happening, then staying up to date with the methods that cybercriminals use and how they can stop them in their tracks is essential. We have compiled below a list of the 5 most common banking scam types to look out for in 2022 to show you which methods are preferred by criminals when it comes to stealing both from individual customers and organizations.
Why Has Banking Fraud Increased?
Over the past year, nearly everyone has been forced to change their routines. The way we work, shop, communicate, and reach out to customer support - everything has moved online. And that, unfortunately, has created ideal conditions for many types of financial scams.
With remote work becoming more common, many employees have gotten accustomed to working from home. Consequently, they have started accessing company databases from devices other than their secure office computers, making it far easier for hackers to try and attack. For superiors, it's also far harder to enforce internal standards and confidentiality requirements when most of their employees work from home.
In addition, since the majority of stores, banks, and offices were shut down due to the restrictions, companies had to immediately switch to phone and digital communication channels. Unfortunately, as they rushed to become available to their customers as soon as possible, organizations sometimes neglected security measures, making them easier targets for criminals.
Add to this the boom in online purchases and home delivery, as well as the massive growth of online payments, and we can see just how many new opportunities for phishing scams fraudsters are now presented with. But even though the pandemic has increased the number of opportunities available to criminals, their main methods haven't actually changed that much.
Most techniques involve social engineering and well-known psychological tricks to persuade the victims to do what the criminals want. What are some of their favorite methods?
Bank Insider Frauds
In the past, managers and supervisors could regularly keep an eye on their employees' actions relating to customer data or bank accounts, since everything went through the bank's main network. However, when the world went remote, supervisors lost some of those controls and some unscrupulous employees saw this as an opportunity that was too good to pass up.
According to PwC's Global Economic Crime and Fraud Survey 2020, 37% of scam cases that affect businesses are committed by insiders. That is, by a bank employee or a business partner who both has access to the customer data and knows exactly how the bank's internal systems work.
With such knowledge, they may be able to directly access victims' accounts, for example, by exploiting user privileges. That way, they could transfer money directly from the bank's internal accounts to their customers' accounts and then to an external bank account or a prepaid card. The latter is especially popular as these cards are easy to obtain, involve fewer security checks, and can also be used to withdraw cash in multiple currencies.
According to the Association of Certified Fraud Examiners, organizations globally lose 5% of their revenues to fraud. This amounts to nearly $5 trillion lost every year.
Phishing
It is no secret that phishing is on the rise - who hasn't at least once received a suspicious email to their personal or work inbox? A 2021 study by Tessian found that employees received an average of 14 malicious emails annually. The retail industry is particularly hard hit, with workers in this sector receiving 48 on average.
What exactly is phishing? It's a social engineering attack used to steal user data, including login credentials and credit card details. An attacker, pretending to be a trusted entity, convinces the recipient to open an email, instant message, or SMS and click on a link inside. Once an unsuspecting victim does that, they are lured into installing a "necessary" application (with malware hidden inside) on their device or into sharing personal information such as login credentials.
Attacks like this can be devastating. People who fall victim to them often find that their bank accounts have been emptied, there are unauthorized purchases made using their cards, or that loans have been taken on their account.
But for businesses, the situation can be even worse. They may lose not only money but also critical business data, resulting in reputational damage and disruption of their daily work. In fact, phishing ranks as the second most expensive type of data breach, costing businesses $4.65 m on average according to IBM.
Vishing and Smishing
96% of phishing attacks are sent by email, but that doesn't mean it's the only channel that cybercriminals use to steal our data. They might also use phone calls and texts: "vishing" is a method of scamming in which a fraudster uses a phone call to pose as a representative of an organization.
Meanwhile, smishing uses text messages that appear from trusted senders, such as banks and online retailers. These text messages typically contain URLs or links that trick recipients into visiting websites that download viruses and malware onto their mobile devices or into revealing their personal information. To seem more credible, smishers and vishers often also create fake caller ID profiles that make the phone numbers they use appear legitimate.
The methods and excuses given by the scammers might differ (they may claim there's a security problem on the recipient's account or pretend to be the head of a trusted organization), but their end goal is exactly the same as with email phishing - money. In the US, Americans have lost over $100 bn because of "Covid Aid confirmation" emails and calls that, instead of helping people get federal support, resulted in their bank accounts being hacked.
Technical Support Scam
During the pandemic, we relied on our laptops, tablets, and phones far more than usual, which gave cybercriminals a great way to try and attack our devices. Specifically, by pretending to be a tech support service.
A tech support scammer may call and claim to be a computer technician from a well-known company and say they have found a problem with your computer or noticed suspicious activity on it. Then, they request victims to give them remote access to the computer and pretend to run diagnostic tests.
Sometimes they might also try to lure the victim with a pop-up window that looks like an error message from their operating system or antivirus software. The message in the window warns of a security issue on the computer and tells the user to call a phone number to get help, or to install a special program to reach tech support from a well-known company "for free".
Based on a Microsoft study, 3 out of 5 consumers have fallen for a tech support scam in the previous 12 months. While most of them lost around $200 on average by paying for "tech support," some lost thousands of dollars.
Authorized Push Payment (APP) Fraud
In the first half of 2021, APP fraud increased by 71%, reaching £355 million, according to banking trade body UK Finance. This number is only expected to grow with the increasing popularity of online payments.
APP fraud occurs when a customer or an employee is tricked into sending a payment to the scammer’s account. There are many types of authorized push payment schemes. For example, victims may be told that their accounts have been compromised and so they must transfer their money to a new account to prevent it from being stolen. They might also receive an invoice that looks exactly like one from their main supplier but actually turns out to be from a fraudster.
As the victims make these payments themselves and thus easily pass all security checks, getting the money back is a serious problem. Most funds lost to APP fraud are never recovered, which leaves consumers and businesses out of pocket.
How Can Voice Biometrics Prevent Financial Scams?
Considering all of the above examples of common scams, it's pretty clear that banks need to work on securing their systems more than ever. They have traditionally used knowledge-based authentication methods such as PINs, security questions, passwords, and one-time phone keys. Combining these factors into multi-factor authentication does help to prevent most attacks that rely on stolen credentials.
However, knowledge-based authentication is extremely dependent on user vigilance. Users must take the time to choose strong login credentials, preferably different for each account, and update them regularly. Knowledge-based authentication also takes a lot of time, as bank employees must ask security questions - the more sensitive the issue, the longer it takes to verify the caller.
Many people feel frustrated when they are forced to come up with passwords that meet security standards but which they can't remember, or when they have to spend minutes on the line just to be verified by a support employee. How can voice biometrics be a solution here? When combined with multi-factor, knowledge-based authentication, it provides near-impenetrable security while also contributing to a much better user experience.
Voice biometric authentication relies on voice pattern analysis since each person has a unique phonetic and morphological profile. You can ask a user to say a phrase that the system will use to identify them or the check might happen naturally in the background using passive voice biometrics, which can verify a person's voice regardless of what they say.
What's more, voice biometrics doesn't need any complicated equipment. The only requirement for using the system is to complete a one-time voice enrollment process, which generates a unique customer profile based on the characteristics of their voice. If you use passive voice biometrics, the whole process can happen seamlessly during a regular conversation without the customer even noticing and without them having to remember a passphrase or PIN, for example.
To verify a caller's identity, the voice biometrics system compares the way the caller speaks during the call with the stored voiceprint of the account holder. If the two don't match, the system marks the caller as having failed verification and alerts employees. This technology can be especially useful in dealing with vishing scams, as it prevents criminals from using stolen personal information alone to pass security checks. It can also detect attempts to mimic someone's voice or to play a recording of it for fraud purposes.
Voice biometrics can also be extremely useful for re-verifying users, say if they switch devices and lose access to their account. Because voiceprint samples aren't tied to a specific device or number, they can be immediately used to authenticate each caller and confirm whether or not they are the real owner of the account. If a device is stolen and someone tries to use it to impersonate the owner, voice biometrics can also spot the fraudster and warn the company of a suspicious call.
Because of all those benefits, voice biometrics is quickly growing in popularity as a verification method. HSBC UK is one of the major banks that has adopted voice authentication as a way to combat fraud. Since its launch in 2016, the technology has prevented nearly £1 bn in customer funds from falling into criminal hands, and the number of fraud attempts has been falling 50% year-on-year as of May 2021.
What Else Can Be Done to Prevent Banking Fraud?
Of course, you shouldn't rely only on technology to help prevent scams. Since the majority of fraud attempts rely on social engineering and manipulation techniques, you need to constantly remind customers to be cautious if they receive emails or texts containing links, or calls asking for personal information.
Users should never share their login details, bank account data, social security numbers, or any other personal information without first verifying the identity of the person asking, and they should double-check all invoices they receive before sending payment. Passive voice biometrics can also make your customers more alert to vishing attempts, as they know the bank recognizes their voice as they speak and doesn't need to ask for additional information when they call about an issue.
When it comes to insider fraud, unfortunately, it can be one of the toughest challenges for a bank to handle. It is best that companies limit the opportunities for such scams by, for example, requiring more than one signatory for bank transactions, having several people count cash collections, or asking customers to verify payments. Regularly reviewing user roles and privileges and restricting access to certain parts of the system can also help prevent and uncover fraud within financial organizations.
The methods used by fraudsters to get past their victims' defenses are constantly evolving. Scammers are quick to notice any vulnerability or opportunity and won't hesitate to attack, so it's more important than ever to stay vigilant, especially when responding to emails and phone calls.
The use of voice biometrics can be incredibly helpful here. With voice analysis software, companies can detect suspicious behavior and stop bad actors by comparing a caller's voice with the stored voiceprint of the account holder or system user. Scam cases and the damage they cause can be reduced significantly simply by knowing straight away when there's a suspicious person on the line.
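The following is an added example, not code from the post or its author, that turns two points on this page into checks a bank's monitoring team could run over a transfer ledger: the dual-signatory control described just above, and the insider pattern from the Bank Insider Frauds section (internal account to customer account, then out to an external account or prepaid card). The account prefixes, the 1,000 approval threshold, the 24-hour window and the ledger rows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    tid: str
    ts: datetime
    initiator: str          # employee id for back-office entries, "customer" for self-service
    src: str                # source account id (assumed prefixes: INT-, CUST-, EXT-, PREPAID-)
    dst: str                # destination account id
    amount: float
    approvers: tuple = ()   # employee ids that signed off on the entry

def is_internal(acct): return acct.startswith("INT-")
def is_external(acct): return acct.startswith(("EXT-", "PREPAID-"))

def missing_dual_control(t, threshold=1000.0):
    """Back-office transfers at or above threshold need two distinct approvers, neither being the initiator."""
    if t.initiator == "customer" or t.amount < threshold:
        return False
    return len(set(t.approvers) - {t.initiator}) < 2

def chained_outflows(transfers, window=timedelta(hours=24)):
    """Return (first_tid, second_tid) pairs where funds moved internal -> customer -> external/prepaid
    within `window`, the second leg carrying at least 90% of the first leg's amount."""
    hits = []
    for a in transfers:
        if not is_internal(a.src) or is_external(a.dst):
            continue
        for b in transfers:
            gap = (b.ts - a.ts).total_seconds()
            if (b.src == a.dst and is_external(b.dst)
                    and 0 <= gap <= window.total_seconds() and b.amount >= 0.9 * a.amount):
                hits.append((a.tid, b.tid))
    return hits

# Constructed sample ledger; not real transaction data.
T0 = datetime(2022, 3, 1, 9, 0)
LEDGER = [
    Transfer("t1", T0, "emp17", "INT-SUSPENSE", "CUST-4411", 9500.0, ("emp17", "emp02")),  # initiator signed own entry
    Transfer("t2", T0 + timedelta(hours=3), "customer", "CUST-4411", "PREPAID-88", 9400.0),  # cashed out to prepaid card
    Transfer("t3", T0 + timedelta(hours=1), "emp05", "INT-SUSPENSE", "CUST-1200", 250.0, ("emp05",)),  # below threshold
    Transfer("t4", T0 + timedelta(days=2), "customer", "CUST-1200", "EXT-ACME-BANK", 240.0),  # outside the window
    Transfer("t5", T0 + timedelta(hours=2), "emp09", "INT-SUSPENSE", "CUST-7000", 5000.0, ("emp02", "emp11")),  # properly dual-controlled
]

def review(ledger=LEDGER):
    """Run both checks and return the flagged transfer ids for analyst follow-up."""
    return {"dual_control_violations": [t.tid for t in ledger if missing_dual_control(t)],
            "chained_outflows": chained_outflows(ledger)}
```

On the constructed ledger, only t1 lacks a second independent approver, and only the t1 -> t2 chain matches the cash-out pattern; t3/t4 fall outside the window and t5 is correctly dual-controlled.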