Date: 2023-02-09
Over the past year the UK has experienced a 41% increase in payer manipulation fraud (or as they call it, authorised push payment (APP) fraud), and unless the country’s banks take a proactive approach they could soon face stiff regulatory pressure.
According to the UK’s annual fraud report, there was a “notable” 39% rise in impersonation scams, with impostors masquerading as banks and police staff, and a 33% rise in fraudsters pretending to be other officials. UK communications regulator Ofcom reported that eight out of 10 surveyed people had been targeted with scam texts or calls, which the regulator said were intended to convince consumers that they were from trusted organisations such as banks, the National Health Service or other government departments.
There is no doubt that this is an attack vector worldwide now. Our usual methods of protection are being tested by the human form factor. We know that traditional two-factor authentication protects the customer from typical phishing attacks in which the fraudster has stolen a username and password. However, with payer manipulation fraud the fraudster actually uses customers themselves to perform and “bypass” all the multifactor authentication protection put in place by the bank — and coaches them through the full journey, including advising them to ignore all the warnings the bank might have put into the customer journey.
Because the fraudster adds a sense of urgency, customers do not pay that much attention to what they’re doing — they are just following the direction of a person they trust, who they believe is protecting them. These calls sometimes go on for hours as the fraudsters convince the account holder to add a beneficiary or transfer their money into a “safe account”, which is actually one the fraudster uses to steal the money. This manipulation is causing untold damage to people and families, and banks are expected to take action.
SA banks and their partners are seriously applying themselves to addressing this issue. We are now exploring a number of ways to address this, including looking at ways to detect dubious actions. For instance, when you see money moving between accounts in a suspicious manner or being cashed out into crypto accounts after some account switching, you could delay the transaction and reconfirm the payment with the client a while later. Destination account verification offerings are another way local banks are trying to protect their customers.
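An added example, not from the original article or from any bank's system: a minimal hold-and-reconfirm rule for the pattern described above (account switching followed by a crypto cash-out or a payment to a just-added beneficiary). The event fields, thresholds and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds, chosen only for illustration.
WINDOW = timedelta(hours=24)       # look-back for account switching
MIN_SWITCHES = 2                   # own-account moves that count as switching
HOLD_DELAY = timedelta(hours=4)    # wait before reconfirming with the client

@dataclass
class Event:
    ts: datetime
    kind: str            # "own_transfer", "add_beneficiary" or "payment"
    dest: str = ""       # destination account id
    dest_type: str = ""  # "bank" or "crypto_exchange" (payments only)

def decide(history, payment):
    """Return (decision, reasons, reconfirm_at) for an outbound payment."""
    recent = [e for e in history
              if timedelta(0) <= payment.ts - e.ts <= WINDOW]
    switching = sum(e.kind == "own_transfer" for e in recent) >= MIN_SWITCHES
    new_payee = any(e.kind == "add_beneficiary" and e.dest == payment.dest
                    for e in recent)
    reasons = []
    if switching and payment.dest_type == "crypto_exchange":
        reasons.append("crypto cash-out after account switching")
    if switching and new_payee:
        reasons.append("payment to newly added beneficiary after switching")
    if reasons:
        return "HOLD_AND_RECONFIRM", reasons, payment.ts + HOLD_DELAY
    return "ALLOW", reasons, None

# Constructed sample events for one customer (not real data).
T0 = datetime(2023, 2, 9, 10, 0)
HISTORY = [
    Event(T0, "own_transfer", dest="SAVINGS-1"),
    Event(T0 + timedelta(minutes=20), "own_transfer", dest="CHEQUE-1"),
    Event(T0 + timedelta(minutes=35), "add_beneficiary", dest="ACC-NEW"),
]
SUSPICIOUS = Event(T0 + timedelta(minutes=40), "payment", "ACC-NEW", "crypto_exchange")
ROUTINE = Event(T0 + timedelta(days=30), "payment", "ACC-OLD", "bank")

if __name__ == "__main__":
    for p in (SUSPICIOUS, ROUTINE):
        print(p.dest, decide(HISTORY, p))
```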
Additional risk
APP fraud has risen in the UK since it introduced real-time payments via a faster payments scheme in 2008. One of the problems with these immediate payments is that they are irrevocable, which means victims of APP fraud can’t reverse the payments when they realise they have been tricked.
SA banks are now implementing our own rapid payment system (RPP) and having it exposed to additional risk at the outset could affect its uptake. Regarding the RPP there are a number of potential pitfalls. Fortunately, the work already done by the UK banks and their regulator gives us good insight into how to tackle the challenges ahead.
It is also comforting that the collaborative work by local banks, and their focus on building strong fraud prevention into the system from the start, should give local consumers some confidence when the RPP goes live. Furthermore, the initial amount supported on RPP is set to R3,000 to prevent one incident from causing large losses.
The UK is not sitting idly by, and while most banks are working to address the issue, the lack of consistency and action from some has forced the UK Payment Systems Regulator to implement many measures to combat the growth in these scams. These include requiring banks and other payment providers to reimburse victims, placing the responsibility on the banks to refund the loss.
Among the proposals on the table from the regulator is a mandatory name-checking service, confirmation of payee (COP), and consumer reimbursements for all banks, as well as active monitoring. The regulator is also determined that when a bank does not use COP it should not be allowed to use the faster payments scheme.
We need people to trust our payment system. SA needs a collaborative, industry response to this, and we need more context with pooled data to see trends. We are working together to find ways to consolidate data and get ahead of the fraudsters by learning from other markets, and applying our own SA technology to solve this problem.
Our team is already working with various global and local players to see how we can further protect clients. The takeaway is that fraudsters steal from everyone, and this type of attack can only be solved by industry collaboration and innovation. These types of attacks are enabling us to start accelerating that.
• Oosthuizen is CTO at authentication specialist Entersekt.
GERHARD OOSTHUIZEN: Banks probe ways to thwart rising manipulation fraud
The institutions and their partners are looking at techniques to detect dubious actions amid a worldwide increase in the crime
