The banking industry has teamed up with the government, the police and other regulators to present a united front to prevent and combat fraud – and it seems to be working.
Last updated: 21 Jul 2020
UK banking security systems prevented fraud on an estimated £1.4bn scale last year. Scam losses on payment cards fell to their lowest level since 2012, with cheque fraud losses plunging to 28%.
Every thwarted scam motivates criminals to find ever more sophisticated ways of slipping through the system. So what is Britain’s financial sector doing to keep one step ahead of the crooks? How do banks ensure they can accurately verify the identity of their customers?
“The fraudsters are forever developing new routes in to target institutions and their clients,” says Mike Haley, chief executive of the Credit Industry Fraud Avoidance System (Cifas). “As technology makes banking systems more secure, conversely it also opens up new ways for criminals to exploit them.”
Today’s scams are a world away from the emails from the “overseas prince” who wanted you to share his fortune. They have become so sophisticated that even the biggest companies can fall for them.
So where are the current threats coming from?
According to Cifas, around 175,000 cases were reported in the UK last year – a 125% increase in the last decade. But robust banking systems cannot prevent this from happening – not on their own, that is.
“Banks’ defences are now significantly stronger than they were, so crooks are now stealing IDs through less protected targets such as insurance companies, store cards and mobile phone contracts,” says Haley.
And this can provide enough ID to open online bank accounts. Many banks no longer demand documents to be uploaded or presented as proof of ID (Royal Bank of Scotland is an exception) – yet a recent study conducted by consumer review service Which? found half the participants had insufficiently secure personal details online that would have enabled the researchers to open bank accounts in their names.
“The basis of electronic checks [are] your full name, address and date of birth, as laid down by the Joint Money Laundering Steering Group (JMLSG) guidelines,” says Which? senior researcher Faye Lipson. “Nearly all ID finance product frauds are committed using a real person’s identity.”
This targets the consistently weakest point in any security system – a human being. Manipulation to divulge information or transfer money is arguably the single biggest challenge facing anti-fraud teams. Phishing (convincing scam emails), voice phishing (scam calls, also called vishing), smishing (scam texts), persuading someone to reveal security/password details – all fall into this category. Basic human nature makes us all – including bank staff – vulnerable, says Dr Jessica Barker, cyber-security expert and co-founder and socio-technical lead at cyber-security organisation Redacted Firm.
“We all think, ‘I’ll never fall for that; I’m far too sensible’,” says Barker, also founder of Cyber UK. “But our brains have two halves, one thinking fast and one thinking slow. Criminals know if they get into the fast part, we’re more likely to fall for what they say.”
Barker believes three main areas make us weak: “Authority – you don’t want to disobey an email if you think it’s from your boss; curiosity – if you get a message supposedly from a friend showing a picture of a great party, you’ll take a look; and temptation – if you think looking at an email will get some sort of reward.”
Criminals are increasingly using artificial intelligence (AI) to go phishing. “We are starting to see AI so sophisticated that it actually ‘learns’ your writing style,” says Dave Palmer, director of technology at Cambridge-based cyber security experts, Darktrace. “It knows how the turns of phrase you use differ depending on who you’re contacting – and mimics accordingly.”
Criminals don’t need social engineering to defraud banks or customers – data breaches give cheats the information they need to open new accounts in a customer’s name without him or her knowing. And, as it has apparently been opened by an existing customer, it does not immediately raise the suspicion of the bank.
Victims are often persuaded to allow access to their bank accounts for the transfer – ie laundering – of money accrued from serious crime. The targets tend to be cash-needy young adults between the ages of 18 and 24, recruited through texts or social media, to allow access with the reward of keeping some of the money for themselves.
The posts are often advertised as a ‘finance manager’ or ‘UK representative’ who receives the money and who is then asked to withdraw it to wire it to a different account. “Often those who sign up are completely unaware they’re laundering proceeds of crimes such as terrorism or drug smuggling. But that is no excuse – they would still be prosecuted.”
Crooks could return to a much more traditional money crime this month – thanks to General Data Protection Regulation (GDPR). “I think we’re inevitably going to see hackers approaching an organisation saying: ‘I’ve hacked you’,” says Barker. “They’ll say: ‘You could go public, you could disclose this and face the reputational damage and the fine, or you could pay me this lesser amount.’”
The good news is that the industry is fighting the fraudsters on a number of fronts – in many cases with fintech and other tech firms leading the traditional banks into innovative solutions. Call centre authentication specialist Pindrop is helping some of the UK’s major banks identify fraudulent calls using technology that distinguishes 147 features from a voice conversation.
The Bank of England’s internal accelerator is working with nine fintechs on AI and blockchain security, including testing technology from Mindbridge Analytics to spot abnormalities in transactions, and cryptocurrency firm Ripple to test robustness of transactions.
“We are putting a lot of protection in on how people bank on their devices,” RBS Group CEO Ross McEwan recently told magazine Which?. “Our technology is stopping hundreds and hundreds of thousands of payments on a weekly basis. We’re doing it through key strokes, voice recognition – there’s a series of voices we’ll block payments on.”
Les Matheson, the bank’s personal and business banking chief executive, added: “We monitor people’s accounts, particularly vulnerable customers, so we see if something looks strange. Every week I have reason to thank some of my colleagues for stopping, say, £20,000 or £40,000 from going out of the bank. But it also comes down to dialogue with our customers. If a request doesn’t feel right, don’t do it – but do report it to us.”
In addition, Financial Fraud Action UK, a partnership between the government, the police and the finance sector, has co-ordinated banks, fintechs and other institutions across the sector through a range of initiatives.
These include the Banking Protocol, a “ground-breaking rapid response scheme”, which educates branch staff in how various scams work, enabling them to immediately alert every police force in the UK; the police’s Dedicated Card and Payment Crime Unit, which tackles organised financial fraud crime; and Take Five, a public information campaign outlining the security measures individuals can take to prevent being scammed, such as never giving out personal or bank details, checking the authenticity of any suspicious calls by returning the call from a different phone and ‘taking five’ to think before taking any action.
In addition, the Bank of England’s Prudential Regulation Authority recently announced a new set of rules to be implemented later this year. These will “set out the level of operational resilience we expect of firms” and are aimed at bringing all financial institutions to a similar standard, while adding to the security of firms that already have Bank of England cyber-resilience requirements in place, such as the Royal Bank of Scotland.
The Financial Conduct Authority (FCA) is also leading the charge, planning to introduce rules from August that will require banks to publish details of major security breaches. The aim is to compel honesty about the state of systems and therefore prioritise the need to strengthen them.
“Fraud has devastating effects that are felt right across society,” says Katy Worobec, head of economic crime detection at UK Finance. “But the entire finance industry is committed to cracking down on fraud and rooting out the criminals responsible.”