Cost of living: Is enough being done to tackle scams and fraud?

by Jane Jee and Nick Fleetwood, Project Financial Crime

In the coming months, Project Financial Crime members expect criminals to become quicker at exploiting the government’s cost of living schemes to help the vulnerable.

What is this article about? The Payments Association’s Project Financial Crime discuss the current UK landscape of financial crime and fraud. How are scams and fraud impacting day-to-day businesses? Is enough being done to protect vulnerable consumers?

Why is this important? Account takeover attacks and authorised push payment (APP) scams are exploding. The cost of living crisis offers another opportunity for criminals.

What’s next? Quicker exploitation of government schemes to support cost of living and more sophisticated ‘deep fake’ and ‘fake president’ fraud.

Project Financial Crime members expect criminals to continue exploiting every loophole because they can react quicker than counter fraud bodies. For example, as soon as a government-issued benefit is announced they exploit it. One recent example is the energy bill support scheme used by scammers to con money out of vulnerable individuals.

The National Audit Office (NAO) published figures from HMRC indicating that around £4.5bn was lost due to error or fraud when Covid support schemes were rolled out. This is an ongoing estimate so the actual figure could end up being higher. While the report provides a list of recommendations for HMRC and HM Treasury to follow for future schemes, there will be similar exploitation from fraudsters during the cost of living crisis. Although the NAO and Home Office are developing a second Economic Crime Plan, it will be delivered too late to help the most vulnerable during the current crisis.

There will also be more ‘deep fake’-style attacks that are mostly automated. This type of attack has already been used with some success in ‘fake president fraud’, which involves a criminal posing as a company executive and persuading an employee to transfer large sums of money. The first one that shook the industry was in 2019 when a CEO fell victim to a deep fake voice attack, costing an energy firm $249,000. It should be recognised that this technology is now widespread and would be a simple tool for fraudsters to adopt.

The speed at which new fraud vectors are being created is unlikely to slow and the risk of financial crime will always be greater during periods of economic uncertainty. Criminals will try to exploit the uncertainty and anxiety that the current financial situation in the UK will create – from gas and electricity scams to purchase scams relating to paying for Christmas or next year’s holiday to targeting businesses with invoice scams and tax change fraud.

So, what is being done to address the issues?

PSD2 shows positive results

Card schemes are acknowledging a 30% reduction in gross fraud since the second Payment Services Directive (PSD2) enforcement measures entered into effect, with non-3DS fraud being double that of 3DS (3D Secure Protocol) fraud.

This reduction is generally agreed by the industry, although there is no governmental source yet. Although fraud reduction rates are showing some promise in the UK, it should be noted that this is partly because fraud levels here were particularly high to start with. This still leaves some margin for improvement when compared to the reduction of fraud in mainland Europe after PSD2 entered into force. Nevertheless, with stronger customer authentication mechanisms in place, criminal attacks will likely be deflected towards the enrolment and re-enrolment of a user.

However, successful enrolment and re-enrolment is the foundation on which strong customer authentication (SCA) is based. As such, fraudsters have understood that with SCA in place social engineering attacks would be more likely to succeed. Account takeover attacks and authorised push payment (APP) scams are thus a focus for criminals.

Fraudsters are always innovating and SCA/PSD2 were topics that gained quick popularity on the dark web. For a few hundred dollars, several courses are available to make your own banking malware. Therefore, companies should be ready for more large-scale attacks because there are more than 2 billion Android devices without adequate security updates.

Even in post-Brexit UK, the EU’s plans for PSD3 remain of huge interest and importance to those working in payments. PSD3 will support the goal of facilitating cheaper international payments, adopting global messaging standards, and supporting links between payment systems in different jurisdictions. Further statements are expected from the EBA and the European Commission (EC), as well as a detailed proposal for PSD3 from the EC in Q4 2022 or early 2023.

To learn more about counter-fraud measures, listen to the Dark Money Files Podcast.

APP scams reducing

The picture is not all doom and gloom. APP fraud, which occurs when a person is tricked into sending money by a fraudster posing as a genuine payee, has recently declined with losses down 13% in the past six months. This decline is being attributed to the success of Confirmation of Payee (CoP), although overall figures and the sums involved are still too high.

A PSR policy paper released this month states that CoP hasn’t been the silver bullet on APP fraud that they hoped it would be. Although CoP is useful to prevent impersonation fraud, it is unlikely to tackle romance scams or purchase scams. In a purchase scam, someone is tricked into believing they are paying for goods or services which they then never receive. In that instance the name on the account will match the details that are given by the criminal so they would pass CoP checks.

It is important to reflect on some of the great work by the Financial Conduct Authority (FCA). It led the in-person APP Fraud Techsprint on 27-29 September 2022.

Members of The Payments Association’s Project Financial Crime attended the FCA’s TechSprint and shared the below key messages:

  1. The industry needs one centralised system to track fraud and scams, with proven ‘bad actors’ being identified and their accounts flagged.
  2. There should be an increased focus on the receiving bank, as well as the bank making payment.
  3. There must be more cross-sector coordination of regulators, including newly developed bodies such as the Joint Regulatory Oversight Committee (JROC), which can provide other smart data sets.

The PSR also has APP fraud in its sights and will focus on this in 2023. On the final day of the FCA’s recent TechSprint (29 September), the PSR published a consultation document, which proposes measures on mandatory reimbursement, improving levels of protection for scam victims and incentivising banks to prevent APP scams.

The PSR’s proposals intend to protect consumers against APP scam losses and reduce fraud. Specifically, the reimbursement of victims would – above a minimum threshold – be mandatory and result in more money being returned sooner.

Beyond this, the PSR published on 11 October its response to its Confirmation of Payee (CoP) consultation, which proposes to extend the service. CoP allows the payer to check the name of the account before they transfer funds. Although the service has been implemented by several UK banks, there is a long way to go.

In its response, the PSR has directed 400 payment service providers (PSPs) to implement CoP to help reduce APP fraud. Large institutions have 12 months to implement the changes (by 31 October 2023), while others have 24 months (by 31 October 2024). The PSR hopes to increase CoP coverage from 92% of faster payments transactions to 99% after October 2023.

Finally, new significant legislation is coming to prevent the abuse of limited companies and limited partnerships by transforming Companies House. The Economic Crime and Corporate Transparency Bill was published on 22 September, giving additional powers to seize and recover suspected criminal cryptoassets and encourage businesses to share information to tackle money laundering and other economic crime. New intelligence gathering powers will be granted to law enforcement and more analysis of the legislation will be published once it is passed. In the meantime, The Payments Association will be submitting written comments on this Bill and will ask members to submit their views.

Meanwhile, the House of Commons Justice Committee says the government must design fraud out of systems and disrupt crimes at the earliest opportunity. A report published on 18 October by the Justice Committee states that “a wholesale change in philosophy and practice is needed to the way in which we fight fraud – one that takes it more seriously, gives it greater priority and resourcing, is more proactive in prevention, more aggressive in investigation, prosecution and conviction, and much more focused on its impact upon victims.”

Final thoughts

The one thing that has been demonstrated in the past five years is the ability of fraudsters to adapt to new opportunities and threats and continue to innovate in their ability to exploit any weakness.

Behind every scam and fraud is an individual or business who suffers potential material loss and emotional anguish at the crime committed against them. During times of economic hardship, research indicates that financial crime can increase by 75%-100% on current levels.

With the cost-of-living crisis and expected recession, now is the time for financial institutions to create customer-centric approaches to preventing criminals from exploiting their customers. What CoP has proven is that widescale adoption of modern technology that drives collaboration can have a material impact on financial crime.

Looking ahead, the focus needs to be on similar solutions that enable information sharing, the training of models, which can adapt to fraud innovations, and policies that protect customer interests.

Ultimately, the only way to protect the consumer is to make the UK financial environment, where customers send money, as hostile to criminals as possible by:

  • Improving checks when accounts are opened, when they first receive a payment and when money is removed from the account.
  • Securing the transaction process itself through the screening of inbound and outbound transactions by both the sending and receiving banks.
  • Smoother onboarding of new financial crime prevention technologies to enable the banks to innovate as quickly as the criminals.
  • Collaboration and data sharing tools to drive an increase in the level of intelligence and responsiveness to fraud threats.

Ultimately, this is the time for the financial industry to invest in financial crime prevention measures to adapt to new regulation and put their customers at the heart of their response to preventing fraud and scams.

There is no silver bullet when it comes to fighting financial crime, however. It will only be reduced by the continuing concerted efforts of all parties – the government and industry working closely together. The Payments Association is determined to do all it can to make its financial crime work effective toward reaching this goal with government.

The Payments Association’s events

Have you registered for this year’s Financial Crime 360 Conference on 22 November? It has two streams focusing on fraud and anti-money laundering. Click here to see the agenda and register.

Did you miss the financial crime podcast on scams and fighting fraudsters? Listen now.

As a member of The Payments Association, you can join Project Financial Crime as a contributor. Contact Tom Brewin for more details.
