The Top Banking Fraud Types to Watch in 2023

USE THE TABLE OF CONTENTS BELOW TO NAVIGATE THROUGH THE PAGE:

  1. Introduction
  2. The 2023 Fraud Landscape
    1. Fraudulent Payments Initiated by Unauthorized Parties
      1. Bank insider
      2. Phishing
      3. Man in the middle/pharming
      4. Technical support
      5. Mobile SIM swap
      6. Account takeover
    2. Fraudulent Payments Initiated by Authorized Parties
      1. Push payment social engineering
      2. Romance scams
      3. Business email compromise
      4. Invoice fraud
      5. Investment scams
  3. Conclusion
Take this guide with you

1. Introduction

The latest fraud stats make uncomfortable reading. Fraud is growing – relentlessly.

According to a report published in 2022 by the Association of Certified Fraud Examiners (ACFE), up to five percent of corporate revenue is currently lost to fraud every year. That’s estimated at US$4.7 trillion globally.

Sadly, the ACFE’s figure is likely on the conservative side. During global macro-economic downturns – like the one we’re facing today – crime, including fraud, tends to rise.

The ACFE report came out mid-2022. Since then, oil and food prices and interest rates have risen, increasing the cost of living across much of the world. This will be pushing more people toward criminal activity and fraud in the year ahead.

It’s also getting easier to commit fraud. For those without technical computer knowledge, crime- or fraud-as-a-service (CaaS), easily found on the dark web as well as Telegram and other messaging platforms, means software packages can now be rented or licensed in exactly the same way we all pay for Microsoft. Ransomware packages, for example, are available for $1,000 a month. This, too, will help drive up fraud losses throughout 2023.

But it’s not just the economic crisis and CaaS that will fuel growth. Criminals are sticking with tried-and-tested fraud types. Having said that, they are proving adept at adapting their schemes to seize on changing life and work patterns to stay one step ahead, not only of law enforcement and fraud-mitigation efforts, but also of rival criminal gangs.

So phishing scams – where they try to elicit personal information such as date of birth or passwords to help them perpetrate fraud – will remain a threat. Love, investment and delivery scams, as well as deep fakes, will continue to feature throughout 2023. In addition, we expect to see more fraud where criminals try to impersonate work colleagues in emails not only within companies but also in public bodies and institutions. This is a growing trend thanks to the increase in staff working from home as a result of the Covid-19 pandemic and using less secure computer networks.

We also predict a rise in attempts to install malware and efforts to overcome more advanced security measures such as two-factor authentication as well as touch or face identification. Mobile-phone SIM swaps, which we first saw in Africa, have become a growing problem in the rest of the world. As mobile banking and payments continue to rise, so will fraud. Indeed, our ever-larger digital footprints will continue to extend the potential attack vector, making identity theft as a result of hacks more likely. We will also see a rise in criminals hijacking QR codes to redirect users to fake websites or manipulate payments.

Thankfully, just as criminals use technology to try to commit fraud, so companies continue to develop technology that prevents it. 2023 will see the further development of intelligent systems that use artificial intelligence and machine learning to spot and stop fraud without adding friction for the user. Software built specifically for banks that learns over time is proving an indispensable line of defense in the fight against fraudsters. Sharing information about frauds through initiatives such as NetGuardians’ Community Scoring & Intelligence Service will also become ever more important in the battle against the criminals.

As the threat continues to grow, so will demand from banks and their stakeholders for these effective fraud-prevention solutions. 2023 won’t be an open season for fraudsters as far as companies like NetGuardians are concerned.

2. The 2023 Fraud Landscape

Our survey of the 2023 payment fraud landscape classifies frauds according to who initiates the payment – an authorized or unauthorized party. Both types tend to involve a combination of technology tools and efforts to manipulate and dupe the victim.

However, in almost all cases, the fraud is executed by initiating payments or withdrawals from victims’ accounts that are not consistent with their normal patterns of behavior. This is the weakness in such fraud attempts that enables NetGuardians’ AI software to identify and prevent them.

2.1 Fraudulent Payments Initiated by Unauthorized Parties

2.1.1 Bank insider frauds

Insiders can be bank employees or staff employed by IT vendors working with the bank. Because these people have detailed knowledge of the bank’s internal systems, this fraud can be difficult to detect and can continue for long periods unless a robust fraud-monitoring system is in place.

Insiders exploit user privileges to access victims’ accounts directly, or to transfer funds from the bank’s internal payment accounts into accounts belonging to customers. The funds are then transferred to external bank accounts controlled by the fraudster or to pre-paid cards. These types of cards are popular with fraudsters because they are issued with few “know your customer” (KYC) checks and can be used to make multiple currency cash withdrawals. They can also be used for “card not present” transactions which normally have a higher transaction limit.

In its report Occupational Fraud 2022, A report to the nations, the Association of Certified Fraud Examiners found that banking and financial services was one of the top three sectors affected by internal fraud, with the average loss at $100,000.

Case study

Privileged user abuse

An IT administrator at a bank in Tanzania took advantage of back-end user privileges to inflate account balances for an accomplice by a total of $22,000. The intention was to withdraw the funds from ATMs and via mobile banking, but the fraud was detected and the money never left the bank.

Solution: The software detected that the privileged user checked the accomplice’s account several times over a period of days and flagged the behavior as suspicious.

Case study

Phishing-enabled account takeover

A fraudster used phishing to intro-duce malicious code into the Swiss victim’s computer and acquired their e-banking credentials. The criminal then took over the victim’s account and attempted to make an illicit transfer of CHF 19,990.

Solution: NetGuardians stopped the payment as several factors did not match the customer’s profile, including the size of the transfer, the new beneficiary and bank account used, as well as the unfamiliar screen resolution and browser employed by the fraudster.

Phishing is also frequently used to carry out business email compromise (BEC) frauds. Fake official emails or text messages from banks, companies, delivery agents, or even health authorities claiming to send Covid-19 test results, persuade the victim to click on a link. A banking Trojan or malware is then installed on the victim’s device, allowing the fraudsters to take control of the victim’s e-banking.

2.1.2 Phishing scams

Millions of fake official emails or text messages from banks, companies, delivery agents, tax authorities, health services, and many other sources are sent every day. The emails contain links that, once clicked by an unwary victim, automatically download and install a piece of malware on their device which gathers personal information needed for an account takeover.

With phishing rates still on the rise, the likelihood of falling victim to a scam is also rising. According to the UK’s latest census in 2021, half of all adults in the country received a phishing message over email, by text or via social media in the month before taking part in the census. Among those, 3% answered or clicked on a link and 11% provided information that could be used by fraudsters.

Separate research from the National Cyber Security Centre shows that the average amount lost is also increasing – up from £549 between November 2020 and January 2021 to £775 over the same period a year later.

2.1.3 Man in the middle/pharming scams

A hacker obtains sensitive information transmitted between two other parties online. This can happen when the victim is intercepted trying to log in to their online or mobile banking service, allowing their log-in information to be harvested.

Case study

Man in the middle scam uses fake QR code

A client wanted to access her e-banking service. After entering her credentials and scanning the QR code, a message appeared in French and German asking her to re-enter her credentials for greater security. After she did so, an error message appeared saying the site was unavailable. This is likely to have been a man in the middle attack in which the second QR code was displayed by a hacker to recover the victim’s account credentials. The fraudster then attempted a payment of CHF 38,000.

Solution: NetGuardians blocked the payment due to unusual session information, including browser language and screen resolution, and transaction details including the unusual amount and beneficiary bank. The system logs showed three sessions that raised suspicions, suggesting the fraudster accessed the victim’s account several times while attempting the payment.

Case study

Technical support scam

The fraudster impersonated a Microsoft tech support worker and called the victim. Through social engineering, the perpetrator managed to obtain enough information about the victim’s e-banking credentials to attempt to transfer $7,500 to an illicit account in Lithuania.

Solution: NetGuardians’ AI risk models stopped the transaction because its features did not match the customer’s profile, including the unusual currency, type of transaction, beneficiary account details, and country of destination.

2.1.4 Technical support scam

Fake technical support staff call the victim, who is told that there is a problem with their software. The victim is duped into giving the caller control of their computer remotely, sometimes with the help of personal information about them gathered via social engineering. The fraudster is then able to gain access to their computer and steal confidential information. Alternatively, the victim receives an email or is invited to click on a pop-up window.

According to the US Federal Bureau of Investigation, 23,903 people in the US reported falling for a technical support scam in 2021. Losses total over $347 million – that’s an increase of 137% year-on-year.

2.1.5 Mobile SIM-swap frauds

Stealing mobile numbers via SIM swap is a key fraud vector in the developing world, because the primary way most people access mobile banking is via their mobile phone number. Their mobile number is connected to their bank account and is used to verify their identity – most banks also use this phone number as the primary 2FA implementation mechanism.

The victim receives a call from a fraudster pretending to represent a telco to check account details. Using the personal information obtained, the fraudster poses as the victim and contacts their mobile service provider to have their number transferred to a new SIM in a device the gang controls. This gives access to the victim’s mobile wallet and can even allow the fraudster to attempt to reset the victim’s mobile banking security data and access their account. In other cases, gangs work with insiders at telco sales teams to obtain replacement SIMs for “lost phones.” While this scam has been widely reported across Africa, rates are rocketing elsewhere. According to the Federal Bureau of Investigation, SIM swaps netted fraudsters $68 million in 2021 in the US. This compares with $12 million between 2018 and 2020. In one SIM swap-case in Dubai, a court recently ordered a bank to pay one victim Dh9.5 million ($2.5 million) after losing that amount to fraudsters.

Case study

M-wallet fraud in Africa

In one recent case reported in Kenya, a gang targeted well-off people who had recently died, aiming to cancel and swap their SIM to a new device before their family had the chance to access the deceased person’s bank account and establish their exact wealth. Once the SIM was transferred, the victim’s mobile wallet was emptied and the funds transferred to other wallets, from where it was withdrawn. A second SIM-swap gang had more than 10,000 SIM cards when police arrested them in October 2020.

Solution: NetGuardians’ fraud software can spot and prevent attempts to withdraw funds stolen during this type of fraud. Repeated visits to the same ATM in quick succession raises an alert in real time, enabling the bank to check whether or not the attempted withdrawals are legitimate.

Case study

Account takeover

A fraudster impersonating a bank employee persuaded a customer to disclose their e-banking login details through social engineering. The fraudster then took over the account and attempted to transfer £21,000 to an
illicit account.

Solution: AI-based risk monitoring software blocked the transaction due to unusual e-banking and transaction characteristics, including the unusual amount, screen resolution, beneficiary bank and account details, e-banking session language, and currency.

2.1.6 Account takeover resulting from social engineering and telephone scams

Even well-known, unsophisticated techn-iques such as telephone frauds, which date back decades, continue to be extremely effective, especially when combined with basic social engineering using information about the victim that is easily found online.

This type of scam can involve callers pretending to be agents working for a wide variety of organizations, such as the victim’s bank or the tax authorities. Victims are persuaded to disclose their banking credentials, allowing the criminals to take control of their account.

Even well-known, unsophisticated techniques such as telephone frauds continue to be extremely effective, especially when combined with social engineering.

2.2 Fraudulent Payments Initiated by Authorized Parties

2.2.1 Authorized push payment fraud resulting from social engineering

Social engineering and simple telephone impersonation techniques can also be used to dupe victims into making payments to accounts controlled by the fraudsters themselves. For example, victims may be told that their account has been compromised and they must transfer their money to a new account to prevent it from being stolen.

Losses to APP fraud are expected to double across the UK, India and the US over the next four years, according to ACI Worldwide. This suggests it could hit $1.56 billion by 2026 in the UK alone.

Case study

Authorized push payment fraud

Using impersonation techniques, the fraudster convinced the bank customer to transfer ¤125,000 to an illicit account in Spain.

Solution: AI-based monitoring software blocked the transaction because certain variables did not match the customer’s profile, including the date the transfer was initiated, the destination country, beneficiary account, order type, and currency.

Case study

Romance scam

The fraudster introduced himself to the victim as an American soldier based in the Middle East. A romantic relationship began and the fraudster convinced the victim to make three transfers to his bank in Germany – of $1,500, ¤3,000, and ¤11,300.

Solution: NetGuardians’ AI risk models stopped the first and third transactions, spotting unusual variables, including the beneficiary bank account, the destination country, the amount and currency.

2.2.2 Romance scams

The victim is approached via text message, email or social media and convinced to begin a long-distance relationship. Once the victim is drawn in, the fraudster requests money transfers to allow them to come to the victim’s country, clear debts or unlock a frozen bank account. Even after these attempted frauds are flagged up by their bank, victims often insist on authorizing the payments. This demonstrates the power of romance scams to dupe victims, who want to believe they have found a genuine relationship. Banks need to be able to show victims that the payment is going somewhere other than what the victim has been told.

Isolation brought on by measures taken to stop the spread of Covid-19 appears to be behind a sharp jump in romance scams. The UK’s Action Fraud reported that in the 12 months to October 2021, 8,863 romance scams had been reported in the UK, up 27% from 6,968 in the preceding 12 months. One victim, a successful female finance professional, lost £350,000 over the eight months when she was wooed by a bogus lover.

2.2.3 Business email compromise (BEC)

Fraudsters frequently target companies by impersonating a senior executive. An email is sent to an employee, either from the victim’s own email account, which has been hacked, or from a spoofed email address. The email is often followed by a call apparently from the CEO, a senior executive, or from a bogus law firm or consultant, telling the employee who received the email to respond immediately. Deep fakes are increasingly used for video or voice calls. The email usually requests a large payment to a fake account in connection with an urgent or sensitive issue such as an acquisition.

The latest figures from the US Federal Bureau of Investigation show BEC scams in the US netted criminals the most amount of money at $2.4 billion in 2021. Since 2016, they have cost organizations some $43.3 billion.

Case study

CEO fraud

A fraudster impersonated the CEO of a Spanish company and over email convinced an employee to transfer ¤170,000 to an illicit account.

Case study

BEC fraud

The victim received an email from their business partner’s email account, which had been hacked, requesting a transfer of $100,000 to an account in Peru.

Solution: In both cases, NetGuardians’ risk models blocked the transactions due to the unusual variables the transactions exhibited, including the beneficiary account details, destination country, operation type, order type, and currency.

Case study

Invoice fraud

A company received an invoice for US$69,000 payable to a previously unknown account in Singapore. The Singapore-based beneficiary’s name was similar to the name of an existing supplier based in Hong Kong. The IBAN shown on the fake invoice had been modified.

Solution: NetGuardians’ risk monitoring software detected and blocked the fraud due to the unusual amount, destination country, and bank.

2.2.4 Invoice frauds

Invoices purporting to come from a genuine supplier are emailed to the company, along with fake account details for payment. This type of fraud can cause major problems for smaller companies that lack the controls to prevent them and rely on non-specialist, junior staff to make payments.

2.2.5 Investment scams

The number of individuals investing online has grown strongly since the Covid-19 pandemic, partly due to home working. In response, gangs have set up fake investment websites to fool people looking to invest in stocks, commodities, and cryptocurrencies. The sites are marketed to victims using phishing emails and online adverts on social media sites.

Australians were scammed out of A$25.7 million in September this year. This compares with less than A$5 million in February 2020. Many, although not all, are crypto investment scams, where fraudsters say they will invest on behalf of the victim in cryptocurrencies. Earlier this year one Australian man was scammed out of A$240,850 in this way, over just a few months.

Case study

Investment fraud

The victim was advised by a fraudster impersonating a business partner to invest in a fictitious company and ordered a payment of $170,000 to an account at a bank in Bulgaria.

Solution: The monitoring software blocked the payment because several variables did not match the victim’s profile, including the unusual destination country, bank, beneficiary account, amount, and currency.

Gangs have set up fake investment websites to fool people looking to invest in stocks, commodities, and cryptocurrencies.

3. Conclusion

Banking frauds are constantly shifting as criminals find effective ways to get past their victims’ defences. During the Covid-19 pandemic, for example, fraudsters contacted people about vaccination appointments to try to get them to divulge confidential information. The huge rise in home delivery of goods during lockdowns created a new line of attack for fraudsters. Text messages purporting to come from Amazon invited people to click on a link to obtain a refund.

Fraudsters will always “follow the money” and move to those channels where the number of potential victims is increasing.

No matter how mechanisms for executing the fraud change shape, however, they will still rely for their success on the same basic aspects of human psychology. Fraudsters will succeed, as they always have, by exploiting their victims’ fear, anxiety and readiness to trust messages that appear to come from official sources.

Banking fraud continues to increase and
the question of who is liable for the losses that result is becoming a more serious concern. Banks are generally liable to reimburse victims of frauds in which the fraudster initiates the illicit payment. In cases where the victim does so – authorized push payment frauds – banks have usually been able to avoid liability.

This is changing, however. In the UK, ten leading banks have voluntarily signed up to the Contingent Reimbursement Model Code, which allows individuals, microenterprises and charities that become victims of authorized push payment fraud to claim reimbursement from their bank – unless the victim was warned about the potential for scams before making the payment but chose to go ahead in any case. This greatly increases the banks’ exposure to fraud risks and makes it even more important for them to take effective real-time prevention measures that will allow suspect transactions to be blocked and validated.

Although a wide variety of banking frauds are commonly attempted, there is only one reliable way to detect and prevent them: comparing the fraudulent transaction against the historical pattern of behavior associated with the account holder or system user. This is why in creating solutions it is critical to focus not on the different types of fraud but on the usual behavior of the account holders, so that anomalies can be detected and flagged.

NetGuardians’ AI-based anti-fraud software monitors all account transactions and evaluates them against the established behavioral profile linked to the account holder or his or her peers. This enables the system to highlight transactions that are inconsistent with the known user’s profile and flag them to security staff so that fraudulent payment requests and withdrawals can be blocked.

Anomalies and AI algorithms

The system carries out checks on transactions across multiple axes. It tracks unusual access to the bank’s internal systems and monitors internal users’ actions where these are linked to suspect transactions.

The software also uses AI algorithms to identify unusual activity on customers’ accounts that may indicate account takeover. Triggers may include the detection of a different screen resolution than the one expected on the login device, a login from a new device or a previously unknown location, a login from an unknown browser, or use of a different language. “Velocity models” are employed to flag heightened activity on customer accounts, for example when multiple transactions are initiated in quick succession, which may indicate an attempt to empty the account as rapidly as possible.

Reducing false alerts and operational losses

All anti-fraud systems produce false positives that have an impact on customer satisfaction and lead to unnecessary customer call-backs. However, constant R&D efforts are improving the precision of the machine-learning algorithms that power NetGuardians’ systems, leading to improved detection rates and reduced inconvenience for customers.

These efforts have achieved impressive results: a reduction of up to 85 percent in false-positive alerts, a reduction of up to 93 percent in time spent investigating fraud, and a more than 75 percent cut in operating costs related to fraud mitigation.

Ultimately, this approach is the only practical solution to protecting customers, eliminating false positives, and stopping emerging types of fraud that would otherwise be extremely difficult to detect.

If you are interested in taking those information with you:

Download our white paper for free
Contact us
Switzerland

+41 24 425 97 60

info@netguardians.ch

Singapore

+65 6224 0987

Kenya

+254 796 616 263

News