The typical image of digital fraud is that of criminals forcing their way into systems and secretly stealing money or data without the victims' knowledge. Some fraud is even more brazen, however. Social engineering scams rely on tricking individuals with fraudulent interactions that appear legitimate, thereby turning the victims into active participants in their own defrauding. There are many ways for this deception to occur. Criminals use fake websites, phishing emails, malware-laden ads and a range of other online tools to gain, and then exploit, a victim's trust.
Faster payment rails and peer-to-peer (P2P) platforms are particularly vulnerable to social engineering scams, since they allow people to send and settle transactions in seconds, often irrevocably, well before the victim realizes fraud has occurred. The U.S. Faster Payments Council surveyed its members and found that over half of respondents had experienced fraud related to their faster payment products, with the majority citing social engineering and account takeovers. Cryptocurrency is also at risk. The leading causes of crypto fraud center on fake investment opportunities and romance scams, both classic social engineering ploys.
This month, PYMNTS examines why social engineering scams, including authorized push payment (APP) fraud, are difficult to combat and how companies, consumers and governments are responding.
Social Engineering Defies Detection
Because social engineering works by deceiving the victim into acting willingly, stopping it is a formidable challenge. The victim's own involvement makes it hard for financial institutions (FIs) to tell that the behavior is suspicious. In effect, the criminal is using the victim to circumvent security measures designed to thwart criminal actors.
When a victim authorizes a payment to a criminal, every standard control the bank applies to the payer is satisfied: the correct credentials are entered, multifactor prompts are answered and the request comes from the customer's own device, exactly as in a genuine transaction. From the victim's perspective, it is a genuine transaction. Only after the money has left the account does the victim realize that fraud has occurred.
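The following is an added illustration, not code from the original article or from any FI named in it. It shows why the authentication step described above carries no signal once the genuine customer is the one pressing "send", and which signals remain available to score an authorized push payment. The payment history, payee names, thresholds and weights are all constructed for the example; a real institution would tune them on its own data.

```python
"""Constructed example: risk signals an FI can still score on an *authorized* push payment."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Payment:
    customer: str
    payee: str                          # beneficiary account identifier (hypothetical)
    amount: float
    sent_at: datetime
    authenticated: bool                 # password + MFA passed at login
    payee_added_at: Optional[datetime]  # when the payee was saved; None = long-standing


# Constructed history of prior outgoing payments per customer: (payee, amount).
HISTORY = {
    "alice": [
        ("rent-llc", 1200.0), ("rent-llc", 1200.0), ("utility-co", 85.5),
        ("bob-p2p", 40.0), ("utility-co", 90.25), ("bob-p2p", 25.0),
    ],
}

# Assumed thresholds and weights for the illustration only.
NEW_PAYEE_WINDOW = timedelta(hours=24)
AMOUNT_MULTIPLE = 3.0
WEIGHTS = {"first_payment_to_payee": 1, "payee_added_recently": 1, "amount_unusual": 2}
HOLD_AT = 3


def score_payment(p: Payment, history=HISTORY):
    """Return (decision, score, reasons) for an authorized payment.

    `p.authenticated` is deliberately never consulted: in APP fraud the genuine
    customer passed every login check, so authentication carries no signal here.
    The signals below come from the payment itself and the customer's own history.
    """
    past = history.get(p.customer, [])
    reasons = []

    # Signal 1: the customer has never paid this beneficiary before.
    to_this_payee = [amt for payee, amt in past if payee == p.payee]
    if not to_this_payee:
        reasons.append("first_payment_to_payee")

    # Signal 2: the payee was saved minutes ago (scam scripts add-and-pay in one session).
    if p.payee_added_at is not None and p.sent_at - p.payee_added_at < NEW_PAYEE_WINDOW:
        reasons.append("payee_added_recently")

    # Signal 3: amount is large against this payee's history, or against all of the
    # customer's payments when the payee is new.
    baseline = to_this_payee or [amt for _, amt in past]
    if baseline and p.amount > AMOUNT_MULTIPLE * median(baseline):
        reasons.append("amount_unusual")

    score = sum(WEIGHTS[r] for r in reasons)
    decision = "hold_for_confirmation" if score >= HOLD_AT else "release"
    return decision, score, reasons


def example_cases(authenticated: bool = True):
    """Three constructed payments by the same customer on the same afternoon."""
    now = datetime(2022, 6, 1, 14, 0)
    return {
        "monthly rent": Payment("alice", "rent-llc", 1200.0, now, authenticated, None),
        "scripted refund to a new account": Payment(
            "alice", "recovery-acct-999", 2500.0, now, authenticated, now - timedelta(minutes=10)),
        "small P2P to a new friend": Payment(
            "alice", "carol-p2p", 30.0, now, authenticated, now - timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for label, payment in example_cases().items():
        print(f"{label:36s} -> {score_payment(payment)}")
```

Run as a script, the recurring rent payment releases with no reasons, the scripted "refund" to an account saved ten minutes earlier is held on all three signals, and a small first payment to a new P2P contact releases because the two weak signals alone do not reach the hold threshold. Flipping `authenticated` changes nothing, which is the point the passage above makes: the decision has to rest on payee and amount context, not on who logged in.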
Social engineering scams are also hard to stop because they come in many forms, and criminals are growing ever more creative. They can draw on the abundance of personal information floating around the internet, along with caller-ID and email spoofing or emerging technologies such as deepfakes, to craft compelling and personalized schemes. Fraudsters impersonate friends, family members and colleagues as well as government agencies and banks.
The FBI recently warned that attackers are deceiving victims over the phone by spoofing banks' legitimate 1-800 support numbers and, under the guise of reversing fictitious money orders, tricking victims into sending payments to the criminals.
APP Fraud Escalation
The widespread use of P2P payment platforms and social media is causing APP fraud to proliferate. In 2021, the amount of money lost to APP fraud in the U.K. surpassed losses from unauthorized transactions for the first time. The rapid growth of APP fraud is raising difficult questions over who is on the hook for covering the losses. Banks will typically cover losses due to unauthorized payment fraud, but with APP fraud, the customer authorized the transaction, so many FIs view the victim as responsible for it.
Such policies can seem unfair and unreasonable to the defrauded consumer, and many are insisting that banks and payment platforms do more to help, with some arguing that banks should be fully liable. The mounting pressure puts FIs in a tough position because there is a tension between preventing APP fraud and offering open banking functionality.
Allowing consumers to connect their bank accounts to external platforms and services creates vulnerabilities outside the bank’s control. When APP fraud occurs on P2P platforms, banks are often third parties to the transaction and involved only at the end. By the time banks enter into the equation, the criminal has already exploited vulnerabilities elsewhere. Some industry leaders are therefore calling for cooperation between different business sectors, from social media to payment platforms, to address the problem.
APP Fraud Prevention
The U.K. government is a leader in using legislation to tackle APP fraud. New rules require banks to put safeguards in place that make it harder for consumers to send money to the wrong person accidentally. The government is also pressuring search engines and social media platforms to better identify and remove fake advertisements and other scams. The U.K. is also considering proposals to hold FIs liable for APP fraud losses, but governments must strike the right balance between protecting consumers and encouraging banks' participation in open banking.
Companies also have a role to play. They can invest in machine learning (ML) and artificial intelligence (AI) tools to better authenticate users, identify fake accounts and detect suspicious behavior. Since many social engineering scams begin on social media, it is especially important that tech companies address these scams. Companies should also educate consumers about common scams and commonsense protections. FIs should encourage customers to use a unique password for each site and to change any password that has been exposed. Eighty-five percent of Americans reuse passwords across websites, so there is much room for improvement. Companies should also encourage customers to secure their accounts with multifactor authentication, which blunts account takeovers, though, as noted above, it cannot stop a victim who authorizes a payment in person. Although social engineering scams will never go away entirely, better consumer education, improved fraud detection tools and intelligent government policy can help keep the fraudsters in check.