Fraud is running rampant across the world, affecting individuals and companies in all sectors. Both established and emerging typologies pose threats, and combatting these will take some careful thought, writes Phil Taylor.
The UK has suffered heavily from the rise of economic crime, including fraud, over the past few years, and earlier in 2023 was labelled the “fraud capital of the world”. Years of underinvestment plus the wide-ranging effects of Covid have led to some fearful statistics and doubts as to how soon the government can get the situation under control. In Asia, the problem is no less serious. A survey conducted in 2022 found that one-in-four consumers in Asia Pacific had become the victim of online fraud, with those in China and India faring worst. Zeroing in on just one jurisdiction, over the past three years financial services firms in Malaysia saw their fraud costs increase by 15.4%, while fraud attacks on the sector grew by 22%.
The ever-increased prevalence of fraud has a silver lining, albeit a faint one: firms may be more familiar with, and to an extent, comfortable in dealing with, some of the more well-known typologies. But fraud has increased in breadth, too, with many new fraud typologies to get to grips with, many of them enabled by accessible, sophisticated technologies. Identity fraud is itself a wide area encompassing many sub-types. Then there are data thefts, cyberattacks, phishing scams (probably the most prevalent type of fraud aiming to cause a direct financial loss), spoofing attempts … the list goes on.
“The sophistication and range of typologies of fraud have been getting more varied and complex, and fintech firms have to continually monitor developments and evaluate the capabilities of their systems, software and protocols to ensure full-fledged and multi-layered defence,” says Grace Chong, Head of Financial Regulatory (Singapore) at the law firm Gibson Dunn.
Although technology can be a force for good in this world of fraud, it has also served to exacerbate the problem. Cheap, accessible and extremely powerful computers, easy-to-use applications and widespread access to fast internet connections – a macro-level digital transformation – mean that almost anyone could now commit a fraud, if they were minded to.
“Cyber criminals are becoming increasingly sophisticated, using advanced techniques like artificial intelligence and machine learning to bypass security systems,” says Katherine Lee, Global Head of Legal and Compliance, Regulatory at BDx Data Centers in Hong Kong.
Rising strains of tech such as generative AI are only likely to make this worse.
“It is likely that phishing will be turbocharged by use of AI bots from now on,” notes Lee.
However, in trying to hit these moving targets, it is vital that firms and their security and compliance teams do not lose sight of the more well-known attack pathways. Experts say that despite concerns about frauds arising from hacking and cybersecurity challenges, the most prevalent – and often most costly – incidents to deal with remain those where an entity or institution is tricked into sending funds to a bad actor masquerading as a financial service operator or customer, or else fooled into providing security credentials or login details sufficient to allow a fraudster to extract funds.
A recent report by LexisNexis Risk Solutions notes that the frequency of ransomware and email compromise attempts targeting businesses showed a significant increase in 2022.
Paul Haswell, a Hong Kong-based lawyer with a particular interest in tech- and data-related issues, describes some other patterns which are rife in the region.
“Another common type of fraud involves disreputable investment firms, typically offering investment returns which are too good to be true, which fool customers into investing (usually via cryptocurrency) and then seek to extract as much money from that customer as possible,” he explains. These typologies have led to losses of millions of dollars and show no sign of abating.
“Unfortunately I expect such unsolicited communications will become ever more convincing as fraudsters use artificial intelligence as part of their attacks,” Haswell adds.
The LexisNexis report backs this up, describing the emergence of ‘Fraud as a Service’ (FaaS) – fraud-related services, tools, and infrastructure provided by cybercriminals to others who want an easy way to make money from crime, and who may not have the necessary technical expertise themselves. The concept of FaaS is deeply concerning, as it capitalises on the popularity of social media, and the willingness of many members of the public to trust what they read there. The report notes, “The use of advanced tools and automated attacks such as botnets and malware are expected to increase in 2023, thanks to fraud services readily available on the dark web. Among the concerning array of services are oven-ready ‘blue-ticked’ fake social media accounts run by bots, ready to launch impersonation attacks, phishing campaigns or recruit unwitting mules.”
Protection as a first step
Firms will of course be keen to protect themselves as best they can in this hostile environment, and in some jurisdictions this may in fact be a regulatory requirement.
“The Monetary Authority of Singapore has required firms to regularly review new technology solutions (e.g. biometrics technologies, liveness detection, document authentication),” notes Chong.
According to Chong, the Singapore regulator expects the board and senior management of regulated financial firms to maintain effective oversight of the management of such risks and controls for remote onboarding.
Whether voluntarily or under regulatory or legal compulsion, experts say firms should begin with technology and process audits to identify gaps in fraud prevention and plan workflow adjustments to address new risk.
Large companies will have the resources to build their own cybersecurity infrastructure, and should see this as a vital area in which to commit resources. Smaller firms should invest in appropriate cybersecurity protection from a reputable provider.
Here, Lee points to advanced security technologies such as two-factor authentication and biometrics. She also notes that AI and machine learning, as well as posing a threat, can be used to help in the detection and prevention of fraud. The tech behind ChatGPT, for example, could be used to detect phishing scripts as well as defects in software.
Tackling FaaS requires some creative thinking, and a joined-up approach from compliance, security, customer service and marketing teams. For example, tracking a firm’s own social media mentions could allow it to gather intelligence and even spot attacks before they are launched; while careful monitoring of a CRM system can allow fake or compromised customer accounts to be frozen or blocked.
Another important step for firms to take is to ensure robust and thorough oversight from an expert and sufficiently senior individual. Unfortunately, this can be overlooked as a company builds its C-suite. While most if not all companies will appoint a Chief Financial Officer, as well as leaders responsible for human resources, IT and compliance, the critical role of the Chief Information Security Officer is less common.
With strong leadership in place, the next step will be to ensure that all staff are aware of the risks facing the business and are appropriately trained to be vigilant, looking out for potential frauds and – vitally – flagging any issues that arise. Crucially, training should be ongoing, not a one-off.
Writing for The Paypers, an online news site aimed at payment professionals, Chen Kirsch, a business consultant at NICE Actimize, emphasises the importance of individuals and organisations fully understanding risks and proactively taking appropriate measures to protect themselves, in addition to the company implementing technical solutions.
“This includes promoting subject matter awareness through education, keeping software updated, being cautious of responding to unsolicited emails and messages, and maintaining vigilance when providing personal information online,” he writes.
Lee agrees. “Employees often serve as the first line of defence against fraud,” she says.
Education of customers in relation to risks and fraud trends is equally important. Customers should be taught not to share security credentials and to be wary of unsolicited communications, as well as how to spot a fraudster masquerading as the firm itself, says Haswell.
The role of the FS guardians
Financial services is a sector with which most consumers have frequent interactions, even if passively, when making purchases as well as when making use of banking services. It’s no surprise then, that the public expects financial services firms to fight back against fraud. According to a June 2022 report by Experian, 80% of consumers in Asia Pacific “expect businesses to take the necessary steps to protect them online”, slightly higher than the global proportion (75%).
“FS firms should undoubtedly play a significant role in fraud prevention. It is not just a matter of regulatory compliance but also a matter of trust and brand reputation,” says Lee.
Haswell shares this view, pointing out that FS firms rely on the trust of their customers and investors to succeed.
“Just one incident of fraud, or even a suspected or reported one, can be enough to destroy confidence in a firm, or leave it open to penalties from regulators or law enforcement officials,” he says. “Therefore it is in the interest of FS firms, as well as the general public, for FS firms to take the lead in the detection and prevention of fraud. Much of this lead will rely on being focused on the deployment of technology to protect and educate customers.”
As well as the commercial imperatives behind keeping customers safe, in many scenarios firms in the sector hold a duty of care towards their customers, including to protect them from fraud.
“They are expected to have robust controls in place to prevent, detect and respond to fraud,” says Lee.
Experience matters
Of course, in many ways the FS sector is well-placed to take on this role. It’s well funded, and high pay rates mean it employs top talent. Financial services firms, and their regulators, have ample experience developing and rolling out significant advances in technology. The rapid implementation in the UK of the “chip and pin” payment system, replacing magnetic strips on debit and credit cards, and the development of open banking systems allowing for rapid payments as well as improved information sharing are good examples.
Fintech is also already playing a part by using technology to provide trusted credentials to protect customers from falling for a potential fraudster’s request for funds.
Of course, there is always more that could be done to protect customers.
“Since most financial business is now conducted online (and so is most fraud), whilst fintech providers are doing plenty in the cybersecurity space and most of the systems of a reputable fintech firm should be secure, they could do more in terms of customer facing tech, using it to properly verify transactions,” Haswell notes.
Lee suggests that as fraud becomes more sophisticated, FS firms should take a proactive approach in developing more advanced anti-fraud measures.
“They should also partner with technology providers, lawyers and regulators and government authorities, and participate actively in knowledge sharing on emerging fraud threats and innovative prevention strategies,” she says.
Some companies are making use of today’s more integrative technologies to do this, no doubt seeing a strong commercial upside for doing so, too. In February 2023, it was reported that Mastercard and Vesta (an end-to-end fraud protection platform) were entering into a strategic partnership through which they would deliver “state-of-the-art fraud management solutions for merchants in Asia Pacific”. A combination of the two firms’ technologies will, the companies say, provide merchants in the region with 100% fraud chargeback protection.
In an area of high uncertainty, what is clear is that the challenges will continue. Where there is business being done, and money changing hands, there will be those seeking to make a dishonest gain for themselves. It is the way of the world. But what is also clear is that for every group of bad actors, there are good actors fighting back: from anti-fraud or cybersecurity professionals, to front-line customer service workers, and customers themselves. While fintech may not be the silver bullet, it can and should make up a strong part of the arsenal of weapons to help in the battle.