Credit fraud is one of the main risks that financial institutions face daily. With the dynamic development of remote transaction channels, the threat from cybercriminals using increasingly sophisticated and refined fraudulent techniques is growing. The question arises: which of these techniques are becoming particularly significant today, in the era of the triumphant march of artificial intelligence?
Konrad Machowski interviewed Wacław Majka, the business solutions architect at VSoft SA, for Bank.pl.
Fraudulent attempts certainly pose a huge challenge for financial institutions and the entire economy. It is difficult to estimate the scale of this phenomenon, partly due to the confidential nature of the data, reluctantly disclosed by banks and law enforcement agencies. Moreover, many such activities are thwarted at a very early stage by algorithms used in the financial sector. There is undoubtedly a connection between changing customer service formulas and the schemes used by criminals. Currently, more processes take place in remote channels, without direct contact between bank employees and customers, which was the standard a few years ago, before the outbreak of the COVID-19 pandemic. Nowadays, obtaining a positive credit decision is much easier; there is no need to provide a plethora of documents, and, additionally, for lower amounts, the decision is often made automatically or even using authentication systems provided by third parties. This is the case, for example, with instalment purchases through e-commerce platforms, where customers apply for credit from the platform, often without even being aware of which financial services provider cooperating with the portal will grant them credit. In such situations, we deal with the integration of both partners through API interfaces, whose development has accelerated significantly after the introduction of the PSD2 directive. This creates entirely new possibilities; in the traditional economy, it would be difficult to imagine a scenario where a customer bidding for a bike or a TV on an auction platform applies for financing to purchase the item by entering a separate bank application. Today, this is possible, allowing the financial sector to gain new sources of revenue. However, it is crucial to strike a balance between security and convenience in such situations. The purchase of an item for a few hundred zlotys should be quick and made with a one-click model, as modern consumers expect. 
The security procedure should be constructed in a way that does not create a significant gap in these expectations while securing financial service providers against fraudulent attempts.
So, what strategy should banks adopt to counter increasingly sophisticated fraudulent attempts, especially in the face of growing consumer pressure for simple, intuitive, and “one-click” purchases?
Fighting credit fraud in banks should now be multi-stage, starting with user identity verification. This no longer includes only authentication but also involves analyzing customer behaviour to detect any anomalies indicating that we may be dealing with someone else. For example, if a customer who has never left their place of residence suddenly attempts a transaction from a distant country, that is already the first signal that we may be dealing with fraud. This suspicion turns into certainty, for example, when it is established that since the last transaction, the person has not physically been able to move so far. In such cases, the financial institution can apply a full range of security mechanisms, starting with a phone call to the customer to confirm whether they initiated the transaction, and ending with blocking the transaction. The latter option is not always optimal; it must be considered that it may lead to the prevention of payment for a completely legal transaction, e.g., at a restaurant or gas station, which, in turn, frustrates the user and negatively impacts the financial institution’s image. A more advanced solution is the use of biometrics, especially behavioural analysis. This involves recognizing the unique way a user interacts with a device: typing on a keyboard, mouse movements, or touching the screen on a smartphone. During the use of an application or electronic banking system, it learns this individual pattern, and any deviations from it, especially in risky situations, such as taking out a loan or making high-value payments, provide a very reliable indication of a fraudulent attempt. The most important thing from the perspective of customer and financial institution security is that behavioural analysis also allows detecting attempts at fraud involving social engineering, when the user, manipulated by fraudsters, initiates a transfer to a foreign account or fills out a credit application.
Scientific studies have shown that in such cases, people behave differently than when making these decisions independently, and this discrepancy can be identified using behavioural techniques. As we can see, modern technologies benefit not only fraudsters but also legally operating entities, allowing them to provide protection at an unprecedented level.
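The "impossible travel" signal described in the answer above (a customer cannot physically have moved between the locations of two consecutive transactions in the time elapsed) is simple to implement as a velocity check. The following Python is an added example written for this article; it is not code from VSoft or from the interviewee. The transaction records, coordinates and the 900 km/h ceiling are constructed assumptions; a bank would feed its own session or card-authorisation log and tune the threshold. Note that the check only produces a signal for follow-up (the phone call the interviewee mentions), not an automatic block.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Maximum plausible ground-to-ground speed between two transactions (km/h).
# A commercial airliner cruises at roughly 900 km/h; a faster implied speed
# means the two transactions cannot both come from the same physical person.
# Constructed threshold for this example; tune on real data.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    ts: datetime       # timezone-aware timestamp
    lat: float
    lon: float
    place: str         # human-readable label, used only in reports


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(txns, max_kmh: float = MAX_PLAUSIBLE_KMH) -> dict:
    """Return {txn_id: implied_speed_kmh} for every transaction that would
    require the customer to have travelled faster than max_kmh since that
    customer's previous transaction. Transactions are processed in time order,
    and each customer's chain is evaluated independently."""
    flagged = {}
    last_seen = {}                      # customer_id -> previous Txn
    for t in sorted(txns, key=lambda x: x.ts):
        prev = last_seen.get(t.customer_id)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            hours = (t.ts - prev.ts).total_seconds() / 3600.0
            if hours <= 0:
                # Same timestamp at two different places is itself implausible;
                # same timestamp at the same place is harmless (e.g. a retry).
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                flagged[t.txn_id] = round(speed, 1)
        last_seen[t.customer_id] = t
    return flagged


# Constructed sample: customer C1 pays twice in Kraków, then a transaction
# appears in Singapore 90 minutes later. Customer C2 moves Warsaw -> Berlin
# over six hours, which is an ordinary car or train journey.
_T = lambda h, m: datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)
SAMPLE_TXNS = [
    Txn("t1", "C1", _T(9, 0),  50.0647, 19.9450,  "Kraków, main square"),
    Txn("t2", "C1", _T(12, 0), 50.0619, 19.9368,  "Kraków, Wawel"),
    Txn("t3", "C1", _T(13, 30), 1.3521, 103.8198, "Singapore"),
    Txn("t4", "C2", _T(8, 0),  52.2297, 21.0122,  "Warsaw"),
    Txn("t5", "C2", _T(14, 0), 52.5200, 13.4050,  "Berlin"),
]

if __name__ == "__main__":
    for txn_id, kmh in flag_impossible_travel(SAMPLE_TXNS).items():
        print(f"{txn_id}: implied speed {kmh} km/h -> confirm with customer before deciding")
```

Only `t3` is reported: Kraków to Singapore is roughly 9,450 km, which in 1.5 hours implies about 6,300 km/h. The Warsaw-Berlin pair (about 520 km in six hours) passes. In production the previous-location state would live in a store keyed by customer rather than in a dictionary, and device and IP geolocation would be weighted by their own accuracy.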
This is a particularly important observation, especially when considering that the damage caused by fraud or data breaches is not only of a financial nature; the institution may also be penalized by regulators or suffer reputational harm…
In fact, all these situations ultimately result in financial losses. Fines imposed by supervisory authorities reach millions of złotys, equivalent to the losses incurred due to a serious fraud. Similarly, reputational damage leads to a loss of trust among customers and often their departure, implying damages that are difficult to estimate but generally higher than even a significant credit fraud. While in the latter case, we are dealing with a one-time, undoubtedly impactful event that can be easily secured against using the benefits of modern technology, a tarnished reputation can haunt an entity for years or even decades, effectively restricting the influx of customers, sometimes irreversibly. The consequences, in some situations, may even lead to the bankruptcy of institutions, especially financial ones, which are traditionally treated as entities of public trust. Hence, thwarting fraudulent attempts to the detriment of customers is a crucial task for contemporary banking institutions, even if they involve relatively small amounts. For the consumer, the decisive factor in such situations is not the loss of a few hundred PLN but the fact that the bank, which should ensure complete security for the entrusted funds, has betrayed their trust.
The point is that cyber fraudsters’ best “accomplice” is often their victim. How many users of electronic or mobile banking approach security issues with disregard, believing that the bank should ensure the protection of their money? So can we really talk about effective protection of the client’s resources if the client himself does not feel obliged to exercise due caution? Especially in a situation when regulators favor such a shift of responsibility to banks, to mention, for example, the recently published draft of the EU PSR regulation and its approach to unauthorized transactions…
In this area, a lot depends on the specificity of the consumer himself. Different mistakes will be made by seniors who are not familiar with the functioning of modern solutions or even have problems with remembering credentials. In their case, the main problem is writing down passwords or logins, either in a traditional form, as a piece of paper carried in a wallet next to a payment card, or in a mobile application or electronic banking system. On the other hand, we will have cases of obvious carelessness, such as people succumbing to fraudulent attempts such as the so-called Nigerian fraud or transferring savings to alleged investments in cryptocurrencies or the FOREX market, which turn out to be fraud. Each of these situations requires a slightly different measure. While in the case of seniors, their specific age-related limitations should be taken into account and, consequently, they should be offered another form of authentication that does not require memorizing complex strings of characters, such as biometric authentication using Face ID or a fingerprint, limiting “investment” frauds can only be achieved with consistent education. We are unable to influence the user differently because not only does he consciously and voluntarily transfer funds to the account indicated by the fraudsters, but he also does so in the blissful belief that he has made the investment of a lifetime.
Awareness will always be the first priority, especially as new fraud schemes emerge, of which many users of remote channels are not even aware. A request to pay an outstanding utility bill, information about a bailiff’s seizure, where you just need to click on the link to the alleged debt repayment to be redirected to a website run by fraudsters, or even SMS messages, popular especially during the pre-Christmas period, asking for an additional payment for the ordered shipment or paying customs duties – in each of these cases we are dealing with criminals who want to take over our funds or take out a loan using our personal data. Hence, there are so many warnings not to click on suspicious links, as this may result in the installation of the so-called remote desktop, through which thieves can have constant access to our resources. Of course, we need to demand caution from people, but at the same time we need to make them aware of what behavior may be suspicious. Not in every case will inappropriate behavior be a manifestation of insolence or carelessness. If someone is actually waiting for a foreign shipment and receives information from an alleged customs agency to settle all fees, then unless he or she is aware that such messages are sent by fraudsters, he or she will certainly fall for it. The same applies to fake bank websites, which differ from the original by a single typo or by the use of a character not found in the Polish alphabet but confusingly similar to the one found in the bank’s address. In parallel, anti-fraud mechanisms should, of course, be used, including behavioral analysis, but this should not be done at the expense of education. The thing about the electronic economy is that it requires developing certain behaviors to feel safe. If we do not educate consumers, despite the use of sophisticated security systems, the threat will always increase.
Banks have been exchanging information about threats for a long time. In the face of new risks related to market digitization, does this process provide new opportunities for prevention?
Intra-sector information exchange is crucial to minimizing the risk of fraud. If a given institution identifies the source of the threat, either in the form of a criminal location or a unique way of using the device by a fraudster, and then forwards it to an entity dealing with the exchange of threat data, it significantly facilitates anti-fraud activities of other banks. They do not have to perform complicated analysis every time; it is enough to first filter out actions taken from compromised addresses or by suspicious people. Such solutions also have a preventive effect on the perpetrators themselves – if they are aware that knowledge about identified fraud attempts is available to all entities in the sector, then they will be less inclined to use the same resources for subsequent frauds. Needless to say, this makes life much more difficult for criminals, to the benefit of banks and their customers. Then, even an institution with weaker anti-fraud tools is protected at the highest level.
The effectiveness of anti-fraud platforms is greater the more entities integrate with them and provide them with data, not only about frauds, but also, for example, about loan servicing by individual users. Based on the collected data, we can detect symptoms that a given person may have a problem with servicing the obligation after some time; then the bank is able to react early enough, for example by proposing consolidation, credit holidays or another support mechanism, to prevent a situation where the obligation will no longer be serviced. Of course, we are also able to identify cases when a given client begins to behave unconventionally, for example by bombarding particular entities with loan applications. This may be a manifestation of an attempt at fraud, but at the same time it may herald a situation when a person has fallen into financial trouble and is making ill-considered moves to obtain funds for further operation or running a business. This is where credit reports come in handy, as they are able to indicate all activities undertaken in a given period by a specific person in all institutions exchanging data via such a platform. In the same way, it is possible to detect small mistakes made by criminals attempting fraud, for example submitting false employment certificates for the same client to different financial institutions, each of which refers to a different place of work. There is an old saying that there is no perfect crime: perpetrators usually make some small, sometimes almost imperceptible mistake, and the exchange of information and the use of innovative tools available on such platforms increases the chance of detecting anomalies.
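The two answers above describe three checks that become possible once institutions pool data: filtering out actions from addresses already reported by another bank, spotting an applicant who bombards several lenders with applications in a short period, and catching the same applicant declaring a different employer to each institution. The Python below is an added example written for this article, not VSoft's connector code or any real platform's API. The application records, the pseudonymous applicant identifiers, the 30-day and 48-hour windows and the blocklisted address (from the 192.0.2.0/24 documentation range) are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoanApplication:
    app_id: str
    applicant_id: str        # pseudonymous id shared via the exchange platform
    institution: str
    submitted_at: datetime   # timezone-aware
    declared_employer: str   # employer named on the submitted certificate
    source_ip: str


# Constructed set of indicators another institution has already reported.
SHARED_BLOCKLIST = {"192.0.2.77"}
CONFLICT_WINDOW = timedelta(days=30)   # employer changes beyond this are plausible
BURST_WINDOW = timedelta(hours=48)
BURST_THRESHOLD = 3                    # applications in the window that trigger review


def prefilter_known_bad(apps, blocklist=SHARED_BLOCKLIST):
    """Cheap first pass: separate applications from already-reported addresses
    so the heavier checks only run on the rest. Returns (clean, hits)."""
    clean, hits = [], []
    for a in apps:
        (hits if a.source_ip in blocklist else clean).append(a)
    return clean, hits


def _group_by_applicant(apps):
    groups = defaultdict(list)
    for a in apps:
        groups[a.applicant_id].append(a)
    for items in groups.values():
        items.sort(key=lambda a: a.submitted_at)
    return groups


def conflicting_employers(apps, window=CONFLICT_WINDOW):
    """Applicants who, within `window`, declared different employers to
    different institutions. Returns {applicant_id: sorted list of
    (institution, employer) pairs involved in at least one conflict}."""
    findings = defaultdict(set)
    for applicant, items in _group_by_applicant(apps).items():
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b.submitted_at - a.submitted_at > window:
                    break   # items are time-sorted; later ones are further away
                if b.institution != a.institution and b.declared_employer != a.declared_employer:
                    findings[applicant].add((a.institution, a.declared_employer))
                    findings[applicant].add((b.institution, b.declared_employer))
    return {k: sorted(v) for k, v in findings.items()}


def application_bursts(apps, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Applicants with at least `threshold` applications inside any sliding
    window of length `window`. Returns {applicant_id: peak count}."""
    bursts = {}
    for applicant, items in _group_by_applicant(apps).items():
        times = [a.submitted_at for a in items]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[applicant] = max(bursts.get(applicant, 0), count)
    return bursts


def run_checks(apps):
    """Full pipeline: blocklist pre-filter, then the two cross-institution checks."""
    clean, hits = prefilter_known_bad(apps)
    return {
        "known_bad": sorted(a.app_id for a in hits),
        "employer_conflicts": conflicting_employers(clean),
        "bursts": application_bursts(clean),
    }


# Constructed sample. A1 hits four lenders in 36 hours with three different
# employers; A2 changes employer but two months apart; A3 comes from a
# reported address; A4 is an ordinary single application.
_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_APPLICATIONS = [
    LoanApplication("app-01", "A1", "BankA", _T0,                       "Zakład Alfa",     "198.51.100.10"),
    LoanApplication("app-02", "A1", "BankB", _T0 + timedelta(hours=5),  "Zakład Alfa",     "198.51.100.10"),
    LoanApplication("app-03", "A1", "BankC", _T0 + timedelta(days=1),   "Hurtownia Beta",  "198.51.100.11"),
    LoanApplication("app-04", "A1", "BankD", _T0 + timedelta(hours=36), "Spółka Gamma",    "198.51.100.11"),
    LoanApplication("app-05", "A2", "BankA", _T0,                       "Zakład Alfa",     "198.51.100.20"),
    LoanApplication("app-06", "A2", "BankB", _T0 + timedelta(days=60),  "Hurtownia Beta",  "198.51.100.21"),
    LoanApplication("app-07", "A3", "BankC", _T0 + timedelta(hours=2),  "Zakład Alfa",     "192.0.2.77"),
    LoanApplication("app-08", "A4", "BankA", _T0 + timedelta(days=3),   "Firma Delta",     "198.51.100.30"),
]

if __name__ == "__main__":
    print(run_checks(SAMPLE_APPLICATIONS))
```

On the sample, `app-07` is set aside by the blocklist pre-filter, A1 is reported both for the employer conflict (four institution/employer pairs) and for a burst of four applications, and A2's employer change sixty days apart is treated as an ordinary job change. The windows and threshold are the policy knobs an institution would set from its own false-positive tolerance; the point of the pipeline shape is that a report from any one institution benefits the others without each having to rerun the analysis.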
In this context, I would like to ask a question about the connectors that are in the VSoft offer. What is this solution and to what extent can its use increase the effectiveness of anti-fraud activities at the bank, or even increase the effectiveness of detecting fraudulent attempts in the entire sector? Finally, can the use of connectors result in a noticeable improvement in the quality of service also for the consumer?
Our company offers a whole set of connectors for various institutions. Their use primarily simplifies the implementation process itself. Let us remember that access to data from external institutions is not easy, especially in the banking industry, where all resources are strongly separated from the outside world due to the threat of fraud and data theft. Connectors help integrate this banking fabric with data from external sources, including anti-fraud platforms. Exchanging data using a connector significantly increases the speed of this process, which again translates into a real level of security, not only of a given institution but of all users of a given information exchange solution. Let me remind you once again that perpetrators are also playing for time, so faster transmission of information about the threat to other institutions may prevent further fraudulent attempts. Connectors also allow you to automate data verification processes; through the available API interfaces, we can automatically send a request for information and receive the result in the same way. This, in turn, is particularly important in the case of the already mentioned mass products, such as installment loans or cards, where, due to the user’s experience, the entire verification process must be carried out as quickly as possible and 24 hours a day. Just as it is difficult to imagine manual processing of an application for installments for a scooter worth several thousand zlotys, it cannot be assumed that the client would have the patience to wait several or several dozen minutes for the application to be redirected to BIK in the traditional model. It must be a dozen or so seconds at most, and using the connector we are able to achieve this result. In this respect, connectors allow us to achieve not only a higher level of security, but also improve the quality of customer service, which is particularly important in the current market, where banks compete with agile fintechs.