We sat down with Ilona Balsiukaitė, Fraud Manager at ConnectPay, to talk about the intricacies and varieties of fraud that fintechs have to contend with on a daily basis. In this wide-ranging conversation, we break down the main types of fraudulent behaviour, ways in which fintechs deal with them and where they fall short, as well as the long-standing issues around education, and what to expect from PSD3 and other short- to medium-term future developments.
What are the most common types of fraud that fintechs should be concerned about? How could they combat them?
There are many different types of fraud, such as using a brand without permission, attempting to damage its reputation, hijacking the website for unauthorised purposes, or stealing funds. The specifics here are quite diverse. One popular example is CEO fraud, whereby a fraudster hijacks the relevant executive’s identity. In addition, there can be cases of fake invoices and communication takeover, whereby a fraudster wedges itself in the middle of a payment being made to a provider and redirects the funds to its own account.
Even when fraud takes place via banks, fintechs can sometimes be implicated, provided they’d been involved in the relevant transactions at some point or other in a roundabout way. Essentially, a fintech may only see a part of the transaction and thereby become party to fraud unknowingly. This makes it crucial to have in place a robust protocol designed to prevent the onboarding of money mules.
The most popular forms of fraud today are phishing and, even more so, smishing (SMS phishing), which primarily affects banks and other financial institutions. Fintechs, on the other hand, are targeted somewhat less frequently due to their lower market profile. Larger fintechs, however, get hit pretty hard, as well.
In addition, there are cases where clients themselves become fraudsters, which is quite tricky. It is pretty hard to identify and measure a client’s intentions during an application. Sometimes a completely regular client, with no fraud indications, might turn out to be a criminal. There are also cases when fraudsters intentionally open accounts with fintechs, expecting that opening an account there will be easier compared with traditional banks. Preventing and managing this requires strong KYC and ongoing monitoring of client behaviour.
When it comes to victimised clients, most of the schemes being used can be classified under social engineering – just like with the first two categories. For instance, we’re now beginning to see fraudsters making clever use of deep fakes, and AI more broadly, but these are just new tools deployed under the same time-tested strategy – convincing people to make a transaction voluntarily. From the fintech’s end, it’s very difficult to see which transactions are authentic, and which have been made under the influence of a fraudster.
There’s been a lot of talk about fraud lately, and it may therefore seem that most people understand how it works – that it’s become common sense. But that’s just not the case. Old strategies remain effective because people are still quite naive when it comes to fraudulent behaviour. And once their trust has been hijacked, the specific tool a fraudster may deploy is of purely secondary importance.
For this reason, responsibility for this should devolve not only on fintechs, but on all financial institutions generally. We need more education for our clients, and that education should be clearer, e.g., really driving it home to people that disclosing sensitive information online is exactly the same as giving away their house key to a stranger.
Tell us a little bit about the latest tricks used by the more advanced fraudsters.
Well, there’s now such a thing as Fraud GPT. Based on a souped-up version of the original, it enables fraudsters to freely exchange information via the darknet. And this, in turn, is part of a broader phenomenon we might call Fraud-as-a-Service. Odd as it may sound, fraudsters have now built their own diffuse quasi-community, where valuable target data and operational methods are traded for money.
This is quite a worrying development, which empowers fraudsters to act in tandem with each other. Needless to say, they’re not affected by the GDPR or any other piece of legislation designed to regulate the exchange of data. However, those who are tasked with combating such behaviour have their hands tied, to some extent, by regulatory compliance.
Luckily, this regulatory honeymoon, which has enabled such widespread criminal behaviour, might now be nearing its end. The upcoming PSD3 contains a section on encouraging the exchange of data and know-how between companies and institutions for the purposes of combating and preventing fraud. It even stipulates a prospective mechanism for such data exchanges to happen smoothly, securely, and without violating anyone’s privacy.
Should education be adapted to demographic and other cohorts or should it be uniform across the board?
I think it should differ. In our case, it’s got less to do with age groups than with corporate versus private clients.
Fraud is also, to a degree, stigmatised, as people victimised by it often feel ashamed of having been fooled in such a way. It’s not always obvious to them that fraud affects everyone – it’s got nothing to do with intelligence. To combat it, we need to find ways of communicating with people that don’t feel like pointless spam or information they supposedly already have.
How should fintechs navigate the thorny issue of delimiting areas of responsibility in cases where a client has been defrauded?
The first, most obvious, thing is – avoid jumping to any conclusions. In cases of fraud, it’s important to reflect on whether you’ve really done everything in your power to protect the client, and to collect as much information as possible. This will enable you to give them a detailed explanation of how that happened, and will ultimately benefit your business in the long run, as you’ll gain some insight into how fraudsters operate – and where your own vulnerabilities may lie.
With that information on hand, you should do everything you can to make sure the client recovers the lost funds. Time is of the essence here. If you move quickly, there’s a much greater chance of success. For instance, the funds may still be on the way between different banks and could therefore be prevented from being deposited in the fraudster’s account. If you wait a week or a month – that money will likely have been already spent.