E-mail fraud, or what you might better term “fraud enabled by people’s bizarre misplaced trust in e-mail” is absolutely rampant.
The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.[From FBI Alert: Business Email Scam Losses Exceed $1.2 Billion]
In essence, someone in a company gets an e-mail from someone purporting to be their CEO or head of finance or whatever. This e-mail instructs them to transfer money to an account somewhere. Often they are told it must be kept confidential because it relates to an acquisition or a new product or something. Now, what interests me about this is the distribution of liability. I’m similarly curious about the same topic in relation to telephone fraud against personal customers, which is also rampant.
An estimated £23.9m has been tricked out of unsuspecting victims in the last year, up from £7m the previous year, according to Financial Fraud Action.[From Phone scammers ‘net £23.9m in a year’ – BBC News]
So who is responsible when this happens? On the one hand, we are naturally sympathetic to members of the public who fall prey to confidence tricksters. But if a member of the public logs into their Internet banking account and, having used all of the necessary two factor authentication techniques to assure the bank that they are indeed the legitimate account holder, they transfer money to the Crimea, or wherever, what is the bank supposed to do? I suppose you might argue that the bank ought to have some kind of neural network artificial intelligence robo-adviser set up to warn pensioners that transferring their account balance to Somalia might normally be considered rather unusual and that they therefore might wish to reconsider, but then they run the risk of annoying customers who actually do want to transfer money to Kiev for whatever purpose. If the customer tells the bank to do it, then they should just do it, right?
It looked at 200 examples of the telephone fraud, in which account holders lost up to £100,000 each. But it ruled that the bank was liable for those losses in only 37% of cases. In 63% of them, consumers were left without compensation, having, in effect, given their own money away.[From Banks not liable in most vishing fraud, says Ombudsman – BBC News]
I realise that being slightly unsympathetic to the victims of crime makes me seem callous, but it’s not clear to me why other people should be liable if someone in the full possession of their faculties really does believe that the widow of former Nigerian strongman Sani Abacha wants to send them a million dollars.
A grandmother who was tricked out of £68,000 by conmen has spoken of her “delight” at getting her money back. Jenny Parkinson, 65, from Christchurch, Dorset, was duped into calling what she thought was her bank’s fraud unit and moving funds to two “secure” Barclays accounts, which were then emptied. After she appealed to the Financial Ombudsman Service (FOS), Barclays agreed to a “goodwill” refund.[From Barclays refunds grandmother’s £68k following vishing scam – BBC News]
Clearly I don’t know the facts of this case, so I don’t know on what basis Barclays agreed to this refund, but it does strike me as representing something of a moral hazard to assure customers that if someone phones up and asks them to transfer their life savings to Cyprus then they might as well do it, because if it’s a fraud then the bank will give them their money back. This doesn’t only apply to baffled pensioners who are naturally as confused about bank security procedures as I am, who never doubt the authenticity and confidentiality of e-mail communications, who do not understand police methods for the detection and prevention of fraud and so on. It also applies to companies.
The company got this money back after the bank in question was found to be at fault by the French courts. However, the bank is appealing against the decision.[From The ‘bogus boss’ email scam costing firms millions – BBC News]
I don’t know the facts of this case either, but all of this leaves me wondering… what on Earth are we going to do about this? It seems to be a real dilemma to me. The only way I can see of improving the situation is for society to develop (as you might predict) a workable identity infrastructure. If someone phones you claiming to be from your bank, or the police, or the student loans organisation (which happened to a friend of mine recently), the Scientologists or the Woking Dungeons & Dragons collective, then there ought to be a convenient and cost-effective mechanism for you to test that claim. Let me make a suggestion.
This is where the previously discussed idea of some form of Financial Services Passport (FIN-PASS) would come into its own. Unlike a physical passport, a digital passport allows for symmetric verification and validation. If I had some sort of FIN-PASS on my mobile phone then one of the most important functions that it would be able to perform for me would be to verify other FIN-PASSes that are presented to it. If you phone me up claiming to be from American Express, then I can give you the name of my FIN-PASS (let’s say it’s barclays!dgwbirch) and ask you to send your FIN-PASS to it. If a message pops up on my phone telling me that my FIN-PASS has checked yours out and it’s kosher, then I can go ahead and press the button to send the money to Bucharest. But if my phone pops up with a big red cross, then I can pass your phone number directly to the police. And if the “bank” phones up my dad and he doesn’t have a FIN-PASS then he can just tell them barclays!dgwbirch and I’ll verify it for him and give him a call.
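As an added illustration of that symmetric check (my sketch, not the author’s design or any real FIN-PASS implementation), here is the exchange in Python: the callee’s passport hands out a fresh challenge, the caller’s issuer mints a short-lived token bound to the callee’s name and that challenge, and the callee’s passport accepts it only if the issuer signature, audience, nonce and expiry all check out. An HMAC under a constructed per-issuer key stands in for a real issuer signature so the example runs on the standard library alone; the issuer keys and the name amex!card-services are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed issuer keys (hypothetical). In a real scheme the verifier would hold
# each issuer's public key, not a shared secret; HMAC is a stand-in for a signature.
ISSUER_KEYS = {
    "amex": b"constructed-amex-issuer-key",
    "barclays": b"constructed-barclays-issuer-key",
}
TOKEN_LIFETIME_SECONDS = 60


def _sign(issuer_key, claims):
    """Canonical JSON of the claims, tagged under the issuer's key."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()


def new_challenge():
    """Callee's FIN-PASS: a fresh nonce the caller must bind their token to."""
    return secrets.token_hex(16)


def present_finpass(holder, audience, nonce, now=None):
    """Caller's side: the holder's issuer mints a token for exactly this callee and challenge."""
    issuer = holder.split("!", 1)[0]
    now = time.time() if now is None else now
    claims = {"holder": holder, "aud": audience, "nonce": nonce,
              "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    return {"claims": claims, "sig": _sign(ISSUER_KEYS[issuer], claims)}


def verify_finpass(token, my_name, nonce, now=None):
    """Callee's FIN-PASS: returns (ok, reason). Every check is on the claims the issuer vouched for."""
    now = time.time() if now is None else now
    claims = token.get("claims", {})
    holder = claims.get("holder", "")
    issuer = holder.split("!", 1)[0] if "!" in holder else None
    if issuer not in ISSUER_KEYS:
        return False, "unknown issuer"            # a name nobody we trust vouches for
    expected = _sign(ISSUER_KEYS[issuer], claims)
    if not hmac.compare_digest(token.get("sig", ""), expected):
        return False, "bad signature"             # claims altered after issuance
    if claims.get("aud") != my_name:
        return False, "not addressed to me"       # token minted for some other victim
    if claims.get("nonce") != nonce:
        return False, "stale or replayed challenge"
    if now > claims.get("exp", 0):
        return False, "expired"
    return True, "verified " + holder
```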
As always, if we really want to do something about fraud, then we are really going to have to do something about identity.