Written by E-mail fraud, or what you might better term “fraud enabled by people’s bizarre misplaced trust in e-mail” is absolutely rampant.
The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.
[From FBI Alert: Business Email Scam Losses Exceed $1.2 Billion]
In essence, someone in a company gets an e-mail from someone purporting to be their CEO or head of finance or whatever. This e-mail instructs them to transfer to money to an account somewhere. Often they are told it must be kept confidential because it relates to an acquisition or a new product or something. Now, what interests me about this is is the distribution of liability. I’m similarly curious about the same topic in relation to the telephone fraud against personal customers, also rampant.
An estimated £23.9m has been tricked out of unsuspecting victims in the last year, up from £7m the previous year, according to Financial Fraud Action.
[From Phone scammers ‘net £23.9m in a year’ – BBC News]
So who is responsible when this happens? On the one hand, we are naturally sympathetic to members of the public who fall prey to confidence tricksters. But if a member of the public logs into their Internet banking account and, having used all of the necessary two factor authentication techniques to assure the bank that they are indeed the legitimate account holder, they transfer money to the Crimea, or wherever, what is the bank supposed to do? I suppose you might argue that the bank ought to have some kind of neural network artificial intelligence robo-adviser set up to warn pensioners that transferring their account balance to Somalia might normally be considered rather unusual and that they therefore might wish to reconsider, but then they run the risk of annoying customers who actually do want to transfer money to Kiev for whatever purpose. If the customer tells the bank to do it, then they should just do it, right?
It looked at 200 examples of the telephone fraud, in which account holders lost up to £100,000 each. But it ruled that the bank was liable for those losses in only 37% of cases. In 63% of them, consumers were left without compensation, having, in effect, given their own money away.
[From Banks not liable in most vishing fraud, says Ombudsman – BBC News]
I realise that being slightly unsympathetic to the victims of crime makes me seem callous, but it’s not clear to me why other people should be liable if someone in the full possession of their faculties really does believe that the widow of former Nigerian strongman Sani Abacha wants to send them a million dollars.
A grandmother who was tricked out of £68,000 by conmen has spoken of her “delight” at getting her money back. Jenny Parkinson, 65, from Christchurch, Dorset, was duped into calling what she thought was her bank’s fraud unit and moving funds to two “secure” Barclays accounts, which were then emptied. After she appealed to the Financial Ombudsman Service (FOS), Barclays agreed to a “goodwill” refund.
[From Barclays refunds grandmother’s £68k following vishing scam – BBC News]
Clearly I don’t know the facts of this case, so I don’t know on what basis Barclays agreed to this refund but it does strike me as representing something of a moral hazard to assure customers that if someone phones up and asked them to transfer their life savings to Cyprus then they might as well do it because if it’s a fraud then the bank will give them their money back. This doesn’t only apply to baffled pensioners who are naturally as confused about bank security procedures as I am, who never doubt the authenticity and confidentiality of email communications, who do not understand police methods for the detection and prevention of fraud and so on. It also applies to companies.
The company got this money back after the bank in question was found to be at fault by the French courts. However, the bank is appealing against the decision.
[From The ‘bogus boss’ email scam costing firms millions – BBC News]
I don’t know the facts of this case either, but all of this leaves me wondering… what on Earth are we going to do about this? It seems to be a real dilemma to me. The only way I can see of improving the situation is for society to develop (as you might predict) a workable identity infrastructure. If someone phones you claiming to be from your bank, or the police, or the student loans organisation (which happened to a friend of mine recently), the Scientologists or the Woking Dungeons & Dragons collective, then there ought to be a convenient and cost-effective mechanism for you to test that claim. Let me make a suggestion.
This is where the previously discussed idea of some form of Financial Services Passport (FIN-PASS) would come into its own. Unlike a physical passport, a digital passport allows for symmetric verification and validation. If I had some sort of FIN-PASS on my mobile phone then one of the most important functions that it would be able to perform for me would be to verify other FIN-PASSes that are presented to it. If you phone me up claiming to be from American Express, then I can give you the name of my FIN-PASS (let’s say it’s barclays!dgwbirch) and ask you to send your FIN-PASS to it. If a message pops up on my phone telling me that my FIN-PASS has checked yours out and its kosher, then I can go ahead and press the button to send the money to Bucharest. But if my phone pops up with a big red cross, then I can pass your phone number directly to the police. And if the “bank” phones up my dad and he doesn’t have a FIN-PASS then he can just give tell them barclays!dgwbirch and I’ll verify it for him and give him a call.
As always, if we really want to do something about fraud, then we are really going to have to do something about identity.
The crimes are increasingly subtle, though. You get a call supposedly from your own bank’s fraud team, telling you your account is being attacked. You say you don’t know who they are and call back on the proper bank phone number, whilst the fraudsters hold open your phone line so you don’t realise that you are not in fact calling your bank. (NB – new dect phones etc where people do not listen for a dial tone encourage this….). Then you do something that seems like security, they say they are really concerned and that you need to take action, and here is how – transfer of funds, probably to a UK account, which maybe they tell you they are setting up for you because your old account is of course compromised. It’s pretty nuanced for normal folk to spot and defend against this sort of thing…
David, agree its ALL about identity and the ability to validate it. In a way your description of FIN-PASS reminds me of an chip card speaking to a terminal :-p. Seriously, many feel that individuals should own their identity but do you think they possess the expertise to safeguard it?
No, they don’t, which is why their bank should be doing it for them in my opinion.
Very interesting topic. I work in counter fraud in the banking industry and we’ve been dealing with telephone fraud for nearly 5 years now. We’ve also seen a few examples of CEO fraud. For more than a decade telephone fraud has been a big issue in Japan and the amounts of money stolen by gangs of telephone frausters in that country are mind blowing. In Japan it is known as Furikome fraud. There is some material available on the net in English describing the efforts of Japan’s police to tackle this type of crime; however, this type of fraud is still prevalent in that country. in 2012 Fujitsu tested a telephone with voice recognition which, they claimed, could detect calls of telephone frausters and terminate calls. It’s a very interesting and timely topic, especially now, when new types of banks are emerging (banks in the cloud witj apps instead of retail branches).