While the tactics may change, the goal of fraudsters in financial services remains the same: Separating hard-working individuals and corporations from their money. The emergence of the internet, and digital financial services, has created a new vector in the fight with criminals and those that engage in battle with this illicit activity. The most recent high-profile digital attack saw a group of hackers, known as the DarkSide, pilfer millions of dollars in crypto via ransomware extortion that caused the disruption of gas pipelines in much of the United States emphasizing the need to be proactive in defending against fraudsters and theft.
Experian (LSE:EXPN) is one of the best-known names in identity and data protection. In business for over 125 years, Experian is a top global firm in consumer and business credit reporting and marketing services. The company supports clients in more than 100 countries, employing approximately 17,800 people in 45 countries providing front line defense against these scams. Of course, the rise of Fintech has compelled the company to up its game and keep pace in the ongoing cat-and-mouse competition with fraudsters and organized crime.
David Britton, VP, Industry Solutions, Global ID and Fraud at Experian, recently shared with Crowdfund Insider Experian’s insight into fraud and what his company is doing to combat nefarious activity in financial services.
What is Experian seeing in regards to Fraud during the year of COVID?
David Britton: During 2020, we saw a tremendous increase in fraudster activity exploiting the pandemic across a couple of fronts.
1) The fraudsters leveraged the confusion in the market about testing, best practices, and vaccines to create a high volume of sophisticated phishing and social engineering attacks. These came in the form of fake websites and emails purporting to come from official healthcare groups, with an intention to trick victims into disclosing personal information, payment details, or to click on links that may introduce malware onto a user’s device.
2) Fraudsters also seemed to temporarily shift their focus away from some of the traditional fraud schemes (Account takeover, Account opening, Card-not-Present fraud) to take advantage of the hundreds of billions of dollars in government-based stimulus and relief packages, which unfortunately saw a tremendous amount of fraud over the year.
It has been reported that the losses in the US alone exceeded $30B+. Much of this was due to poor controls being available, compounded by a sense of urgency to make funds available to the businesses and consumers. As those programs slow down, we believe that now is the time for businesses to be extra vigilant in their fraud practices, as fraudsters come back to attack the traditional targets across industry verticals, particularly the financial services and digital commerce markets.
How has Experian adapted to the rapid digitalization of everything?
David Britton: For Experian’s own workforce, given a need to close offices, we quickly adopted a robust remote work infrastructure, enabling a consistent level of productivity across the enterprise.
As we consider the post-pandemic life, Experian has proactively adopted a flexible work structure across both remote/home-based and in-office options, to enable the best possible approach to meet employees’ preferences, while maintaining safe working conditions for our teams.
From a market perspective, Experian was able to leverage some of the great work we had planned before the pandemic, to help our clients maintain efficient and robust operations, by launching products specifically to help mitigate digital fraud, while simultaneously reducing potential customer friction within their online engagements. This included new capabilities around Synthetic Identity detection and robust solutions to mitigate account takeover.
These were aided in part by launching an updated version of our flagship cloud-based CrossCore Platform, designed to help our business clients manage their Identity verification and Fraud detection needs across their digital consumer journey.
We fundamentally believe that demystifying identity in the digital world lies at the core of enabling great consumer experiences, while also mitigating risk for both business and consumers. As such, Experian has aggregated digital and non-digital data to be able to help identify consumers with greater accuracy than was possible in the past. By adopting the approach we’ve taken, we’ve also made the task of impersonating a consumer much more difficult for the fraudster.
What are the biggest risks facing consumers in financial services fraud?
David Britton: The biggest risks facing consumers in financial services fraud continue to be underpinned by fraudsters stealing consumer data to commit fraud. Virtually any data about a consumer can be of value to a fraudster, with an emphasis on traditional identity data (name, address, national ID/Social Security Number, phone number, etc.) and login credentials (username/password, etc.).
It is important to note that while payment data, particularly credit card numbers, are often what people feel they should protect above other data, the reality is that consumers are very well protected by their credit card companies and banks against illicit use of those payment instruments.
In fact, it is much more problematic for a consumer if their identity data is stolen, as fraudsters can use that information to go apply for brand new credit and payment instruments, which the consumer may not be aware of until many months after the fact.
It is important to point out that the methods that fraudsters use to steal information may be as simple as a phishing email attack, where the user unwittingly clicks on a link and enters personal information, to much more sophisticated attacks using social engineering, where fraudsters engage directly with the consumer by email, phone, text, etc. often posing as a “security representative” from their bank.
Fraudsters may have access to the victim’s social media or online data, may actually have access to their bank account and are able to tell the victim data that “only the bank should know,” thereby earning consumer trust.
At this point, the fraudster may convince the victim to process a transaction online while they are on the phone, and if the transaction requires a one-time passcode (OTP), the fraudster will ask the consumer to read that code to them. This allows the fraudster to execute transactions by using the victim themselves in the process.
It is important therefore for consumers to only communicate using the official contact information for the bank. Often, fraudsters will call victims directly, and the best rule of thumb is for those consumers to hang up that call, and if concerned to call the number for the bank directly, either on the back of a card, or on the bank’s app or website.
The bottom line is, the old adage rings true: “If it sounds too good to be true, it probably is.”
Consumers should realize that the digital world was never designed with security in mind. They should take care to understand how their data may be used when signing up for new services; consider that fraudsters may use any data they publish online; and think twice when they receive emails, phone calls, texts, or social media DMs from people they may not know, or that appear to come from people they know, but seem out of character for that acquaintance.
What about corporates?
David Britton: Some of the biggest challenges for corporates come in the form of ransomware attacks and Business Email Compromise (BEC). The method of the attack is not much different from the challenges facing consumers. The best prevention against most of these attacks is for businesses to implement better robust account takeover protection mechanisms, leveraging device intelligence, network intelligence along with strong employee training on possible vulnerabilities, while also employing best practices around data back up and access security.
As a global firm, where do you see the most fraud? Where does much of this illicit activity emanate?
David Britton: In our work to minimize the risk of fraud for our clients throughout the world, we see fraud from a number of places, but for each region, we find that the attacking groups may be coming from different locations.
In the UK for example, we see that the biggest volume of attacks tends to originate from the US.
In the US, many attacks originate from Eastern Europe, West Africa, and Southeast Asia.
The bigger takeaway is that the digital world has made it incredibly easy for fraudsters to operate on a global scale, where commerce and financial services can be accessed from virtually anywhere, but where legal jurisdictions cause challenges to law enforcement.
Many of the organized fraud groups have different specialties both in terms of their functions, and their locations. For example, one group may develop malware, others may lease out bot farms, others specialize in email compromise or phishing tools, where others may specialize in social engineering on marketplaces or social media platforms.
Experian is an established provider in the financial services sector. What are you doing to update and compete?
David Britton: Experian continues to invest significantly in innovative solutions that enable our clients to safely grow their business while keeping their consumers safe. We are constantly developing new technologies, applying advanced analytics against rich data assets, and creating powerful solutions to prevent fraud across the entire journey of the consumer.
For example, we detect fraud that may occur at the point of account opening. One of the first things we do is to ensure the applicant is who they claim to be by detecting possible account takeover at the point of login. Then we leverage device intelligence and behavioral analytics to ensure that they are in fact the authorized user.
We also use tools to monitor transactions that may occur within the user’s session by looking at the context of the transaction. We tie this all together with the digital insights about the session and the device to reduce fraud.
At the same time as this is being done, we are reducing possible friction for the well-intended consumers. Experian’s CrossCore platform offers clients the ability to integrate the full suite of Experian’s portfolio of identity and fraud capabilities, as well as a host of solutions from third-party vendors all through a single point of integration.
CrossCore employs an elegant orchestration capability to call the right service at the right time, while also employing advanced Machine Learning models to take the complex array of data and distill it down to a simple, singular response.
What about DLT/blockchain?
David Britton: We believe that DLT/blockchain or other equivalent options can serve a useful function as it relates to maintaining integrity of data in a process. However, there are some fundamental concerns related to blockchain, specifically related to the data that gets inserted into the chain.
While blockchain may be able to ensure that the data is immutable over the course of time and process, on its own it does nothing to ensure that the data is in fact accurate, to begin with. This is particularly important when dealing with things like identity and impersonation.
We believe that an adoption of a blockchain capability, without the appropriate regard to authentication of truth, can lead to significant challenges, whereby the mechanism itself establishes a false sense of trust and lead to a breakdown in the trust of the chain itself. However, we do believe that it has a meaningful role to play, provided the overall implementation leverages some of the best practices around data validation and authentication as part of the overall program.