The Global Scampocalypse – Fraud Rules the Day
Learn how AI-driven tactics are reshaping financial security, protecting banks and customers alike.
The global scampocalypse is upon us. Iain Swaine, director EMEA, global advisory at BioCatch discusses the specific factors driving this onslaught of fraud in the financial world and, further, how technology can help to protect banks and their customers better.
In recent years, apocalyptic movies have dominated pop culture– from The Last of Us to The Walking Dead and everywhere in between, we’ve seen zombies, aliens, and other monsters emerge as the next threat against human existence.
But as we look toward the future of digital banking, it’s not fictional creatures that are top-of-mind for companies worldwide. Instead, we’re seeing the next generation of targeted fraud via the “Global Scampocalypse” – an onslaught of criminal activity that promises to disrupt how we bank with our money as individuals and companies.
Here are the reasons behind this growing Scampocalypse, including the steps to protect ourselves from these threats.
1. Uniformity due to regulation
In recent years, we’ve seen a push for regulation in the financial industry. As banking standards become uniform, so has also created a paradoxical relationship for financial security. Due to regulation, criminals now understand that they face a similar set of challenges no matter which bank they target– leading to more opportunities to defraud consumers and exploit weak controls successfully.
As an example, look no further than the EMEA market. To improve safeguards, the European Banking Association (EBA) has mandated strong customer authentication (SCA) as part of the Payment Service Directive 2 (PSD2) for all financial institutions across Europe. As part of this push, banks must deploy two of three authentication options to protect accounts– possession (e.g., device), inherence (e.g., fingerprint or voice), and knowledge (e.g., password). While the reasoning appears sound, in retrospect, we’ve seen that this mandate has not truly made a dent in fraud losses and has increased customer friction, in some cases even discriminating against vulnerable customers due to the complexity of the authentication solutions deployed.
As regulation further percolates in EMEA, the U.S., and beyond, we must measure the effectiveness of these rule changes, especially as they pertain to security, customer experience, and overall operations.
2. Business changes
Increasingly, business changes– how banks operate– conflict with the threat landscape. Compared to years past, most business and personal transactions now occur online, with untold amounts of confidential information being shared daily. Customers are used to receiving payments in minutes rather than days and expect a fully digital experience that seamlessly works across multiple platforms.
The benefits of this transformation are clear, but they also open up significant avenues for criminals. As banks try to make their website, mobile apps, and procedures customer-friendly, they often inadvertently make them fraudster-friendly, too. Attackers can send and receive money in a fraction of the time it used to take. In addition, young people are savvy message app users (SMS, chats, app messaging, WhatsApp, etc.), which makes it easier for attackers to pretend to be someone else, especially with powerful new tools like ChatGPT.
Recently, financial giant Barclays reported that social media is the source of 87% of scams. People, including employees at major financial institutions, have never been more transparent online about their personal lives and associated sensitive information. As a result, scammers have gained the ability to scrape this data– voice, text, passwords, etc.– and use them to defraud individuals and perpetuate attacks against financial players. As we live our lives online, we have also given attackers the means to learn more about us– and deploy this information in various malicious operations.
3. Changes in the threat landscape
As businesses have changed, so has the threat landscape, both positively and negatively. On one hand, the proliferation of data breaches has given hackers many new assets to work with. From emails to passwords and usernames, criminals can now target individuals with a degree of specificity more than we’ve ever seen before, using their information against them.
At the same time, we’ve seen improved security from operating systems, emphasizing shutting down malware and phishing sites. Further, governments worldwide have cracked down on the availability of criminal tools on black market sites, reducing the availability of malware, criminal RATs, and other ways of bypassing detection. Combined with device profiling capabilities, it has become increasingly challenging to impersonate user devices. These factors have considerably limited what kinds of technical attacks are possible, which is why so many criminals are now relying on social engineering schemes to defraud users.
Ultimately, criminals have realized that committing sophisticated attacks against the weakest point – the bank customer – is the simplest and best chance at beating the bank controls.
4. Changes in attacker behavior
One factor fueling the Scampocalypse is the ongoing evolution of attack behavior, which shows how criminals have adapted to defeat traditional security controls.
Early Attackers: In the past, fraudsters often possessed high technical capabilities, undertook entire attack kill chains, possessed lower foreign language capabilities, and operated in lower numbers. They could automate attacks by technology, such as creating malware or botnets, but were generally restricted by how much one – or several people – could accomplish.
Current Attackers: Conversely, today’s attackers now possess lower technical capabilities but higher degrees of specialization across the attack kill chain (e.g., emails, voice calls, cashouts, and money laundering). They also have higher local language capability and operate in more significant numbers. They operationalize attacks by outsourcing and throwing more (low-cost) bodies at a problem to scale. Simply put, while they might not be doing the “grunt work” themselves, they can attack more people, more successfully, and in less time– leading to the onslaught of fraud we’re currently witnessing.
Future Attackers: Artificial intelligence is on the horizon across all industries. Unfortunately, this includes fraudulent criminals and their toolsets. As we look to the future, it’s near-certain that AI will allow attackers to automate further and scale up operations, minimizing manual labor while boosting the efficacy of each attack. As AI for these purposes becomes more sophisticated, social engineering scams will evolve to help further blur the line between human and machine, making it difficult for the average user to differentiate between fraudulent and legitimate operations.
See More: PhaaS and AI Enable Anyone to Be a Cybercriminal. So What?
The Future
This may seem like a dire outlook– after all, any article with the word “apocalypse” is rightfully less than sunny– but the good news is that financial companies and their security partners have never taken security more seriously. This includes both preventative measures and keeping pace with the attackers who seek to undermine us at every turn.
When we look to the future of security across the financial landscape, what we’re seeing is an increased emphasis on separating genuine human/user behavior from fraudulent or AI-driven tactics. Many of today’s attacks are run at scale, preying on “wetware” via social engineering and other targeted schemes. Therefore, the human factor is equally essential for detecting, deflecting, and mitigating these attacks. New technologies have adapted to utilize behavioral biometrics to protect users from predatory schemes while also recognizing and shutting down attacks in progress.
While this technology might not inspire an HBO show, it does represent a legitimate hope in combating the Scampocalypse and its impact on banks and their valued customers.
How can AI shield banks in the Scampocalypse? Why is the human factor crucial in combating fraud? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!
Image Source: Shutterstock
MORE ON FINANCE
