As the payments sector continues to adapt to the impact of COVID-19, the threat of fraud has evolved over what has been a period of elevated economic turbulence.
We spoke to Sarah Whipp, CMO & Head of GTM Strategy for Callsign, about how the industry has adapted to this threat and what lessons can be learnt coming out of the pandemic.
PaymentExpert: Firstly, can you tell us some of the key trends within fraudulent behaviour that have been caused by the COVID-19 crisis?
Sarah Whipp: While the concept of banking fraud has existed for a number of years, COVID-19 has presented new opportunities for cybercriminals to target vulnerable digital users. A report from Action Fraud found that there have been over 509 cases of fraud related to COVID-19, with a total loss of those targeted estimated at £1.6m. During this pandemic, the dark web has shown that accounts, which previously would have little monetary worth to fraudsters, are now a primary target.
For example, it has been reported that the details of half a million Zoom accounts, hugely popular during the pandemic, are now for sale on the dark web and could easily be exploited by cybercriminals. Cybercriminals of the dark web are also benefiting from the fear and uncertainty that people feel during this time by pushing fraudulent COVID-19 products or services.
In addition, businesses are being left vulnerable to fraud, as with the huge rise in people working from home, cybercriminals have shifted their focus towards them. Remote working makes it harder for companies to monitor the identities of their employees, especially if they are using technology that is outside their security system.
Another major fraud trend that has occurred during COVID-19 is the threat of business payments, where fraudsters create new strategies to intercept a business transaction. Shoppers have also been targeted during this pandemic, as the UK’s National Cyber Security Centre (NCSC) said that they’ve taken down over 2,000 online coronavirus scams in March, which includes 471 fraud online shops selling virus-related products.
PaymentExpert: Have the approaches to login details and verification changed throughout the current pandemic?
Sarah Whipp: As consumers have shifted to more digital solutions during this time, they have now found themselves in the fraudster’s playground and so they need to be more vigilant. Yet, research from Callsign has found that despite the rise in COVID-19-related fraud, banking customers are still not taking the necessary steps to protect their digital identities. 55% of US and UK banking customers have no plans to update their login credentials for banking, despite the heightened risk of fraud, with only 19% having updated their banking logins over the last month.
This could come down to users ignoring the statistics, which flag this increased risk, or that they are so overwhelmed by the coverage of the pandemic that they have not thought about updating their login credentials.
However, the rapid rise in banking fraud has also put pressure on financial organisations to implement the necessary identification and verification technology that keeps their customers safe. Merchants also need to be aware that consumers are reusing the same password so that they move to solutions that do not rely on passwords to authenticate.
PaymentExpert: What innovations have we seen in terms of combating fraudulent behaviour throughout COVID-19?
Sarah Whipp: Social engineering is a fraud technique that exploits the human psychology of individuals by tricking them into handing over sensitive information or giving access to unauthorised people. As fraudsters understand that human error is behind most company security breaches, they use this to their advantage by preying on the psyche of their targets to obtain personal information, which compromises the security of the organisation.
Financial organisations now understand that with fraud escalating at a rapid rate, they need to take responsibility whilst encouraging both their customers and employees to take personal security seriously.
As a result, various innovations have come about to combat fraud during these unprecedented times. For example, if a banking customer is setting up a new beneficiary over the phone and the bank finds that the phone line is busy, they’ll ask the customer more questions to double check that the customer is not being socially engineered.
Another innovation coming out of this pandemic is that the banking and finance sector have joined forces with the UK mobile industry and the National Cyber Security Centre (NCSC) to stop the use of scam text messages that exploit the COVID-19 crisis. The initiative will locate and block fraudulent SMS texts whilst protecting messages from businesses and organisations.
PaymentExpert: How have regulations been adapted to deal with the current climate?
Sarah Whipp: Given that the deadline for SCA has been pushed back to 14th September 2021, this gives businesses the time to take the necessary steps to implement a compliant solution that protects their customers from COVID-19 fraud in the event we’re faced with a pandemic like this in the future.
As organisations have been adopting technologies to adjust to the current situation, this pushback can give them the time to develop SCA solutions that give customers that extra layer of reassurance when making payments online.
In addition, the UK’s data protection authority, the Information Commissioner’s Office (ICO), have released guidelines for data users on their protection compliance obligations during the pandemic. In their guidelines, they state that before organisations begin to process personal data, they should have clear and accessible privacy information in place to give individuals clarity. The ICO has also provided guidance on working from home to make sure that companies remain compliant with data protection laws.
As the ICO understands the unprecedented challenges that people are facing during this time, the guidance is meant to give digital users answers regarding compliance with GDPR during the pandemic. The guidelines also address the fact that the UK data protection law is flexible enough so that people’s health and safety is prioritised without the need for legislative amendment. This means that organisations will still need to uphold the privacy rights of their customers by adapting their policies to the current times.
PaymentExpert: Coming out of the current pandemic, what lessons can be learnt in terms of combating fraud?
Sarah Whipp: The current pandemic has changed expectations around online security and data protection. Instead of being ‘nice to have’, CFOs need to understand that robust identification is vital when authenticating digital users to protect personal data.
Whilst security should remain a top priority for organisations, they should also remember to provide an excellent level of customer service, as customers can easily switch to other brands if they find themselves having a bad customer experience. Callsign’s research highlights that 20% of consumers switched to another brand due to a bad online shopping experience in April this year.
The current pandemic has clearly highlighted how easy it is for fraudsters to take advantage of digital users in the midst of a chaotic environment. Organisations need to be prepared for ever-changing situations and have the ability to adapt their security policies quickly to respond to unexpected situations.