Sifted Talks

January 26, 2023

The big business of fraud: Manning the digital gates

Fraudsters are storming the internet, pushing startups into a constant state of necessary innovation



According to the UK government’s latest National Fraud Initiative Report, fraud is estimated to account for 40% of all crime committed across the UK. 

And as fraud rates soar, so has the number of scammers targeting neobank customers. Data collected by the UK’s Financial Ombudsman Service (FOS) shows that fraud complaints against Monzo, Revolut and Starling have increased over a three-year period.

With these worrying statistics in mind, startups are looking for innovative and effective ways to protect their customers.


In our latest edition of Sifted Talks, we reviewed how digital verification can remain as seamless and non-invasive as possible, how to get inside a fraudulent mindset and strategies for uncovering fraud patterns. Our speakers were:

  • Raphaelina Arthur, head of financial crime and deputy MLRO at digital bank Kroo Bank
  • Jimmy Fong, chief commercial officer at fraud prevention tool SEON
  • Michael Huffman, director of fraud at online payment solution GoCardless
  • Seun Oshinusi, head of financial crime operations - fraud at Mettle, a mobile account provided by NatWest

Here are the key takeaways from the panel:

1/ Calculate your customers’ ‘risk mix’ 

According to Oshinusi, it’s essential to identify which category of risk — or risk mix — each customer falls into. Your risk mix will change, but so will the behaviour patterns of scammers.

“We have a structure in place for how we categorise our customers based on risk, and that is usually determined by the nature of their business,” she said. “Depending on the type of business that you're running, how much money you say you're going to make in the year or how many transactions you're going to do, that information gives us an indication of whether you're low, high or medium risk. Which risk profile you sit in will then determine how we administer and oversee your account.”

Huffman agreed, but noted there was no cookie-cutter example of which businesses will fall victim to fraud, with lower risk accounts still getting scammed.

“You have to be nimble and flexible in the tools that you use and understand that those tools will need to evolve and change as your risk mix changes” — Michael Huffman, GoCardless

2/ Assume fraudsters know your process

It’s important to assume there's an understanding by a fraudster about the way your decision tree works. This mindset can fuel your strategy to keep your processes differentiated and consequently safer from scammers. 

Fong noted that the more you need to know that the right person is behind a transaction or payment, the more hoops you should create for the person to jump through in order to pass security checks. Even so, fintechs need to be mindful of how to do this invisibly, so that the extra checks have no effect on churn from a marketing point of view.

“When we've done dark web scanning, there are instructions about how you open an account, how you answer this question, how you answer another question — they are literally selling this information online about how to game some of these automations” — Raphaelina Arthur, Kroo Bank

3/ Keep customer information updated

The information you collect from customers when onboarding is really useful, but Huffman added that it was crucial to keep this information as up to date as possible so any potential risk changes can be flagged. 

Arthur agreed that fintechs shouldn't be relying on static information from an initial Know Your Customer (KYC) application to decide on a risk score.

“It really is about gathering that information progressively throughout the customer lifecycle to make decisions at different risk events, whether that's onboarding, a profile change, creating a mandate or creating a payment” — Huffman

4/ Continually educate customers 

Oshinusi said that customers were being contacted by scammers pretending to be from Mettle, saying they’ve just seen a transaction attempted that needs to be cancelled. She said that a lot of the time, victims think that they're preventing the fraud by interacting with such calls, but what they're actually doing is authorising the transactions. 

In some cases, they're providing their account recovery information in order for the fraudster to be able to successfully download the app on their devices, log into the app and make those transactions themselves. This is why Oshinusi believes continually educating customers about potential fraud risk is crucial.


Arthur agreed. She said that because of social engineering, and because customers are authorising the payments themselves, Kroo Bank is having to look at different data points to help indicate if a person is being forced to make payments.

“It’s key to make sure that we have enough information within the app to alert customers so if they are about to authorise or make a transaction” — Seun Oshinusi, Mettle

5/ Know normal versus abnormal behaviour

Being aware of normal behaviour from an account is essential to finding fraudulent activity. 

Huffman used the example of a merchant that’s a gym: if you know that their average transaction amount is £10 but suddenly they’re regularly processing £50, you can see that's likely a problem. You can also look at pattern deviation to see whether transactions close to the normal amount, such as £9.99 in the gym example, are being tried by scammers in an attempt to circumvent the norm.
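The gym example can be written as a small detection routine. This is an added illustration, not code from the panel or any speaker's company: the function names, thresholds and the sample amounts (in pence) are assumptions constructed for the example.

```python
from collections import Counter
from statistics import median

def learn_baseline(history, min_share=0.2):
    """Return (median amount, usual price points) from past amounts in pence."""
    counts = Counter(history)
    usual = {amt for amt, n in counts.items() if n / len(history) >= min_share}
    return median(history), usual

def classify(amount, base_median, usual, near_pct=0.05, shift_factor=3.0):
    """Label one amount against the merchant's learned baseline."""
    if amount in usual:
        return "normal"
    if any(abs(amount - p) <= p * near_pct for p in usual):
        return "near_miss"   # close to a usual price but not equal, e.g. 999 vs 1000
    if amount >= base_median * shift_factor:
        return "shifted"     # far above the norm, e.g. 5000 vs a median of 1000
    return "other"

def review_window(history, recent, shift_share=0.3, near_min=3):
    """Summarise a recent window and raise alerts only for sustained patterns."""
    base_median, usual = learn_baseline(history)
    labels = Counter(classify(a, base_median, usual) for a in recent)
    alerts = []
    # "Regularly processing £50": one large payment is not enough to alert.
    if labels["shifted"] / len(recent) >= shift_share:
        alerts.append("sustained_shift")
    # Several amounts hugging the norm without matching a real price point.
    if labels["near_miss"] >= near_min:
        alerts.append("near_baseline_cluster")
    return dict(labels), alerts

# Constructed sample data: a gym charging £10.00 memberships and £25.00 passes.
HISTORY = [1000] * 40 + [2500] * 10
RECENT = [1000, 5000, 5000, 999, 1000, 5000, 999, 998, 5000, 2500]

if __name__ == "__main__":
    print(review_window(HISTORY, RECENT))
```

Amounts are kept as integer pence so that £9.99 and £10.00 compare exactly.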

“I need to be able to find out fraud patterns and changes in normal versus abnormal behaviour almost as fast as the money moves… I didn’t need to do that a decade ago” — Huffman

6/ Sometimes, friction can be okay

Digital banks are trying to differentiate themselves from traditional retail banks by creating a seamless and frictionless experience, but when is a little friction okay? Arthur argued that it was important to strike a balance between operational efficiency, such as using automations or bots to help judge whether a payment is risky, and deciding whether the customer should be questioned further.

Fong added that fintechs should want to have some degree of friction in the payment process to catch out a fraudster, despite it making it a little bit trickier for the customer to complete their transaction.

“There really needs to be a balance between using technology and a human… It's not very easy to find that balance because it really changes depending on your risk appetite. Each bank has their own kind of risk appetite when it comes to fraud” — Arthur
