Identity fraud continues to rise despite technology becoming better at detecting counterfeit ID documents. Fraudsters are adapting, with increasing evidence of criminals using social engineering to defeat banks’ defence systems. Ro Paddock, Head of Anti-Financial Crime for digital identity and verification specialists Fourthline, tells Douglas Blakey how banks can fight back.
Identity fraud schemes are becoming increasingly prevalent, with 47% of the detected financial fraud attempts in Europe involving social engineering. For example, recruiters or ‘pickers’ will seduce or coerce young people to collaborate in fraud via social media (such as Snapchat and Instagram) by posting “Quick Cash” images.
Indeed, the rise of social engineering fraud is a sinister development that merits greater coverage than it has received to date.
Ro Paddock is Fourthline’s fraud and risk mitigation expert. With a post-graduate degree in Information Systems and Computer Forensics and a bachelor’s degree in Psychology, Ro is passionate about applying the principles of human behaviour to fraud prevention.
Prior to joining Fourthline last year, Ro was Head of AFC at German neobank N26, where she oversaw KYC, AML and fraud.
She tells RBI that social engineering fraud consists of abusing a legitimate ID obtained through deceptive tactics. The actual owner of the ID is the victim of a fraud scam. Moreover, the individual is not aware that their ID is being used for illicit purposes. The criminal’s goal remains the same: the ID predator tricks its prey into giving up sensitive personal data.
The four steps of a social engineering fraud
Says Paddock, such a fraud strategy typically consists of four steps. First, the perpetrators start to collect valuable information to detect vulnerable targets, providing them access to sensitive data. They then develop a relationship with these targets through various communication channels (i.e., phone, SMS, email, in-person). Thereafter, the target is persuaded to share personal data such as a PIN, a bank account, or a bank card. And finally, this enables the perpetrators to execute their ID fraud.
The six principal methodologies social engineering fraud uses
Paddock says that successful fraudsters will use phishing/vishing/smishing: this happens when the attacker uses impersonation to exploit the target’s trust via email, phone, or SMS.
Pre-texting or impersonation: uses a false identity to gain the victim’s confidence to obtain information or access to a person, company, or computer system.
Phone spoofing occurs when a caller deliberately falsifies the information transmitted to a phone’s caller ID display to disguise their identity.
Victims may also suffer spear-phishing or Business Email Compromise: phishing custom-tailored to target key employees, particularly C-level ones, via social media or email. This tactic often targets employees with access to company finances and tricks them into making money transfers to the fraudster’s bank accounts.
Other tactics include baiting, such as planting an infected device or some promise to get victims to bite the bait and collaborate. And lastly, Quid Pro Quo attacks promise a form of service in exchange for sensitive, lucrative information, like when fraudsters impersonate HMRC in the UK or the US Social Security Administration.
Fourthline is one of the fastest growing KYC software experts in Europe and participated as a key partner in the Europol 7th European Money Mule Action (EMMA 7) initiative.
Paddock stresses the success of the initiative, with EMMA 7 resulting in over 1,800 arrests and the identification of over 18,000 money mules.
Says Paddock: “Banks must adopt a continuous approach to KYC to help combat these schemes. So, banks must verify and authenticate a customer’s identity throughout the entire customer lifecycle.”
Fourthline describes this continuous KYC approach as “Identity Monitoring.”
Identity Monitoring takes a holistic view of fraud detection, creating multiple touchpoints to verify and authenticate a customer’s identity throughout the entire customer lifecycle. The faster banks appreciate that KYC is not just for onboarding, and that KYC compliance is essential throughout the customer lifecycle from start to finish, the better their chance of fighting back against the fraudsters might be.
Ro Paddock, Fourthline speaks with RBI editor Douglas Blakey