Fraud Risk Management: Staying one step ahead of fraudsters

Social engineering fraud has become a norm in recent years. Stories of people losing money, life savings even, to fraudsters have become common in the news, and you would be hard-pressed to find someone who has not received a phishing call and text message before.

Fraudsters have become increasingly sophisticated, incorporating various technologies into their schemes. And despite the increased public awareness, many high-profile scam cases continue to occur.

One such recent high-profile case happened in December 2021. Fraudsters targeted the customers of Singapore’s second-largest bank, the Oversea-Chinese Banking Corporation, or OCBC, leading to at least 790 people losing approximately SGD 13.7 million (USD 10.2 million)¹ in only a matter of days.

Long gone are the days when phishing scams are easily identifiable. Today, these scams are rapidly evolving – constantly changing to beat the fraud prevention measures set in place by banks.

SMS phishing scams, for example, now look so genuine and legitimate, fooling even the most aware individuals. Victims of the December 2021 OCBC incident were fooled into believing the phishing texts and sites were real. The criminals had impersonated the bank by sending the victims SMS messages that appeared in the same SMS thread as the legitimate bank’s messages. The scam messages led the victims to believe that there were issues with their accounts, prompting them to click on a link, which led them to the malicious replica of the bank’s online portal. When the victims attempted to log in, they inadvertently gave away their credentials and One-Time Passwords (OTPs), allowing criminals to take over their accounts.

As these messages and sites are so convincing, the victims’ guards are down. It is only when they start receiving a slew of messages informing them of increased transaction limits and bank transfers that they realise their accounts have been compromised.

The criminals have also become opportunistic with the time they choose to target their victims. The recent incident with OCBC showed that a surge of cases happened during the Christmas weekend from 24 to 26 December 2021. A total of 186 OCBC customers lost up to SGD 2.7 million (USD 2 million) in those three days alone.²

The criminals have chosen a period when many of the bank’s staff were on vacation, leaving the bank inadequately staffed to deal with the influx of cases, as indicated in reports showing that many customers were unable to report the breach to the bank in time.

Worldwide, reports of such scams are common. In Hong Kong, fraudsters absconded with HKD 29 billion (USD 3.7 billion) from victims through Hong Kong bank accounts and cryptocurrency wallets in the past four and a half years.³ Online romance scams, commercial email fraud, and phone scams were amongst the methods employed, and police were only able to recover the crime proceeds 31% of the time.⁴

In the Philippines, central bank Bangko Sentral ng Pilipinas (BSP) received over 42,000 fraud complaints in 2020 and 2021.⁵ Losses from 2019 to 2021 amounted to PHP 2 billion (USD 30 million), with PHP 540 million (USD 10 million) reported in 2021 alone, and 45% of the scams occurred on the internet and mobile banking platforms.⁶

With these scams happening in increasing frequency, the debate around whether banks should be held responsible for the losses is one that is ongoing.

Since the OCBC incident in December 2021, the public backlash against the bank has been intense. Stories of individuals left “broke and starving” on Christmas Day,⁷ and couples and retirees losing their life savings⁸ were reported in the media. Online, there were calls to boycott the bank, demands from the public for the bank to take responsibility, and pleas for banks and the government to do more.

It is often agreed that victims misled into giving out their banking credentials are often responsible for the funds lost, especially when the bank’s systems were not compromised. However, in the case of OCBC, the negative public sentiments have led to OCBC taking the initiative to commit to offering full goodwill pay-outs to all victims.

Separately, Singapore’s central bank, the Monetary Authority of Singapore (MAS), revealed that it was considering supervisory action against OCBC after the bank conducts a thorough probe to identify deficiencies in its processes and implements the necessary measures.⁹

In response to the incident, MAS reiterated that it expects banks to have robust measures against fraud and adequate resources to handle incidents and customer service effectively.¹⁰ It laid out immediate steps banks must take to better secure customers’ accounts, such as removing clickable links in emails and SMSs and lowering the threshold for transaction notifications. Longer-term preventative measures, including a framework for equitable sharing of losses arising from scams, are being evaluated for implementation in the coming months.

But the question remains – should banks be held responsible?

Indeed, there is an inherent moral hazard when customers have the expectation that banks will provide compensation for losses arising from fraud. With lesser customer accountability, some may not make the same effort to secure their accounts or may demand that banks reimburse them for any fraud that occurred due to their negligence. On the extreme end, it may even result in a new fraud trend, where customers deceive the bank about being defrauded in hopes of obtaining a goodwill payment.

Nevertheless, regulators have taken the stance that banks are responsible for protecting their customers from fraud. They have been stepping up enforcement by introducing guidelines to protect end-consumers. In early 2021, Singapore’s MAS released its Technology Risk Management guidelines, stating that financial institutions ought to be able to identify and block fraudulent transactions.¹¹ Similarly, the Hong Kong Monetary Authority’s (HKMA) TM-E-1 guidelines,¹² which was released in 2019, addressed similar concerns.

With regulators upgrading its measures to protect end-customers from fraud, banks need to step up their game or be faced with the possibility of incurring substantial losses, regulatory action, and reputational damage. While banks have measures in place to address such risks, some have obviously fallen short.

The solution would require a concerted effort to address fraud risk every step of the way.

Banks must be able to identify account takeover scenarios, where a fraudster is accessing an account, and prompt for additional authentication. In scenarios where customers are duped into transferring funds on their own accord, banks must be able to spot these unusual transactions and remind the customer to be vigilant or block the transaction outright.

These translate into the need of having systems and processes in place to present a credible safeguard against fraud.

Some examples of what banks can adopt include:

• Real-time detection systems, which rely on rule-based detection or machine learning models to flag and block suspicious transactions without requiring human intervention
• Machine learning-based customer profiling capabilities, which can establish baselines for each individual, against which irregularities can be benchmarked
• Device intelligence with real-time behaviour analytics, which can identify fraud, such as account takeover based on anomalies in user behaviour and interaction as well as suspicious devices
• Network link analysis to identify suspicious flows of funds or abuse of a bank’s account, such as a money mule

• Adaptive authentication and imposing varying levels of verification based on transaction risk profile (to balance risk versus customer experience)
• Multi-factor authentication as a more robust form of authentication (as opposed to SMS OTPs)
• Account-level controls, such as implementing transactions limits for newly added payees and adding a time delay before a new token can be activated
• Multi-channel notifications, so that customers are kept alerted of transactions
• A dedicated team to contact customers to pro-actively verify unusual transactions

• 24/7 fraud team or call centre to receive fraud complaints and take timely actions
• Continued customer education efforts
• Quick analysis of spikes in complaints to determine large-scale fraud being perpetrated at the bank
• Active monitoring of the fraud landscape and information sharing amongst banks to identify and adapt to emerging trends

Even with the latest technology, banks must remain vigilant against all threats, as fraudsters will continue trying to find new ways to circumvent the controls implemented. Effective fraud detection systems must continuously be enhanced and maintained to keep the fraudsters at bay in this game of cat and mouse.

^{Featured services}

^{Fraud Management | Synpulse}

^{Fraud Risk Management | Synpulse}

^{Modern Fraud Detection | Synpulse}

^{Intelligent Automation Assessment | Synpulse}

^{RPA / Intelligent Automation Enablement | Synpulse}

^{1 "Bolstering the Security of Digital Banking" – Ministerial Statement by Mr Lawrence Wong, Minister for Finance and Deputy Chairman of the Monetary Authority of Singapore (MAS), on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister-in-charge of MAS (MAS, 15 February 2022).
2 OCBC phishing scam: Police say they rushed to take down fake bank websites, trace lost cash (Channel News Asia).
3 Scammers launder nearly HK$29 billion from victims through Hong Kong bank accounts, cryptocurrency wallets over past 4½ years (South China Morning Post, 24 January 2022).
4 Ibid
5 P2 billion feared lost to scams, fraud – BSP (Inquirer.net, 18 January 2022).
6 Ibid
7 OCBC phishing scam left victim broke and starving on Christmas Day (Today, 10 January 2022).
8 2 OCBC SMS scam victims share losing life savings within minutes (AsiaOne, 17 January 2022).
9 MAS will consider supervisory actions against OCBC for phishing scam, adds all customers should be treated fairly (Channel News Asia, 17 January 2022).
10 MAS and ABS Announce Measures to Bolster the Security of Digital Banking (Monetary Authority of Singapore, 19 January 2022).
11 Guidelines on Risk Management Practices – Technology Risk (Monetary Authority of Singapore, 18 January 2021).
12 (SPM): Revised module TM-E-1 on “Risk Management of E-banking” (Hong Kong Monetary Authority, 24 October 2019).}