Follow Us! ThumbsUp
info@seon.io
Global Banking Fraud Index 2023

The past fiscal year has sailed across some of the most tumultuous seas the banking industry has seen since the 2008 financial crisis. The US experienced its second- and third-largest bank failures ever within just days of each other. Meanwhile, Brazil’s Nubank managed to ride the largest waves of all and ultimately cemented its status as the world’s largest neobank by both customer base and valuation. This is amidst an industry that grew by over $20 billion in the last year.

It’s major players like Nubank that are nourishing consumer attitudes, showing them that financial services can be a right, rather than a privilege. In doing so, these neobanks are pulling the whole industry towards accessibility and financial inclusion. Inevitably, though, this digitization also means more bad actors are finding digital ways to get included – 71% of financial institutions, for example, reported a security breach from business email compromise (BEC) last year. This is driving a need for financial services providers to implement market-leading fraud detection software not just as a security measure and a means of complying with regulatory and legislative requirements, but also to reassure customers that their data – and their finances – are safe.

As the world turns increasingly towards these fully-digitized banking experiences, fraudsters aren’t wasting time hanging around the legacy brick-and-mortars with scams and hope. Rather, they’ve adopted digital lockpicks to crack all the new electronic locks. These locks appear when accessing, buying, and exchanging money online, and criminals are always developing new ways to go about circumventing them.

In addition, the threats these criminals pose to the larger payment ecosystem mean that regulators are monitoring the whole banking system with a fine-toothed digital comb, regardless of whether or not the bank in question has updated its business channels to digital. Research undertaken by LexisNexis shows that fintechs and banks falling within the regulatory perimeter are often spending more on compliance than they are losing to the fraud itself – LexisNexis notes that this is likely a byproduct of increasing customer due diligence (CDD) costs as companies scale, as well as a general unwillingness to fall below the letter of the law (and incur the attenuating fines). This may lead some financial institutions to go above and beyond for fear of incurring these massive fines, a situation known as “gold plating”.

Regardless of whether or not the institution has gone to these lengths, the average financial institution spends over 50% of its compliance budget on CDD checks through lookup costs and labor.

From the pervasive banking fraud trends of today, to the specific methods, locations, and actors that get employed – as well as the overall impact that fraud has on the face of the banking sector – SEON has compiled a comprehensive index of today’s fraud pain points and solutions. Though most data sourced refers to UK and US sources, compliance with these regulatory frameworks applies to most jurisdictions, especially those maintaining any business operations or relationships in those regions.

In terms of the sea of changes the banking world is experiencing, the shift towards digitization is certainly the most important when it comes to predicting fraud patterns. When banks and money services cast this much larger net over a previously underbanked population and normalize a purely digital experience in doing so, they create new attack vectors for fraudsters, as well as new techniques to exploit.

Holistically, those new vectors and techniques can be characterized as either:

  • Fraudsters fully submerging themselves in the digital
  • Fraudsters fully committing to the analog

Exemplifying these two angles of attack, JP Morgan’s annual payments fraud survey showed that, on the digital side, card-related fraud types rose by an alarming 10% over 2022, with businesses overall showing lower volumes of digital fraud. However, those attacks ultimately got away with more money.

Meanwhile, on the analog side, the report shows that the volume of business email-related attacks that targeted poor awareness training and process management was on an obvious rise, with 71% of fintechs reporting they had a BEC breach in the past year. Also prevalent was authorized push payment (APP) fraud as a result of successful phishing scams on legit account holders. We’ll take a more granular look at the pervasive threats below.

The banking sector has also faced particular shakeups in terms of consumer confidence. The recent failures of Silicon Valley Bank and Signature Bank, as well as Credit Suisse, one of the international banks considered “too big to fail”, has caused ripple effects that are still threatening smaller business now.

Meanwhile, in 2022, the financial impact of the Russia-Ukraine war forced the US Federal Reserve to adjust interest rates seven times to control mounting inflation.

At an individual level, these factors inevitably push citizens to look for alternative streams of income to meet the rising cost of living. Money laundering and phishing are increasingly facilitated by both witting and unwitting citizens who, in times of financial downturn, are more willing to commit to ignorance when offered lucrative, if suspicious, opportunities to make money. Hence money mules are an impactful issue for financial institutions wanting to steer clear of money laundering noncompliance fines.

Additionally, the recent turmoil in the financial sector – particularly as huge scandals like the collapse of FTX still have ramifications in the economic landscape – has caused regulators to increase scrutiny on financial institutions. Oxford Economics published a report this year quantifying that the spending on compliance in financial institutions outpaces the actual loss to fincrime itself, with this spending anticipated to increase through 2025.

Even at this macro level, the seas are obviously stormy. Businesses being mindful of their return on investment (ROI) will address the emerging issues individually, as each has the potential to steer businesses’ growth plans off-course.

Key Findings

In terms of the raw data from surveyed financial services, the most notable outliers revolve around:

  • the prevalence of business email compromise as a huge security flaw
  • the rise of neobanks and other digital banking platforms
  • the increase in social engineering scams that lead to BEC and APP fraud
  • the expense of anti-money laundering (AML) compliance and the understandably large number of institutions still on the path to meeting it
  • the continuing problem of flawed account opening processes
  • the unique identity validation challenges offered by Buy Now Pay Later (BNPL)

Data found in this index’s images were sourced from ACI Worldwide’s Prime Time for Real Time report, Cutting the Costs of AML Compliance published by LexisNexis, Neobanks: The Bumpy Road to Profitability from Aite-Novarica, and the 2023 AFP Payments Fraud and Control Survey Report underwritten by JP Morgan and executed by the Association for Financial Professionals. Additional statistics came from The World Economic Forum, Retail Banker International, and Oxford Economics. Data was compiled by SEON, informed by our own fraud analysis.

What Kinds of Fraud Are on the Rise in 2023?

As mentioned previously, pervasive banking fraud threats that did quantifiable damage to bottom lines can be thought of in two ways: the low-tech and the high-tech. In reality, successful scams often involve a mixture of the two.

Notably, 2023 sees the medium-tech fraud exploits that plagued fintechs in previous years becoming more approachable for fraud teams – LexisNexis reports that, for the first time, US lenders actually saw a 1% drop in automated bot attacks. These attacks, which execute credential stuffing or rapid transactions, are becoming easier to detect as fraud technology becomes more advanced. The statistics suggest that companies are also finally getting around to implementing those solutions, with 45% of all US financial services reporting they had fully integrated digital fraud prevention solutions in 2022, up from 28% in 2020.

Low-Tech Fraud 2023

As the standard for state-of-the-art fraud prevention measures goes up, fraudsters are hardly being discouraged from crime; instead, they’re looking for new channels with fewer safeguards. Low-tech scams – those that rely on con artistry, scams, and phishing techniques – are on the rise, and the resulting BEC and APP fraud can be damaging beyond simple revenue flow.

Business Email Compromise (BEC)

Though broadly referred to as email compromises, BEC can come in many mediums, but the end result is work-related login credentials being exposed and exploited. Depending on the level of access granted to a criminal with those credentials, the worst-case scenarios could all become realities: sensitive data leaks, misappropriation of funds, and snowballing phishing with high-level email addresses. CEO fraud seems to be mostly a buzzword rather than a massive threat according to the data, but its existence as a term at least suggests that even executives are being targeted, sometimes with success.

Failure to implement robust training and awareness programs internally can cost banks and other fintechs immense amounts of revenue, reputational damage, and fines. These training programs should be looking beyond the most common faces that BEC fraudsters wear, and seeking to instill a reasonable amount of skepticism when navigating through comms channels, be they email, social media, websites, or even search queries. Note that high-level BEC may be more likely to be personalized by the fraudster for a higher success rate. As the data suggests, fraudsters seem to be spending more time crafting individual attacks, resulting in a lower number of overall fraud instances that ultimately get away with more money.

Authorized Push Payment (APP) Fraud via Phishing

Banks and money services have to contend with essentially the same issue on the other side of the digital teller window. Authorized push payments are payments made from a customer account which, from the institution’s perspective, are authorized by merit of having the correct security details. They are more common in ecommerce when it comes to unauthorized purchases, but when they occur in banks, the fact that only money is moving can cause even greater fallout for the institution due to the regulations the vertical must adhere to. Real-time payment services such as Pix are compounding these problems by merit of the small timeframe in which to catch the criminal and the low friction of those services.

In general, APP fraud is harder to catch, as the fraudster will have the correct username and password combination. It is, however, imperative to guardrail ROI, as US lenders reported that 75% of all fraud losses were related to consumer phishing, with other financial services reporting those cases at 66%.

The increased digitization of the overall banking landscape can make these phishing attempts harder to spot. If your bank is purely digital, it seems more reasonable to trust an official-sounding email, phone call, or SMS that requests information. Similarly to BEC, these scams must be fought on the ground, with educational information built into the app or website.

High-Tech Fraud 2023

While some fraudsters take to the ground level to scam away their illicit money, others choose to fly over the technology. More fintechs and banks are doing a better job of not only implementing but also investing resources into better fraud detection software.

SEON’s own data found that scaled fraudsters hit a ceiling when attempting to circumvent modern fraud prevention tools. At a certain point, it is no longer cost- or time-effective for a fraudster to invest the time and energy needed to beat solutions like SEON that employ device fingerprinting and password hash scrutiny, at least at scale.

Similarly, legacy digital security implementations like one-time passwords or two-factor authentication sent over SMS were previously seen as foolproof. Then they were just “good enough”. Now, though, they’re looking positively outdated, with some independent security analysts now downgrading banks that rely on those methods which have been proven fallible in the face of highly sophisticated ploys like SIM swapping and man-in-the-middle (MitM) attacks.

Fraudsters not willing to take to the streets to carry out their crimes have to find a way to get themselves over these hurdles in order to pick the best, highest-hanging fruits.

Fraud-as-a-Service (FaaS)

Just as business models worldwide incorporate software-as-a-service (SaaS) platforms like SEON to fill out their workflows with robust solutions, fraudsters have also evolved to integrate purchasable fraud “solutions” bought online. These services can include snippets of code that execute credential stuffing and other bot-driven attacks, whole executable fraud packages, end-to-end phishing ploys that spoof website portals, and internal programs that organize stolen login credentials.

The accessibility of these services certainly informs the face of modern fraud, particularly those executed by individual users over a mobile device.

The Unique Challenge of Buy Now Pay Later Fraud

The success of Buy Now Pay Later (BNPL) across ecommerce channels has inevitably led to the microlending model being accepted by banks for various transactions. As of July 2022, more than two-thirds of US banks and credit lenders either accepted BNPL transactions or planned to within the next 18 months.

BNPL offers customers a unique way of democratizing financing and spending, but it comes with a unique set of challenges. These challenges will surely scale in the coming years, as Apple and Mastercard are currently rolling out their own BNPL products: Apple Pay Later and Mastercard Installments.

Compared to other regulated lenders, BNPLs and other real-time payment providers are less likely to introduce friction that would lead to even a single road bump in the customer journey to checkout – about 20% more BNPL lenders reported that they were “extremely focused” on optimizing risk in the customer journey than other financial services. Accordingly, partnering banks report that common methods of fraud prevention are harder to implement, as BNPLs may be able to provide less transactional data with which to assess risk. As well, compliance strictness may be lacking, both exposing the bank to its own compliance issues and damaging the ability to assess risk when the lenders loosen risk thresholds to cut down on false positives.

Costs of Fraud

The number of monthly fraud attacks on banks earning more than $10 million in annual revenue has shown a consistent increase year-on-year. In 2022, all US retail services, including banks, saw a 4.2% uptick in the overall cost of fraud per dollar. Fraud losses across bank payments totaled nearly $1.6 billion during that time.

Every $1 of fraud costs the US financial services $4.23, Canadian $3.78. These fees are inclusive of the legal, processing, investigation, and recovery expenses.

The channels through which these fraud costs rolled in are a reflection of the changing market. According to LexisNexis’ 2022 True Cost of Fraud Study for Financial Services, US-based financial and lending services saw outsized increases in the proportion of mobile banking fraud among all fraud costs. Respectively, financial institutions and lenders, including BNPL providers, reported that mobile fraud accounted for 32% and 37% of all fraud, representing upticks of 5% and 12% from the previous year.

Unfortunately, there is also a negative correlation between the diversity of fraud methods and the overall cost of fraud. Financial services providers in the US, including banks, investment firms, mortgage firms, and lenders see fraud costs vary from between $2.92 per dollar to $4.81 as the variety of scams increases. Companies beset by BNPL fraud, automated bots, and BEC will have to output significantly more than those that do their utmost to close specific security gaps.

Costs of Compliance

In the UK this year, the money that regulated companies will spend on compliance alone will cost about three-quarters of the country’s entire defense budget. According to a survey from LexisNexis, the main driver behind that spending isn’t even to stop money laundering and fincrime, rather it’s simply to meet regulatory expectations.

Similarly, the costs associated with compliance are more often justified internally with the increased AML scrutiny, rather than the need for more rigorous AML checks.

Which US States Experience the Most Fraud?

As with international compliance costs, fraud and fraud-fighting enforcement can vary from region to region, and in the US, state to state. 

States Most Affected By Online Crime

The Most Common Types of Banking Fraud in the UK

Check, Plastic, Card and Bank Account: 336,707 reports

Check, plastic, card, and bank account fraud made up the largest proportion of total reports in 2021 in the UK – a whopping 336,707 cases, equating to 38.45% of all reports.

Online Shopping and Auctions Fraud: 103,254 reports

The second most common fraud was online shopping and auction frauds, which accounted for 11.79% of all fraud cases in the UK over 2021.

Application Fraud (excluding mortgages): 91,593 reports

Application fraud saw over 91,000 reports in 2021 in the UK, and this is excluding mortgage fraud.

The Most Costly Types of Banking Fraud in the UK

Other Financial Investment: £318m/$381m lost to fraud

Financial investment fraud was the most damaging in the UK in 2021. A whopping £318/$381 million was lost in the UK through this type of fraud.

Check, Plastic Card, and Online Bank Accounts: £184m/$221m lost to fraud

Check, plastic card, and online bank accounts – the most common type of fraud seen in the UK – saw UK citizens, organizations, and banks lose a total of £184/$221 million over 2021.

Share Sales or Boiler Room Fraud: £171m/$205m lost to fraud

Share sales or “boiler room” fraud, also known as call center fraud, cost the UK £171/$205 million in 2021.

How to Avoid Banking Fraud: The Best Fraud Prevention and Detection Features

Though it has always been a good idea for best practice fraud prevention, now more than ever the need to scrutinize digital identity markers is paramount for robust cybersecurity.

Fraud pain points commonly reported by banks and financial services in the past year can be largely addressed by implementing:

  • a multi-layered approach that offers risk assessment across multiple channels and with different strategies
  • identity validation that pushes technological data points such as device fingerprinting and browser hashing
  • distribution of security touchpoints not only to safeguard the process of account creation but also to protect endpoints and monitor mid-journey behavior with biometrics and velocity checks
  • an AML tool to help teams both maintain compliance and detect sanctioned entities

Create Layers of Protection

Complete digital footprint analysis at onboarding easily blocks customers who attempt to use stolen, synthetic, or fake identities, including fraudsters armed with legitimate personal credentials stolen via phishing scams. In the face of threats like APP fraud or BEC, however, this is obviously not enough, as these kinds of scams will be exploiting accounts that have gone past the onboarding stage. Allowing fraud prevention software to create touchpoints at different stages across the customer experience will allow fraud teams a better win rate when it comes to preventing costly phishing scams from turning into huge reputational and regulatory damage.

Monitor Device Risk

As more customers turn to mobile apps like Pix for their financial services, businesses should be increasingly leaning on device fingerprinting to remove as much anonymity from the mobile space as possible. Generally, device configurations are individualized enough to be nearly unique, and a strong indicator that a user is the same across multiple journeys. This will mitigate the damage done by synthetic ID fraudsters, business email compromises, and APP fraud.

Automation

The adoption of a fully automatable fraud management platform is crucial. Not only does it cut down on human resources devoted to the fraud detection process, but automated solutions like SEON can also introduce less friction as they find more useful data that is impossible for a human counterpart to discover, at least with any time efficiency. BNPL providers that want to optimize the customer experience for minimal friction should certainly be automating their risk assessment. This way, inspecting identity attributes that aren’t obvious to the naked eye can be detected, and those determinations can then inform the overall risk score.

Education and Awareness

Employees throughout the corporate infrastructure should have regular training and awareness for the fraud scams of the day. Software cannot be installed to detect every possible instance of social engineering, low-tech as this method tends to be. From executives to entry-level staff, anyone with credentials to access sensitive internal data should know things like basic password security, including the main tenet: Don’t give your password to anyone.

AML Compliance

Financial institutions wishing to cover all their bases in terms of compliance should be integrating an AML solution into their fraud prevention. Sanctions laws dictate that facilitating or participating in financial transactions with sanctioned entities will result in fines or even worse penalties. Complete AML compliance should also be considering things like politically exposed person (PEP) list checks, adverse media screening, and processes to determine the ultimate beneficiaries of transactions.

Sources

Prime Time for Real-Time Global Payments Report

Cutting the Costs of AML Compliance

Neobanks: The Bumpy Road to Profitability

Payments Fraud & Controls Report JP Morgan

Discover the True Cost of Fraud

Share article

Speak with a fraud fighter.

Click here

Author avatar
Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.


Sign up for our newsletter

The top stories of the month delivered straight to your inbox