This month, the UK Government announced changes to the Online Safety Bill to tackle scam advertising and fraud. It’s also launched a consultation on wider advertising regulation. Backed by the Money and Mental Health Policy Institute, and the Financial Conduct Authority (FCA), the bill amendments and the consultation are aimed at thwarting fraud and improving the public’s confidence when using the internet.
It comes at a time when fraud is at record highs. In October, the Victims’ Commissioner released research that showed 4.6 million people are affected by fraud each year, and around 700,000 will go on to suffer financial and emotional strain as a result.
These figures seem extraordinary, but when you consider identity theft is no longer the outcome of a criminal going through your bin to steal bank statements and is instead the result of calculated mobile and online scams, it’s easy to arrive at such high numbers.
Today, committing impersonation fraud to access an online bank or shopping account is referred to as Account Take Over (ATO).
It’s a complex, sophisticated crime and sadly a daily occurrence, with the average theft totalling £1000 or more.
One of the most common ways to steal an identity is to use a two-part process of phishing and SIM swapping. In the first instance, criminals will dupe a person into handing over personal info, passwords, or financial details via unsolicited texts or emails purporting to be a company they trust.
They then use this information to access the account, updating contact details and associating a new phone number to it. It’s clever, and fraudsters will regularly swap the SIMs they use to avoid getting caught.
The FBI has issued regular warnings about this modus operandi, as the risk posed to people who use their mobiles and the internet to complete day-to-day transactions increases. Recently, the Spanish Police apprehended a SIM-swapping gang that had falsified the identities of hundreds of banking customers to drain millions from their accounts. The advent of cryptocurrencies is also fuelling an underworld of criminals intent on extortion.
Around the world, regulators have stepped up. In the UK and EU, the Payment Services Directive (PSD2) and Know Your Customer (KYC) legislation require banks and financial services companies to verify the identity of a customer. In effect, they encourage the finance industry to add extra layers of security to electronic payments. This might include PINs and passwords, but also fingerprints or the use of one-time passcodes.
However, the acceleration in fraud, especially during the pandemic, has pushed the FCA to turn its attention to the retail industry. From next week, a retailer will only be able to accept an electronic payment if it has verified that the customer is who they claim to be.
Most small-value purchases will go through unchecked (or checked in the background), but high-value shopping baskets will require identity verification – a PIN, password, one-time passcode, or even a prompt to approve the purchase through the customer’s banking app.
The new requirements will no doubt come as a surprise to customers. Many will be unaware of the obligation, or even the need. It may require some education on the part of retailers, especially for those where large basket sizes are the norm.
It could also be a point of frustration for customers. Authentication, though essential, disrupts the flow and is sometimes considered an annoyance by people who like a ‘one-click-to-buy’ approach to shopping. Cart abandonment is already a big problem for retailers, with around 20% of abandoned carts the result of complicated checkout processes.
Balancing fraud protection with customer experience is therefore a double-edged sword. But there are ways and means of achieving both with well-conceived processes and technology.
It sounds obvious, but start by identifying the critical points in a customer’s journey that could be susceptible to fraud. Consider everything from how people complete a transaction to how they update their address details. You can then identify where you need to invest in terms of training, communication, technology, and process.
Review the verification methods already in place and how effective they are. Do they stand up to the test of Strong Customer Authentication? A good benchmark is to include an additional process in the transaction steps and combine it with checking data you have for your customer. This might be to send a one-time password to a mobile number or initiate a phone call to act as verification.
Consider how technology can help you. For example, there are APIs that will detect if a SIM has recently been swapped out of a mobile handset and raise an alert to check for suspicious activity. This eliminates the need for other verification processes and keeps legitimate purchases moving. The banking industry combines verification with the banking applications downloaded onto customers’ mobiles.
Work with a trusted partner who can guide you on best practice in line with your business model, processes, and budget. Banks and financial services companies are the frontrunners, so use their experience to guide your policies and technical implementations.
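The advice above on reviewing verification methods and using SIM swap detection can be expressed as a checkout policy. The following is an added example, not code from the author or from any vendor's API: the thresholds, field names and the shape of the SIM swap lookup result are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for illustration; set these from your own risk appetite.
HIGH_VALUE_GBP = 100.00                    # baskets at or above this get step-up
SIM_SWAP_WINDOW = timedelta(hours=72)      # how recent a SIM change counts as risky
CONTACT_CHANGE_WINDOW = timedelta(days=7)  # how recent a phone-number edit counts

# Constructed reference time so the sample data below is reproducible.
NOW = datetime(2022, 3, 14, 12, 0, tzinfo=timezone.utc)

@dataclass
class Checkout:
    basket_gbp: float
    now: datetime
    # Hypothetical result of a SIM swap lookup for the number on file:
    # time of the last SIM change, or None if the lookup failed.
    last_sim_change: Optional[datetime]
    # When the account's phone number was last edited, or None if never.
    phone_number_changed: Optional[datetime]

def choose_verification(c: Checkout) -> str:
    """Return 'frictionless', 'sms_otp', 'app_approval' or 'manual_review'."""
    number_recently_edited = (
        c.phone_number_changed is not None
        and c.now - c.phone_number_changed <= CONTACT_CHANGE_WINDOW
    )
    # Small baskets pass in the background unless the contact number was
    # just replaced, which is the account-takeover pattern described earlier.
    if c.basket_gbp < HIGH_VALUE_GBP and not number_recently_edited:
        return "frictionless"
    # Recent SIM change: raise an alert and hold the order for a fraud check.
    if (c.last_sim_change is not None
            and c.now - c.last_sim_change <= SIM_SWAP_WINDOW):
        return "manual_review"
    # A passcode sent by SMS only proves control of the SIM, so it is not
    # used when the SIM state is unknown or the number on file is new.
    if c.last_sim_change is None or number_recently_edited:
        return "app_approval"
    return "sms_otp"
```

Note that a failed lookup falls back to a factor that does not depend on the phone number rather than letting the SMS passcode through unchecked.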
If you’d like help assessing your readiness for the new rules, or want to discuss how SIM swap technology can integrate into your existing architecture, then contact me at firstname.lastname@example.org or email@example.com.
Amy Lomax is a Sales Manager for LINK UK