For many years, banks have promised not to send their customers correspondence that looks like scams. They would never ask consumers to click on a link and provide information or ask them for one-time pass codes over the phone.
But those strategies aren’t working anymore. Scammers are starting to mimic what bank professionals have been doing. As a result, the correspondence banks are sending increasingly looks like scams, confusing consumers. In a new study from Javelin Strategy & Research, Avoid the Fake: How AI Can Stop Bank Impersonation, Javelin Senior Analyst in Fraud Management Jennifer Pitt examines why this problem is so pernicious and how emerging technology can help rectify it.
A Message or a Scam?
Legitimate bank correspondence now asks customers to type in their account number first, so the bank knows that they are legitimate. Or it asks users to call the bank and provide the one-time passcode they had been sent. Both of these requests resemble traditional scams.
Banks are doing this for a couple of reasons. They want to eliminate customer friction, making it as easy as possible for potential victims to report fraud. Having customers click on a link or respond to a text message is much easier than making them contact a call center. The problem is that customers have been trained to regard such overtures as scams.
“If banks are going to send text messages or emails for fraud alerts, they should never ask customers to click on any link or to provide any sort of information, whether it’s your bank account number, your name, a one-time passcode, anything like that,” Pitt said. “If you’re going to send out fraud alerts that are text message or email-based, it should always provide the transaction information and direct the customer to contact their bank at the phone number they already have. Sometimes organizations will say it’s the number on the back of your debit or credit card, or visit the website and log into your account. There should never be an actual link provided for them to click on.”
Email vs. Text
Historically, scam education efforts drew heavily on protecting against email phishing. For a variety of reasons, text messages have become a common way for banks to communicate with their customers.
It’s harder for consumers and technology to detect whether a text message is fraudulent. Because the messages are so short, it can be harder to detect red flags than it is with an email.
“Because people are shifting from email to text message, it leaves these scammers with a wider victim pool,” Pitt said. “They are not leaving any gaps anymore. They’re going to use all the resources and basically hit every channel, every consumer base at one time.”
Banks now provide some of this correspondence in the form of in-app push notifications. These notifications may be the most secure method of delivering information because the person has to be in the app to receive the message. But many customers do not use the banking app, whether because of a lack of comfortability or perceived security concerns.
“You can’t just tell banks just go through the app, because you’re essentially eliminating a lot of your customer base,” Pitt said. “There are some customers that still only do business through mail or email or text message. You have to address fraud alerts and fraud prevention education on all different channels.”
Confusing the Customer
Many banks have already trained consumers to call and verify whether any communication is legitimate. While that can be an important safeguard, it can also lead to conflicting impulses in the customer’s mind.
“The customer hearing that education says, OK, I received this scam correspondence. I’m going to call my bank,” Pitt said. “They call their bank and the bank says, no, that particular correspondence is actually from us, and it’s legitimate. In the mind of the customer, they can’t separate out this correspondence from a fake one, so now any correspondence they get is now legitimate. If they get a scam correspondence, they can be easily deceived into providing some sort of information or money or making a transaction.”
The ramifications of scenarios like this go beyond customers losing money to scammers. Now they don’t trust their bank to protect them. When their bank sends a legitimate fraud alert, warning them that they need to act now, customers will ignore it.
Banks are not only confusing their customers but also losing their trust—and risking eventually losing them as customers.
How AI Can Help
With the emergence of AI, nothing is 100% foolproof, not even an app. There have even been instances of scammers setting up fake apps in the app stores. If nothing is impenetrable, how can banks protect themselves and their customers?
One possible answer isrule-based alerts. If a behavior or a transaction is out of the norm for a customer, the bank could flag it as a potentially fraudulent transaction, then send manual alerts to the customer.
AI can help power not just the technology sending out the alert but also the technology gathering the information, looking at different behaviors of customers. Are the transactions unusual for this behavior of this customer? Is it different from what the customer said they would do? If the customer says, for example, I will never send wire transfers, the AI-powered technology would flag any wires as potential fraud.
By using AI to send out the alert, the communication could be tailored to the customer and thus more likely to get attention. It could say, “We notice that you typically don’t make transactions in Saudi Arabia, and we see a $900 transaction in Saudi Arabia. Is that yours?”
Pitt also recommends being upfront with customers when they’re onboarding about what will happen if they become a fraud victim. They will be better prepared, and there’s real value for hearing such information when they’re not in the midst of a fraud or other kind of attack and feeling like they need to react immediately.
Looking Worldwide for Solutions
Cooperation and collaboration are also key parts of the solution. Other countries are ahead of the United States in detecting and preventing these scams as well as in helping victims with reimbursement. Australia is at the forefront of such technology with its scam checkers.
“In the U.S., scam checkers essentially allow customers to type in or copy/paste text messages or images to see if it’s a scam,” Pitt said. “The difference is in other countries it’s already integrated in some banks, and they have procedures in place on regulations for scams. We don’t have that in the U.S., and we need to get on board.
“Regulators need to get into play here. But banks also need to start cooperating with other organizations like social media companies, telcos, and their customers, shifting the liability and taking on reimbursements. We need to build back customer trust.”
