The use of social engineering to dupe consumers out of their money is rising. In some instances, one really thinks the consumer should have been aware that they were being scammed, but at other times the criminals are quite sophisticated. In the UK, these cyber thieves are using faster payments to get their funds instantly and then disappear:
As explained on Financial IT, one factor that contributed to the new type of fraud is that online interactions lack the usual cues that help customers tell whether a bank is genuine. Criminals use sophisticated social engineering attacks that create a sense of urgency, combined with information gathered about the customer through illicit means, to convince even diligent victims that it could only be their own bank calling. These techniques, combined with the newly irrevocable payment system, create an ideal situation for criminals.
UK regulators are considering new rules that will require banks, in some instances, to return stolen funds to consumers who were caught up in one of these scams:
The human cost behind this epidemic has persuaded regulators to do more to protect customers and create incentives for banks to do a better job at preventing the fraud. These measures are coming sooner than UK Finance, the trade association for UK-based banking payments and cards businesses, would like, but during questioning by the House of Commons Treasury Committee on October 9, 2018, their Chief Executive conceded that change is coming. They now focus on who will reimburse customers who have been defrauded through no fault of their own. Who picks up the bill will depend not just on how good fraud prevention measures are, but how effectively banks can demonstrate this fact.
Even banking/security leaders are not confident their organisation could detect and prevent the constantly changing types of fraud. With that in mind, the regulators accept that customers can’t be expected to spot every type of fraud. Those who take reasonable measures but still fall victim should be refunded.
In these cases, who will pay for the reimbursement will depend on whether the customer was given adequate warning, whether bank fraud prevention systems were effective, and whether the bank that received the stolen funds could reasonably have done more to prevent the stolen money leaving the account.
Overview by Sarah Grotta, Director, Debit and Alternative Products Advisory Service at Mercator Advisory Group