Scams are increasingly sophisticated, making consumers and organizations more vulnerable.
In 2022, the Consumer Sentinel Network Data Book reported that scams resulted in a $2.7 billion loss for consumers, while data from LexisNexis Risk Solutions revealed that every $1 lost to fraud costs U.S. financial service providers $4.23.
Chris Schnieper, Senior Director of Fraud and Identity Strategy, LexisNexis Risk Solutions, believes that standard methods of fraud risk assessment, focused only on the user device, location, or credential anomalies, fail to detect scam risk accurately. We spoke with Chris in more depth to learn how fraud has evolved and the proactive measures organizations should take to protect their clients and assets.
In your experience, how have scams evolved over the years to become more sophisticated, and what are some of the key challenges they pose to both consumers and organizations?
Scams have evolved and become more sophisticated over time, particularly as we consider the growth in the variety and volume of scam types. This evolution has coincided with the rise in digital or ‘faceless’ interactions between consumers and their trusted brands. While scams are not a new concept, criminals have significantly diversified their methods due to the multitude of contact channels available today, such as email, text, social media and phone calls.
It's worth noting the enduring use of phone calls as a means of deception and manipulation for financial gain. The FTC's 2022 Scam Snapshot Report has reported that phone-based scams record the highest median loss per person. This shows the importance of maintaining vigilance across all forms of contact, as any transaction or interaction has the potential to result in the transfer of value. For example, consumers often face notable challenges when they receive unsolicited calls from alleged call center agents inquiring about one-time passcodes (OTPs) received via email or when they are asked to transfer funds to an unknown account by people posing as unsolicited bank tech support personnel.
On the other hand, organizations encounter their own set of challenges. The initial interactions between scammers and their targets may occur in environments where the organization lacks digital visibility, such as during a phone call or a chat on social media. This absence of visibility may make it more challenging to implement preventative measures, requiring a greater focus on detection closer to the point of a transaction or funds transfer. This, in turn, increases the difficulty of achieving timely detection.
LexisNexis Risk Solutions' data shows that for every $1 lost to fraud, it costs U.S. financial service providers $4.23. What are the underlying factors contributing to this high cost, and how can financial institutions better protect themselves and their customers?
The LexisNexis® True Cost of Fraud™ for Financial Services and Lending Fraud Multiplier shows that the cost of fraud exceeds the actual dollar value of a fraudulent transaction and includes additional expenses related to labor and investigation, fees incurred during the application, underwriting and processing stages, as well as legal fees and external recovery costs. Therefore, true fraud costs are expressed by stating that for every $1 lost to fraud, the actual cost is higher, considering a multiplier that represents these supplementary expenses. (Note: all figures are in USD for a common base of comparison.)
In the LexisNexis True Cost of Fraud study, we observed a few intriguing findings regarding scams. Across the four sub-industries we surveyed, each sub-industry increased the Fraud Multiplier as the variety of scams expanded (see Page 30 of the 2022 Report). The Fraud Multiplier reduced to $3.81 when organizations employed a risk-based multilayer approach that integrated cybersecurity, fraud controls and customer experience (refer to Page 56 of the 2022 Report).
You mentioned that standard methods of fraud risk assessment may not accurately detect scam risks. Could you elaborate on the limitations of these methods and what alternative approaches or technologies can be employed to enhance scam detection?
In both scenarios where the authorized account owner conducts the funds transfer themselves or provides personally identifiable information (PII), credentials or codes for potential account takeover (ATO) attacks, we observe a wide array of scam types and contact approaches. Due to this diversity, organizations can no longer rely on traditional ATO tools and must explore more nuanced solutions.
We approach scam mitigation across three key categories: customer coaching, asset transfer and event mitigation. Detecting coaching requires a combination of device behavioral intelligence and signals to better identify ongoing scam coaching activities. Transfer detection involves analyzing various payee and payor signals and data to assess the potential nefarious nature of fund transfers, such as identifying mule accounts.
Once a scam is detected or confirmed, the next step is to contact the authorized account holder to either issue a warning or gain an understanding of the situation, helping to mitigate the transaction. This communication can be carried out by an authorized organization employee or through customized messages delivered via text, email or app notifications.
It's important to note that these three categories may not always be discrete events and are often conducted in parallel, depending on factors like the device used and the type of transaction involved.
What proactive measures can organizations take to effectively disrupt scams and protect their clients and assets?
Customer education and communication are key in combating scams. This is because scammers aim to use emotions to manipulate authorized account holders into taking actions they would not perform if they recognized the fraud, effectively bypassing fraud controls through the manipulation of the account holder.
At the same time, organizations must collect essential signals for scam detection while delivering a smooth customer experience. These efforts involve considerations such as coaching, which includes assessing whether the customer is using a mobile app or a browser and identifying signs of coaching. In the context of transfer, organizations examine factors such as payee addition timing, recent similar-sized transfers to the same payee and potentially risky payee data. During the mitigation phase, it is essential to determine the customer's preferred contact method and ensure the use of language that is appropriate, non-accusatory and devoid of shaming elements that could create resistance when conveying the message of being a potential scam target.