
Role of Banks in Fighting Consumer Financial Scams

Ken Palla

Background


It is 2025 and consumer financial scams continue at an unabated pace. GenAI has unfortunately given the fraudsters a powerful tool to interact with victims with the ability to freely translate between the fraudster’s language and the victim’s language, create interactive audio/video sessions with the scammer looking like the picture of the victim’s new friend, and more. Scam losses will continue to grow each year. In the US, the Federal Trade Commission estimates $158 billion in scam losses in 2023. Around the world, GASA estimates “The financial toll of scams is staggering, with an estimated $1.03 trillion lost globally in the last year”.  One bright spot involves banks and payment systems providers.


And why is that?


We see three countries, the UK, Singapore and Australia, adding banking scam controls under the direction of regulators and voluntary codes. And we start to see a reduction in scams. In a recent Australia scam stats report (National Anti-Scam Centre in Action Quarterly update April to June 2024): “losses reported by the public to (Australia’s) Scamwatch decreased by 41.0% from $559.9 million between 1 July 2022 and 30 June 2023 to $330.0 million between 1 July 2023 and 30 June 2024.”  In the UK, Pay.UK recently reported a reduction in Authorized Push Payment (APP) scams as well: “there was a 16 per cent decline in cases and an 11 per cent fall in losses in the first six months of 2024 compared with the same period in 2023”.


So, my straightforward message today is that banks need to realize that banking safety and soundness is at risk with all of the scam money being pulled out of banks, because scammers can draw bank customers into a relationship for romance or investing scams, as well as into impersonation and help desk scams. The common thread in most of these scams is that customers are transferring funds or removing cash from banks for induced bogus purposes. Yes, we know these scams often start with a phone call, text message, meeting someone on a dating site, or a bogus search ad. And yes, these telco/Internet companies need to participate in helping to reduce scams. But what can banks control directly to help? Banks can work to control their customers’ transaction activity to help ensure the customers do not get scammed AND prevent the money from leaving the bank.


Action Plan


So, what should banks do? First, they need to realize that banks (and credit unions, fintechs, etc.) have a moral responsibility to help prevent suspicious money movement across the banking payment rails. When a bank customer is scammed, the bank also loses deposits and the customer can blame the bank for not having done more. The scammed customer may even leave the bank. In talking to a recent victim, she said in effect “why didn’t the bank do more to quiz me on the withdrawals. Maybe I would have listened. Now, I am devastated and I blame the bank for not doing more. After all, they know all about these scams and how they work.”


What I recommend is banks replicate what they have done for fraud (unauthorized transactions initiated by the fraudster) for scams (authorized transactions initiated by the customer under deception), plus a bit more. I like the Boom concept that Ken Westbrook at Stop Scams Alliance recommends. Boom is when the money starts to move to the scammer. Ken’s point is to do as much as possible before the “Boom”. But banks can also be active at the “Boom” and after the “Boom”. See Graph 1.



Graph 1: The “Boom” Technique (diagram: left of Boom is before the scam money moves; right of Boom is recovery actions)

Here are the steps banks can deploy:

  • First, take 90 days and track your customer scam losses. Categorize them by scam type (romance, investment, impersonation, grandparent, help desk, etc.). Consider using one of the fraud/scam typologies from the US Federal Reserve or from the European Bankers Association to track scams. Track the number of instances and the value of the losses, as well as how much was saved (not lost), how much was lost, and how much was recovered (lost but recovered). Continue this scam tracking.


  • Next, create a scam strategy. Use your bank’s scam statistics to generate support at the C-Level to proceed with the scam strategy. Most banks are truly amazed at their customer scam volumes. Creating a scam strategy was one of the first actions all Australian banks completed as part of the voluntary Australian Banking Association and Customer Owned Banking Association Scam-Safe Accord, which was initiated in late 2023. The scam strategy is similar to a fraud strategy, but the focus is on the consumer financial scams (authorized transactions and cash withdrawals) impacting the bank’s customers. The scam strategy should cover customer education, special staff training on dealing with scam victims, scam controls to detect and mitigate scam transactions, and how to help customers with reporting to law enforcement and with the potential recovery of scammed funds.


  • Third, create a business case to support the funding required for the scam strategy activities and projects. The business case needs to include the following:

    • Why there is the need to support the customer.

    • The financial impact to the bank. Discuss how the banks do not typically lose money from bank scams, other than possibly on impersonation scams in certain countries.

    • Discuss the financial and emotional impact to the customer.

    • Discuss how scams impact bank reputation and banking safety and soundness.

    • Discuss how the scam strategy will reduce bank customer scams.


The Knoble, an alliance to fight human crime, is creating a pro-forma Scams Business Case for banks in Q1 2025. For more information, contact lora@theknoble.com


With a sound bank scam strategy, the bank effort to fight consumer scams can look like Graph 2.


Graph 2: The Boom Approach for Banks (flowchart titled "BANK FOCUS: Boom Approach to Scam Steps", listing anti-scam actions under the phases "Left of BOOM", "BOOM" and "Right of BOOM")

Discussion of Key Steps to Fight Consumer Scams


Left of Boom

We have already discussed creating the scam strategy and tracking customer scams (initially to generate the interest in addressing consumer scams at the bank and then the on-going tracking of scams to be able to assess the impact of the scam strategy).


The bank needs an effective customer education program. Just putting out warnings about scams is not very effective. The bank needs to understand how these scams occur in order to craft effective education. And the understanding needs to take into account the psychological aspect of these scams. For examples of how to offer good education, look at what the UK banks have done. As an example, they have added humor to their warning materials, including videos. They have targeted and customized notices at the time of suspicious transactions.


One of the next steps is to educate the bank staff in how to interact with scam victims. This includes staff with customer facing roles such as tellers, personal bankers and fraud analysts. The training needs to take into account how the scammer uses psychology to interact with the victim and in effect convinces the victim about the urgency of the scam (e.g. bank or government impersonation) or the emotion of the scam (e.g. romance scam or investment/pig butchering scam). The bottom line is the customer really believes in the interaction 100%. And it will require the bank to include custom psychological training of staff so they understand the scammer’s technique, in order for the employee to then be able to build a relationship with the customer to help resolve the customer’s scam transaction being held by the bank.


UK’s Santander Bank is a good example of training its staff for customer interaction in scam situations. This Guardian article talks about “The 23 staff on the Break the Spell team deal with customers who have been so thoroughly taken in by a scam that they refuse to accept that they are being defrauded”. The frontline staff refer customers to the ‘Break the Spell’ team when “ordinary interventions fail to persuade them that their transactions are suspect”. This is an effective and meaningful solution.


Implementing scam controls will be the most difficult part for the bank, as this will involve the largest percentage of the scam strategy funding. The good news is that there are a number of good and effective scam controls that have been rolled out in the UK, Australia and Singapore. And some of the controls are not overly expensive. Below is a brief list of possible scam controls:


  • Behavioral biometric alerting- several vendors offer the ability to detect behavioral biometric changes when a customer is doing a transaction online at the direction of a scammer. This has proved very effective with a number of banks in the UK and Australia.


  • Confirmation of Payee- this is where the sending bank verifies the name and account number with the receiving bank and returns a ‘no match’, ‘full match’ or ‘partial match’ to the customer initiating the transaction. This solution is in use in the UK, New Zealand and soon in Australia and the EU (for instant payments in the EU market).


  • Data sharing- There are a number of initiatives underway to allow banks to share data about fraud and scam activities. The best examples are in the UK and Australia. Spend time with your peer banks and trade associations to help get this underway.


  • The BioCatch Trust™ data sharing program- This is an innovative program in Australia with a number of the large banks. It is a behavior- and device-based fraud and scams intelligence-sharing network. Trust™ will be analyzing both sending and receiving bank accounts. What is important about this solution is that we are starting to see information being shared between the sending and the receiving bank before the sending bank executes the transaction. The UK is also developing a solution to share information between the sending and the receiving bank. This is being initiated by PAY.UK as part of its Enhanced Fraud Data (EFD) program.


  • “Money Lock”- Singapore banks added a “Money Lock” feature. This lets customers set aside an amount of funds in an account that cannot be transferred. This can be helpful in an impersonation scam, where the scammer is creating urgency for action.


  • “Is the customer phone in session”- Several vendors have the capability to tell the bank if the customer is on an active mobile call. This is important because often for bank or government impersonation scams or grandparent scams, the customer is interacting with the scammer on the phone while the customer is executing the transaction online or withdrawing cash from the branch. As part of making this solution available around the world, GSMA, a global organization unifying the mobile ecosystem, has created a standard API for this solution. In the UK, the API is called the Scam Signal.


  • “Is my bank calling me?”- A number of banks have created a way for the customer to know it is actually the bank calling the customer with a fraud/scam query. The bank uses the mobile app to inform the customer. Here is a screen shot from UK’s Starling Bank.


Helping to block scam calls and text messages can be part of the bank’s role. Some vendors are introducing mobile apps that banks can offer to their customers to help block this activity. Some of the vendors in this space are RangersAI (note: I am an advisor to this firm) and Scamnetic in the US, and Ask Silver in the UK.


Also, in the US several states have laws that allow banks to hold transactions for elderly and vulnerable customers. There is a hold harmless component to these laws. The Federal Trade Commission has compiled a list of these state laws as of October 2024.


To see what happens when banks add controls to help reduce scams, I recently wrote a white paper on the one-year anniversary of the Australian Scam-Safe Accord. This paper includes many of the controls the Australian banks added in just a twelve-month period. The paper also addressed the fact that scam losses are dropping as a result of the bank actions and other actions by telcos and the regulators removing fraudulent web sites.

Note on Money Mule Management


Another important area of concern is the proliferation of money mules used in fraud and scams. As a result, banks should seriously consider having controls around money mule detection and mitigation. This involves doing analysis on inbound transactions and anomalous behavior around quick outbound transactions from this ‘receiving’ account. Behavioral biometrics can also be used here to detect anomalous behavior around online activity against this receiving account (e.g. fraudster constantly logging on to check for inbound activity and other ‘odd’ behaviors). For more information on money mule controls, please see a paper I wrote last year. Plus in 2023, the UK’s Financial Conduct Authority issued a report identifying best practices for money mule controls and also mandated UK banks to have strong money mule controls, including strong account opening controls. For more details on account opening controls, please see this blog I wrote.
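As an illustration of the inbound/quick-outbound analysis described above, the following is an added example, not code from this article or from any bank or vendor. It flags receiving accounts where most of an inbound credit is forwarded out shortly after it arrives; the ledger, account identifiers and the three thresholds are constructed assumptions that a bank would calibrate on its own data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data):
# (timestamp, account, direction, amount, counterparty)
TXNS = [
    ("2025-01-06 09:02", "ACC-1001", "in", 4800.00, "EXT-771"),
    ("2025-01-06 09:19", "ACC-1001", "out", 4700.00, "EXT-902"),
    ("2025-01-06 13:40", "ACC-1001", "in", 2500.00, "EXT-318"),
    ("2025-01-06 13:55", "ACC-1001", "out", 2450.00, "EXT-902"),
    ("2025-01-03 08:00", "ACC-2002", "in", 3100.00, "EMPLOYER-1"),
    ("2025-01-05 18:30", "ACC-2002", "out", 1200.00, "LANDLORD-1"),
    ("2025-01-07 10:00", "ACC-3003", "in", 900.00, "EXT-555"),
    ("2025-01-07 10:20", "ACC-3003", "out", 100.00, "SHOP-9"),
]

# Assumed tuning values, chosen only for this illustration.
WINDOW = timedelta(minutes=60)   # how soon after a credit the money leaves
MIN_RATIO = 0.90                 # share of the credit that is forwarded
MIN_AMOUNT = 1000.00             # ignore small inbound credits


def find_pass_through(txns, window=WINDOW, min_ratio=MIN_RATIO,
                      min_amount=MIN_AMOUNT):
    """Return one alert per inbound credit that is mostly forwarded
    out of the receiving account within `window`."""
    by_account = defaultdict(list)
    for ts, acct, direction, amount, party in txns:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_account[acct].append((when, direction, amount, party))

    alerts = []
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        for when, direction, amount, sender in rows:
            if direction != "in" or amount < min_amount:
                continue
            # Outbound payments that follow this credit inside the window.
            # One outbound payment can count against more than one credit:
            # acceptable for a review queue, not for accounting.
            outs = [r for r in rows
                    if r[1] == "out" and when < r[0] <= when + window]
            forwarded = sum(r[2] for r in outs)
            if forwarded >= min_ratio * amount:
                alerts.append({
                    "account": acct,
                    "credit_from": sender,
                    "credit_amount": amount,
                    "forwarded_ratio": round(forwarded / amount, 2),
                    "minutes_to_first_out": int(
                        (outs[0][0] - when).total_seconds() // 60),
                    "sent_to": sorted({r[3] for r in outs}),
                })
    return alerts


def accounts_for_review(alerts, min_events=2):
    """Accounts with repeated pass-through events, for analyst review."""
    counts = Counter(a["account"] for a in alerts)
    return sorted(acct for acct, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    found = find_pass_through(TXNS)
    for alert in found:
        print(alert)
    print("review:", accounts_for_review(found))
```

On the constructed ledger only ACC-1001 is queued for review: it forwards two credits from different senders to the same beneficiary within minutes, while the salary-style account and the small-credit account are left alone.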


Boom

This is where the action is for banks. Staff has been trained and scam controls have been deployed. Now an online transaction is alerted on in real time, or a customer walks into the branch requesting a wire or asking for a cash withdrawal. The online transaction offers a real-time warning to the customer, and if they have ignored it, they do the transaction. Now the fraud team is alerted and must contact the customer. Or the teller, with maybe help from the fraud team, needs to talk with the customer. This is where banks are sometimes deploying specially trained staff for the interaction. This is the moment of truth for the bank and the customer. Can the bank effectively explain that the customer is being scammed? The customer 100% believes in the transaction and has probably been told that the crusty old bank will want to stop the transaction. It is true theatre at this moment.


Who will win?


Sometimes, to help the customer understand it is a scam, the bank team will try to show the customer that the person they are interacting with is not real. They can do this by getting a copy of a photo the victim has and doing a reverse image search on the internet.


Right of Boom

The “Right of Boom” is a fast-paced period of trying to recover funds sent to the receiving bank. The sending bank will need to get a signed hold harmless agreement from the victim. The bank will need to have a thoughtful explanation for the customer, who by now is probably traumatized over the possible loss.


The banks need to explain to the customer about notifying law enforcement and, in the US, reporting the crime to the FTC and IC3. Other countries will have different reporting requirements.


The bank will work to try and get the funds returned from the receiving bank. Some countries have kill-chain processes to help recover the funds from receiving banks. The FBI and Interpol are examples of this type of support.


If the money has moved to crypto accounts (either to a crypto exchange or as cash entered into a crypto ATM), there are ways to identify the location of the funds (tools like TRM Labs, Chainalysis and Elliptic can be used by trained personnel) and get law enforcement to subpoena the funds. Banks need to assess whether they provide help here and, if so, what help.

If the cash withdrawal was then used for the purchase of gift cards, there are other steps to recommend to the customer.


Finally, the bank needs to decide if it will refer the victim to a support group for scams. The victim needs emotional help at this point and the bank needs to decide if it will help them identify a source.


Summary

We have covered a lot of ground and unpacked what it takes for a bank, credit union or fintech to jump in and start to protect its customers from scams. This is more of an art than a science and it involves a sharp understanding of the customer’s emotions to help “break the spell” to prevent the money leaving the bank. Understand the customer is being attacked by transnational organized crime and possibly nation states. And they are very good!! So, when the bank detects a suspicious transaction, it will be a battle to convince the customer it is a scam. And make no mistake about that.


One thing we strongly recommend for banks is: don’t go it alone. Get very active with your peer banks and trade associations. Share what you can. Work with your country FS-ISAC. Be organized in this fight.


Be very empathic with your customers. They are in a bad mental state and you need to understand this.


The good news is that in Australia, with a ‘whole-of-ecosystem’ approach (involving the government, banks, telcos, and digital platforms), the consumer financial scam levels are dropping. A key part of this success so far is what the Australian banks have done.  The same is true in the UK.  So, adding banking controls does help reduce scams. So much so, I think we may see scammers move their efforts to those countries that are not adding scam controls and also increase their attacks outside of consumer financial scams in countries that do add scam controls.


Yes, we need to get telcos and digital platforms involved in this fight. But first, let’s get our own banking anti-scam strategy in place. Then, we are in a better position to argue that the digital platforms and telcos need to share in this fight. This is where the UK banks are now. They have spent hundreds of millions of pounds on adding controls for several years now. And they now have a stronger voice in saying that the other key players that help facilitate these scams must share in the effort to reduce these scam losses.


Putting a banking anti-scam strategy in place is the right thing to do. It is important for banking safety and soundness. It is mandatory in the UK, soon in Australia (but even a voluntary code for banks exists today) and levels already exist in Singapore. In some countries like the US, there is already existing regulation to protect the elderly and vulnerable from financial scams. See my recent report on the US and elderly protection.

 

If it is not yet a regulatory requirement in your country, voluntarily step up to protect the banking system and your customers. And convince your fellow bankers to join the fight. This is a battle we must win.


About the Author

Since 2005, Ken Palla has been in Online Security. He was a Director at MUFG Union Bank, retiring in early 2019. He helped shape the initial responses to the U.S. 2005 and 2011 FFIEC Regulatory Guidance to improve online security for US Banks. He is an early adopter and has selected and implemented a number of online security products. Ken was an advisor to the RSA eFraud Global Forum and a Program Committee member for the annual San Francisco RSA Conference. He is currently on The Knoble Scam Committee.


He has published many white papers—on the need to focus on online customer safety, on online authentication and on how to select a multi-factor authentication solution. Most recently, his white papers and blogs have been on consumer financial scams. These recent white papers and blogs focus on controls to reduce scams and what countries are doing about scam reimbursement.


He also was the editor for the complete list of definitions of financial scams, published by The Knoble in 2022. In 2019, he received the Legends of Fraud Award at the 3rd annual FraudCON conference in Israel. He is currently consulting to banks and to online security vendors.


1 Comment


lekor adams
3 days ago

The role of banks in preventing consumer financial scams is absolutely vital, as they are the first line of defense in spotting fraud. Protecting sensitive customer data and securing transactions is a huge responsibility. That’s why having the right tools for managing documents securely is essential. Document scanning solutions are incredibly effective in converting physical documents into secure, searchable digital formats, reducing the risks of human error and fraud. With proper digital document management, banks can protect both their customers and themselves from scams, ensuring all records are safe and accessible for verification when needed.


© Global Anti Scam Alliance (GASA)
