Moving money has never been easier. We no longer need to go into a bank, fill out a slip, and hand it to a teller to receive our money. We can now transfer money instantly. Scammers are taking advantage of unfamiliar technology to either hack in and take our money or to deceive you into sending it to them yourself. Deciding if the bank is responsible for the loss is becoming more and more of a conversation.
Today’s guest is Uri Rivner. Uri has been fighting financial crime for 20 years working closely with the world’s largest banks on developing strategies against online fraud and scams. Prior to founding Refine Intelligence, Uri was co-founder and Chief Cyber Officer at BioCatch, the global leader in behavioral biometrics for fraud detection. Earlier, Uri served as Head of New Technologies at RSA. Innovations Uri spearheaded, such as risk-based authentication, are now saving the industry billions of dollars each year in fraud.
“If it’s fraud, you’re trying to protect the account. If it’s a scam, the victim is the one moving the money. The account is going through an authorized payment.” - Uri Rivner Share on XShow Notes:
- [1:19] – Uri shares his background in fighting fraud for the last 20 years.
- [3:43] – The companies Uri has worked for, founded, and co-founded work with banks and financial institutions to help protect against fraud.
- [5:10] – In a fraud situation, people are tricked through social engineering to hand over their information, but the fraudsters move the money.
- [6:41] – Fraud is unauthorized. A scam is an authorized payment.
- [7:39] – Uri describes some of the history of frauds changing over to scams.
- [10:42] – Although there’s a difference between fraud and scams, the lines can be blurred.
- [14:10] – Remote access malware became a real problem.
- [17:13] – What are the differences between how the banks handle fraud and how they handle scams?
- [19:08] – Banks can look at data and account action to determine if a criminal moved money or if the victim did it for them.
- [20:36] – It is much more difficult for banks to detect scams.
- [23:29] – If banks see something unusual, they typically reach out to the customer to hear the reason. This doesn’t always work due to social engineering.
- [28:13] – Engaging customers is tricky because people don’t typically answer the phone or criminals are coaching the victim through what to say.
- [30:17] – This year, in the UK, banks will be held liable.
- [33:17] – By design, banks are supposed to know their customers. But that’s not the case these days.
- [36:48] – For banks, it is harder now to connect with customers to find out exactly what happened.
- [39:31] – Uri explains what happened with the US introduction of instant money transfers through Zelle.
- [41:50] – There is an increase in Zelle scams, but banks were able to offer some support and reimbursement.
- [43:59] – Scams are the most effective tools criminals have.
- [46:45] – Uri describes what we can look out for and how to best prepare ourselves to prevent scams.
- [49:19] – When money is moved from a bank account, it is the end of a chain of events that led to it. What is the responsibility of the platform that transferred it?
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Uri Rivner on LinkedIn
Transcript:
Uri, thanks so much for coming on the podcast today.
Hey, Chris. I'm happy to be on the podcast.
Looking forward to it. Can you tell me a little bit about who you are and what you do?
Sure. Twenty-something years fighting online fraud back when online fraud was mostly phishing, later on Trojans, and more advanced and sinister things like remote access attacks and social-engineering attacks. Throughout all of that period, I was working with startups and working very closely with banks in the US, in the UK, globally, because the banks were trying to protect their customers against those nefarious attacks. For some reason, the customers were giving away their password or getting infected with Trojan, et cetera, so the banks needed a technology to defend those accounts.
At some point, it shifted into scams. Fraud and scams are not exactly the same thing. I was working for RSA that acquired a small startup that was developing anti-phishing, taking down services, risk-based authentication, fraud intelligence services, and things like that. RSA, at the time, was working with a lot of the banks around those attacks—phishing, Trojans, and things like that—when I came across a very interesting new technology called behavioral biometrics.
Behavioral biometrics is the science of analyzing the way you move the mouse, the way you tap information into your phone. The notion is that you do it in a very individual way. Also, criminals operate differently than good people,… Share on XBehavioral biometrics is the science of analyzing the way you move the mouse, the way you tap information into your phone. The notion is that you do it in a very individual way. Also, criminals operate differently than good people, and I thought it's fascinating. At some point, that team that founded the startup that approached us at the RSA said, “Hey, Uri, do you want to join us, become a co-founder, help us spread the word, and make it something that every bank globally is going to use?” This is BioCatch.
I'm the co-founder of BioCatch and joined BioCatch in 2012. BioCatch is working with many of the banks globally to help with account-opening fraud detection, account takeover fraud detection, and scam detection as well. BioCatch and these companies are working with the banks to protect the end users, to protect the end customers.
More recently, I decided that another adjacent field, which is anti-money laundering, needs a lot of help. The banks are spending so much resources in just people that go through alerts every day. Most of these alerts are genuine customer activities, like you're just buying a house, selling a house, doing a home renovation, or paying international tuition.
It's not actually any kind of financial crime or money laundering, but the banks don't have the context to understand and decided to set up Refine. I'm CEO and co-founder of a company called Refine Intelligence that helps the banks around those scenarios. Essentially, we call it catching the good guys. It's not trying to detect the bad guys, it's trying to say, “Hey, what you see here is a good activity. It's actually not the bad activity that you might see from all of the red flags.” Overall, many years fighting online fraud and specifically in the banking sector.
Essentially, we call it catching the good guys. It's not trying to detect the bad guys, it's trying to say, “Hey, what you see here is a good activity. It's actually not the bad activity that you might see from all of the red… Share on XInteresting. For the audience and for our discussion here, can you define the difference between fraud and scam?
Right. In a fraud situation, customers are somehow tricked using social engineering or some technology to provide their information to the criminals, but the criminals are the ones that go into the account and move money out of their account. I'm talking about the banking fraud situation. That's a classic fraud; it’s known as accounting over fraud. However, in scams, the customers are being tricked to move money to the bad guys. They're the ones that go into their bank account and move the money out, or they're the ones that do a Zelle payment to criminals and things like that.
The person that is moving the money is the scam victim. The whole thing is if it's fraud, you're trying to protect the account. If it's a scam, the account is going through an authorized payment now. You're not trying to protect that, you're trying to say, “But is it a scam? Will the customer regret it later on?” That's essentially the main difference. Fraud is unauthorized and scams is an authorized payment that the customer is doing, but they don't realize that that's a scam. It's not going to be a good thing that they move the money.
Fraud is unauthorized and scams is an authorized payment that the customer is doing, but they don't realize that that's a scam. -Uri Rivner Share on XWhen did you start seeing it going from fraud to scam?
Chris, that's a fascinating question. Let me give you a little bit of a history. I think the best way to look at it is the UK market. I was working with a lot of the UK banks. I was working with a small startup called Sayota that provided anti-phishing services and transaction monitoring focused on online fraud and things like that when they were really being hit by phishing attacks. I'm talking about 2003-2004.
These are major banks. For a bank to be hit by the phishing attack at those times, this was a massive incident. They really didn't know how to cope with those things, because their customers all of a sudden started to give away their passwords. Then someone would go in with the password and just move money from the customer's account. That was a classic type of fraud. This is when online banking fraud started to surge. Then the banks in the UK said, “OK, enough is enough. We're going to do strong authentication.”
By 2007, all of the banks in the UK moved to something called strong authentication. What is strong authentication? Hey, no passwords. You want to log in, there's going to be a very complex device. It's a smart card that you put into a device. Sometimes you have to type something, then you get the one-time code, and you enter the one. It's a very, very complex thing either for login or for payments. This would kill all of the fraud.
In 2008, the UK market moved to something called faster payment. We have to understand that fraudsters really like fast money. This is their sweet spot. The faster it is, the more they like it. Back then in the UK, you could move money within a day, within a few days, et cetera. But no, 2008, the entire country moves into faster payment, meaning that you move money instantly between banks and very, very high limits.
The bank said, “Look, we need to do something.” This is why they did this strong authentication. Indeed, in 2007, you see the fraud beginning to drop. In 2008, it skyrocketed because the criminals from all over the world flocked into the UK because of faster payment and started to hit the UK market. Phishing was something that they were doing, but then they started using Trojans.
Within three years, fraud tripled compared to the period before a strong authentication. Strong authentication did not stop the fraud. Nothing that the bank would do that the criminals could see did stop the fraud. These were all invisible lines of defense, things that were happening behind the scenes, looking at the device of the customer, looking at the location of the customer, trying to find out whether there is some malware in the middle between the customer and the bank, things like that.
These were the effective controls. By the year 2015, it was more or less under control. The banks in the UK had a lot of fraud defenses. Then something shifted a little bit because criminals started to use remote access. Remote access is interesting, because you can get remote access either as part of malware that the customer is just infected, or their computer is actually infected with malware, which includes remote access. Once you have that capability, it means that you can connect into the customer's computer and then do the fraud from their computer, so the bank sees a trusted device. Remote access can also happen on your mobile phone.
Another way of doing this is to trick people to install remote access. This is not a scam in the sense that it's still an unauthorized payment, but lines are beginning to blur. I wanted to tell you about something that happened in around 2015 or 2016, which edges towards a scam like a full-scale scam, but it's still defined as fraud. I'll explain the situation.
I was at BioCatch at the time. We were working with a bank in the UK. The UK has one of these banks where the queen manages her money, the royal family. In order to become a member, you need to deposit £1 million. It's that sort of thing. Think about high-net individuals.
One of them received a phone call from the bank because we detected something weird going on in their account. They said, “Yeah, I know, you called me an hour ago. You told me that there is something wrong in my account. You told me to give you my computer so you can fix it or something. I said, ‘Guys, I'm not going to do that.’ Then you said, ‘All right, so we can help you do it online.’ I said, ‘Look, I'm […] years old. I don't understand much about computers and things like that.’ You guys said, ‘No, don't worry. It's going to be fine. We're going to help you understand what to do. You know Google?’ I said, ‘Sure, I know Google.’ ‘OK. Google TeamViewer. Just google TeamViewer.’ ‘OK, I googled TeamViewer, and I found this application called TeamViewer, which allows you to help me remotely. I downloaded that TeamViewer, and then I installed TeamViewer, and then you told me how to set it up. It was very complex. I was on the phone for 30 minutes. At the end of the day, you were very successful. You helped me understand what was going on.’”
“‘I gave you a way to help me remotely and check my computer.’ Then you said, ‘Look, you've been so helpful. You can go away. We'll do some checks in your account.’ That was 30 minutes ago. You're calling again, but you're not the same people, so I'm a little bit confused. I don't understand what's going on.”
Behavioral biometrics is monitoring the way you log in. How do you move the mouse? How do you type your password? Things like that. You paste your information, or you type your information, that sort of thing. -Uri Rivner Share on XWhat we have to now understand is that he was tricked by criminals to install remote access. What they did was actually ask him after doing all of these to log into his account. Behavioral biometrics is monitoring the way you log in. How do you move the mouse? How do you type your password? Things like that. You paste your information, or you type your information, that sort of thing. That's the level of understanding that a bank has when they look at your login process.
The thing is that the login was done by the actual customer. Because of the remote access, they said, “Hey, you can go away. We're going to run some tests in your account.” At that point, they started moving money like crazy. Behavioral biometrics detected it because their behavior was different. First of all, the mouse was moving like crazy. It's very erratic.
If you ever had the situation where a help desk is assisting you and you see the cursor moving, it's jumping. This is because of the internet lag. Essentially, this is something behavioral biometrics can detect and say, “This is remote access.” We're actually seeing remote access as you are making payments to a new beneficiary. That's highly incriminating. That was something that was picked up, plus the way they were moving, scrolling, and all of that was very off and not in line with past behavior for that customer.
The bottom line is this was a semi-scam, because the original login was done by the criminal, by the real user. But the payment was done by the criminal, therefore it's still defined as fraud. A year later—I still remember it—in 2016, an amazing case where one of the banks in the UK told us, “Guys, we have something weird that we haven't encountered before.”
One of our customers had a call from her mobile provider, and she was asked to pay a bill, like £60, and she pays with her debit card. Five minutes later, she gets a call from the bank. “Hey, can you explain what this £60 transaction is?” She said, “Yeah, it's my mobile provider.” “No, it's not the mobile provider. We see it goes to this weird account. You should know that your debit card is connected to your bank account number. Unfortunately, we have to move you to a new bank account number. Can you please log in online, and then we'll give you a new bank account number and start moving all of your money to this new bank account now?”
She logs in and then she's being told, “OK, this is your new bank account number, your safe new bank account number, and start sending money to that safe account. But actually, there's a problem because you have too much money in your checking account. How about you move £9000, then we'll tell you everything is fine, and then you can move more money? How about that?” “Fine, let's do it right now.”
That was the first online banking scam known as authorized push payment, or APP fraud, that the bank encountered and I encountered. I said, “Look, it's so much trouble for the criminal to actually do. So much social engineering involved, it will never fly. It will never be a big attack.” By now, it is the number one attack that banks in the UK are suffering from, and I'm talking about probably 70% or 75% percent of their online banking fraud losses are actually not fraud. They are scams.
The customer is moving money either because of this impersonation and scams, which were very popular a few years ago, or other types of scams. It could be Roman scams, it could be other types of scams. The UK is also interesting because of the liability shift in the UK. I'm not sure that we want to talk about it, but the banks really need to reimburse customers unlike in the US, for example. There are some differences between that market and what's going on in the US. Some of that global scamdemic is coming to the US, and we begin to see it as well.
Let's talk about it theoretically here and country unspecific. What are the differences in the way that banks handle fraud versus how they handle the customer being scammed?
OK. It's a huge, huge difference. If you think about scams—by the way, the first question is, I'm the bank, “Do I even care about this? Obviously, it's my customer and all that. Maybe I catch it. I'm going to be nice to the customer, and tell him, ‘Hey, maybe there's a scam.’ But why should I be able to detect it to begin with?”
“It's an authorized payment. The customer is doing this. They come from their trusted device, they come from their trusted location, and they go through all of the authentication. They're initiating the transaction, not the criminal. How do I defend the customers from themselves, basically?” That was the main question that banks were asking themselves when they started to look at those scam situations.
You get into regulation. There is a big difference between fraud and scam in terms of regulation because again, in a scam situation, let's take the US. Right now, banks are not liable. Banks are not supposed to make the customer whole if they're being scammed and move their money. There are a few exceptions, but that's a general rule.
In the UK, come October, 100% of the scams, any type of scam, including Roman scam, investment scams, crypto scams, buying puppies online scam, whatever, the banks have to reimburse customers. This is already a difference between fraud and scams in terms of, “I'm a bank; what should I do?” But in terms of detection, in a fraud situation, someone is now moving the money and it's not the real customer.
You can check, for example, is it coming from the trusted device? Is it coming from a trusted location? What do we know about the behavior of the customer? This is behavioral biometrics, which is the most powerful signal that a bank can deploy for account takeover fraud or the classic type of fraud, because it doesn't look the same.
Maybe you scroll differently, like scrolling up and down might be different. The way you move between the field is different, the way you type numeric data. You normally use the keypad. All of a sudden, you see that someone is using the numpad, which the real customer may not even have a numpad. What is it that is going on here? Or the mouse is different, the motion is different.
If it's a mobile, most people do mobile banking these days. The way you hold it is different. The scroll, the swipe, the tapping, the press size, all of this is different. This is something that banks can do when they try to say, “Hey, something about this is off. This might be a fraud situation.”
Again, all of this goes away when we talk about the scam situation. Really, Chris Parker going to his bank account and moving money because he wants to move money, because he has a friend that is in need, or whatever the social engineering around the scam is, impersonation scams, and things like that. That's the first thing to understand. It's much more difficult for the banks to detect scams.
I want to go back to 2016. I shared this example of the UK bank customer that has been hit by that scam. Initially, we were doing behavioral biometrics. I can tell you that our score, the risk score for that specific transaction, was rubbish. It didn't detect anything, but our data science team started to look at the parameters of that activity. All of a sudden, they detected some interesting things.
For example, remember that the customer was told to wait for several minutes because, “Hey, move £9000; we will check that it's in your safe account, and then we will tell you to move more money.” Who was in front of the online banking? She was doing something very interesting, which most people don't do when they are in front of online banking.
She was wiggling the mouse for five minutes, just moving the mouse randomly on the screen. She was doing that to keep the session live because she was bored, because she didn't have anything else to do, because she was waiting for them to confirm that everything is fine, but that's not a normal reaction. It basically suggests that the user is heavily distracted, so that was a signal.
Another thing was hesitation. You look at the fact that most people click on the submit button and release the finger within 200 milliseconds. She was doing it at about 500-600 milliseconds, which was much slower the average. She was more hesitant. It's a very stressful situation as well. You might find signs of duress.
Another thing that you might find in those sessions is the sign of being guided, especially if you're being guided over the phone. You hold the device and someone tells you, “OK, your new bank account number is 552-35.” “No, just the way.” “OK, 552,” and then you move the device. You can type 552. “OK, what's the next?” “332.” “OK.” You move the device. As you type your new bank account number, meaning that someone is dictating information to you. This is a sign of you being guided.
By the way, another signal is the fact that there is an active call as you move money to a new beneficiary. That's another signal. All of these signals, the banks can now begin to deploy. But back then, when it all started, they had nothing. The industry slowly adapted and tried to ask, “How can we detect the scams?” Behavioral biometrics was one of those ways of doing that.
Another interesting thing is when the bank is suspicious that you are being scammed, they can do an introduction. They can actually present a message. It says, “Chris, we see that you're moving money internationally or just did a new account. Can you tell us a little bit about this? Are you moving it to a friend, a business associate, family? Who are you moving the money to? What's the nature of the activity? Is it investment? Is it crypto-related? What is it?” If you actually answer honestly, the bank might get some clues. Unfortunately, some of the criminals just guide the customer to lie, to just give the bank some answer that is not real. It has some effect in certain cases, but not in other cases.
Generally speaking, it is difficult to detect scams much more than detecting fraud. Let's say that you want to detect 50% of the fraud or the scams. You will have a huge amount of false positives if you try to detect scams because you have signals, you can use them, but it's not as effective. Also, you have some scams.
Think about Roman scams as opposed to impersonation scams. Impersonation scams or other types of scams that try to put you under duress and pressure will have some signals that the bank might be able to observe in your online banking session. When you're in love, and the story is I need to move money, et cetera, and it's not a stressful situation, it's more like, “Yeah, I want to help my friend.” That's different. It's not going to be exactly the same, it's more difficult to detect any kind of long-term scam.
Obviously, if it's like an investment scam, a crypto scam, or if those scams where you just think that you want to invest your money, it's not a stressful situation. It’s actually very exciting. It's very difficult for banks to detect the scams.
It's interesting because you were telling the story about sending money to a friend. I think I've told this story on the podcast before. My wife is from another country. Traditionally, you send money to help relatives once in a while. The primary bank that I was using does not do any international business, they only do domestic business, so we can't do an international wire.
I opened up a new bank account with a bank that does international wires, deposited money, let it season, so to speak, and then went in and transferred out like 80% of the money. Within an hour, I got a phone call from the bank asking almost those exact same questions. “Hey, this is so-and-so from the bank. We noticed you just did a large wire transfer. Can you tell me who you were sending it to, why you were sending, and all that?” Part of me was like, “Oh, this is really annoying that I have to have this conversation.”
The podcast Chris Parker was going, “Oh, this is awesome. This is what every bank should do because if you look at it, every single warning flag was being waved and jumping up and down: brand new account, no activity, all the money's being sent out. It's being sent out overseas, a round number. Everything was reading red flags.”
Exactly. You were a celebration of red flags. Sometimes you don't have as many red flags, but you still want to do something. You have a detection system. You have something that says this might be a scam. Try to engage customers as they do the online transfer. That's one best practice. If they're not responding or if you don't trust their response, yeah, engage them.
Engaging customers is tricky, because a lot of people don't even answer phone calls. If they get a phone call, they're suspicious that they're not saying anything, or the criminal is actually telling them exactly what to tell the bank. Sometimes the bank would know that this is a scam. They'll be 100% sure this is a scam.
For example, they know that the money goes to a mule account, an account that they are pretty sure, because it's based on some repository, is a bad account. It's set up for that purpose of scams. A customer says, “No, no, no, it's a colleague of mine or a business associate.” Sometimes they say something that they're being told what to say, and it's a very difficult conversation because at that point, you are annoyed that the bank is stopping you from doing something that you really, really want, like investing your money, helping a friend, or doing something that you need to do and they're just in the way. That thing is happening.
Customer outreach over the phone is completely inefficient. Some of the banks are beginning to look at digital customer outreach, trying to engage the customer not via the phone, via other like digital communication channels. The response rates are much higher. You can ask more questions. You can gamify the process. It's like a much more easier experience for the customer.
Another thing is you can look at benchmarks. For example, if the customer says, “Yeah, I'm sending it to a friend.” OK, you just sent 80% of your money to a friend. How do other people send money to a friend? How do they behave? What is their age? How much are they moving? Stuff like that. This is an anomaly. It's not the thing that normally happens when you move money to a friend.
When you systematically engage people digitally, it's very helpful because you can then do it more efficiently and get the response quickly. Also, you do it in a structured way because they basically select things, and you collect the information. You can then do benchmarking and say, “Does this make sense? Maybe they were guided to say something.”
I want to say one more thing, which is in the UK, I mentioned this new liability shift. The banks are liable for scams, which again in the US, if you are scammed, good luck. Talk about the bank. There's very, very little protection at the moment, but the banks are trying to stop the scams and just not liable for anything.
In the UK, come October, banks will be liable. The interesting thing about that is that in the UK, 50% of that reimbursement is coming from the beneficiary bank. If you're not moving money to another bank in the UK, let's say it's a new beneficiary, the question is, what does that bank know about that new beneficiary? That's a way to share responsibility at least within the banking community and make sure that when a bank receives money, they also do some monitoring.
That would seem to make sense because the receiving bank should go, “Gosh, this account is just receiving money from all these other wire transfers. That's really unusual for a consumer. Maybe it's normal for business bank account, but it's not normal for a consumer account.” It's an interesting twist on the way to share the liability.
Right. I do want to caution the audience, though. It's still difficult. Actually, if you think about it, it's even more difficult than when you look at the outbound. When you look at the outbound transaction, remember you can look at the device, the location, and their behavior. You can do this interdiction, like asking customers as they move money, “Hey, can you tell me what this is?” Et cetera.
When you receive money into your account, there's nothing. All the bank knows is that you just received a lot of money to your bank account. Now, if it's a new account, that might be more suspicious. These are known as mule accounts; not all of them are new. Some of them are, some of them not. It's very difficult for the receiving bank to actually detect it using some sort of a monitoring process. If you are trying to do it, you will have a lot of false positives, meaning that a lot of the good activity, you describe the good activity. You are moving money to your wallet.
Most of those will be good activities. I'm talking about 99.5%. You look at, I don't know, 100 alerts, almost all of it will be good people, not someone that receives and they were criminal. That's something to understand, and then again, you want to do a very quick outreach to that customer. You want to find out whether it's a good customer and understand what they're doing versus, “Hey, you don't really trust their explanation, so let's do more investigation.” It is going to be difficult for the banks.
The other thing is there is an assumption that banks know their customers. There’s actually a regulation called KYC that says know your customer. The banks are supposed to know your customers. You know what? They don't know the customers anymore. I want to explain why because it's interesting.
If you think about banks, they've been around for centuries, and it was always face to face. You would walk into an establishment, and the banker would recognize you and say, “Hey, Chris, how are you?” What's with your wife and saying that you're now moving internationally or whatever the story, they knew the story because you needed money for that. You didn't do it online. You were just moving money, they would ask you questions, and they will be interested in your life stories.
The other thing is that was actually good for you because they would say, “Oh, we didn't know that you sold your old house. What are you going to do with all of the money? Do you know that we have this great investment account, deposit account, or whatever?” The customer received something from that interaction. It wasn't just one-sided.
The other thing is there is an assumption that banks know their customers. There’s actually a regulation called KYC that says know your customer. The banks are supposed to know your customers. You know what? They don't know the… Share on XIt was a conversation. The bankers would recognize customers and obviously know their customers, but also know their life stories. They know their kids, they know the family, they know where they live, they know everything. That was the way banks handling those things for centuries.
Something happened called digital transformation, meaning that now it's all digital, you have an app, and you tell the bank what to do. You say, “Hey, I want to move money.” That's it. “I don't need to explain myself. Just move my money.” It's no longer a conversation. You don't have an engagement with the customer. It's a service station.
Online banking, mobile banking, it's a service station. It's like an ATM, but providing a digital experience or call center providing a digital experience. The bottom line is because there is no interaction, the banks don't know their customers the way they used to. We actually have some interesting statistics about that. If you're an AML officer or an anti-money laundering officer, you look at that account belonging to a guy called Chris Parker. It’s a weird account because they just set up an account, they moved a lot of money into that account, and then they move the money out. So many red flags.
You don't understand what's going on. It's OK. Let's call the customer or let's do something. Actually, the investigation team never calls the customer. It's not that you talk to the investigation team. What they do is they talk to the branch, if it's a small bank or a call center if it's a bigger bank, but let's say it's a branch.
In Refine, one of the things that we're doing is helping the banks manage all of this: engage customers or engage the branch if there is some sort of information that is being requested. We were monitoring for one of the banks if the AML, the anti-money laundering team was asking about a specific customer, and it went to someone in the branch. Would the branch know the answer, or they will have to contact the customer like in your case?
We actually tracked it, and 12% the branch would know, 88% the branch doesn't know. They don't know why you were doing this. They have to contact you to ask, meaning that the banks no longer know their customers. This is very, very important when you think about scams, because it's difficult to get into the customer's head and understand the intent behind the transaction. Very, very little context that the bank can use, and they don't know the customers the way they used to. The online environment helps the criminals and makes it much more difficult for the bank, because they don't have the same level of understanding of their customers the way they used to.
The online environment helps the criminals and makes it much more difficult for the bank, because they don't have the same level of understanding of their customers the way they used to. - Uri Rivner Share on XQuestion: Once they start becoming liable, is there a fear that we're just not going to open new accounts? I'm being extreme in that and that banks will interact with their customers in a much more unfriendly way. It's not going to be a local banker friendly because their money's on the line now, so they're going to exert their level of control, not what the customer's used to.
It might be, “Hey, you look suspicious. We’re not going to let you open a bank account.” Is there a fear of things going that way or people starting to send money from other platforms and just stay away from the bank altogether?
Yeah. Banks need to have this fine balance between fraud controls, good usability, and not imposing too many limitations. But sometimes the fraud is so intense that you just have to put some limitations in place. I wouldn't say that you try to drive the customer away, but it's certainly not a very neighborly approach like, “Yeah, do whatever you want to inside your account.”
I want to give you the example of Zelle. US has been traditionally this huge economy. It's the biggest economy this side of the Milky Way. It's a big economy. It was never a faster payment market, meaning that you can move money, but it's not instant. I'm talking about big chunks of money.
Until the banks decided, “Hey, we see Venmo, we see a Cash App, we see all of these instant payments between people who want to be part of that. We're banks for God's sake. Let's do it ourselves.” Then they launched Zelle, which is like the major banks own early warning systems, which is operating the Zelle network. By now, most of the banks support Zelle, which is a way to move money, typically limited to $2000-$3000 transactions.
When Zelle was initially launched, and customers started to see that they can do Zelle on their mobile phones and their online banking, the fraud levels were simply horrible because it was a faster payment rail. You can move money instantly. The banks were totally unprepared because the marketing team said, “Hey, we have this great new product; let's market it to everyone.” And then banks started to have a huge amount of fraud.
When I'm talking about fraud, fraud teams talk in terms of basis points. One hundred basis points is 1% of the value of transactions. Most of the banks operate between five basis points, 10 basis points, 15 is pretty high. Twenty, you probably need to do something because it's a little bit off. If it's over 30, probably you want to fire the entire team. They had 700 basis points when they started Zelle. Immediately you say, “Oh, my God. What can we do?” And then you start imposing limitations.
For example, “Oh, you just enrolled to Zelle; you cannot move money for a week,” like a cool-down period, you can move only $500 just to limit the losses, or stuff like that. But when you have something that is so significant, you start doing some of those controls.
In the UK, because of this liability shift, the banks are starting to talk about slowing down payments. The market is faster payment. No, it starts slowing down the payments because we're going to be liable for a lot of losses. You want to balance this. You don't want to be overly aggressive. You want to protect customers, your own bottom line, and not suffer from fraud.
At the same time, you are a bank. You are competing with fintechs. The fintechs are like, “Oh, what do you want to do? Done.” There's absolutely no friction. This is the way for banks to actually do this balancing act.
I want to mention one thing. I mentioned Zelle. This thing happened a few years ago. Right now, Zelle losses are far, far lower and actually are under control. Scams are beginning to happen in Zelle and escalate. There was a big outbreak, specifically around Zelle scams, and the bank started to offer some level of reimbursement for customers around Zelle. Not a complete one, but a chunk of scams. Specific impersonation scams are now being reimbursed, by the way, on the beneficiary bank.
Remember we talked about either outbound or the inbound? In those specific Zelle scams, it's the inbound responsibility, but something bigger is happening than Zelle that I wanted to mention, which is called FedNow.
FedNow is this federal reserve initiative of moving money instantly between banks up to $100,000. If I'm a criminal, I'm just waiting for this to happen. It was officially launched in July. You do have some banks that potentially support it, but not everyone. Out of the big five, you do have two banks that don't support it yet.
I don't want to mention specific names. I'm just saying three banks support it, two banks don't support it. Because of that, you cannot go to Chris Parker and say, “Hey, Chris, hey. You can move money, et cetera. But except if you want to move money to that one because they're not part of that program.” It's going to be very confusing.
At some point, when all of the major banks support that FedNow program, it will become available. Like Zelle became available, it will become available. Your bank will say, “Hey, Chris. Do you want to move $50,000 instantly to Uri? Hey, just push a button.” When this happens, it's going to be interesting. I think at that point, we will see a lot of scams hitting the US.
Scams are the most effective tools that the criminals have. They do need to invest a lot in order for the scam to happen. They invest in social engineering. It's a long-term thing, but it's extremely effective, extremely difficult to detect. If you can move money instantly, these amounts, it's worth it. It's much bigger than anything that happened in the banking sector globally since day one.
Scams are the most effective tools that the criminals have. They do need to invest a lot in order for the scam to happen. They invest in social engineering. It's a long-term thing, but it's extremely effective, extremely difficult… Share on XThe criminals really wait for this to happen, and I'm pretty sure that scams will be a big part of it. Let's not forget one more thing, which is all of the techniques that we talked about so far, you get calls, you get text messages with some information. You get all sorts of other communication channels, but it's not that high tech.
Nowadays, you have deepfake, you have gen AI, you have so many new tools, and the combination of something like FedNow, which is again, the biggest economy on the globe finally doing faster payments at scale, plus scams, plus all of these new tools that the criminals can use. Again, it's going to be interesting to be in fraud team at that point. This is what makes it so exciting for the fraud-fighting community.
With FedNow, is it being branded as FedNow, or are they just going to call it something different? If I go to my bank account, there's an option to send money via Zelle. There'll just be another option to send it via FedNow?
I don't know, because at this point, you don't have a critical mass, meaning that the banks that support it say, “We are ready. If we see a transaction, we will accept it.” What they don't do is put it in online banking and mobile banking and say, “Hey, you can now move money,” because they wait for that critical mass to happen. I don't know after a critical mass occurs, whether it will be branded FedNow, instant payment, or they will find another way to brand it, because FedNow doesn't seem to be very customer-centric.
Nobody wants a federal government knowing what's going on with the money.
Yeah. You could say that Zelle is like a fast animal. It reminds me of Zelle. Yeah, you're right. Not sure it's going to be FedNow, it might be something else.
From a consumer perspective, what would be the advice to give to customers as FedNow starts to roll out? What should they be watching for? This is a little bit of prognostication forecasting. What should they be watching out for, specifically for FedNow?
I don't think that there's any specifics to protecting yourself against scams other than just common sense. Be careful specifically about basically two types of situations, where someone is trying to stress you into doing something very fast.
Remember, it could be your family that is calling you and saying, “Oh, Chris. We need right now to move money. Don't ask; it's a crazy thing. I need you to move.” It's going to be the voice that you recognize. The reason is that they have recording of that from social network, and they use deepfake to do that. That would be an example.
My point is that there's nothing specific to FedNow. These are scams. FedNow is just a way for the criminals to hit big. That's the only thing. From a private customer's consideration, it's the same thing as any other type of scams.
Are there situations where there's a lot of pressure for you to do something related to moving money? That's one red flag. Or those long-term things where you begin some relationship. It could be romantic, it could be financial, or it could be anything, but it's someone that you don't know to begin with. Right. It's a matter of trust. At some point, you begin to trust them. The comments are extremely good at gaining that trust.
Chris, you tell me, what should people do in those situations? You've been talking to the entire world around this. One thing that I did come across, there is a startup that has some resources that if you are a little bit suspicious, you can try to consult with that and see maybe the text message or the email that you received is actually a scam, or things like that.
Another thing, which people are beginning to talk about, is when money is moved from the bank account, this is the end of a very long chain that typically starts online in some platform. What is the responsibility of those platforms? What is the responsibility of your telco that sent you that text message, that initiated the whole thing? Can they understand that this is bad? Can the social media platforms understand that this is bad? How about those sponsored ads that you click?
You don't know, but actually you think you're in a certain website. No, it's actually a sponsored ad. All of the big platforms—Google, et cetera—the way they do it is it looks so much like the real thing. That's where they get the revenue from. They make it a natural part of the engagement that you don't even notice that you clicked on the wrong thing. It’s an ad that you didn't really notice. It's an ad or things like that.
The bottom line is a lot of people can protect the customers. It could be the social media, it could be the telcos, the banks, if they have liability, will start to care about this much more. They already care, by the way. The banks really want to stop those scams, even if they're not liable.
A lot of the fraud teams, the big mission that they have right now, because then it's also a matter of trust, reputation, and trust in digital banking, so they have an interest in any case to help even if they're not liable. But at the end of the day, there's always the question about, can customers protect themselves from this thing?
I've seen so many examples of scams. You've seen so many examples. You've talked to so many people. It's an ever-changing battle. It's so difficult to educate people that this is wrong, this is wrong, don't do this, and don't do that. I like an easy answer. It's not that FedNow or any of those new types of payments have something special. It's just that's something that you need to be mindful of that scams exist. Maybe you can detect it on your own.
That's always going to be the challenge. If we were to say, “Well, if you just see this, this, and this,” well, then the scammers aren't going to do this, this, and this. They'll switch it over to that, that, and that. The checkmark approach goes away, unfortunately.
I think everybody has to take more responsibility. The phone companies that know that the caller ID is being forged, the calls originating from outside the United States, claiming to be inside the United States. OK, maybe the phone company should be not accepting that call through their network and things like that.
Right. I've seen at least one example where I received the scam text message. I recognize it as a scam text message. Immediately afterwards, I got another one from the telco saying, “Hey, the prior message, you may not want to trust it.” This is great because it means that someone takes responsibility.
Scams can happen to anyone. Scams are changing all the time. They leverage the basic human nature. -Uri Rivner Share on XScams can happen to anyone. Scams are changing all the time. They leverage the basic human nature. I think that banks are doing a lot in order to defend the customers. Even if the customer gets hit by a scam, the banks want to fight for that customer, they are deploying a lot of cool technology, operations, and things like that. But, you’re right, it's not just the banks that need to do something here, it's everyone. Scams will be with us forever, probably, and continue to shift and morph.
Exactly. Uri, if people want to be able to find you online, where can they find you?
LinkedIn. The best way is Uri Rivner at LinkedIn. Happy to connect with people, exchange experiences. Let's fight those scams together.
Awesome. Thank you so much for coming on the podcast today.
All right. Thanks, Chris.
Leave a Reply