Regulators Should Exert Enough Pressure to Protect Consumers

20 July 2024

Key trends in fraud follow the money. Fraudsters concentrate on the areas where they can make the highest profit for the least effort. The digitization of payments naturally steers them towards schemes that target weak points in processes, the most common and most painful being Account Takeover (ATO), Authorized Push Payment (APP) fraud, of which "pig butchering" investment scams are one prominent variant, and cyber fraud that usually starts with malware infecting the end device.

These are the topics Goran Angelov, founder and CEO of IBS Bulgaria and member of the Advisory Board, discusses on DIGIPAY's blog.

The European Payments Council (EPC) compiles statistics on the prevalent threats every year. Our region shows no significant differences: fraudsters exploit the same processes and the same system weaknesses.

Characteristically, the weakest link today is the consumer, and fraudsters routinely rely on social engineering as part of the scheme.

The Most Current Threats for 2023:

Remote support scam: Combined with social engineering, this technique tricks customers into calling fake phone numbers that appear in search results as the bank's customer-support number. When the customer calls, a fake representative answers as a support engineer and persuades the customer to install a remote-support tool or to enter a code on a purpose-built phishing site.

New forms of smishing: Criminals use web tools to send SMS, Viber or other messaging-platform messages in bulk. The bank's name is placed in the message text or, where the platform allows it, as the sender ID, so spoofing the bank's genuine sender number is no longer even necessary. SMS phishing in which the client's real name appears in the text, to gain trust, has also been observed.

Various forms of smishing lead customers to cloned copies of the bank's website that harvest identification data. The attack can be combined with fake support calls from the fraudsters, who walk the victim through operations that end with the bank's two-factor authentication being fully activated on the fraudster's device.

Safe account scam: Using classic social engineering, fraudsters convince customers that their account is at risk and that they must approve a transfer to a "safe" account, which is in fact controlled by the fraudster.

Fraud through fake auction or e-commerce sites: A simple modus operandi in which the victim pays by credit transfer for goods advertised on a fake auction or e-commerce site.

The goods are of course never delivered, and the money is quickly withdrawn as cash with debit cards or moved on by accomplices located on other continents.

Malware, in particular "banking trojans" on mobile devices. New features include remote control of the infected device, interception of SMS and real-time replacement of the payment beneficiary; remote access (RAT) sessions; reliance on native Android code; and distribution directly through the Google Play Store, where the initially published app is legitimate and the malware arrives in a later update, evading Google's detection techniques.

Malware posing as SMS manager apps on mobile devices, set up with access to incoming messages and therefore to the two-factor authentication codes delivered by SMS.

Interception of credit-card renewal letters: The card is swapped for a fake one, and the letter carries instructions for activation by phone that ask the victim to provide the card number and PIN.

Interception of B2B correspondence and account substitution: After compromising the real beneficiary's e-mail system, the fraudster inserts themselves as the payment beneficiary, using social engineering to have the genuine account number replaced with their own.

Most schemes aim either to take over the user's account or to redirect large payments to accounts controlled by the fraudsters. Card fraud is changing significantly: the card is now often just a means of extracting funds, emptying the account or credit limit through top-ups of various wallet applications, ATM withdrawals, or purchases of goods and/or crypto assets.

Financial institutions are under continuous pressure to establish adequate monitoring and fraud prevention measures. Unfortunately, this process is too slow and always a step or two behind the fraudsters, Angelov comments. My personal opinion is that regulators do not exert enough pressure to protect consumers, he adds.

A simple example of this lack of regulatory control is the widespread absence of end-device monitoring tools and malware checks in online and mobile banking.

This is something that can easily be verified and audited, and it is an imperative requirement of the PSD2 directive, which has also been transposed in our country.

There are many things a financial institution can do to better protect its customers, but we must realize that fraudsters mainly exploit the weaknesses of consumers: fear, the desire to help and, above all, greed for easy profit. If any of us notices that we are being manipulated through one of these three factors, especially when an element of urgency is added, we should immediately assume that we have encountered a scam.

Financial institutions often neglect such risks, not because they fail to identify them, but because they seek a balance: they do not want to disrupt the user experience, annoy the customer and lose them.

On the other hand, there are measures that banks and payment operators can apply to improve their services without risking the user experience.

Some of our clients take advantage of intelligent system capabilities and interactive communication with the customer, Angelov shares. Notifications and messages are sent, the feedback is consumed and an adequate decision is made; analysis is carried out across channels (you used mobile banking in a certain country, so there is no reason to stop your card payment there); the customer is engaged in conversation through a chat-bot (an "intelligent assistant", as they prefer to call it) and the entire conversation is consumed (generative AI is very helpful here).

Not only do these measures increase security and customer trust, but they also significantly reduce the load on the financial institution's call center.

Why are we in such a position?

According to FATF monitoring, Bulgaria must do more against money laundering, terrorist financing and the financing of weapons proliferation

As far as I know, there are no legal obstacles to implementing measures against money laundering or any other financial crime, Angelov replies. On the contrary: the laws are in place, and in many cases their violation can lead not only to significant fines and sanctions but also to the revocation of the financial institution's license. The EU continuously strengthens this legislation, but it is the role of local regulators to ensure it is applied thoroughly.

The FATF assessment is extremely negative precisely with regard to regulation. The respective authorities should take adequate measures, because this assessment inevitably affects every Bulgarian financial institution and thus every customer. We are all affected by the neglect of these laws.

Serious attention should also be paid to compliance with all sanctions regimes, especially in light of the military conflict between Russia and Ukraine. Too many interested parties with solid capabilities are looking for mechanisms to circumvent sanctions, and becoming part of such a chain, even when misled, can be fatal for a financial institution. The process is far from simple and requires thorough analysis, a systematic approach and appropriate organization within each financial institution to ensure it has not become part of such a scheme.

The mass introduction of instant payments is a huge challenge both for transaction fraud and for compliance with the rules on financial crime and on sanctioned individuals and organizations.

Reengineering and the implementation of new technologies are required to help financial institutions respond to threats in real-time, Angelov further comments.

Instant schemes are exposed to the same threats and fraud methods. There are, however, specific characteristics: the transaction is much faster than in the standard scheme. The payer's account is debited immediately and the funds are immediately available in the beneficiary's account. Execution takes seconds (up to 10 by regulation), which brings the following consequences and challenges:

  • At the initiation and authentication stage, the social-engineering and malware techniques are the same as for standard payments, but initiation is immediately followed by execution, and the fraudulently obtained funds are instantly available for cash withdrawal or physical purchases.
  • Transactions to and from "money mules" turn over much faster, so this monetization channel is expected to be used more intensively with instant schemes.
  • At the execution stage, fraud detection and transaction blocking must run in real time, which is a challenge for many older monitoring and prevention systems.

Instant transactions must be processed continuously, 24/7, so there is no batch-processing window in which to run the financial-crime checks (AML/sanctions) that are today the standard business process in most financial institutions. This requires a complete overhaul of the systems and processes responsible for these functions if the institution wants to remain compliant.
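As an added illustration, not code from IBS Bulgaria, DIGIPAY or any system described in the article, the following Python sketch shows what moving the AML/sanctions checks out of the batch window and into the payment path looks like in practice: a beneficiary-name screen against a watchlist, the mule-account heuristics from the bullet list above, and a hard time budget in which any check that does not finish results in a hold rather than a release. The watchlist entries, account profiles, thresholds and helper names (normalize_name, sanctions_match, mule_indicators, screen_instant) are all constructed for the example.

```python
import re
import time
import unicodedata
from datetime import datetime, timedelta, timezone

# Constructed watchlist for this example only; real screening runs against the
# consolidated EU/UN/OFAC lists and adds fuzzy matching on top of this.
WATCHLIST = ["Alfa Export ZAO", "Petrov, Ivan"]
LEGAL_FORMS = {"ZAO", "OOO", "LTD", "LLC", "GMBH", "SA", "EOOD", "OOD", "AD"}

def normalize_name(name):
    """Fold diacritics and case, drop punctuation and legal-form suffixes,
    and return the tokens as a set so word order does not matter."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^A-Za-z0-9]+", " ", plain).upper().split()
    return frozenset(t for t in tokens if t not in LEGAL_FORMS)

WATCH_TOKENS = [normalize_name(entry) for entry in WATCHLIST]

def sanctions_match(name):
    """Hit when every significant token of a list entry occurs in the name."""
    tokens = normalize_name(name)
    return any(entry and entry <= tokens for entry in WATCH_TOKENS)

def mule_indicators(profile, now):
    """Pass-through ('money mule') heuristics on the beneficiary account.
    profile = {"opened_at": datetime, "credits_24h": [(at, amount)], "debits_24h": [(at, amount)]}.
    Thresholds are illustrative, not tuned values."""
    flags = []
    if now - profile["opened_at"] < timedelta(days=30):
        flags.append("account_younger_than_30d")
    if sum(1 for at, _ in profile["credits_24h"] if at >= now - timedelta(hours=1)) >= 5:
        flags.append("credit_burst_last_hour")
    inflow = sum(amount for _, amount in profile["credits_24h"])
    outflow = sum(amount for _, amount in profile["debits_24h"])
    if inflow > 0 and outflow / inflow >= 0.9:
        flags.append("pass_through_ratio")
    return flags

def screen_instant(ref, creditor_name, profile, received_at, budget_s=3.0, clock=time.monotonic):
    """Run every check inside a fixed time budget. The scheme allows about ten
    seconds end to end and screening gets only a slice of it, so a check that
    has not finished in time yields HOLD, never a silent release."""
    start = clock()
    reasons = []
    checks = [
        ("sanctions", lambda: ["sanctions_match"] if sanctions_match(creditor_name) else []),
        ("mule", lambda: mule_indicators(profile, received_at)),
    ]
    for name, run in checks:
        if clock() - start > budget_s:
            return {"ref": ref, "decision": "HOLD", "reasons": reasons + ["timeout_before_" + name]}
        reasons.extend(run())
    if "sanctions_match" in reasons:
        decision = "BLOCK"      # list hit: freeze the funds and escalate
    elif len(reasons) >= 2:
        decision = "HOLD"       # enough mule signals for analyst review
    else:
        decision = "RELEASE"
    return {"ref": ref, "decision": decision, "reasons": reasons}

NOW = datetime(2024, 7, 20, 12, 0, tzinfo=timezone.utc)

# Constructed profiles: a ten-day-old account that took six credits in the last
# hour and has paid 1100 of the 1200 received onward, and a long-standing quiet one.
MULE_PROFILE = {
    "opened_at": NOW - timedelta(days=10),
    "credits_24h": [(NOW - timedelta(minutes=5 * i), 200.0) for i in range(1, 7)],
    "debits_24h": [(NOW - timedelta(minutes=2), 1100.0)],
}
CLEAN_PROFILE = {
    "opened_at": NOW - timedelta(days=5 * 365),
    "credits_24h": [(NOW - timedelta(hours=6), 300.0)],
    "debits_24h": [],
}

def demo():
    """Screen four constructed transfers; the last uses a fake clock whose
    readings exhaust the budget after the first check."""
    slow_clock = iter([0.0, 0.5, 4.0]).__next__
    return {
        "clean": screen_instant("T1", "Maria Ivanova", CLEAN_PROFILE, NOW),
        "mule": screen_instant("T2", "Georgi Dimitrov", MULE_PROFILE, NOW),
        "listed": screen_instant("T3", "ZAO ALFA-EXPORT", CLEAN_PROFILE, NOW),
        "slow": screen_instant("T4", "Maria Ivanova", CLEAN_PROFILE, NOW, clock=slow_clock),
    }

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The point of the sketch is the shape of the pipeline rather than the rules themselves: the beneficiary profile has to be available at the moment the payment arrives instead of being assembled overnight, every check runs against a budget derived from the scheme's ten-second limit, and exhausting that budget fails closed. A production engine would replace the token-subset match with proper fuzzy matching and tune the mule thresholds on real data.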

On the topic of PSD2, I think we are all awaiting PSR1, which should be adopted next year.

The new regulation addresses many of the shortcomings of the current directive and will avoid local interpretation by member states.

PSR1 is expected to be an evolution of PSD2 and to develop the guidelines for Open Banking towards Open Finance, further strengthening the regulatory foundations in the field and introducing common standards for the entire European Union. The EU is a leading example worldwide for a regulated approach to the development of payment systems and the financial industry.

How will other European regulations such as DORA, the adoption of the digital wallet and the first artificial-intelligence legislation impact the market?

At this stage, I do not expect regulations such as DORA or the AI restrictions to impact the market, Angelov comments. These are frameworks that everyone simply has to comply with. The EU digital wallet, on the other hand, is an excellent opportunity for many digital services to reach the mass consumer in a unified way. In future it can be a good basis for quality service to every EU citizen, helping to build the community we should be.

DIGIPAY 2024 All rights reserved