Regulators need to exert sufficient pressure to protect consumers

Key fraud trends often follow the money, with fraudsters concentrating their efforts on areas where they can maximize profit with minimal effort. The digitization of payments naturally steers fraudsters towards schemes that exploit weak points in processes. Among the most common and damaging are Account Takeover (ATO), Authorized Push Payments (APP, now known as pig butchering), and cyber fraud, often resulting from malware infecting end devices. 

These are the most significant financial fraud trends, according to Goran Angelov, Founder and CEO of IBS Bulgaria and Advisory Board Member of DIGI PAY 2024, who shared them with DIGI PAY BLOG.

The European Payments Council compiles statistics on the prevailing threats every year. In our region there are no significant differences: fraudsters take advantage of the same processes and the same weaknesses in the systems.

Characteristically, nowadays, the weakest link is the consumer, and fraudsters most often resort to social engineering as part of their fraud schemes.

If we were to list the most current threats for 2023, here is a sample list:

Remote support scam: This technique combines social engineering to trick customers into calling fake phone numbers found in web searches, such as bank customer support numbers. When the customer calls this number, a fake employee poses as a support engineer and convinces the customer to install a remote support tool or enter a code into a specially created phishing site. 

New forms of smishing: Criminals use web tools to send bulk SMS, Viber messages, or other communication platforms. The texts may include the bank's name to enhance credibility. Phishing via SMS has also been observed, where the customer's real name appears in the text to gain trust. 

Various forms of smishing can lead customers to websites that clone the bank's website to collect credentials. This attack may be combined with fake support phone calls from fraudsters directing victims to operations that result in the activation of two-factor authentication on the fraudster's device.

"Safe Account" scam: Using classic social engineering methods, fraudsters convince customers that their account is at risk and they must approve the transfer of money to a "safe" account that is actually under the fraudster's control.

Fraud through fake auctions or e-commerce sites: Criminals advertise goods on fake auction or e-commerce sites and receive payment by credit transfer. The goods are, of course, never delivered, and the received money is quickly withdrawn as cash using debit cards or transferred onward by accomplices located on other continents.

Malware, such as banking Trojans, especially on mobile devices: New features include remote control of the infected device, SMS interception, real-time replacement of the payment beneficiary, and remote access tools (RATs) relying on native Android code, or malware hidden directly in the Google Play Store. Malware may also be delivered as malicious SMS manager apps to mobile devices, configured with access to the two-factor authentication codes.

Interception of credit card renewal letters: The card is replaced with a fake card, and the letter contains instructions to activate the card by phone, asking the victim to provide the card number and PIN code.

Interception of B2B correspondence and account replacement: The fraudster impersonates the beneficiary of the payment after compromising the email system of the real beneficiary and, through social engineering, replaces the actual account with his own.

Most schemes aim either to hijack the user's account or to divert large payments to the fraudsters' accounts. The most significant changes are in card transaction fraud, where the card is often simply used as a means of extracting financial assets, emptying the account or the credit limit through transactions to various wallet applications, ATM withdrawals, or purchases of goods and/or crypto assets.

Financial institutions are under constant pressure to establish adequate monitoring and fraud prevention measures. Unfortunately, this process is too slow and is always one or two steps behind the scammers. My personal opinion is that regulators are not applying enough pressure to protect consumers, stressed Angelov.

A prime example of this lack of regulatory control is the widespread absence of end-device monitoring and malware scanning tools in internet and mobile banking. This is something that is easily verified and audited, and it is an imperative requirement of the PSD2 directive, which has also been transposed in our country.

There are many things a financial institution can do to better protect its customers, but we must realize that fraudsters primarily exploit the weaknesses of the consumers themselves: fear, the desire to help, and above all greed for easy profits. Each of us, upon recognizing that we are being manipulated through any of these three factors, especially if an element of urgency is added, should immediately assume that we have run into a fraud scheme.

Financial institutions often overlook such risks. Not because they don't identify them, but because they are looking for a balance: not to disrupt the user experience, not to annoy and lose the customer.

On the other hand, there are measures that banks and payment operators can implement to improve their services without risking the user experience.

Some of our customers take advantage of the intelligent capabilities of these systems for interactive communication with the customer: notifications and messages are sent, the feedback is consumed and an adequate decision is made; analysis is performed across channels (if you used mobile banking in a certain country, there is no reason to stop your card payment there); the customer is engaged in a conversation through a chatbot ("intelligent assistant", as they prefer to call them) and the entire conversation is consumed (generative AI helps a lot in this case).

Not only do these measures increase customer security and confidence, but they also significantly reduce the burden on the financial institution's call center.

According to FATF monitoring, Bulgaria should fight to counter money laundering, terrorist financing and weapons proliferation, but this is not

At least I don't know of any legal obstacles to implementing measures against money laundering or any other financial crime. On the contrary: the laws are in place and in many cases their violation can lead not only to significant fines and sanctions, but also to the revocation of the financial institution's license. The EU is constantly strengthening this legislation, but it is the role of local regulators to ensure that it is implemented in depth.

FATF's assessment is extremely negative precisely with regard to regulation. The relevant authorities should take adequate measures, because this assessment inevitably affects every Bulgarian financial institution, and hence every client. We have all suffered from the neglect of these laws.

Compliance with all sanctions regimes should also be taken seriously, especially in light of the military conflict between Russia and Ukraine. There are too many stakeholders with solid capabilities to seek mechanisms to circumvent sanctions, and this can be fatal for the financial institution that has become part of the chain, even if it has been misled. The process is not at all simple and requires thorough analysis, a systematic approach and the appropriate organization by each financial institution to ensure that it has not become part of such a scheme.

The mass adoption of instant payments is a huge challenge both for transactional fraud and for compliance with financial crime regulations and the screening of sanctioned individuals and organizations.

Reengineering and implementation of new technologies is required to help financial institutions respond in real time to threats.

Instant schemes are subject to the same threats and means of fraud. However, there are specific features here: the transaction is much faster than in the standard scheme. The originator's account is immediately debited and the funds are immediately credited to the beneficiary's account. It takes seconds (up to 10 by regulation), and therefore the following consequences or challenges can occur:

  • In the initiation and authentication stage, fraud techniques based on social engineering and malware are performed in the same way as in a standard payment, but initiation is immediately followed by execution, and the fraudulently obtained funds are instantly available for withdrawal or for digital or physical purchases.
  • The overall speed of transactions to/from "money mules" is much higher, so this type of monetization channel is expected to be used more intensively with instant schemes.
  • In the execution stage, fraud detection and the blocking of transactions need to be performed in real time, which is a challenge for many of the older monitoring and prevention systems.


Instant transactions must be processed continuously, 24/7, which makes it impossible to use a batch processing window to perform financial crime (AML/sanctions) checks, an ongoing business process in most financial institutions. This necessitates a complete overhaul of the systems and processes responsible for these functions if the financial institution is to remain in compliance with regulatory requirements.
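As an added illustration (not code from the interview, IBS Bulgaria or any real scheme), the Python sketch below scores an instant credit transfer in memory, within the payment's time budget, by combining the cross-channel consistency check mentioned earlier, a first-time-beneficiary rule for the "safe account" pattern, and a money-mule velocity signal. All field names, thresholds and weights are assumptions, and the sample transfers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: in-memory, rule-based scoring of an instant credit transfer.
# Field names, thresholds and weights are illustrative assumptions only.

@dataclass
class Transfer:
    originator: str
    beneficiary: str      # beneficiary account (IBAN)
    amount: float
    country: str          # country inferred from the initiating session
    at: datetime

@dataclass
class Context:
    known_beneficiaries: set    # accounts this originator has paid before
    session_countries: dict     # country -> time of the last mobile-banking login
    first_time_inbound: dict    # beneficiary -> times of first-time inbound transfers

def score_transfer(t: Transfer, ctx: Context):
    # Returns (decision, score, reasons); no I/O, so it fits inside the instant SLA.
    score, reasons = 0, []
    # Rule 1: first payment to an unknown account above a threshold (APP / "safe account")
    if t.beneficiary not in ctx.known_beneficiaries and t.amount >= 1000:
        score += 40; reasons.append("new beneficiary, large amount")
    # Rule 2: cross-channel consistency: a recent mobile-banking session from the
    # same country supports the payment; no such session counts against it
    last_login = ctx.session_countries.get(t.country)
    if last_login is not None and t.at - last_login <= timedelta(hours=24):
        score -= 10; reasons.append("matches recent session country")
    else:
        score += 25; reasons.append("no recent session from transfer country")
    # Rule 3: mule indicator: several first-time inbound transfers to the beneficiary within an hour
    recent = [ts for ts in ctx.first_time_inbound.get(t.beneficiary, []) if t.at - ts <= timedelta(hours=1)]
    if len(recent) >= 3:
        score += 35; reasons.append("beneficiary shows money-mule velocity")
    decision = "ALLOW" if score < 30 else "STEP_UP" if score < 60 else "HOLD"
    return decision, score, reasons

def demo():
    # Constructed context and transfers; returns the three decisions.
    now = datetime(2024, 5, 1, 12, 0)
    ctx = Context(
        known_beneficiaries={"BG00KNOWN"},
        session_countries={"BG": now - timedelta(hours=1)},
        first_time_inbound={"RO00MULE": [now - timedelta(minutes=m) for m in (5, 20, 40, 55)]},
    )
    routine = Transfer("alice", "BG00KNOWN", 50.0, "BG", now)        # expected ALLOW
    suspicious = Transfer("alice", "RO00MULE", 5000.0, "RO", now)    # expected HOLD
    borderline = Transfer("alice", "BG00NEW", 2000.0, "BG", now)     # expected STEP_UP
    return [score_transfer(x, ctx)[0] for x in (routine, suspicious, borderline)]
```

A "HOLD" would typically route the payment to a human analyst or a customer confirmation before the funds are released, which is exactly the step the batch-oriented systems described above cannot perform in time.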

On the subject of PSD2, I think we are all waiting for PSR1, which should be adopted next year.

The new regulation addresses many of the shortcomings of the current directive and will avoid local interpretation by member states.

PSR1 is rightly expected to be an evolution of PSD2 and to develop the guidelines from Open Banking to Open Finance, further strengthening the regulatory foundations in the field and introducing common standards across the European Union. The EU is a leading example worldwide for a regulated approach to the development of payment systems and the financial industry.

How will other European regulations such as DORA, the adoption of the EU digital wallet, and the first piece of AI legislation change the market?

At this stage, I don't expect regulation like DORA or AI restrictions to affect the market, commented Angelov. These are frameworks that everyone simply has to comply with. The EU's single digital wallet, on the other hand, is an excellent opportunity for multiple digital services to reach the mass consumer in a unified way. This could be a good basis in the future for a quality service for every EU citizen, helping to build us into the community we should be, Goran Angelov told DIGI PAY BLOG.