By Alex West, Leader, UK Banking Fraud, PwC
On the one hand, fraud statistics paint a gloomy picture. Headline rates of fraud are rising across global economies. Fraud rates in the United Kingdom have increased by as much as 25 percent in the period since 2020, with fraud now accounting for 41 percent of all reported crimes. UK Finance’s data shows that fraudsters stole as much as £1.4 billion in 2022. Data released by the US Federal Trade Commission (FTC) demonstrates the rapid acceleration in fraud reported by US consumers, with loss rates up by 70 percent between 2021 and 2022. A 2023 Australian Competition and Consumer Commission (ACCC) report indicates that Australians lost at least AUS$3.1 billion in 2022. PwC’s 2022 Global Economic Crime and Fraud Survey suggests that nearly 50 percent of companies globally experienced fraud in the preceding 24 months. None of these statistics include what were likely significant lending fraud losses, insurance fraud rates or public-sector fraud.
On the other hand, looking at the levels of different types of reported fraud over time shows a more positive trend. Using the UK as an example, while levels of overall reported losses are painfully high, certain individual types of fraud are in decline. Unauthorised card fraud, once the predominant fraud type suffered by the payments industry, has declined every year since 2018, with the declining trajectory being all the more notable when the numbers are adjusted for inflation. Certain sub-types of card fraud have dropped steeply—losses arising from counterfeit-card use and card identity (ID) theft have dropped by double-digit percentages every year since 2018 in the UK. The same trend is evident in data published by the European Central Bank (ECB). While card fraud increased in absolute and relative terms for the first half of the last decade, there has been a significant relative improvement in more recent years as the proportion of fraudulent transactions has declined.
Innovation has been the key driver in reducing card fraud. Increasingly sophisticated monitoring and real-time blocking of suspect transactions, in combination with the adoption of EMV (Europay, Mastercard, and Visa) chip technology and Strong Customer Authentication (SCA) requirements on e-commerce websites, are having measurable impacts on fraud rates, the prevalence of counterfeit cards and fraudulent card-not-present (CNP) transactions, respectively. Card tokenisation and geo-blocking are also contributing to the declining card-fraud rates. The battle is by no means won, and fraud-loss rates remain very high, but the direction of travel is positive, demonstrating the power of sustained focus and investment in evolving fraud countermeasures.
The vast majority of the overall increase in reported fraud in recent years has been driven by the dramatic rise in authorised fraud, through which scammers trick businesses and/or consumers into authorising payments to accounts under the fraudsters’ control. Right now, as a global society, we are on the back foot in tackling this kind of threat, but success in reducing card fraud should give us hope that we can regain the initiative and ultimately reduce authorised-fraud rates. And as a society, it is a type of fraud that we must tackle; behind the numbers are traumatised victims and individuals who have lost life-changing sums of money. In all probability, everyone reading this article will either know someone who has been a victim or will themselves have been scammed at one time or another.
There are myriad factors contributing to the rise of authorised frauds and scams. We increasingly live digital lives in which personal information is more easily found online, which can be used to tailor ever more sophisticated scam messages and social-engineering techniques. The proliferation of communication platforms and online meeting places has created new routes for fraudsters to access potential victims, with regulators having limited ability to curtail the fraudulent use of platforms that operate outside of their purviews.
Organised crime groups have embraced fraud as a lucrative and low-risk form of crime, industrialising the production of scams and playing a numbers game in which only a small percentage of targets must be duped to make payments. Law enforcement globally has struggled to tackle this increasingly complex and cross-border crime, with fraud prosecutions being extremely low compared to the prevalence of this crime in our society.
The cost-of-living crisis is putting pressure on personal and business finances, and it is inevitable that more businesses and individuals will be incentivised or pressured into perpetrating fraud. There are already worrying statistics about the growth of money-mule accounts (through which individuals receive and pass on the proceeds of crime), particularly amongst students who willingly allow their accounts to be co-opted by fraudsters in return for small cuts of their income.
There are significant challenges inherent in preventing authorised fraud. Most challenging is the fact that victims believe they are making legitimate payments and actively authorise the transactions, limiting the ability of payment-service providers to block suspicious payments. Fraudsters impersonate representatives of trusted organisations, using number spoofing to mimic legitimate organisations, and dupe victims into divulging sensitive information.
Victims’ stories highlight fraudsters’ successes at understanding and bypassing banks’ counter-fraud processes by coaching victims through transaction warnings and authentication steps. In evidence submitted to a UK government select committee, one payment-services provider indicated that it believed it could identify 90 percent of payments to scammers, but when it warned customers that the payments were very risky, 85 to 90 percent of them ignored automated warnings. Even when there was direct contact with the accountholders, 80 percent of customers still proceeded with the payments.
Notwithstanding these challenges, there are steps we can take as a society to tackle authorised fraud, and there are reasons to be optimistic. Just as with unauthorised card fraud, innovation is key—not just innovation in technology but also in how organisations collaborate across sectors, how fraud intelligence is gathered and shared, how customer awareness of fraud risks can be improved, and how fraudsters’ access to the banking industry can be further restricted by innovative approaches to customer screening and transaction monitoring.
Banks have critical roles in tackling fraud, but they can’t do it alone. Our collective aim must be to build an innate level of defence by embedding fraud awareness and cross-sector counter-fraud systems, processes and controls across our global society.
The banking and payments industries have already made huge strides in this respect, as evidenced by the reductions in card fraud. The convergence of anti-money laundering (AML) and counter-fraud capabilities will be key, and banks are innovating new transaction-monitoring capabilities leveraging behavioural analytics to detect suspicious transactions (not only outbound payments to suspected fraudsters but also money-mule activities within their customer books). Biometric authentication, behavioural biometrics and device IP (Internet Protocol) address monitoring are also being deployed to detect suspicious activity and bad actors more quickly.
Actively seeking out fraud using proactive fraud-detection approaches is increasingly important in organisations’ fraud defences. Upcoming regulatory changes and intensified focus on authorised fraud have led to the proliferation of counter-fraud vendor solutions, both from better-established players and new startups offering different approaches. Fraud threats are evolving quickly, and whilst preventative measures are still key to limiting losses, they cannot always mitigate against new attack methods. At PwC, we work with organisations to develop proactive anomaly detection to identify fraud threats and provide a feedback loop to enhance preventative measures.
Education for customers is key, and many global organisations have launched consumer-education programmes, such as the UK’s Take Five – To Stop Fraud campaign and the Australian Stop Think Protect campaign. In the UK, Stop Scams UK has launched its 159 telephone short-code service, which can connect customers securely with their banks when they receive suspicious calls about financial matters, aiming to break the scam “journey”. A report by the consumer group Which? highlighted that scams are often successful when victims are especially stressed, tired or distracted. Services such as 159 can effectively break potential victims out of the “hot state” scammers seek to create.
The regulatory direction of travel is to place greater responsibilities on banks to protect their customers from authorised fraud. The UK is leading the charge, with the Payment Systems Regulator (PSR) consulting on introducing mandatory reimbursements for victims of authorised fraud to replace the existing voluntary Contingent Reimbursement Model (CRM). While the operational details of the new regime have yet to be finalised, the debate about the concept of reimbursement has been settled, and other international regulators in the United States and Australia are exploring similar regimes.
A key feature of the proposed UK regime will be requiring banks receiving fraudulent payments to share 50 percent of the reimbursement costs, which is a critical element of driving investment in stronger customer-onboarding and transaction-monitoring controls. Smaller organisations that may have prioritised rapid customer-onboarding experiences at the expense of the robustness of their controls may find themselves exposed to high reimbursement costs, increased regulatory scrutiny and adverse media attention.
Some worry that mandating reimbursements will lead to fraudulent reimbursement claims, embolden fraudsters and encourage customers to be less careful when validating payments. First-party fraud controls will be a critical component of reimbursement-claims processes, but there are divergent views on the question of “moral hazard” and the impacts of a reimbursement regime on consumer behaviour. One UK bank has been particularly vocal about the fact that it has seen no evidence of customers being less careful when provided with a fraud-reimbursement guarantee.
Individual institutions can’t go it alone. A cohesive, whole-system response is needed to tackle fraud, particularly authorised fraud. Collaboration will be key, and innovative data-sharing arrangements will be required to create better fraud intelligence in as close to real-time as possible. As greater obligations are placed on the payments industry, some have asked whether it is fair to place cost burdens solely on financial institutions, given the wide range of organisations enabling scammers to access victims and their money. Proposed legal changes in the UK are starting to bring other organisational types into the counter-fraud world: advertisers, telecoms (telecommunications) companies, internet service providers and social-media platforms are key parts of the solution to scams and will increasingly be required to do more to prevent victim capture by blocking fraudulent advertisements, social-media posts and messages. UK telecom companies are taking action alongside banks to share intelligence and prevent fraudsters from spoofing financial institutions’ telephone numbers.
The changing trends and patterns across different types of fraud demonstrate not only the continuously evolving nature of fraud risk but also the successes achieved in tackling certain types of fraud. I am optimistic. We don’t need to accept fraud as an inevitable part of our society. With innovation and collaboration across sectors, including public and private partnerships, we can make a difference and reduce fraud.