What simple techniques can banks adopt to prevent fraud? A digital scam expert sheds light

With the advent of AI-based technologies such as ‘deep fake’, the world of scamming is becoming increasingly sophisticated, with Australians falling victim to $3billion worth of digital fraud last year as a result.

In this landscape, banks could be forgiven for thinking scam prevention requires an equally technical response. But as ethical hacker and digital fraud expert Simon Smith reveals, even some simple, common sense approaches have not yet been explored.

Ahead of the Scams Summit, Simon, who provides independent expert witness services to the judicial system in fraud disputes, gives his take on what banks could be doing to help tackle the issue.

Get banks to ask simple questions before authorising transactions

Having worked directly with fraud victims for more than ten years, Simon has seen firsthand the damage they can cause. He has also seen how easy it was for victims to be tricked; and how few safeguards were in place when the fraudulent transactions took place.

He is calling for all financial institutions to train their staff on how to recognise fraudulent transactions and says almost all could be prevented by asking a series of simple questions.

“If I were a bank teller, and I was face to face with a customer who was just about to transfer large amounts of money, I am confident I could prevent 100 percent of fraudulent transactions that came under my radar, simply by asking:

• Do you know, have you met, or have you been to the offices of the person you are transferring money to?

• Have you physically spoken to them?

• Do you have a product disclosure statement for what you are purchasing; and is that governed by Australian law; have you dealt with a publicly known contact from that organisation and verified its contents directly with them?

• Is someone guiding you through this transaction; if so, who and why?

• What is the purpose of this transaction and where do you think your money is being sent, and for what purpose?

“If any of these answers raise alarm bells then we should not authorise the transaction – or do so with caution – no matter how much it irritates the consumer at the time.

“It is no different to a doctor declining a script for an addictive pharmaceutical, if they believe that drug will cause harm. They have a duty of care to do so.”

Simon says the existing approach of asking consumers ‘are you being scammed?’ is inadequate and that banks need to step in and use their own discernment.

“I’ve dealt with a 75 year old woman who sent $50000 AUD to Vietnam on the assumption she was assisting a national security service. Of course, she didn’t realise she was being scammed, but to the bank teller it should have been so obvious.

“In the legal dispute, the bank in question blamed this woman and cited the fact she had been asked if the transaction was a scam, in their defence. Never mind that she had never before used internet banking, or performed a transaction like this.

“The bank should have spotted the unusualness of this transaction and blocked it instantly, but they didn’t. Technology these days is clever enough to spot this type of deviation in customer behaviour deviation and flag it as a concern.”

Recognising inappropriate BSBs

Simon says banks should also block their customers from transferring money to BSB numbers that deal solely with B2B customers, if the customer is claiming they hold an individual account with the recipient bank.

These bank accounts have long been used by fraudsters to directly fund cryptocurrency accounts unbeknownst to the victims. The criminals then use these to launder money into an exchange before making a large crypto transaction.

The victim is tricked into believing this bank account is their own, even though the bank in question only deals with corporate clients.

“There are specific BSB numbers that banks would need to be aware of. It is such a simple solution to flag these BSBs and stop everyday consumers transferring money to them, in the event they claim it to be their own bank account.

“I have personally witnessed people losing millions of dollars to this very scam technique, so it would have a profound impact.”

Blocking overseas IP addresses

Simon has seen countless cases where a fraudulent bank transaction made abroad has been permitted by the bank, despite the consumer having just used their bank card in their home country.

He says it is “mind-blowing” that with today’s technical capabilities this type of scam is still prevalent.

IP origin server variables have existed since the birth of the internet and can instantly be linked to a geographical location. At the very least, the IP and user agent can be deemed to be ‘different than usual’.

“When you track the location of IP addresses, it is so easy to prevent this type of fraud,” Simon said.

“I have questioned banks on this in numerous legal disputes. I’ve asked them straight up, ‘how do you think your customer teleported themselves 500,000 kilometres across the planet within eight minutes to make transactions in two different continents?’

“However, since there is no legal obligation for them to disclose how they use their internal systems, many don’t; and fraudsters continue to get away with it.”

Systemic change is also needed

Along with these simple fixes from financial institutions, Simon is also calling for a reshape on how the scam prevention landscape is currently structured.

He says the ‘user pays’ system that finances the ombudsman, AFCA, limits the degree to which fraud victims can get a fair hearing.

“In recent times, the same initial decision maker of an AFCA complaint is the conciliator in ‘without prejudice’ discussions. If you liken it to a criminal court system, that is no different to having one single person as the judge, jury and the mediator in confidential discussions.

“In my experience of being a nationally accredited mediator and dispute resolution practitioner, this seems wrong on so many levels and not in the best interest of fraud victims.”

Sharing more thoughts on how industry and government can work together to lessen the impact of digital fraud, Simon Smith will present at the Scams Summit, hosted by Informa Connect.

This year’s event will be held 15-16 August at the PARKROYAL Darling Harbour Sydney.

Learn more and register your place here.

About Simon Smith

Simon Smith is Chief Executive of Official Intelligence. He is an independent Australian Cybercrime, digital forensics, software, systems, and lifecycle management expert witness who has given evidence in State and Federal Courts in Australia, including Tribunals, County, District and Supreme Courts.

He specialises in analysing, developing, auditing and reverse engineering software applications, computer and mobile programming and methodology, and digital forensics in online fraud and high-tech crime cases.

Simon has more than 23 years of industry experience – first and foremost as a computer programmer, reverse engineer and ethical hacker. He has devoted eighteen of those years to information and cyber security.