At a time when more consumers are being tricked into giving fraudsters access to their money and accounts, Valley Bank’s Milliesia Armogan explains why customer education is a bank’s best weapon in the fight against increasingly sophisticated social engineering fraud.
Though the banking industry’s struggle to prevent fraud is as old as banking itself, a new chapter is opening as banks face off against one of the most formidable fraud types yet: social engineering scams. In this type of scam, especially with authorized push payment (APP) fraud, criminals trick their victims into sending them money instead of breaking in and stealing it themselves. Social engineering fraud is not only costly and difficult to stop, but it is also becoming exceedingly common.
“I have cases every day,” Milliesia Armogan, Valley Bank’s assistant vice president, digital fraud investigations manager, fraud risk management, told PYMNTS in a recent interview. “I deal with digital banking fraud, so handling social engineering scams is my day-to-day responsibility.”
Armogan explained that social engineering fraud had its start in the physical world, perhaps with the criminal mailing a letter to the intended victim. Now everything is digital, and in most of her cases, the customer received either an email or a phone call from a fraudster claiming to be someone else. Though the scams often begin this way, there is no single type of social engineering fraud.
“The fraud can spiral from there along many different paths,” Armogan said. “These can include job offer scams, romance scams and even puppy scams.”
This last type, she explained, refers to the case in which a criminal poses as someone selling a puppy.
A Real-World Example
To help unpack what social engineering scams look like — and demonstrate just how complicated they can be — Armogan described a recent scam that ensnared one of Valley Bank’s customers.
It began when the customer received an email advising him that there was an issue with the payment invoice for his purchase of a new phone. Knowing that he did not buy a phone, the customer, concerned, called the number embedded in the email. This phone call sent the scam spiraling into motion.
Unbeknownst to the caller, Armogan explained, the person who answered the call was the fraudster. They assured the customer that there was a mix-up and that the customer could receive a refund if he provided his banking information, and the customer obliged. Then it appeared as if the refund was issued, but it was for a sum larger than was owed.
Citing the overpayment, the fraudster now advised the customer to go into his branch, withdraw cash from a teller, then deposit these funds into two cryptocurrency ATMs. Still unsuspecting, the customer obliged again.
It was not until after making the payment that he realized something was wrong, and he then contacted law enforcement and the ATM operators. Although he was able to reclaim his money from one ATM operator, he is still working with law enforcement and the other ATM operator to retrieve the second half of the deposit.
“In this particular situation, since the customer authorized the withdrawal from the branch and took the cash, he had no choice but to file a police report because the bank can’t control authorized transactions,” Armogan said.
Detection Is Difficult
Valley Bank, like other financial institutions (FIs), deploys a suite of monitoring and detection technologies that apply certain risk and revenue thresholds to flag suspicious activity. When a transaction is deemed sufficiently suspicious, the bank will freeze it until the customer confirms it is legitimate, a process that is quite effective for stopping unauthorized fraud. With APP fraud, unfortunately, the situation is different.
There are opportunities to stop APP fraud before it is too late, but these typically require the customer to report the issue to the bank prior to authorizing the payment, said Armogan. Even if the bank flags the transaction, a deceived customer may authorize it anyway. It is precisely the victim’s authorization that makes stopping social engineering-fueled APP fraud so difficult for banks.
“When you share your information with an unknown source, we cannot control that,” she said. “We cannot control whether you click on a link embedded in an email. Likewise for authorizing a payment — if the customer authorizes it, it is processed.”
Prevention by Education
Luckily for banks, they do have a tool for combating social engineering fraud: customer education.
“One thing banks can do is just continue to educate customers about the importance of safeguarding their banking and personal information and knowing who they are doing business with,” Armogan said. “If you don’t know the source, don’t do business with them. If it’s an email, verify the email. If you are on the phone with someone that you don’t know, do not share information.”
For its part, Valley Bank is working to educate its customers in a few ways. To protect them from hackers posing as the bank, Valley Bank stresses to customers that it will never call them asking for personal and banking information. Customers are also encouraged to visit the bank’s website, where they can find educational resources offering descriptions of common fraud schemes and tips for digital security.
It can be difficult — and sometimes impossible — for banks to stop socially engineered scams once the customer gets sucked into the fraud spiral. Banks’ best bet is to teach customers how to avoid falling in.