Skip to content

How Banks Combat Fraud and Scams (and What That Means for You)

Uri Rivner talks about how banks handle fraud and scams and what that means for consumers.

Moving your money around has never been easier. With online banking, mobile banking, and the proliferation of financial apps, you can move your money almost anywhere, often instantly. This technology is extremely convenient for us, the consumers. But unfortunately, it’s also extremely convenient for scammers. Banks and fraud have been locked in battle for a long time. New advancements keep changing the game, but some of those might tip the scales in our favor.

See Fraud vs. Scam: What’s the Difference? with Uri Rivner for a complete transcript of the Easy Prey podcast episode.

Uri Rivner has been fighting financial crime for over twenty years. When he started, it was mostly phishing attacks. He saw the evolution into more sophisticated and sinister things like social engineering. At that time, Uri was working with cybersecurity company RSA. Banks wanted tech to help defend their customers’ accounts, and Uri did a lot of work around anti-phishing services, risk-based authentication, and fraud intelligence.

Then he came across an interesting new field of technology called behavioral biometrics. It’s the science of analyzing how someone moves a mouse, taps on their screen, or otherwise interacts with a device to determine if the person logging in is really the account owner. The idea is that everyone uses their device slightly differently. He was fascinated by this tech. The team behind the startup that introduced him to the concept asked if he wanted to join. He became co-founder of the company, BioCatch, in 2012. More recently, he decided to take on an adjacent field, money laundering, and launched Refine Intelligence, which helps banks look at transaction activity and filter the money laundering from legitimate activity.

How Banks Define Fraud and Scams

Banks draw a very clear line between fraud and scams. And the distinction is actually pretty simple. In fraud, you’re tricked into giving account access to the bad guys. This could be social engineering or some sort of hack or virus. But the criminal gets access somehow, and then criminal then moves your money out of your account.

In scams, though, you’re tricked into sending money to the criminal. They probably never have access to your account. They use some sort of ploy, trick, or lie to get you to log in, set up the transfer, and press the confirm button. Whatever the story or whatever they said you were doing, you were the one sending the money.

If it’s a scam, the account is going through an authorized payment, so [banks aren’t] trying to protect that.

Uri Rivner

The big distinction is whether or not the customer authorized the payment. If the customer didn’t authorize it – whether it’s because someone got into their account or someone stole their debit card – that’s fraud. If the customer was the one actually doing it, but they were doing it under false pretenses or because of a lie or threats, that’s a scam.

It’s much easier for banks to protect against fraud than against scams. If it’s fraud, they’re trying to protect the account. That’s what tools like two-factor authentication help with. But in the case of a scam, it’s much harder. The bank at that point isn’t trying to keep someone out of the account. They’re trying to determine if it’s done for fraudulent reasons. And that’s much more challenging to determine.

From Mostly Fraud to Mostly Scams

When Uri first started in this field, banks were mostly dealing with fraud. Now, much more of what they deal with is scams. To understand why, we have to look at some history. A great example is the UK market.

Uri has worked with a lot of UK banks. In 2003 and 2004, several major banks were hit by phishing attacks. It was a huge incident. Customers unintentionally gave away their passwords, and criminals would use those passwords to get in and move money to themselves. That’s a classic example of fraud. The banks in the UK said enough was enough. By 2007, all of them had moved to something called strong authentication. It didn’t use passwords; instead, logging in required some combination of a physical security key and/or a one-time code. Fraud incidents started to drop.

But in 2008, these same banks moved to something called faster payment. Before that, it took up to a few days to move money between banks. But with faster payment, people could move money between banks instantly and with very high limits. Fraudsters love fast money, so they flocked to the UK. Fraud incidents went right back up.

Fraudsters really like fast money … the faster it is, the more they like it.

Uri Rivner

By 2015, fraud was more or less under control in the UK. The banks had a lot of fraud defenses. But then criminals started using remote access. Once they could get into the customer’s device directly, especially if they could convince the customer to log into their account, they can commit fraud. But it’s type of fraud that blurs the lines between fraud and scam.

Blurring the Lines between Fraud and Scams

In 2015, a customer got a phone call that there was something strange going on in their account. They responded that it was weird the bank was calling them again, because they’d just called half an hour ago. Someone claiming to be from the bank had called, told them there was a problem, and offered to help them fix it. They guided the victim through installing Teamviewer to access their device remotely, had them log into their bank account, and then told the victim they could hang up while the “bank rep” did some checks.

Some tricks to get money out of your bank account blur the lines between fraud and scam.

In this case, the bank spotted that the mouse movements were different from the customer’s normal movements because of the lag from the remote access software. And the money going to a new account also came up as suspicious. Since the original login was done by the customer, it’s very close to being a scam. But because the customer wasn’t moving the money, the bank considered it a fraud.

In 2016, a different customer got a call telling her there was a suspicious charge on her debit card. They claimed because her debit card was compromised, so was her account, and they needed her to move her money to a new, safe account. They had her move it in small batches, starting with just a few thousand pounds. Luckily, the bank caught it after the first transaction.

That was the first incident of the online banking scam called authorized push payment, or APP. When Uri first heard of it, he thought it was way too much work for any criminal to go through. He didn’t think it would ever take off. But now it’s the most common attack on banks in the UK.

How Banks Handle Fraud and Scams

There’s a huge difference between how banks handle fraud and how they handle scams. The first question the bank always asks is, do I even care about this? In the case of scams, it’s unclear. It’s an authorized payment, the actual customer authenticated themselves, and it’s coming from a trusted device or location. It’s extremely hard for a bank to figure out your motivation to know if it’s a scam.

How do [banks] defend the customers from themselves?

Uri Rivner

There’s also a big difference between fraud and scams when it comes to regulations. Banks are liable for fraud. But if it’s a scam, banks have no obligation. In the UK, that will change in October 2024. That’s when a new regulation will come into play that will require banks to reimburse 100% of scams, whether it’s a romance scam, crypto scam, pet scam, or anything else.

In terms of detecting and preventing fraud, there’s a lot banks can do. Behavioral biometrics is one of the most powerful options. The technology can look at things like the way they scroll, how they move between fields, their mouse motion, if they use the keypad or number pad to type numbers, and more. With mobile banking, there’s even more options – the way you hold your phone, scroll, swipe, press, and tap can all indicate you are who you say you are.

However, none of these work for scams. In a scam, it really is you going into the account. How does the bank tell the difference between Uri logging in and sending money to a friend in need and Uri logging in and sending money to a scammer? That’s the challenge.

Spotting a Scam

Let’s go back to the bank customer who was told to move her money to a new account. That bank was using behavioral biometrics, but the risk score for that transaction didn’t raise any red flags. It got caught because the data science team happened to look at the transaction and detected several warning signs.

The customer was told to wait a few minutes to make sure the first transaction went through, then the scammers would tell her to move the rest. She was using online banking, and doing something that most people don’t do – just wiggling the mouse. She was doing it because she was bored and trying to keep the session alive while waiting to be told to move the rest. That’s not a normal reaction, and suggests the user is distracted. Another signal was the submit button. When most people click the submit button, they release it within 200 milliseconds. This customer took 506 milliseconds to release it. She was hesitating, which can be a sign of something suspicious going on.

Being scammed is a stressful situation. Behavioral biometrics can sometimes find signs of stress. For example, if someone is telling you an account number over the phone, the way you type it into the box could indicate that. An active phone call while you’re transferring the money is also a warning sign. These are all things banks can look for to indicate that a scam might be happening.

How Banks Can Respond to Scams

Fraud sends up fairly reliable signals that banks can detect. When looking at scam signals, there are some you can use, but there are a lot of false positives. And a lot of the signals come from the person being under stress. But if it’s something like a romance scam, where you feel like you have a relationship with this person and want to send the money, the signals will be different. It’s much harder to detect any long-term scam, or scams like investment scams where you are excited to invest, not under stress.

It is difficult to detect scams, much more so than detecting fraud.

Uri Rivner

When they apply their fraud detection methods to scams, too, banks have a better chance at detecting them. One of the things they can do when they suspect something strange is to provide a pop-up message asking for more details. We see you’re transferring money to a new account, can you tell us more about this? If you answer honestly, the bank may get some clues as to what’s going on. Unfortunately, some scammers guide customers on how to lie to the banks, so the answer isn’t honest.

Banks have methods they can use to spot fraud; those methods don't always apply well to scams.

Sometimes banks try to call customers when they identify a possible scam. But that’s tricky because a lot of people don’t answer the phone. It’s also a difficult conversation because the customer is annoyed that the bank is stopping them from doing something that they think they want to do. Because of this, customer outreach over the phone isn’t very efficient. Digital communication channels are better.

The Challenge for Receiving Banks

As hard as it can be for a bank to spot when a customer is sending money to a scammer, it’s even harder for a bank to determine if an incoming transaction is suspicious. With outgoing transactions, the bank at least has the customer’s actions to identify fraud or scams. For incoming transactions, all the bank knows is that an account received money. A new account might be suspicious, but not all the accounts scammers use are new.

Let’s do more investigation, but it is going to be difficult for the banks.

Uri Rivner

A bank trying to monitor incoming transactions would get a lot of false positives. There’s a lot of good activity at banks. Any monitoring activity that a bank does would send up a lot of alerts, and more than 99% of them will be on perfectly legitimate activity. What would help most would be quick outreach to the customer. The bank needs to find out quickly whether it’s fraud or a good customer, and then if they have a good explanation or if their reasoning is suspicious.

Banks Don’t Know Their Customers

There’s a regulation in banking called KYC, or Know Your Customer. Banks are supposed to know who their customers are. That’s why you have to show ID when you open an account. In that sense, a bank knows your name and your identifying information. But banks don’t really know their customers anymore.

Banks have been around for centuries, and they’ve always done their business face-to-face. You would walk into an establishment, and the banker would recognize you. They’d know your life and your family. If you wanted to make an international transfer, the banker could ask questions and find out the story. It was actually good for you because they can not just spot scams and fraud easier, but they can also recommend financial products and services that meet your goals. That’s the way banks handled everything for centuries.

Then the digital transformation happened. Now everything’s all digital. You have an app, you tell the bank what you want to do, and you don’t have to explain yourself. There’s no conversation or engagement. Any interaction is digital or through a call center. So there’s nobody at the bank who really knows you at all.

Because there’s no interaction, the banks don’t know their customers they way they used to.

Uri Rivner

There are actually some very interesting statistics about that. If an anti-money laundering (AML) officer saw a brand new account opened by some guy named Uri Rivner that got a big deposit, then moved the money out, that would be suspicious. But it turns out if that AML officer asked a local branch about a specific customer, they wouldn’t know that person 88% of the time.

Why Not Knowing the Customer is a Problem

If the bank itself doesn’t know you the customer, they have to contact you to resolve any red flags. That causes delays, which can cost you money. But it also makes it harder for banks to detect fraud, and especially scams. An important part of the bank’s side of detecting scams is getting into the customer’s head and understanding their intent. Without knowing their customers, they don’t have as much context. That makes it harder to detect when you might be getting scammed – and therefore harder to protect you.

The online environment helps the criminals and makes it much more difficult for the banks.

Uri Rivner

Banks, Fraud, Scams, and Looking Forward

As a consumer, be careful. Be especially careful in situations where someone is trying to stress you into doing something quickly. And it could be a family member calling and saying they need money right now, and it could be a voice you recognize. AI and deepfake technology is so good at that right now. Uri doesn’t have any specific warning signs to watch out for, since scams are always changing.

I don’t think there’s any specifics to protecting yourself against scams other than just common sense.

Uri Rivner

Another thing that people are starting to talk about is where the responsibility lies. When the money goes from your bank account to a scammer, that’s the end of a very long chain that typically starts somewhere else. What’s the responsibility of the phone company that allowed the text message that started it, or the social media platform where the scammer first contacted you? The bottom line is that there are a lot of people who can protect the consumer.

Banks are doing a lot right now to defend their customers. Even when they aren’t liable, it’s also a matter of trust and reputation. But it’s not something that just banks need to do. Everyone needs to be involved in stopping scams and fraud.

The best place to find Uri Rivner is online LinkedIn, where he’s happy to connect.

Related Articles

  • All
  • Easy Prey Podcast
  • General Topics
  • Home Computing
  • IP Addresses
  • Networking Basics: Learn How Networks Work
  • Online Privacy
  • Online Safety
  • Uncategorized
How to Protect Your iPhone

How to Secure Your iPhone Against iMessage Vulnerabilities

Have you heard about the Operation Triangulation attacks that targeted iPhones from 2019-2023?  According to Kaspersky, a…

[Read More]
How to Free Up Space When Your Android Slows Down

How to Free Up Space When Your Android Slows Down

For many of us, an Android smartphone holds all of the crucial details of our lives. You…

[Read More]

Protect Your Online Privacy: How to Hide Your Friends List on Facebook

Social media can be a double-edged sword. Platforms like Facebook allow us to connect with friends and…

[Read More]
Kathy Stokes talks about the AARP Fraud Watch program and why reporting scams is so important.

Fraud Watch and the Importance of Reporting Scams

Many people assume that scammers target older people. But that couldn’t be further from the truth. Scammers…

[Read More]
Scheduling Texts on an iPhone

Scheduling Texts on an iPhone: Step-by-Step Guide

In a digital era that zips by at the speed of a click, mastering the art of…

[Read More]
Tips for Making Your Phone’s Battery Last Longer

Extend Your Phone’s Battery Life: Top Tips & Tricks

Dealing with a constantly dying phone battery is so frustrating! When you first bought your phone, you…

[Read More]