EXCLUSIVE: “The BIG Cheat” – Dan Holmes, Feedzai and Cecilie Fjellhøy, action:reaction Foundation in ‘The Fintech Magazine’
The UK has become a honeypot for financial fraud, and romance scams in particular. Cecilie Fjellhøy is using a painful experience to drive change, while Feedzai’s Dan Holmes says banks need to step up
If you’ve been keeping an eye on Netflix’s greatest hits, you’ll be familiar with Cecilie Fjellhøy, star of the sensational The Tinder Swindler documentary. She was caught in an unbelievably complex international online dating scam that saw her defrauded of hundreds of pounds by a playboy hoaxer that she’d had the misfortune to swipe right on – as had, so it turned out, two other women. Convinced by his jet-setting lifestyle, lavish gifts and impeccable taste, the woman fell head over expensive heels for the purported heir to a diamond fortune – except the family rocks were a fantasy, and each of his victims was footing the bill for his serial seductions.
The story ricochets from penthouse suites to prison stays, heady romance to threats of violence. It is a true-crime rollercoaster that will keep you on the edge of the sofa. Fjellhøy, a UX designer living in London at the time, was victim of a crime for which the UK appears to be the unenviable capital of the world. A recent report from UK Finance claims that 40 per cent of all those looking for love online have been asked for cash.
In the eyes of Dan Holmes, a financial fraud consultant working for Feedzai, an AI-driven technology company focussed on developing financial crime-fighting products and services, the displacement of fraud to the world of dating and other platforms is partly due to the effectiveness of anti-fraud precautions introduced by the banking industry.
“If you rewind back to 2016/2017, the primary threat that the banks were facing were what we call ‘unauthorised fraud attacks’ – finding a way to compromise a victim’s credentials and using these credentials to perform unauthorised spending. Banks reacted to that, and there was wide adoption of a whole new array of fraud technology – like device recognition, location analysis, malware detection and behavioural biometric capability – which allowed banks to get a really strong grip on those unauthorised fraud attacks,” he says.
But once online banking systems brought in methods to clamp down on unauthorised use of accounts, it was inevitable that fraudsters’ focus would change.
“Rather than the bank’s fraud ecosystem and defence mechanisms being the weakest part of the chain, the fraudsters realised that, actually, the weakest part of the chain now was the victim, the customer themselves.”
That was certainly the case with Fjellhøy. Her UK bank account wasn’t compromised, but her trust in others was exploited. As a romance scammer, the perpetrator used tactics that talked to her heart, not her head – claiming he would be in physical danger from criminal gangs if she didn’t help him out financially.
“Back in 2018, I had just moved to a new country, had no family there, few friends, and I met this guy who was promising me this future,” Fjellhøy says. “I was soon to be 30… it was love bombing. Looking back on the messages between us, it’s ‘I’m stressed’, ‘I miss you’, ‘the card is blocked’, and every time the card was blocked, that meant he was in danger. At the time, I was more fearful of him losing his life. That is how you get brainwashed. It felt like a bad movie.”
She applied for loan after loan, using legitimate, procedurally appropriate and financially approved methods, and transferred those loans to him by her own hand. It’s part of the reason that he’s proven so hard to prosecute.
Technology is in place to discern unauthorised from legitimate transactions, but all that is rendered ineffective when the victim is authorising fraudulent transactions on behalf of the fraudster. Holmes believes that in developing the ability to accurately assess authorised transfers, banks have become experts at detecting just one type of fraud, but ‘in the process have almost been a victim of their own success’. So, if the very advances in fraud detection and prevention have left user vulnerabilities exposed, how do financial firms evolve their procedures and technology to close the gaps?
Part of the answer lies with a holistic approach to anti-fraud protection measures inside the bank, believes Holmes. In his view, the progression from branch to card-based transactions, to online banking, to mobile banking has been a neat evolution in consumer finance access, but one that is too siloed to be as effective as it could be.
“In Cecilie’s scenario, you’ve got one decision engine for lending, another for cards, another for transactions made in online banking, another for events in a telephony channel, and there’s no interactivity between all of these different silos within the bank.
“It sounds rudimentary, but even things like a lending decision, followed by a full payment out of that lending amount that you’ve just borrowed… if there’s no interactivity between those data sources, then it’s very hard for the banks to recognise it,” says Holmes.
And, in his opinion, there should be just as much focus on where the money’s going as where it’s coming from.
“Whenever a fraud happens, somebody is sending a payment from their account to the fraudster’s account; the fraudster’s always got to have control over that beneficiary. So, having a network of ‘mule accounts’, which are essentially the accounts that receive the fraudulent funds, is key. There’s been a lot of talk in the industry recently around what more can be done to A) reduce the amount of mules that come on board at the front end, and then, B) clean-up the bad accounts from a bank’s book. Ultimately, if you can stop the mules, you stop the fraud.
“If we use Cecilie’s scenario, her bank does all the fraud monitoring on that side. But what a receiving bank doesn’t tend to say is ‘does this inbound transaction look normal for that account?’. There’s more we can think about, as an industry, from that perspective, as that’s, ultimately, where the point of compromise is in the scam.”
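The cross-channel signal Holmes describes, a lending decision followed by payment of nearly the whole borrowed amount, only shows up once the separate feeds are joined per customer. The following is an added example, not from the article or from Feedzai's product; the event fields, the 72-hour window, the 90 per cent threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    customer: str
    channel: str       # silo that produced the record: "lending", "online_banking", ...
    kind: str          # "loan_disbursed" or "payment_out"
    amount: float      # GBP
    when: datetime
    beneficiary: str = ""

WINDOW = timedelta(hours=72)   # assumed look-ahead after a disbursement
PAYOUT_RATIO = 0.9             # assumed: >= 90% of the loan leaving again is a "full payment out"

def loan_payout_alerts(events):
    """Join every channel's feed by customer, then flag loans that are paid straight out."""
    timeline = defaultdict(list)
    for e in events:
        timeline[e.customer].append(e)
    alerts = []
    for customer, evs in timeline.items():
        evs.sort(key=lambda e: e.when)
        for loan in (e for e in evs if e.kind == "loan_disbursed"):
            paid = [p for p in evs if p.kind == "payment_out"
                    and loan.when <= p.when <= loan.when + WINDOW]
            total = sum(p.amount for p in paid)
            if total >= PAYOUT_RATIO * loan.amount:
                alerts.append({"customer": customer, "loan": loan.amount, "paid_out": total,
                               "channels": sorted({p.channel for p in paid}),
                               "beneficiaries": sorted({p.beneficiary for p in paid})})
    return alerts

T0 = datetime(2018, 3, 1, 9, 0)
SAMPLE = [  # constructed records, not real data
    Event("cust-A", "lending", "loan_disbursed", 20000, T0),
    Event("cust-A", "online_banking", "payment_out", 12000, T0 + timedelta(hours=2), "acct-X"),
    Event("cust-A", "telephony", "payment_out", 7500, T0 + timedelta(hours=26), "acct-X"),
    Event("cust-B", "lending", "loan_disbursed", 15000, T0),
    Event("cust-B", "cards", "payment_out", 900, T0 + timedelta(hours=5), "garage"),
    Event("cust-B", "online_banking", "payment_out", 14000, T0 + timedelta(days=30), "builder"),
]

if __name__ == "__main__":
    print(loan_payout_alerts(SAMPLE))
```

Run against the payment channels alone, with the lending feed left out, the same function returns nothing, which is the silo problem in miniature.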
Having worked in a digital design environment and user interfaces specifically, Fjellhøy has been vocal about not just how banks should have been able to spot her unusual financial activity, but also how they should communicate with someone they suspect of being a victim of an ongoing fraud.
“It was a very clear change in my behaviour,” she says, “taking up so many loans, suddenly travelling all over the world, business cards, expenses of £60,000 in less than a month. But all the transactions weren’t viewed as a whole.”
It’s estimated that only 15 per cent of victims even report fraud – many are too ashamed or, rightly in most cases, don’t think there’s any chance of getting their money back. Fjellhøy, who’s left her job to set up the action:reaction Foundation to support people who find themselves in similar situations, is in the minority in owning up to having been conned.
Even so, there’s very little justice out there. The UK Parliament’s Treasury Committee on Economic Crime, reporting earlier this year, said fraud wasn’t seen as a policing priority. It all raises uncomfortable organisational and ethical questions for banks. How do you discern harmful and anomalous spending patterns from unusual but harmless purchases? How do you talk to customers supportively about major changes in their spending habits? And all without being a major drain on your workforce?
For Holmes, solutions like Feedzai’s provide an evolved approach to protecting customers like Fjellhøy.
“We’re involved in consolidation of fraud transaction monitoring across the user lifecycle; so not thinking about the user as a card number, a user ID, or a telephone banking number, but as a holistic user where we can understand what they’ve done, regardless of what channel they’ve executed it on.”
The ultimate vision for this is that banks collaborate and make the connection between potentially fraudulent transactions to build an understanding of what’s really going on. It’s a solution that Holmes believes is best understood by looking at the aviation industry.
“If there’s an accident in aviation, the whole industry comes together to understand what happened, and then they will push fixes out to their respective fleets, to better protect all air travellers. That doesn’t happen in the banking space today. A bank will realise there’s been an attack, it’ll fix it, but it won’t necessarily share that intelligence.”
A holistic approach would also trigger a more detailed, personalised assessment of a potentially fraudulent situation through conversations informed by the identified risk level.
Holmes explains: “It needs to turn into ‘have you done this transaction because somebody has asked you to do it? Have you had a call, out of the blue asking you to send them money? Has somebody approached you on social media, and now they’re asking you to do this?’. That’s a very different, more informative discussion for the bank to have with its consumers.”
And it’s one that could perhaps have prevented Fjellhøy from racking up more than £200,000 of debt.
“The call with the bank was never a long conversation regarding the total spend – just these individual ones,” she says. “Sometimes, I only got a text message. ‘Do you approve this transaction?’ The first company that I had a credit card with, realised after a while that I wasn’t the one using it. And that was good. So they blocked the card, and then they reached out to me. But because I was so scared, because I had lent him my credit card, I felt ‘now I’m the one who has done something I shouldn’t have and they’re coming after me.’
“When they contacted me, unfortunately, I was with the fraudster and he made it feel like it was us against the world. Fraudsters can make you scared of the good people.”
Holmes argues that biometric technology could have raised a red flag had it been employed by the bank.
“You can start to tap into emotions within voice biometrics… for example, ‘yes, this is Cecilie, but can we tell from her voice patterns that perhaps something’s not quite right, relative to what we normally expect to see from her?’. I’m not saying this is a silver bullet, but it’s a step further to better protecting the consumer.”
It seems that a cultural and educational shift will also be important if the UK is to bring down its estimated £3billion fraud bill, where losses suffered per person are higher than in the US, Canada or Australia.
Information campaigns have their role, but, as Holmes says:
“It’s difficult to see an advert on Saturday evening, and then recall all that information when you get a call from the fraudster on Thursday.
“But if the bank presents something to the customer at the point of material risk, when they’re about to make the payment, does that force them to remember that advert and say ‘is this a little weird?’”
A national 159 help line was launched across the UK by a number of banks last year, giving consumers an invaluable opportunity to discuss the specifics of any transactions they’re about to approve. Individual banks have also instituted their own hotlines, including Nationwide, with what it calls ‘increased friction’ to slow transactions identified as fraudulent, so consumers can seek reassurance before their payment is too late to stop.
Fjellhøy believes that counselling and discussion has a big role to play in averting future crime as well as removing the shame associated with it.
“It’s so important to support fraud victims, so they can go to the banks and tell them what happened. We need to remove the stigma, so people aren’t worried about being judged – so they can say to each other ‘I fell for this, and I clicked that link’. I think it will be better for everyone if we were a bit more open and it would be more difficult for the fraudsters to flourish.”
A recent report from Transparency Task Force, a social enterprise group that campaigns for greater transparency in UK financial services, found financial crime had ‘devastating financial, wellbeing, social, emotional and support-related impacts’ and called for reform of the regulatory system and better support for victims.
And there is evidence that banks are beginning to see fraud less through the prism of the P&L and more as a social harm: consumers have had their lives ruined because it’s not possible for them to get lending again, or to take out mortgages.
Meanwhile, some consumers have lost their pension pot. The UK’s Online Safety Bill, meanwhile, proposes to place a duty of care on online platforms like Tinder that are channels for many of these scams. Simultaneously, the second Economic Crime and Corporate Transparency Bill will enable businesses in the financial sector to share information more effectively to prevent and detect economic crime and allow banks to slow down instant payments if they’re suspicious.
Fjellhøy realised that, in the end, she was never going to get any of her money back. And yet, four years later, the perpetrator is still out there. And, in an ironic twist, Fjellhøy’s attempts to help victims of fraud have themselves been exploited by fraudsters.
“There are a lot of fake accounts out there now, pretending that they’re me, trying to defraud people by using my story,” says Fjellhøy. “I get a lot of scam victims contacting me for help and these fraudsters are talking to my followers, saying, ‘if you give us such and such, we can get your money back’. And yet, when I try to have these accounts shut down, the response I get is that the social media platforms receive so many reports, they don’t have time to remove them. There is so much more that institutions – tech companies, not just banks – can do.”
Holmes agrees that more effort needs to be put into bringing ‘different parts of the “kill chain” together to work more effectively as a collective’.
“Bringing the telcos, the tech giants, the internet service providers, and the banks into a room together, for them to all work more effectively around how they can better protect their respective countries’ consumers from scams, is something that I’d like to see more of.
“I think there are four key takeaways for me, when it comes to better protecting consumers. First, use the right technology – yes – but use layers of the technology. One piece of the kit isn’t going to solve this.
“Second, educate your consumers, to the best of your ability. Do this frequently, do it at the right time; give them the best chance to recognise that something’s happened, so that even if your technology fails, they still potentially get to stop it.
“Third is collaboration, not just across the banks, but all the parts of the kill chain.
“The final one is make sure that whatever authentication strategy you have, whatever conversations you have with customers, reflect the risk that you suspect is in play.
“If you can nail those four things, while you’ll never solve the problem, you’ll give yourself the best chance to limit it.”
This article was published in The Fintech Magazine Issue 25, Page 12-14