Saturday, June 15, 2024

EXCLUSIVE: “The BIG Sting” – Alex King in ‘The Fintech Magazine’

Could the UK-led purge of the iSpoof site and subsequent arrests across multiple jurisdictions mark a turning point in the detection and enforcement of APP and other fraud? asks Alex King

Anyone paying attention to spiralling fraud statistics since the start of the pandemic might be forgiven for thinking that scammers were being given a free pass at a time of profound financial vulnerability for many people. But on November 24, the UK’s Metropolitan Police revealed it had made more than 140 arrests during the country’s biggest-ever anti-fraud operation, which spanned two continents.

Working in concert with the FBI and Europol, the sting followed an 18-month investigation in connection with a website described by detectives as a ‘one-stop spoofing shop’ that had swindled victims out of more than $120million, earning the service operators an estimated $3,850,000. Going brazenly by the name of iSpoof, it enabled paid-up users to mask their phone numbers with one belonging to a trusted organisation – often a bank – allowing them to conduct phishing, and ‘bank helpdesk’ scams, stealing money, bank account details, and one-time codes.

Using social engineering techniques, criminals had defrauded victims of an average of £10,000 each, with one losing £3.2million, the Met said. iSpoof was used to conduct authorised push payment (APP) fraud, a methodology that tricks victims into making a bank transfer to the account of a fraudster in the belief that they are a legitimate payee. UK losses to APP fraud increased 71 per cent in 2021, and are forecast to continue outpacing the growth of other fraud methodologies worldwide.

The financial and reputational threat that APP fraud poses to banks, and the seemingly unstoppable increase in scams, caused UK Finance to warn earlier in 2022 that it now constitutes a ‘national security threat’. The numbers involved in the iSpoof operation are staggering. At its peak, the service had 59,000 users making almost 20 fraudulent calls a minute, with 40 per cent made in the US, 35 per cent made in the UK, and the rest taking place across dozens of other countries. The Met believes more than 200,000 UK citizens fell victim, although just £48million in losses were reported to Action Fraud – which is testament to how fraud is underreported and possibly how little consumers trust that their experience will be listened to or their crime solved.

“This operation is a very positive step. They have taken down and removed one of the biggest threats of scams globally “

Dan Holmes, Feedzai

The Met’s operation marked a change in strategy by law enforcers, according to its Commissioner Sir Mark Rowley. Speaking to Radio 4’s Today programme, he said: “In the past, we have just closed down [websites like iSpoof] and killed the fraud methodology off. This time, we’ve decided to take out all the people involved… we want to hold people to account.”

This multi-agency, cross-border approach to financial crime with a clear focus on arrest – although there’s been no word yet on the likelihood of recovering the stolen funds – is precisely what the first Financial Action Task Force/Interpol joint mission was set up to achieve. It convened a roundtable of regulators, investigators and representatives from financial services in September to discuss what was needed in terms of a shift in law enforcement perspectives and culture, enhanced international networks and tools, and stronger legislation and global standards, to successful detect and, critically, prosecute financial crime.

“For too long there has been too little focus on the enablers and perpetrators of fraud,” says David Howes, global head of financial crime compliance, conduct, and compliance frameworks at Standard Chartered bank.

“It’s great to see the police forces involved going after a significant and complex case with widespread impact. To tackle the fraud pandemic, however, will need a joined-up strategy, with collective effort from both the private and public sectors, as well as increased awareness among the public to be on alert for scams.”

For many consumers, one nagging question looms large: couldn’t banks do more to prevent this kind of fraud in the first place?

According to Dan Holmes, a consultant at anti-financial fraud technology firm Feedzai, APP crimes are notoriously difficult for banks to detect.

“There is no actual compromise the bank can see on the victim’s account, given it was the victim themselves that made the payment,” he says.

That said, due diligence and confirmation of payee checks would appear to be woefully ineffective, with the proceeds of fraud spirited away before fraudulent behaviour is detected. Due to the pitifully low detection rates, Holmes says, ‘banks typically work with law enforcement in a reactive rather than proactive way’. So, the onus is on the police to investigate, with the banks assisting in two ways: by providing police with data on request, and by reporting fraud through well-established channels such as UK Finance, which passes reports on to the National Fraud Intelligence Bureau.

Banks might well lament that, while fraud makes up roughly half of all crime in the UK, only around one per cent of police resources go on specialist economic crime teams. In an effort to support anti-fraud  enforcement, the banking and finance industry fully funds the Dedicated Card and Payment Crime Unit (DCPCU), a proactive UK police unit tasked with investigating economic crime.

According to a UK Finance spokesperson: “In 2021 the DCPCU prevented a record £101 million from being stolen – the highest amount in the unit’s 20-year history.”

So, it’s clear that collaboration between enforcement and the banks can work.

“There has been too little focus on the enablers and perpetrators of fraud. To tackle the fraud pandemic will need a joined-up strategy from public and private sectors”

David Howes, Standard Chartered

“Closer cooperation can help,” says Holmes. “Advances in technology, like the use of persistent device recognition capability, has been something that law enforcement have benefited from. Often, one compromised account can be linked to many others, not just through transactional patterns, but by access patterns as well, such as device and location.”

Nevertheless, he says, ‘speed of dialogue and action is critical’. To be truly proactive, banks’ detection of APP fraud must increase in frequency and rapidity. That’s where proactive analytics play a critical role. Sophisticated machine learning models can examine the incidental data around large transactions to spot those that present a profile that matches previous cases of fraud.

“Most banks should now be doing this,” says Holmes. The next step, he says, is to deepen that behavioural analysis.

“Banks and firms like Feedzai are researching user behavioural biometrics as a method of scam prevention. For example, how does a user interact with their mobile and PC if they are under duress?”

This speaks to the importance of a feedback loop from the police back to banks. Only the police could covertly access iSpoof, downloading the entire website’s historic data. Only the banks can begin matching phone numbers handed to them by the police with account holders. And, at the moment, only tech firms such as  Feedzai can help examine the behavioural biometrics on those victim accounts, using that data to generate new models that instantly detect APP fraud of this kind. It takes time to land a model that can protect and prevent rather than react and reimburse.

That’s exactly why Holmes believes that speed is key: the banks, and their partners, must act at full-tilt in order to give consumers a fighting chance. There’s another side to the iSpoof story. Such scams cannot take place without encrypted criminal Telegram channels, cryptocurrency exchanges, privacy coins, professional phishers, data brokers, and the dark web forums upon which names and numbers are bought and sold. No wonder the iSpoof investigation was christened ‘Operation Elaborate’ by the Met.

“We should be clear that this operation is a very positive step,” says Holmes. “They have taken down and removed one of the biggest threats of scams globally. But there is a growing notion that there are other players involved in the lifecycle of a scam who also have an accountability to protect customers, including telcos and big tech.”

Mark Rowley said the Met was trying to ‘industrialise’ its response to the industrialisation of fraud, in which banks are victims as much as anyone. Holmes is feeling positive. “The fact that law enforcement have taken decisive action shows,” he says, “that the industry may finally be pulling together as a collective to offer consumers the best scam protection possible across the board.”


This article was published in The Fintech Magazine Issue 26, Page 57-58

People In This Post

Companies In This Post

  1. Doha Bank and Mastercard Announce Long-Term Strategic Partnership to Shape Qatar’s Payments Landscape Read more
  2. eBay Launches Venmo as a Payment Option Read more
  3. CRIF Completes Bond Issue With Another US Institutional Investor Read more
  4. Payzli Announces Strategic Leadership Restructuring to Accelerate Growth Read more
  5. Bank for International Settlements and Bank of Canada launch BIS Toronto Innovation Centre Read more