
Scampocalypse now?

April 13, 2022 | By Vicki Hyman

It could be a text telling you to click a link to reschedule delivery of a TV you certainly haven’t ordered, or a handsome shirtless man you’ve never encountered in your life suddenly sliding into your DMs with a “Hello, beautiful.” You may not know exactly what’s going on, but you’re pretty sure of one thing: It’s a scam. Fraudsters are trying to convince you to part with your personal information, your financial data or your money itself.


We may be on the verge of what fraud expert Trace Fooshée, in a new Aite-Novarica report, is calling a “scampocalypse.” In the U.K., losses due to authorized push-payment fraud — in which people are tricked into authorizing payments from their accounts, as opposed to when fraudsters take over someone’s account to steal money — grew 71% in the first half of 2021.

In the U.S., romance scams, already pervasive, are now one of the fastest-growing cons around, abetted by the growth in online dating as well as COVID-fueled isolation. In 2021, there were record losses of $547 million — an 80% increase over the previous year, according to the Federal Trade Commission. These online scams are much easier to pull off at scale than face-to-face fraud, and the rise in e-commerce and other digital interactions has significantly increased our exposure.

But it’s hard to pin down the overall growth in scams, because U.S. data comes from a wide variety of agencies and includes a broad array of criminal activities that are often poorly defined. And that’s part of the problem, Fooshée says.

The circumstances of each scam impact liability if the victim can’t recover his or her money, and the lack of clear and consistent categorization also makes it difficult to track trends and deploy appropriate countermeasures. If left unchecked, Fooshée says, it can result in “profound damage” to the trust upon which banking institutions rest.

Fooshée, who will be speaking today at Mastercard’s annual Cybersecurity & Risk Summit in Key Biscayne, Fla., discussed the growth in scams and the challenges they pose with the Mastercard Newsroom.


Your research indicates that in the U.K., certainly, scams evolved from minor irritations to a plague about a decade ago. What happened — and why are scams about to get worse?

Fooshée: If I had to condense it down to a single phrase, it’s because they’re terribly effective for the fraudsters. Convenience in general is what’s working for the fraudsters. If it’s easy for you to make payments, that’s less of an obstacle to deceive you into making the payment, or less of an obstacle for them to get you to reveal the keys to get into the account.

That’s why there has been so much investment in authentication controls, to make sure that when you do make it a lot easier for customers to do business with you, you’re upping your security game. You’re compensating for that risk. You’ve now made it very costly for fraudsters to attack the account directly. These are businesspeople in a very loose sense of the word. They do think about things in terms of “What is my margin? I have to invest a certain amount of money to commit the fraud and I have to invest a certain amount of time. I want to maximize my return on my attack.” If it’s really hard to penetrate a bank’s authentication controls, they’re going to increasingly turn to the customers themselves. They’re going to go to the weakest link in the chain. Oftentimes the weakest link in the chain is the password. In scams, however, it’s often the person themselves.


You argue for a more structured model for defining scams. Why is this important?

Fooshée: If scams happen, then you’re going to have to have some kind of a policy and some kind of a way of dealing with the exhaust of it, the treatment of it. Someone gets victimized by a scammer, they’re going to want to have restitution. They’re going to want to have their funds reimbursed, because they obviously didn’t want this to happen. Then the question becomes, well, what did happen? Under the law, it matters a lot whether or not the payment in question was authorized or unauthorized. If it was authorized — if she was deceived into calling her bank and issuing instructions to wire $5,000 to another person abroad — the bank has a fiduciary obligation to do so. At a very basic level, when you tell the bank to jump, effectively the bank’s primary duty is to say, “How high?” and then to execute the instruction with reasonable controls. Later, when you call back and say, “Yeah, but I didn’t mean it,” the bank’s like, “I’m sorry, we did our part. We met our obligation.”

That’s different from an unauthorized payment, when someone gets your username and password to log in to your online banking account and send your payment to someone abroad. Well, that wasn’t you. But this is where a lot of the rubber meets the road. Historically, a lot of banks have relied on certain conditions in their terms-of-use contracts. That contract has conditions: If you give away your credentials to someone and they make a payment, we’re not going to reimburse you. Now the regulators are coming out and saying, “That’s not a sufficient condition for overcoming your obligation to reimburse the victim in these circumstances.”


So what is being done in the industry?

Fooshée: In the U.K., they’ve done a far better job of creating a taxonomy that is consistent across the entirety of the market. For us in the U.S. and everywhere else, the terminology that we use is very inconsistent. There are as many different definitions of what a scam is as there are banks. What I would propose is that we do a much better job of coming together under a consistent taxonomy about defining what scams are and how they are categorized.


As fraudsters are turning to less technically challenging methods, like social engineering, banks are relying on transaction monitoring and increasing awareness among their customers. Are there better solutions on the horizon?

Fooshée: A number of them are emerging. One of the ones that is notable in the U.K. is confirmation of payee. Effectively what it does is match the payee with the title of the receiving bank’s beneficiary account. If it gets anything other than an exact match, it will flash a warning to whoever is sending the payment that says you may be sending it to someone you don’t want to send it to. It introduces a little extra friction, but it’s risk-based. But there’s a lot of alert fatigue. As you might imagine, there are a lot of mismatches. It’s just another pop-up that people are just clicking through.

Some of the others that are emerging are trying to put more context around the payment. It’s no longer enough to just look at the payment outside of a pretty rich history of past payments. If I’ve never sent money overseas before and this is the first time, that should maybe put that in a high-risk category.

Risk models have to be a lot more nuanced. The more contextual the model, the better suited it would be for these edge cases like scams. What is meant by contextual is you’re having to piece together a lot of different signals, not just the transaction payload or past transaction profiles. You’re going to have to start taking into account now whether there are certain behavioral biometrics indicators that might reveal a customer is under duress or acting in a more hasty fashion than they have before. A third part is what I’m calling network-based or consortia-based reverse-mule detection systems, either through social network analysis or by way of known rings.

If you factor that in with the very weak predictive yellow flags you get from the transaction-monitoring payload, then those things are bigger than the sum of their parts.
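As an added illustration (not code from the article, Mastercard or the Aite-Novarica report), the Python sketch below implements the two signals Fooshée describes: a confirmation-of-payee name match that normalises cosmetic differences so it does not feed alert fatigue, and a contextual check that treats a customer’s first overseas payment as a yellow flag, with the individually weak flags combined into one risk level. The `Payment` class, the $5,000 threshold and the low/medium/high scale are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import List


@dataclass
class Payment:
    amount: float
    destination_country: str  # assumed two-letter country code, e.g. "US", "GB"
    payee_name: str           # name the sender typed
    beneficiary_title: str    # account title held by the receiving bank


def normalise_name(name: str) -> str:
    """Fold case, accents, punctuation and spacing so cosmetic differences
    ("J. Smith Ltd." vs "J SMITH LTD") do not raise a needless mismatch
    warning; needless warnings feed the alert fatigue the interview names."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9]+", " ", ascii_text.lower()).split())


def confirm_payee(entered: str, account_title: str) -> bool:
    """Confirmation of payee: True only on an exact match after normalisation."""
    return normalise_name(entered) == normalise_name(account_title)


def assess_payment(payment: Payment, history: List[Payment], home_country: str = "US") -> dict:
    """Combine individually weak yellow flags into one risk level (assumed scale)."""
    flags = []
    if not confirm_payee(payment.payee_name, payment.beneficiary_title):
        flags.append("payee_name_mismatch")
    overseas = payment.destination_country != home_country
    if overseas and not any(p.destination_country != home_country for p in history):
        flags.append("first_overseas_payment")
    # Assumed threshold, borrowed from the article's $5,000 wire example.
    if payment.amount >= 5000 and all(p.amount < payment.amount for p in history):
        flags.append("largest_payment_to_date")
    risk = {0: "low", 1: "medium"}.get(len(flags), "high")
    return {"flags": flags, "risk": risk}


# Constructed sample data: a customer who has only ever made modest domestic payments.
HISTORY = [Payment(120.0, "US", "Acme Utilities", "ACME UTILITIES"),
           Payment(800.0, "US", "J. Smith Ltd.", "J SMITH LTD")]
SUSPECT = Payment(5000.0, "GB", "Mike Harrison", "M HARRISON TRADING")
```

Running `assess_payment(SUSPECT, HISTORY)` raises all three flags and returns a "high" risk, whereas each flag on its own would only be a "medium" prompt.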

Event

Mastercard Cybersecurity & Risk Summit

Industry leaders will share insights about the latest trends in cybersecurity and best practices for minimizing fraud risk and maximizing profitability at Mastercard's annual summit in Key Biscayne, Fla., April 11-14. 

Vicki Hyman, director, communications, Mastercard