By Penny Dunn, Partner, PwC Australia
with Tom Gunson, Financial Services Leader, PwC Australia
Australia is facing an epidemic of scams. So far this year Australians have lost upwards of $425 million and losses have more than doubled compared to 2021. At the same time, the number of scams reported to Scamwatch has decreased by 15%, suggesting scammers are becoming more sophisticated and effective.
Scammers are constantly looking for new ways to deceive victims. This includes creating fake websites (which appear disturbingly genuine); spoofing caller IDs to mask a phone number and mislead customers about the origin of a call; and using company call centre hold music to sound authentic. It’s no wonder it’s becoming increasingly difficult for customers to identify what is a scam and what is legitimate.
And even as scams continue to be reported by consumers, many more go unreported. The Australian Competition and Consumer Commission (ACCC) estimates only about 13% of victims report to Scamwatch.
For those who do report losses due to scams, few will recover their lost funds or get justice. Police and financial institutions face huge challenges when attempting to prosecute and/or recover funds because scammers rarely use their real identities and often operate across multiple jurisdictions.
Customer fraud is emerging as the greatest risk driver
PwC’s Global Economic Crime and Fraud Survey 2022 (GECS) found customer fraud (including scams) is the greatest risk driver for Australian financial services respondents, with 54% experiencing scams associated with customer fraud in the past 12 months.
PwC’s 2021 Customer Banking Survey, meanwhile, shows the COVID-19 pandemic has accelerated the use of digital banking channels. (Use of bank mobile apps and digital payment platforms, for instance, is up by 29%.) Increased digital adoption has enabled new forms of fraudulent activity (evidenced in GECS 2022), and we’re seeing scam attempts across the board as scammers no longer discriminate between ages, digital assets, or digital platforms.
What does all this mean for financial services organisations?
Amidst an increasingly complex fraud landscape, it's more important than ever before for them to balance risk controls with customer demand for seamless services.
Australian financial services organisations are experiencing an increase in the number of fraud attempts and scams targeting their customers, coupled with heightened monitoring requirements resulting from recent major data loss events. This is creating a perfect storm, particularly for financial institutions, which are becoming overwhelmed by the increased volume of customer contact and alerts, and it is driving an unprecedented need for banks to invest in the growth of their fraud teams. Additionally, we are observing an increased focus across financial services organisations on disruptive and preventative measures to reduce scam losses and minimise the impact of scams on customers, including an active focus on better education and awareness across their workforce and customer base.
The Australian Banking Association (ABA) has also taken action in response to the increase in scam activity impacting the industry, launching an awareness campaign in September as well as leading a wider program across the banking sector to support enhanced intelligence sharing across law enforcement agencies, and working with the Australian Financial Complaints Authority (AFCA) and regulators to ensure legislation is keeping up with evolving scams.
Pending regulatory reform spells increased responsibilities
The Albanese government is expected to build on measures in the 2020 cyber security strategy announced by Scott Morrison in August 2022. Labor will look to introduce a greater focus on cyber security awareness and education, tougher penalties for cyber criminals and protecting Australians from scams and online fraud.
Also on the table for Australia is a proposed policy package for a national anti-scam centre (based on the UK’s model), as well as more funding to support retrieval of stolen identities and new industry codes for banks and other agencies to clearly define responsibilities for protecting customers and online businesses.
This (pending) regulatory reform is expected to bring increased responsibilities for financial institutions.
Coupled with shifting vulnerabilities, thanks to increased digitisation and a rise in customer data theft, it’s clear financial institutions need to be more alert and proactive in:
So, how can financial services institutions tackle this?
Five steps to improving scam prevention and detection
Australian financial services organisations must have the right technologies, tools, and education measures to protect against fraud. Based on our experience working alongside market leaders, we recommend these best practice steps:
1) Understand your fraud risks and the effectiveness of your controls
First, understand your risks by completing a fraud risk assessment. Your assessment should accurately identify risks that are specific to your organisation, with consideration given to your strategic priorities. Also, it should assess the effectiveness of your fraud risk management controls. This assessment should be monitored on an ongoing basis to help you identify where controls need to be improved, while highlighting controls that may be introducing excessive friction in the customer experience.
2) Maintain rigorous identity verification and authentication processes
A rigorous identity verification process is essential in the fight to prevent scammers from infiltrating your customer base. Our research found Know Your Customer (KYC) failures are the most disruptive issue for a number of financial services organisations, despite growing regulatory scrutiny in this area. Because we’re seeing a rise in identity theft and synthetic identity fraud in financial services, it also poses the question: How can financial services organisations better protect their customers, and quickly identify anomalous behaviour, when records don’t have accurate and up-to-date customer information?
Robust customer onboarding processes and authentication controls are critical in the design and delivery of your fraud risk management framework. This can be achieved by combining a multi-layered approach to customer verification and authentication, incorporating:
- multiple verification checks (such as documentation and biometric verification checks at onboarding);
- multi-layered authentication checks (such as behavioural biometrics and customer behavioural analytics); and
- machine learning (ML) technologies to enable effective fraud prevention and detection of suspicious behaviour.
When implementing these measures, it’s vital to also keep sight of the need to minimise friction and deliver a positive customer experience.
3) Invest in a cohesive detection toolset
For too long, Australian financial institutions have lagged other regions when it comes to investing in fraud prevention and detection technology. This trend is finally improving, as illustrated by the ABA, which has reported that Australian banks spent an estimated $19 billion on technology in 2021; however, our PwC survey shows cost is still the number one reason that organisations hesitate in adopting or upgrading technologies.
Consequently, some organisations are falling behind in the maturity of their technology-enabled controls and are falling victim to attacks. Fraud is now so sophisticated that organisations can’t rely on the traditional rule-based approach to fraud detection. Instead, there’s a need for detection platforms to incorporate analytics capabilities such as artificial intelligence (AI) and ML, as well as industry intelligence and customer intelligence such as authentication, transaction patterns and biometric data. Together, these enable a behavioural analytics approach in the detection of unusual behaviour and emerging fraud threats.
Having the right supporting analytics is fundamental to the effectiveness of an organisation’s fraud control strategy. Not only will this improve the detection of fraud, but it will also help reduce the impact of customers falling victim to scams.
4) Introduce auto-blocks for high-risk scam activity
Customer demand is driving fast payments infrastructure. But new payment platforms and real-time transactions haven’t just sped up transaction times – they’ve also raised the security stakes by giving scammers faster access to authorised payments and the ability to move payments through accounts at speed, making recovery more difficult.
Automatic blocking of online payments that are deemed to be at ‘high risk’ of scams (i.e. payments to online retailers known to be linked to scams) allows financial services organisations to alert a customer of a scam concern and then check if they want to proceed. This can be an effective control to mitigate scam events and, as a by-product, provides an opportunity to build customer awareness, too.
5) Educate your staff and customers
In addition to the use of technologies to prevent and detect fraud, one of the greatest tools available in the fight against scams is customer awareness and education. But how many of your staff and customers know how to respond when they fall victim to a scam event? And have you equipped them to minimise their risk of falling victim to a scam in the first place?
Education should be twofold:
i) Employees
The value of your frontline staff as a first line of defence against scammers should not be underestimated. While many organisations focus effort on education programs for customers, employee education is also vital.
Scalable online employee education campaigns on current scam and fraud scenarios can help reduce customer susceptibility and/or impact. When your people are fluent in early identification and timely reporting, more scam and fraud events can be stopped in their tracks.
When considering employee education, ask:
ii) Customers
No organisation is immune from scams and fraud so don’t fear communicating with your customers about the risks. In fact, talking with your customers about scam risks and prevention strategies shows you are proactive – which helps build customer trust and confidence. Your customers want to be assured of your fraud risk management controls and fraud awareness education is a key part of this.
We’ve even seen some financial institutions use scam communications as a competitive differentiator for their brand. (See UK bank, Santander’s ad paying homage to MC Hammer’s ‘hammer pants’ with fraud-detecting ‘scammer pants’.)
Provide specific guidelines to your customers detailing how they can protect themselves from falling victim to scams (e.g. remind them never to share passwords or authentication codes with a third party). Also, explain how to identify a scam early by sharing common risk indicators to look out for. These are great tools and resources to arm your customers with.
In the event they do get scammed, your customers need clear guidelines on what to do to report the fraud, plus they need to know what support is available to them. This will ensure timely reporting to your organisation. It will also ensure your customers feel supported during a potentially stressful time and this sense of support can go a long way to strengthening your connection with your customers and earning their trust.
The most effective education programs have current messaging and share the latest news around scams (including details about scam scenarios) so customers know what red flags to look out for and are clear on what their providers will and will not request from them.
It’s also important to consider how you communicate with your customers. Customers are looking for trusted information sources and reliable resources to protect themselves. Leveraging push messages and updates via digital channels (such as banking apps) is recommended, as is the use of opt-in device-based alerts notifying customers of suspicious or high-risk activity on their account.
Whilst all customers are at risk, financial institutions should pay particular attention to supporting and educating elderly and vulnerable customers, who are especially at risk of falling victim to scams.
Invest today to prosper tomorrow
While the upfront cost for fraud detection and prevention technology can be daunting, the operational costs to recover funds (think: investigation, remediation, recovery) far outweigh any initial tech investment. And that’s before you consider the reputational damage that weak fraud controls can wreak on a financial institution’s brand. And while financial institutions are likely to have increased responsibilities, it will take a coordinated effort from financial institutions, government and our regulators to help protect customers. This includes better sharing of data between stakeholders and collaboration across the industry.
However, the return on investment for everyone is potentially huge. Your organisation and your customers will be safer, and that’s worth its weight in gold.
Penny Dunn
Partner, Assurance, Forensics and Financial Crime, PwC Australia