96% of all e-commerce businesses report some form of fraud attack at their organization, with account takeover landing in the top three. – Merchant Risk Council 2019 Global Fraud Survey results
Some fraud types have dropped over the last few years due in part to better identity and fraud tools that help businesses recognize their good customers. But that does not mean that fraudsters are not looking for other ways to take advantage of millions of compromised usernames and passwords.
Account Takeover (ATO) is a type of fraud where attackers obtain a legitimate user’s credentials to take over their online accounts, which enables access to financial, retail, loyalty, and other accounts that can be exploited for fraud. Because ATO fraud can look like activity from a trusted customer, detection can be tricky. That’s why businesses need to employ layered controls and ensure that they are interacting with their good customers, not someone impersonating them online.
In an industry survey by the Aite Group, 89% of financial institution executives pointed to ATO fraud as the most common cause of losses in the digital channel.
In this #ExperianLive event, Nick Barratt from PwC discusses ATO trends and what businesses – and consumers – can do to help combat this ever-shifting type of fraud.
In this episode, Nick shares:
To learn more about business fraud, download the Experian Global Identity & Fraud Report here.
Mike Delgado: Friends, welcome to Experian Live, a show featuring leaders talking about technology, innovation and ways to improve business. Today, we’re chatting with Nick Barratt about fraud, and the business of account takeovers. Nick Barratt is a Senior Manager of Financial Crime at PricewaterhouseCoopers. And before we get started, I’m going to let you know that the latest Experian fraud report is available, and the URL to get the free download is at ex.pn/fraudreport. Again, the URL is just ex.pn/fraudreport. Nick, thank you so much for being on our show today.
Nick Barratt: No worries, Mike. So, yeah, good to be here. And, yeah, glad I can be of some assistance.
Mike Delgado: Awesome. So, Nick, before we get into this, can you share a little bit about your background and how you found your way into working in financial crime?
Nick Barratt: Yeah, so I started off actually in IT security about 20 years ago. And so then it was all about building up the castle walls, protecting everything from external people. From there, moved into cybersecurity and did a lot of work around dark web research, industrialization of hacking, and that type of stuff. And then from there, actually came to work for Experian, and really followed the shift in cybercrime and how cybercrime leads to financial crime and more specifically fraud. And then from there, spent 12 months working for a bank, heading up their financial crime strategy and technology. And then, yeah, most recently, moved into PwC, where I act as a consultant working with a range of financial services organizations to help them protect themselves against the impact of financial crime.
Mike Delgado: When you were focused on cybercrime, how is that different from what you’re doing now? What sorts of tasks were you doing back then?
Nick Barratt: The way that I would explain it and keep it nice and simple, cybersecurity and cybercrime are about bits and bytes, whereas financial crime is about dollars and cents, basically. So one ultimately leads to the other. Most notably, cybercrime or cybersecurity incidents lead to financial crime losses. But, yeah, one’s really focused on the data, and how that data can be monetized, and then the fraud or the financial crime is the monetization of that data.
Mike Delgado: Are there any projects you could speak about that when you’re working just on cybercrime that was really interesting to you?
Nick Barratt: So I think it’s the prevalence of attacks that really was most interesting to me when I was doing that. So for the organization I worked for, we actually set up a number of honeypots in China. And this was a time, as still today, when there’s a lot of state-sponsored espionage, and like anything, a Western company pretending to be on the ground in China is going to attract attention from the Chinese government. But it was really interesting to see the handoff procedure in terms of the way that they conduct an attack. So being able to watch them attack in real time shows you that these organizations, now that was state-sponsored, but it very much rings true for other types of criminal gangs, have different types of capability within, just like we would have different types of capability within our businesses. And those organizations will hand off hacking types and activities through their organization. And you could see that through monitoring these attacks.
I think the other thing that’s quite prevalent is really just around… and we keep talking about this a lot, is the prevalence of malware and botnets, and how those are still used to conduct all manner of crimes. Now, the statistics back then that we saw, again, through running these honeypots is if you put a new device on the internet with no antivirus or malware protection, it will be scanned from the internet within 12 seconds.
Mike Delgado: Whoa, 12 seconds?
Nick Barratt: 2 seconds. So we’re talking about billions of devices on the internet, especially with the Internet of Things. And you can see why now all of these companies that are offering Internet-connected devices, smart TVs, smart fridges, and smart kettles, these are all devices that are being recruited into these botnets.
Mike Delgado: That’s fascinating. Okay, so you mentioned the term honeypots several times, my mind immediately went to Winnie the Pooh. What is a honeypot?
Nick Barratt: So a honeypot is a deliberate trap used within cybersecurity or financial crime prevention, where you put a soft target on the internet that is deliberately exposed so that you can gain information intelligence about your adversaries.
Mike Delgado: So can you give me an example of that, maybe something I might’ve seen?
Nick Barratt: From a military perspective, a good idea might be sending fake messages to send the enemy off the scent, as it were. So effectively, you’re putting something out and allowing it to be attacked. But because it’s a dummy target, you’ll get far more intelligence about the people that are attacking you and how they might attack you by capturing this information.
Mike Delgado: Oh, that’s fascinating. So a good example might be like the military sets up some sort of database that is meant to be found by the enemy. And the goal was basically to help them get access and then through that, we’re getting intelligence on them.
Nick Barratt: Yeah, correct. So in a financial crime perspective, you might set up a fake internet banking site and make it deliberately weak or less secure than it would usually be and allow cybercriminals to attack it so that you can gain intelligence on the malware that they’re using or the techniques that they’re using maybe through cross-site scripting or something else to breach the security within the site, and so that you can use that information to harden your actual proper internet banking.
Mike Delgado: Wow. Oh, Wow, that’s fascinating. So over the years as you have like especially in the cybercrime area, are there any things that you saw that you were like, “Well, that’s really, really smart. That’s a really interesting tactic that they’re using”?
Nick Barratt: So the one that I mentioned, which is clearly skills based. So these organizations will have different capabilities within their team. So you’re going to have your privates who are out doing the initial reconnaissance and data finding, and some initial low-level work. But then when they get up against the barrier, they’re going to pass it over to a lieutenant or someone higher up the food chain that’s got a little bit more skills, that is going to then do the next part of the attack, and then all the way through to the really senior guy that has much more skills in his arsenal, that once they’ve really got through, this is the guy that steps up to the plate when the bases are loaded and hits the ball out of the stadium. He’s your money man.
And that to me, I’m still surprised at the complexity that these organizations go to, and the resources that they can recruit. These aren’t guys just sitting in their bedroom doing it for fun or doing it for their own personal gain. These are well-organized businesses in their own right. They just make their money through illicit, illegal activity. And they will put back all the money that they make into R&D and things like that. So I think that’s a critical play here, in that these organizations are sophisticated. And I think the other one that always shocks me is the persistence of these individuals and how long they are prepared to play the waiting game.
I did some work around forensic investigations. And these individuals will sit and will monitor inside of networks for months, if not years. Look at the TJX incident when they had all their card data stolen, a few years ago now. But those cybercriminals were in that network for 18 months, moving their way around trying to locate where the data stores are, trying to locate where the data is that they want to steal. So they’re prepared to sit back and play a waiting game. And I was at an event just last week and was talking to someone. And he was saying that today, data, personal identifiable information, they’re stolen through cyber attacks. We’re finding out now that these criminals are sitting on data for up to three, four, five years. And actually, the longer that they sit on it, the more valuable it becomes.
Mike Delgado: That’s so scary because you think that after some sort of breach or crime like that, you’re going to be hypervigilant about checking your bank accounts, your credit, whatever accounts that they were breached. You’re going to be staring at that for a while. But then like a year passes, two years passes to your point, you become a little bit more, “Oh, I feel protected. I feel like nothing’s going to happen to me.” But you’re saying that kind of the longer the data sits out there, the more comfortable people get, that’s when the attacks are most likely to?
Nick Barratt: Exactly, exactly. And the fact of the matter is, once our data is stolen, we can’t really do anything about it. We can’t change our name. People generally don’t tend to change their email address. They don’t move address very often. And even if they do, the cybercriminals have still got their previous addresses, or, in your case, your social security numbers. They don’t change that. That’s your social security number for life. So once a lot of this data’s out there, it’s valuable as long as you continue to be alive.
Mike Delgado: That is scary. Okay, so you were in the cybercrime space for a long time, and you said a lot of that is like focusing on the data aspect of it, and then you transitioned to focus specifically on financial crime. What was your draw there? Why did you make that switch over?
Nick Barratt: So I think cybersecurity was starting to mature. And organizations that held a lot of the data, retailers, hospitals, and government institutions, were starting to get their act together from a cybercrime perspective, and were starting to get their defenses in much better alignment. However, what I saw with that, that wasn’t transitioning into the financial crime prevention space. Organizations were still looking at traditional types of financial crime, first-party fraud committed by an individual against the financial institution. And they weren’t connecting the dots that data stolen from a consumer-facing business might result in fraud to them. And they just didn’t have the right understanding, risk awareness of that. So I really wanted to come into that space and help educate the community that they needed to look elsewhere, much wider than where they were today.
Mike Delgado: What have you found, Nick, as being one of the big challenges of educating the community as technology evolves?
Nick Barratt: I think it still shocks me that there are so many people that work in financial crime and fraud that don’t appreciate the scope and the complexity of fraud attacks that take place. In the UK last year, and these were some stats from a report that was released yesterday, 31% of all crime now in the UK is fraud. And that goes from anything from traditional boiler room scams or dating app scams, and all the Nigerian prince letters, all the way through to quite highly sophisticated internet banking and account takeover incidents, and everywhere in between. And the loss to the industry and to the economy is significant. And the unfortunate situation is that it continues to grow.
Mike Delgado: When I think about the first kind of fraud types you mentioned, especially like the dating app ones, that seem to be very, very manual, where someone’s had to build a relationship with somebody else through emailing, through conversations, video chats, whatever, through some sort of dating app, where the whole goal is really to build trust with that person and eventually try to get money out of that person. Seems like a very manual task. Are you noticing that as fraud gets more sophisticated, that’s becoming less manual, more bots, more technologies involved, or do you think it’s just the same amount of manpower, womanpower that is needed?
Nick Barratt: So I think ultimately, it comes down to how big is the target, and how much research do you want to put into it? So if you want to commit a highly sophisticated scam that’s potentially worth a lot of money, then you’re going to have to put time and effort into it. And the cybercriminals are persistent enough that they’ll do that. I think the benefit that they have, and think back 15, 20 years ago, if I wanted to commit a crime against a certain individual, I would have to go through quite a lot of processes to find out enough information to commit that fraud. I might have to go down to the registry office to try and get a copy of a wedding certificate. I might have to go down to the county offices to get information about property records, or business records, or that sort of thing. And guess what? Today, all that’s digitized. It’s all on the internet.
So I don’t even have to get changed out of my pajamas. I can build a database on someone. And with social media, that adds even more power to that. And I know you had a recent Experian Live on phishing. That’s a precursor to other types of financial crime events. And the information that I can use to make my phishing emails, or letters, or phone calls far more sophisticated is easy for me to find. But it’s not just digital means and mechanisms. In the UK, people still get scammed by physical mail coming through the door. And a lot of this is being sent from overseas. And I think whilst, as a consumer community, people still continue to fall for this, people will still continue to try and exploit them.
Mike Delgado: Yeah, and I think about, gosh, the… it’s really sad to see that the mail fraud is happening, the letters, postcards, things that are being sent out in the attempt to get money out of people. And, yeah, that’s the offline method. You’re using some online data to then use offline methods to try to scam people.
Nick Barratt: Yeah, totally. And it is sad. You look at these instances of fraud that occur, and it’s not just financial loss. We’ve got a big push at the moment globally on mental health, and the impact that a financial loss could have on someone’s mental health, all the way through to instances where people have sadly committed suicide as a result of those sorts of things. So it has much deeper connotations to individuals, but also the fact that this financial crime that’s being committed, yeah, it goes out of the country initially, but it comes back in, but the money doesn’t come back in as money. It comes back in through people trafficking, or the sex trade, or drugs. And these criminal gangs, again, they’re multifaceted. They’re the dark web version of a Walmart, if you will. They’ve got lots of different things that they’re selling and peddling, and they’ll make money wherever they can make money.
Mike Delgado: [inaudible 00:20:39] Nick, you mentioned account takeovers. Can you talk a little bit about what that means or what that looks like? How can people recognize when an account takeover is happening?
Nick Barratt: Yeah, so I generally tend to classify account takeover into two parts. And the first part is the direct account takeover, whereby through either phishing, or manipulating your details, or potentially using a stolen username and password that maybe I bought from the dark web, I get direct access to one of your accounts. Now, that could be a financial account, but that could also be a social media account or an email account. And the account itself doesn’t really matter to me. Or you have what I would term as indirect account takeover. So this is where I’m socially engineering you to make payments out of your account to an account that I have access to. More recently, that’s often come by the name of CEO fraud or authorized push payment fraud, where effectively you’re manipulating someone else to effectively control… you are effectively using them to control that account and get money out of it.
Mike Delgado: Can you give me an example of that? Like how that happens, how someone can be manipulated so they hand over that information?
Nick Barratt: Yeah, so let’s say you’re the finance director of a large organization. So I might research on Facebook, I might get the details. Typically, your email address, generally, is going to be pretty easy to guess, the firstname.lastname@example.org, or maybe first initial plus your last name. So generally, emails follow a pretty standard format. But again, I can ring into reception and get that pretty easily. So what I’m going to do is drop you an email and say, “Hey, Mike, a lovely dinner I had with you and your wife the other day. The stew we had was great, and I really enjoyed that bottle of showers that you got out of the cupboard for us. And as you know, I’m away on business now for a couple of days, but I’ve completely forgotten that I’ve got to get some money sent over to a charity, who I promised that I’d have the money in their accounts this morning. Here’s all the details, their bank account number and the routing code. Can you ensure that you get $10,000 over to them this morning, and I’ll speak to you when I get back.”
So it’s that level of intimacy that you can build up through what has been shared on social media. And that for me is the killer today, in the way where we don’t, from a business perspective and a personal perspective, link the two together, and what I build in my personal life could be used to manipulate me at work. In something like that, you’ve got knowledgeable details and it’s going to… these criminals are sophisticated enough that the email is going to look like it’s coming from the CEO, and would the finance director even pick up the phone and ring him and ask him and say, “Are you sure you want me to make this payment?”
Mike Delgado: Wow, wow, that is crazy. That’s crazy. I never knew that it was even happening.
Nick Barratt: Yeah, and I think that’s the CEO now. You think about that in the case of an ordinary individual. Yeah, some of us that are a little bit more security-minded probably don’t go sharing their information on Facebook left, right, and center. But there’s people that I see, now you log on and every day you’re going to see someone that’s posted a picture of the meal that they’re eating, or linking themselves in a location with the person that they’re with. And all of that information can be used to socially engineer someone, either directly or indirectly, to get access to their accounts.
Mike Delgado: Wow, I think I can even see, like, we’ve finished this talk and potentially I’ll get an email from a Nick Barratt, “Hey Mike, great chatting about account takeover on Facebook Live, blah, blah, blah. Hey, my son’s going to be in this upcoming race and we’re looking for sponsorships. Could you potentially throw a couple bucks his way?” And I’m thinking I’m donating to your son’s charity or fundraiser. In reality, it’s just a big scam.
Nick Barratt: Yeah, totally. And that again is another type of account takeover, that if I get into your social media accounts, I think I can facilitate that type of attack to your associates and people that you’re friends with, or the things in LinkedIn. And account takeover doesn’t necessarily mean a business account. It can mean another type of account. Fraudsters are very good at making money from building those links to get what they want at the end of the day, and they can very, very easily move, and know what? If I get this piece of data, that will help me get that piece of data, and that will help me get that, and then that’s when I can cash out. So it’s well planned, well rehearsed. They’re not just going straight for the prize. They’re planning what they want and they’ll play that out.
Mike Delgado: Wow, that is fascinating. When we were chatting on the phone before today’s show, you talked about cross-account takeovers. Can you talk a little bit about that?
Nick Barratt: Yeah, so that would be in a situation whereby I would get access to, let’s say, your email account, and then I would use your email account to do something to another account that would then allow me to take over that other account. So let’s take an example. And this is one that everyone will be familiar with. You log on, and now most organizations that have a consumer-facing portal, whether that be a retailer or an airline, will ask you for a username. Now, most of them support email address as username, because guess what? We all remember our email addresses.
Mike Delgado: That’s right.
Nick Barratt: So it’s a pretty good assumption that if I’m asking for a username, I’m typing in my email address. So emails are publicly available, loads and loads get breached in attacks. So, yeah, well, I’ll just try this. So I type in an email, and I then type in effectively a junk password. It doesn’t at that point really matter what it is. I type in that junk password, and I basically get an error message back saying, “Your username and password, or the password, doesn’t align to this user account, please try again, or click here if you’ve forgotten your password.” So I click on the link to say, “I forgot my password.” I’ve got access to your Gmail or your Hotmail. And so I click on that, I get an email come through saying, “Please reset your password.” Oh, by the way, if this isn’t you that’s done that, please contact us. Well, guess what? I’ve got access to the email account.
So I click on the link, I reset the password, and then I delete that message out of the email account. So the owner of that is completely unaware that it’s taken place. And guess what? I then got access to… oh, I’ve reset the password on your mobile phone account. I can then use that to request a new SIM. And then from that, I can download your internet banking app, and guess what? I can get a new six-digit security code sent via SMS to the new SIM I’ve ordered, and bang, I’m in your account. So that connected account takeover is really what I referred to before about jumping from one account to another, to another, to ultimately facilitate the fraud.
Mike Delgado: Nick, as we see more companies beginning to use biometric data, things like my phone, I can turn it on with my thumbprint, I was sharing with you on our phone call that when I call up my investment account for retirement, they were asking me recently, would you like to be able to authenticate who you are through voice? And then we see this increase in voice technology and people have been able to use voice assistants to be able to log in to financial accounts. I’m kind of curious on your view on that, on how biometric data might be leveraged by fraudsters and specifically around voice because that, to me, concerns me. I’ve always said no because I’m like, “Well, someone maybe can replicate my voice and be able to have access.” But I’m wondering, like, is biometric voice data the same data points as a username and password?
Nick Barratt: Yeah, so I think a lot of these technologies are really dipped. However, the weak point in whatever you use, two-factor authentication is secure and is a strong technology. The challenge that you have with all of this is the enrollment of the individual into that scheme, and how do you verify someone’s identity when they enroll. So if I come along and say, “Hey, I’m Mike Delgado, and I want to use my thumbprint to access my bank account on my phone.” Well, firstly, I’m tying that thumbprint to my phone itself. It doesn’t have a link back to the bank itself. So all I’m doing is just starting to associate my thumbprint with that device. Now, what the bank has done in the background is a number of typically knowledge-based checks to ensure that the phone is associated with you, because you passed knowledge-based checks. Therefore, if the thumbprint is displayed, because you own the phone, the thumbprint must belong to you, which is a little bit nonsensical in some ways.
But it’s the same with voice. You set up voice access so that you can make money transfers by Alexa, or Google Assistant, or whatever. And you’re still only tying the voice to the identity of that individual based upon them passing either a series of knowledge-based questions or keying in a one-time passcode that you’ve sent them to facilitate that. Ultimately, are you truly verifying the biometric that you have, or the voice that’s being presented? Is that the individual? No. And, yeah, coming back to your question on using these voice assistants, those technologies don’t do any detection capabilities. So if you’re allowing your bank accounts and payments to be made by a third party, well, who’s actually then responsible for the security of that? Is that the provider? So the Google, Googles of the world, or Amazons, or is it the bank, or is it me as a consumer? And I think that isn’t particularly clear certainly in the situations I’ve seen where that technology is attempted to be used.
Mike Delgado: Yeah, it’s interesting how as technology evolves, there’s just more and more data points. And then the goal really is to make sure that the individual who wants to make a financial transaction or whatever, data transfer is that actual individual, whether it’s through those identifying questions that could be answered only by an individual, or by facial recognition, voice, whatever it is. The whole goal here is to try to remove fraud. What you’re saying is there’s a lot of still questions around if fraud happens. Who’s at fault? Is it the device that you’re using? Is it the bank? Like who’s really going to be at fault here?
Nick Barratt: Yeah, and I agree. And I think this is why, in my opinion, we need to have a sort of fundamental shift in the way that we are looking at fraud prevention. Data points allow us much greater insight than we’ve ever had about individual activity. And we penalize, and we say, “Oh, big brother’s watching, and why is Facebook and stuff collecting all this data and stuff.” But actually, if you look at it in a financial crime context, it’s like, “Well, if I could take those data points and build a pattern of how Nick lives his life and how he operates financially, then actually I can build up a pretty good profile of what Nick does. Nick buys a train ticket once a month. Nick generally tends to shop at these types of organization. Generally, he spends his money at this time of day and that time of day. He generally uses this limited selection of ATMs, and guess what? Those ATMs are either close to where he lives or close to where he works.”
So if I can understand what good looks like and build a profile around that, the minute that I try to make an ATM withdrawal from the center of Paris, when it’s a Tuesday, and I should be sat in the office in London, well, that’s abnormal behavior. So I might get a block on that, and I might then look to step up the challenge. The problem is we’re so focused historically in financial crime prevention on trying to look for the bad, and as the fraudsters do get more sophisticated and can better merge themselves in with good traffic, spotting the bad becomes harder and harder to do. So it’s almost like you end up chasing your tail, or looking for a needle in an ever-increasing haystack. Whereas actually, if we can identify, well, that’s how Nick generally operates, so for Nick, that transaction is outside of his normal pattern of behavior, I’m going to challenge it.
Now, if I challenge it and I get it wrong, so I’ll take it on the chin. But actually, 9 times out of 10, I’m actually going to be right. And the more that I do that, and the more that I look for good, the better the behavioral profiling is going to be, and the more effective my outcomes are going to be. And that has a significant impact both in the reduction of costs of technology to detect fraud, and less time, and less resource. It reduces the amount of false positives that we have to deal with. And ultimately, it will reduce our broad exposure of business and individuals to fraud.
Mike Delgado: Yeah, that actually comforts me. I guess the more data points they have about me, like knowing that, “Oh, Mikey, he likes to use coupons, he likes to save money, he usually lives in this circle, this is where a lot of transactions happen,” and all of a sudden, there’s some weird financial requests being made that’s not in the norm, like I want that flagged, like I would appreciate that phone call and why that’s being rejected and totally verified. So that’s something that actually… the downside is there could be a minor inconvenience, but who cares? Like if you’re protecting my finances, I’d want you to stop it and ask me.
Nick Barratt: Yeah, very much. And there was a very interesting L’Amour case here in the UK within the last month, where this has been going on for 12 to 18 months, but a lady was hit by a scam. She had a small business account. And she lost close to $350,000 out of this account. And she effectively took the bank in question to court, and whilst the financial ombudsman took a significant amount of time to rule on the case, they have eventually found in her favor, and she had argued that the bank in question should have had better security and detection controls to effectively pick up on this type of fraud. And they were ordered by the ombudsman to pay back all the money in full.
Now, they had recovered around about a quarter of what had been stolen. So whilst it was effectively… she’d been instructed, again, through one of these scams to transfer the money out, she wrote that the bank should have had better controls in place to look at the destination to be able to have identified that it was unfortunately account if it wasn’t connected. And yet, they were ordered to repay it. So what does that mean in terms of the future? There are more and more individuals that have effectively been duped. Are they going to be able to go and claim the money back from the bank because the expectation is that the bank should have those controls in place to stop that?
Mike Delgado: Well, I’ll tell you, sometimes the most devious fraud for me is the one where I think it’s coming from the financial institution that I actually bank with or do business with. And I shared the example in the last show around… my web host provider sent me a note saying that there was a data breach that happened, and it said, “Make sure you sign in right away and just authenticate your site. We know that you’re there, you got our message.” And so I immediately looked at the email. It had the logo, the web host, and all the details I’d expect. And I immediately just had a fear. I’m like, “Oh my gosh, something got hacked. I need to protect my site.” I clicked on the link, and next thing I’m like, “What did I just do?”
I had just logged into an unsecured website and given my username and password to a third party. And thankfully, I got it resolved, but that kind of freaked me out. And then a couple of months later, I got a phone call from my bank saying that there was a financial transaction happening and I needed to verify whether that was a true charge. And it kind of freaked me out. And then I was like, “Well, I don’t know if I’m really talking to the bank.” And so then I hung up the phone, and I called the phone number that I had in my car to make sure I was actually talking to the bank. And in that case, it was legitimately the bank calling me, but now I’m just really on guard because I was taken advantage of. And so now, whenever I get a phone call from a bank or anybody, I will never give information over the phone unless I’m making the phone call and I know the number that I dialed.
Nick Barratt: Yeah, and I would concur with that, and I would certainly encourage that behavior. But to your point, I’m going to show you this on my other phone, and hopefully here we might be able to see it, but it might be backward. This basically is a text message I got out of the blue, I want to say about three months ago now. And I’ll read it to you. It basically says that the DVLA… so the DVLA in the UK is the Driver and Vehicle Licensing Agency, so it issues all of the driver’s licenses and all of your vehicle tax for the road. And then it basically says, “We have identified that you still have an outstanding vehicle tax refund from an overpayment. Please follow the link to process.” And the link that’s given is https://gov.uk-refund.com/[crosstalk 00:44:30].
Mike Delgado: So that sounds totally legitimate with that URL there.
Nick Barratt: But the URL, when you know what you’re looking for, is fake, because it’s basically a .com site, it’s not a .gov site in the UK, and yet it is gov.uk-refund.com. So the dot in there is actually part of the name. And again, it’s a phishing site, and clearly people fall for the logo and they put their details in. And that might even be your government passwords that they’re asking for. And clearly, that then would give them access to your tax returns and all of that. So as we touched on, they’re persistent, creative, and they’ll play on the fact that people will get it and, like you did, react instantaneously without pausing for thought. And if they do pause, it’ll only be after the event, and they’ll go, “Oh, maybe I shouldn’t have done that.”
Mike Delgado: Yeah, it’s that fear-based stuff that really makes you take action because you’re like, “I need to protect myself.” And you just click on the link.
Nick Barratt: Yeah, and that’s quite a rare one, but I’ve had several pretending to be Apple. “You’ve got to reset your Apple ID,” or “Can you log back in again, because we’ve had an issue with your account.” So again, they’re preying on… it’s a numbers game. If I get 100,000 phone numbers, I might get 1,000 people to click on it. But 1,000 people out of 100,000 numbers is probably a good return.
Mike Delgado: Nick, as you’ve been studying all this and been tracking it, what are things that organizations can do to protect their clients? And also, what are things that consumers can do to make sure that we’re being vigilant about taking precautions?
Nick Barratt: So I will start with the consumer one first. Education is critical. Fraudsters are only ever going to get more sophisticated. As they get access to more money and they put it back in, it allows them to make even more complex scams. So I generally tend to live by the… if it seems too good to be true, it probably is. And don’t accept anyone that you don’t know for who they say they are; always have that element of suspicion. Take five, think about it before you just jump into something. Do your research. If you’re unsure, do a Google search for scams, or, as you said, if you get a strange text message or an email, pick up the phone, ring the supposed sender on the number that you find on the internet, and confirm it with them: have you sent this out? Is this the type of correspondence you would have sent out?
And generally, if you’re still unsure and you can’t confirm, I would ignore it, because if someone really wants to get hold of you to do something, then they’ll try, and they’ll try again, and they’ll try again. And generally, if it’s a scam, you’ll get it once and you won’t hear back. So that was on the consumer side. On the business side, I think, again, education is critical, education of staff, and making sure the staff do get the right level of training to help them understand what is happening and also what’s going to happen in the future, and trying to be a little bit more forward-looking. Having collaboration, and trying to work with other peer organizations and cross-sectoral organizations, I think is critical. You’ve all got a lot of data that you can share, and that data is certainly very helpful in spotting abnormalities and helping to fight crime.
I think there can certainly be a mindset shift in terms of how we look at fraud. And as I said, can we use that data to actually build up a profile of individuals and what good behavior looks like within the business? We are humans, and we are creatures of habit. And if we can build up and understand what a good activity is, then anything that’s abnormal becomes far, far easier to spot. And I think, finally, is really understanding what the risk is actually to our business, and making sure that we understand that culturally from a jurisdictional perspective, and then also based upon either the products and services that we’re offering to our clients.
I think too many organizations make a broad, sweeping assumption of where their fraud risks are going to be. But actually, if you’re operating multinationally, that’s going to differ from country to country. In Ireland, you can only have, well, you have to pay to have a credit card, you have to pay to have a bank account; therefore, there’s less prevalence of that type of activity. So you certainly see more account takeovers and that type of thing than you would applications for new credit cards and so on, because people don’t generally like to do that. Again, Germany is a very anti-debt society. They don’t like credit. So they don’t want to put themselves into that situation of borrowed debt. So there’s a lot more cash, there are a lot more instant-based payments than you would find in the UK. So you need to understand what good and bad looks like in the context also of the countries that you’re operating in. And I still think businesses don’t really have a true handle on that.
Mike Delgado: Well, all the different examples you’ve shared show the very creative ways that fraudsters are looking to deceive people, and as technology evolves, they’re just getting more and more creative. And so I want to thank you, Nick, for sharing these various ways with us so that we can all better protect ourselves as consumers, as well as organizations. Thank you so much for sharing your advice. For those listening in that want to keep up with the work that you’re doing, what’s the best way for them to follow you?
Nick Barratt: So probably LinkedIn. And you’ll find me on LinkedIn under Nicholas Barratt. Yeah, we can distribute details afterward, my contact details at PwC.
Mike Delgado: Okay, wonderful. And for those interested in learning more about fraud, the latest Experian fraud report just came out. And if you’d like to get the free download, the short URL is just ex.pn/fraudreport. Again, that’s ex.pn/fraudreport, or you can just do a Google search for Experian fraud report, and you’ll find it there. Thank you so much for sharing your insights with us today.
Nick Barratt: Mike, it’s been great talking. Thanks very much.
Mike Delgado: Thank you.
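The gov.uk-refund.com text discussed above turns on one detail: the registrable domain of that URL is uk-refund.com, and "gov." is just a subdomain label that happens to look like the real gov.uk suffix. The following is an added example (not code from the interview, Experian or PwC) showing how to check a link against an allowlist of trusted registrable domains so that only an exact match or a true subdomain counts. The allowlist, the sample URLs, and the function names are assumptions made for this illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for the example: registrable domains the user actually
# has accounts with. gov.uk is the genuine UK government suffix; the rest is
# assumed for illustration.
TRUSTED_DOMAINS: Tuple[str, ...] = ("gov.uk", "experian.com")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercased hostname of an http(s) URL, or None if unusable.

    urlsplit().hostname already lowercases and strips userinfo and port, so
    'https://www.gov.uk@evil.com/' yields 'evil.com', not 'www.gov.uk'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname or None


def is_trusted_host(host: str, trusted: str) -> bool:
    """True only if host IS the trusted domain or a real subdomain of it.

    The comparison requires a '.' label separator before the trusted name, so
    'gov.uk-refund.com' does not match 'gov.uk' even though it contains it.
    """
    return host == trusted or host.endswith("." + trusted)


def classify_link(url: str) -> str:
    """Classify a link as trusted:<domain>, lookalike:<domain>, unknown or unparseable."""
    host = hostname_of(url)
    if host is None:
        return "unparseable"
    for domain in TRUSTED_DOMAINS:
        if is_trusted_host(host, domain):
            return f"trusted:{domain}"
    # A trusted name embedded in the host without being its registrable domain
    # is exactly the pattern the DVLA text used.
    for domain in TRUSTED_DOMAINS:
        if domain in host:
            return f"lookalike:{domain}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; only the first is the one quoted in the interview.
    samples = [
        "https://gov.uk-refund.com/",
        "https://www.gov.uk/vehicle-tax",
        "https://gov.uk.evil.example/refund",
        "https://www.gov.uk@evil.example/refund",
        "javascript:alert(1)",
    ]
    for link in samples:
        print(f"{classify_link(link):22} {link}")
```

The embedded-substring check is deliberately a second pass: a host is judged first by its registrable domain, and only links that fail that test but still carry a trusted name are flagged as lookalikes, which is the cue a user or a mail filter should treat as a phishing indicator.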
About Nick Barratt
Nick Barratt is an experienced consultant covering customer security, financial crime, and fraud extending to KYC, AML, sanctions, and payments.
He is the Senior Manager, Financial Crime at PwC and formerly Head of Technology and Strategy in customer security, financial crime and fraud at Bank of Ireland. Nick was also a Senior Business Consultant in cybersecurity, financial crime, fraud and risk solutions at Experian.
Experian is the world’s leading global information services company.