A recent article appeared in the UK newspaper The Guardian about a disturbing new trend where fraudsters pretend to be loved ones to steal money.
Potential victims are first targeted by scammers using ‘sucker lists’ – lists of people who have often fallen prey to scams before. From there, the scammers focus on people in the right age group who might have children in college and therefore may reasonably have already received requests for money from their (real) children. Automated bots are then set up with WhatsApp accounts to pose as children and ask for money. If a victim bites, a human takes over from the bot and uses social engineering techniques to push through fraudulent transactions.
These scams are not new. A variant called “ore ore sagi” – literally translated as “it’s me, it’s me, the cheat” – was common in Japan about 10 years ago. In this case, the scammer would call an elderly person, usually someone who lived alone, and start the conversation by saying “It’s me, it’s me!”. This would then prompt the victim to guess a name to find out who the caller was. Trust-building followed and resulted in money being transferred to the fraudster or, as the victim had been led to believe, a long-lost relative.
Fortunately, the Guardian article shows that the banks are sensitive to the issue and reimburse the victims. The journalist also spoke to WhatsApp, which provided some useful advice: it advises people who receive a suspicious message to request a voice note to verify that the sender really is who they say they are.
Behind the scenes though, scams like this show how some frauds can be perpetrated through the use of multiple platforms. The fraudster makes a transaction on WhatsApp to induce a transaction through a bank. WhatsApp and the bank have completely different monitoring systems and check completely different things. WhatsApp checks for suspicious behavior among its phone users. Banks check for unusual payments to new customers. If they were working together, a single phone number (the automated bot) sending similar messages to multiple users, which then results in a single unusual payment, would trigger an automated block of that transaction. But the systems aren’t joined (for good reason) and the transactions continue.
Compliance in the transactional space
Compliance therefore fights with one hand behind its back – WhatsApp compliance and bank compliance can only see half the picture each. Both parties may have to overcompensate accordingly with clumsy anti-fraud controls, while being wary of compromising the user experience.
Managing these shortcomings is the challenge of our time in the fight against fraudsters. Anti-money laundering techniques can of course help us, such as checking for unusual payment patterns, e.g. large one-off payments to hitherto unknown recipients, especially when overseas. Combining these techniques with additional intelligence on typical user behavior can allow the alert to be more targeted.
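The sketch below is an added example, not code from the article or from Idenfo. It compares a fixed-amount rule with a rule that judges each payment against the payer's own history; the field names, thresholds, home country and sample payments are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Payment:
    payer: str
    payee: str
    amount: float
    country: str  # country of the receiving account

# All thresholds are illustrative assumptions, not values from the article.
HOME_COUNTRY = "GB"
FIXED_LIMIT = 1000.0    # naive rule: flag anything above this amount
AMOUNT_MULTIPLE = 3.0   # behavioural rule: "large" = 3x the payer's median

def naive_alert(payment):
    """Fixed-amount rule with no knowledge of the payer's normal behaviour."""
    return payment.amount > FIXED_LIMIT

def assess(history, payment):
    """Return (alert, reasons) for a payment judged against its payer's history."""
    past = [p for p in history if p.payer == payment.payer]
    reasons = []
    if payment.payee not in {p.payee for p in past}:
        reasons.append("new_payee")
    # With no baseline for this payer, fall back to the fixed limit.
    limit = AMOUNT_MULTIPLE * median(p.amount for p in past) if past else FIXED_LIMIT
    if payment.amount > limit:
        reasons.append("large_for_payer")
    if payment.country != HOME_COUNTRY:
        reasons.append("overseas")
    # Alert on the pattern the text names: a large payment to an unknown recipient.
    # "overseas" is kept as context for the analyst rather than as a trigger.
    alert = "new_payee" in reasons and "large_for_payer" in reasons
    return alert, reasons

# Constructed sample data: alice makes small payments, bob pays a large rent.
HISTORY = [
    Payment("alice", "child", 60, "GB"), Payment("alice", "child", 80, "GB"),
    Payment("alice", "child", 50, "GB"), Payment("alice", "grocer", 40, "GB"),
    Payment("bob", "landlord", 2000, "GB"), Payment("bob", "landlord", 2000, "GB"),
]
SCAM = Payment("alice", "acct-unknown", 900, "ZZ")  # "ZZ" is a placeholder country
RENT = Payment("bob", "landlord", 2000, "GB")

if __name__ == "__main__":
    for p in (SCAM, RENT):
        print(p.payer, p.payee, "naive:", naive_alert(p), "behavioural:", assess(HISTORY, p))
```

On this data the fixed limit misses the 900 payment to an unknown overseas account and flags bob's routine rent, while the history-aware rule does the opposite.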
But perhaps a bigger challenge is one of mindset. We are all tired of big tech collecting our data to know everything about us. Apple’s recent “App Tracking Transparency” (ATT) feature stops surveillance at the device level and fuels this trend. This is already bearing fruit, as evidenced by the recent fall in Meta shares. This is partly because ATT contributed to a $10 billion reduction in ad revenue, equivalent to a quarter of Meta’s overall profit for the year. But ironically, perhaps such pooling of device data can help us beat cases of fraud like this. If WhatsApp (owned by Meta) and banks shared device-level data, the full fraud scenario could be seen and perhaps this particularly pernicious type of fraud could be stopped.
There are of course no easy answers to this dilemma. Fighting bad guys on their own terms has been a challenge throughout history – it’s just that the weapons are getting more sophisticated.
About the Author: Antony Bellingall is co-founder and director of Idenfo, a comprehensive suite of compliance solutions and services for financial institutions worldwide. This includes transaction monitoring advisory services. Transaction monitoring is all about effectively mitigating risk. Idenfo also specializes in industry practice and tailors its advice to the bespoke nature of each institution’s unique set of risks.