Online identity fraud is a growing worry in society.
The fraudsters are finding new ways of committing fraud, which puts pressure on the good guys trying to analyze the fraud patterns in order to prevent it.
We sat down and had a chat with BankID BankAxept’s Fraud Analyst, David Sæle, about the current situation, how to combat the problem, and what the future holds.
Setting the scene: what is online identity fraud?
Identity fraud is the misuse of a person’s identity, without their authorization, to commit a crime.
When this takes place online, the fraudster might take advantage of the victim’s personal accounts, credit card information or electronic identity.
How are the criminals currently committing online fraud?
“The fraudsters are using more and more social engineering and you don’t need to be a technical genius anymore to commit fraud. Over the last few years, the threat landscape has changed a lot with fraud kits becoming more easily available for less technical criminals.
Lately, a new type of fraud has been detected in Norway. Fraudsters are calling people up pretending to be from their bank. They are then warning the victim that their account is about to be emptied by hackers and convince them to transfer their money to a “safe account”. In reality, this is an account the fraudsters are in control of.
Unfortunately, we are experiencing an increased use of social engineering in fraud cases.”
What are the biggest challenges of online fraud?
“One of the main challenges is whenever we discover a new type of fraud and eliminate that risk, they make changes and come up with another method. There are rapid changes in the fraud landscape and it’s very challenging to keep up with. It is really a game of “cat and mouse”.”
What can we do to prevent online fraud?
“The most important thing in preventing the success of criminals is teamwork. Collaboration with banks and our stakeholders in the financial industry makes us more powerful in detecting fraud, as we can learn from fraud committed to one another.
Sharing methods and weaknesses in our systems that are exploited by fraudsters will make us stronger in the fight against fraud. If we collaborate with each other, we might be able to stop similar fraud going on in each other's businesses. It’s as simple as that.
We also need an ongoing focus on arresting these people. We need to change the mindset that committing fraud is a “high risk, no reward” type of crime.”
What can we do to prevent fraud across borders?
“At the moment, we’re mainly collaborating with banks and merchants in the Nordics, but we’re open-minded to sharing information with the police and international stakeholders. Perhaps in the future we can do more collaborations across borders, but that can be a bit more challenging due to data privacy and regulations.
In the Nordics, we share findings through the Nordic Financial Cert, and we actually see a lot of the same patterns. The collaboration between Denmark, Finland, Sweden, Iceland, and Norway is really strong and valuable.
Økokrim just had a major arrest case in Romania*, where we assisted them with information that made it possible to find the criminals. This case is a good example on how we can collaborate to make sure that fraudsters are caught. In the long run, this helps us as it increases the risk of committing fraud online. In many cases, the fraudsters are not physically located in Norway, which makes it even more difficult to catch them.”
*The fraudsters were located in Romania and had scammed people through a fake Norwegian BankID verification process. This was regarded as a phishing attack that allowed them to acquire the victim’s personal BankID information, and subsequently, access their bank accounts. Read the full article.
What’s the future outlook on identity fraud?
“The fast adaptation of artificial intelligence will definitely be a big part of the fraud threat landscape over the next few years. It can be used to create phishing kits, generate content for phishing emails and even in phone calls where fraudsters can use deepfakes to manipulate their voice.
One of my biggest concerns is the use of deepfakes where fraudsters can manipulate their voice to mimic people that are close to you (i.e your mom or dad) and manipulate you into doing things. This is really scary. Additionally, content (grammar and spelling) in phishing emails can with the help of AI become so good that it will be impossible to distinguish between real communication and phishing.
However, AI is also there for us to use, so we can make use of it to build better systems that can detect fraudulent patterns faster.”
How does BankID work to prevent fraud?
“For any company, it’s crucial to be aware of how criminals can use your product or service to commit fraudulent activities.
One of our most important measures towards reducing fraud is the transition from code devices to the BankID app. It provides a much better foundation for implementing mitigating initiatives to reduce fraud. The app can also be used to interact directly with end users when we see increased fraudulent activity.
In the past few years at BankID, we have started working across teams and departments on how to prevent fraud. Take our UX team as an example. They are very focused on creating fast, simple and intuitive experiences of BankID. Now, they are even more focused on security and how BankID works from an anti-fraud perspective, which ultimately leads to more secure and better solutions.
It’s important to keep on increasing awareness and knowledge so everyone involved at BankID can work towards fraud prevention.”
About David Sæle and BankID BankAxept
David works with analysis of BankID activity where the aim is to detect and prevent fraud. He’s a part of the anti-fraud team and they work closely with banks in Norway when mapping the action pattern of the fraudsters.
BankID is in a unique position to capture an overall picture of fraud. Therefore, they're able to follow the fraudsters' activity across banks, websites and public services. For BankID, it’s important to improve the user experience since it will help end users find it more intuitive and safe to use.