Globally, phone fraud is estimated to cost economies US$5 trillion annually, including account takeovers, impersonation, romance scams, SIM swapping, SMS OTP and other scams, all having a dramatic impact on the lives of citizens in Singapore, across the region and globally.
According to research firm Imperva, account takeovers alone, where you are locked out of your own mobile account, rocketed 121% last year.
But for every act of fraud you read about, many go unreported because people are often ashamed or embarrassed, or both, to report being scammed, which allows the fraudsters to continue their illegal activities.
But with phone fraud a global problem, who or what is to blame? The answer is simple, yet the solution is more complex.
Let’s take a step back and dispel a few myths people may have about phone fraud.
Phone fraud does not occur because of bad luck, being in the wrong place at the wrong time, or because you were at fault for being scammed. The average person on the street is far more vulnerable to fraud than ever before because they do not have the anti-scam resources typically found in companies.
The biggest issue today for banks, online retailers, social media, and other digital providers is trusting that the person accessing an account online is the customer. If you walk into a bank pretending to be someone else, there is a very high risk of being discovered.
Compare that with accessing your account online, where the bank cannot see you and needs to prove your identity with authentication and verification technologies.
The fact is that the root cause of phone fraud is technology. Not humans, not mobile providers, not the phone manufacturers, but old technologies and processes used to verify and authenticate genuine customers. Or rather, 20th-century technologies that cannot cope with a 21st-century problem.
We got here because many processes from the physical world were carried over and used in the digital world. Passwords and one-time passwords are decades old and were not built digital-first. Introduced in the early 1990s, SMS one-time passwords are a relatively newer invention. Yet all are vulnerable to attack by fraudsters.
Further, we live in a world where automation reduces inefficiencies and increases productivity. This is precisely the same approach criminals use in launching attacks against thousands of people at one time, knowing they only need a certain percentage to click on a link for the scam to be profitable.
Yet banks, e-retailers, social media platforms, and other digital providers have invested in anti-fraud software, artificial intelligence (AI), and other advanced technologies to detect and prevent criminal behavior. They have introduced facial and voice recognition, fingerprints and thumbprints, and iris scans to verify account holder identities.
This caused criminals to pivot to the path of least resistance – you!
Those behind phone fraud are well-organized, highly structured gangs with access to significant resources and stolen personal information. They sell, buy, rent, and exchange information, and use underground forums and marketplaces to gain the tools to launch attacks.
They have no regard for the chaos they create when defrauding people because their primary motivation is financial gain.
Criminals know how to trick mobile service providers into transferring customer phone numbers to them and then take control of the account. Because the mobile phone has become a digital work and leisure hub, having someone else take control can devastate you financially and personally.
But the fraudsters are clever and can quickly adapt, adopt and pivot to new attacks, as the pandemic showed. They know humans are trusting by nature, and use social engineering combined with new technologies to hack, trick, steal, and access sensitive information. They will even coach victims on navigating warning and security messages.
Adding to the complexity, these old technologies used to prove identities cannot be discarded because they are ingrained in society and across generations. Unfortunately, criminals know this.
This is the adversary law-abiding citizens are up against.
Good News Is Here
Adding more layers of security is not the 21st-century solution, because consumers want convenience and more layers mean more complexity. Digital providers want customer satisfaction and a way to authenticate and verify genuine customers.
Any solution has to work across generations, and security must be without vulnerabilities to stop criminals in their tracks. Yet consumers are up against sophisticated and well-resourced foes with deep pockets.
This may sound like a high mountain to climb, but changes are taking place and winning acceptance through the combination of 21st-century and ‘old’ technologies.
Take the success Thailand has had with banks using facial recognition to prove the identities of new customers—over five million people have opened bank accounts using the technology. Each bank provider must adhere to strict guidelines established by the Thai central bank, covering information storage, security, customer education, international standards, risk assessments, and ensuring continuous service.
In Singapore, giant strides are being made in digital and phone fraud. SingPass is a shining success, with over 3,500,000 people using the app, integrating 2,000 services, and over 29 million transactions made monthly. The government introduced the E-commerce Marketplace Transaction Safety Ratings to protect customers from scams.
In April this year, Singapore’s Anti-Scam Centre reported they had recovered S$200 million and frozen 27,300 bank accounts from scammers since 2019. Although a spectacular achievement in the fight against phone fraud, this announcement showed the sheer scale and size of the problem.
Elsewhere, behavioural biometrics is a technology that understands how a person types, swipes, or holds their phone to prove identity, making it impossible to lose or forget passwords. A behavioural profile is created from thousands of data points, and it is this profile that is used to authenticate identity; it does not require any sensitive information to be shared with a third party. This behavioural profile is unique to the individual.
Criminals often use a common human trait, namely trust, to their advantage, along with sales tactics such as a sense of urgency or an emotional appeal, to lure people into making impulsive decisions and throwing caution to the wind. Some technologies can tell if a phone user is under stress or examine in real time whether a fraud is occurring.
In conclusion, old authentication and verification processes and methods are primarily to blame for phone fraud and have been seized upon by criminal gangs who, motivated by financial gain, have left countless victims in their wake. But the tide is turning thanks to Singapore, other governments and the private sector researching, developing and introducing advanced technologies to address this situation with notable successes. The beefing up of government agencies to tackle fraud head-on has resulted in significant wins.
SMS one-time passwords and passwords still have a place in society because of their prevalence and the general aversion to change among consumers. Finding the right balance between security, simplicity, safety, data protection, and convenience is a challenge that requires constant vigilance and review.
By Namrata Jolly, General Manager for Asia Pacific, Callsign