Banks Should Work Even Harder To Fight Impostor Fraud
6/4/2025
It was a sunny Saturday afternoon when I got a phone call that looked like it came from my bank.
The caller said there seemed to be suspicious activity on my checking account. Could I provide my login credentials to this helpful man safeguarding my funds so he could review the transactions? Cheering my bank’s proactivity, I did not question why he wanted the credentials. I hung up the phone, satisfied and carefree.
Little did I know that I had just become a victim of account takeover fraud, or ATO, as we in the industry call it. That’s right—I’m in the industry. In fact, I’ve been a banker for over 20 years, not that it mattered in that moment.
Like so many other victims of this pernicious scam, I was operating from a place of trust. I trusted that my bank could identify suspicious transactions, and my confidence was well-founded. For decades, banks have successfully identified fraud through our sophisticated fraud detection models. When the Financial Crimes Enforcement Network (FinCEN) first warned banks about account takeover fraud in December 2011, we heeded the call. We built automated transaction monitoring systems to flag “irregularities,” such as when a domestic customer suddenly starts buying items in a foreign country or withdraws piles of cash from an ATM they’ve never used before.
Our monitoring has not been perfect, and sometimes we flag above-board transactions as suspicious. Our customers have tolerated this nuisance. Like accepting holiday traffic stops to catch drunk drivers, our customers see the greater good in the occasional blocked transaction. Our investigations engender trust, as they show that the bank is trying to protect its customers and accounts from thieves.
Another Cautionary Tale
But the trust we built through these automated detection tools has been turned against us. In one reported case, a bank had successfully identified and blocked two fraudulent transactions targeting a customer. So, when a scammer, posing as the bank, texted the customer about a suspicious charge, she thought it was just another example of her bank being proactive.
It was instead a typical impostor scam. The fraudster claimed that a transaction in the thousands of dollars was on her account. Did she recognize this charge? No, she didn’t, and that’s because it didn’t exist. To make the imaginary transaction believable, the crook demonstrated their knowledge of other seemingly private information, including her name, new home address, and the last four digits of her bank account number.
At this point, the customer reasonably believed that the bank could identify fraudulent transactions but mistakenly thought that only banks have access to customers’ addresses and the last four digits of account numbers. So, when the scammers said she would need to Zelle them the same amount that was “fraudulently” taken, she believed them. Her bank had previously gained her trust, which these fraudsters were now exploiting.
After completing the Zelle transaction, she realized her mistake. But by then her money was gone.
What We Don’t Know
This customer was vulnerable because she lacked information. While most people suspect a romance scam when they receive an overly friendly text from a stranger, few realize that a text that appears to be from our bank could also be a scam. According to data from the Federal Trade Commission (FTC), more people file fraud reports on business impostors than on any other impostor type (see Figure 1). Not knowing that business impostor scams are a thing could be a reason why so many people are falling for them.
The victim also lacked information on what can and cannot be shared. She’s not alone. Who among us knows the difference between personally identifiable information, or PII—like your Social Security number and date of birth—and the non-risky personal information, like your home address? After all, we give our date of birth to companies all the time, and sometimes,
By giving our customers information they need to protect themselves, banks can counter the impostor threat.
Of course, most institutions already know this. Banks have information on their websites explaining how to identify an impostor. Along with the FTC and the Federal Bureau of Investigation (FBI), banks tell people never to click links in emails or text messages, give away their login information, or send money to a stranger.
But are banks doing enough? Folks in the know, like me, can still be duped.
Answers Abroad?
In our search for solutions, answers can come from far and wide. The Singapore Police Force (SPF) is doing much more than I’ve seen other banks or law enforcement agencies in the United States do to educate their populace about the fraud threat, as reported in a recent Economist podcast, “Scam, Inc.” What SPF does differently from most financial institutions is that it treats fraud education like a marketing campaign. “Everyone is vulnerable to scams,” said Jeffrey Chin, deputy director of the Scam Public Education Office in Singapore.
The SPF uses different communication channels to tailor anti-scam messages. Under the brand ScamShield, the office has a dedicated scam helpline, a downloadable app, a website, and a weekly scams bulletin. This user-friendly newsletter is published in multiple languages and provides “bite-sized information on the top five trending scams in the past week,” according to Chin. The bulletin is shared with partner networks, including banks, but also through WhatsApp and other social media platforms.
The outputs can be overwhelming. The correspondent for the podcast notes a steady stream of alerts that pop up when she books a yoga class, boards the subway, and sits down for a coffee. But like the signs reminding us to wash our hands before leaving the bathroom, messaging that drives individuals to act in ways that protect us and our communities can never be too much.
Investing in the Payoff
If we invested as much in fraud education as we do in marketing, our efforts would undoubtedly pay off. According to the FTC, impostor scams were the top fraud in 2023, causing $2.7 billion in losses. Mitigating these losses has a direct impact on a bank’s bottom line. Furthermore, a bank-led anti-fraud campaign can counter the image of banks that sometimes appears in the press.
Saturating public awareness with how scams work can be an effective means of combating fraud. Just as we’ve all learned to delete urgent emails from Nigerian princes, we can also be trained to detect financial scams.
Redemption
A few weeks ago, I answered another call from “my bank.”
The caller said there appeared to be suspicious activity on my account and asked if I had time to review the transactions. They assured me this call was being recorded. “That’s good,” I replied, “because I think this call is a fraud.” And I hung up the phone.
I immediately checked my account, and all was well—and still is. This time, I knew what was afoot, and I avoided their tricks. My knowledge gave me the confidence I needed to stop the scam.
FinCEN defined ATO fraud in 2011 as a “computer intrusion.” Today’s ATO fraud is much more than that: it’s a trust intrusion. Banks can build a trust barrier by investing in customer education that raises their awareness. If we don’t, unwelcome experiences may be the only way our customers learn to spot fraud.