A recent article appeared in the UK’s Guardian newspaper regarding a disturbing new trend where fraudsters pose as loved ones to steal money.
Potential victims are first targeted by fraudsters using “sucker lists” – people who have often fallen prey to scams before. From here, the fraudsters zero in on people of the right age group who might have children at university and may therefore reasonably have had requests for money from their (real) children before. Automated bots are then set up with WhatsApp accounts to impersonate the children and request money. If a victim bites, a human takes over from the bot and uses social engineering techniques to push through the fraudulent transactions.
Such scams are not new. A variation was common in Japan around 10 years ago called “ore ore sagi” – literally translated as “It’s me, it’s me fraud”. In this case the scammer would call an old person, typically someone who lived alone, and start the conversation saying “It’s me, it’s me!”. This would induce the victim to guess a name for who the caller was. Confidence tricks would follow and result in money being wired to the fraudster – or, as the victim had been induced to believe, to a long-lost relative.
Happily, the Guardian article does show that banks are sensitive to the issue and are refunding victims. The journalist also spoke to Whatsapp who provided helpful tips – one is advising people who receive a suspicious message to ask for a voice note to verify that they really are who they say they are.
Behind the scenes though, scams like this show how certain frauds are perpetrated across multiple platforms. The fraudster is transacting on WhatsApp to induce a transaction via a bank. WhatsApp and the bank have completely different monitoring systems and check completely different things. WhatsApp checks for suspicious behaviour among its phone users. The bank checks for unusual payments to new payees. If they were working together, a single phone number (the automated bot) sending similar messages to multiple users, followed by a one-off unusual payment from one of those users, should trigger an automated block on that transaction. But the systems are not joined (with good reason) and so the transactions go ahead.
Compliance in the transactional space
Compliance is therefore fighting with one hand behind its back – compliance at WhatsApp and compliance at the bank can each see only half the picture. Both sides may need to overcompensate as a result with clunky anti-fraud checks, but will be wary of jeopardising user experience.
Managing such gaps is the challenge of our times in the fight against fraudsters. Anti-money laundering techniques can of course assist us – such as checking unusual payment patterns – for example large single payments to hitherto unknown payees, especially when they are abroad. Combining these techniques with additional intelligence of typical user behaviour can allow the alerting to be more focussed.
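To make the gap concrete, here is an added example (not code from the article, from WhatsApp or from any bank) that scores a payment two ways: the bank-side checks the article lists (new payee, unusually large amount, payee abroad) using only the customer's own payment history, and a messaging-side check for one number sending near-identical messages to many recipients. The joined decision blocks only when both views agree. The data, the phone numbers, the thresholds (3x the customer's median payment, five or more recipients) and the assumption that the two data sets can be joined at all are constructed for illustration.

```python
"""Joined-view fraud scoring for the 'it's me' / family-impersonation scam.

Constructed example: every record, number and threshold below is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from statistics import median


@dataclass(frozen=True)
class Payment:
    customer: str
    payee: str          # payee identifier, e.g. an account reference
    amount: float
    payee_country: str  # ISO country code of the payee's bank
    at: datetime


@dataclass(frozen=True)
class Message:
    sender: str         # phone number behind the messaging account
    recipient: str      # phone number of the person messaged
    text: str
    at: datetime


def bank_signals(history, payment, large_factor=3.0, home="GB"):
    """Bank-side AML-style checks: new payee, unusually large, payee abroad.
    Uses only this customer's own past payments (what a bank can see)."""
    past = [p for p in history if p.customer == payment.customer]
    typical = median(p.amount for p in past) if past else 0.0
    return {
        "new_payee": payment.payee not in {p.payee for p in past},
        "large": bool(past) and payment.amount >= large_factor * typical,
        "abroad": payment.payee_country != home,
    }


def broadcast_fanout(messages, sender, at, window=timedelta(hours=24), min_sim=0.8):
    """Messaging-side check: largest set of distinct recipients that `sender`
    contacted with near-identical text in the window before `at`."""
    sent = [m for m in messages if m.sender == sender and at - window <= m.at <= at]
    best = 0
    for m in sent:  # O(n^2) similarity grouping is fine at this scale
        group = {n.recipient for n in sent
                 if SequenceMatcher(None, m.text, n.text).ratio() >= min_sim}
        best = max(best, len(group))
    return best


def decide(history, messages, payment, customer_phone,
           lookback=timedelta(hours=48), min_fanout=5):
    """Joined decision: bank flags alone -> 'review'; bank flags plus a
    broadcast pattern from whoever messaged the customer -> 'block'."""
    flags = sum(bank_signals(history, payment).values())
    inbound = [m for m in messages if m.recipient == customer_phone
               and payment.at - lookback <= m.at <= payment.at]
    fanout = max((broadcast_fanout(messages, m.sender, m.at) for m in inbound), default=0)
    if flags >= 2 and fanout >= min_fanout:
        return "block"
    if flags >= 2:
        return "review"
    return "allow"


# ---- constructed sample data -------------------------------------------
T = datetime(2022, 2, 10, 12, 0)
ALICE_PHONE, BOB_PHONE = "+447123456789", "+447555555555"
BOT = "+447000000001"            # the scripted account behind the scam
REAL_CHILD = "+447999999999"     # Alice's actual child

HISTORY = [
    Payment("alice", "gas-co", 45, "GB", T - timedelta(days=30)),
    Payment("alice", "council", 60, "GB", T - timedelta(days=25)),
    Payment("alice", "grocer", 55, "GB", T - timedelta(days=20)),
    Payment("alice", "grocer", 70, "GB", T - timedelta(days=15)),
    Payment("alice", "gas-co", 40, "GB", T - timedelta(days=10)),
    Payment("alice", "council", 65, "GB", T - timedelta(days=5)),
    Payment("bob", "grocer", 30, "GB", T - timedelta(days=20)),
    Payment("bob", "grocer", 30, "GB", T - timedelta(days=10)),
    Payment("bob", "grocer", 30, "GB", T - timedelta(days=5)),
]
_TEMPLATE = ("Hi Mum, I dropped my phone in the sink so this is my new number. "
             "Can you send £{} for my rent today?")
MESSAGES = [
    Message(BOT, phone, _TEMPLATE.format(amt), T - timedelta(hours=3, minutes=i))
    for i, (phone, amt) in enumerate([
        (ALICE_PHONE, 900), ("+447123456001", 850), ("+447123456002", 920),
        ("+447123456003", 900), ("+447123456004", 880), ("+447123456005", 900)])
] + [Message(REAL_CHILD, ALICE_PHONE, "Mum can you lend me £50 for the train?",
             T - timedelta(hours=1))]

SCAM_PAYMENT = Payment("alice", "acct-new-1", 900, "GB", T)        # block
REAL_CHILD_PAYMENT = Payment("alice", "acct-new-2", 50, "GB", T)   # allow
REVIEW_PAYMENT = Payment("bob", "acct-new-3", 400, "ES", T)        # review

if __name__ == "__main__":
    for p in (SCAM_PAYMENT, REAL_CHILD_PAYMENT, REVIEW_PAYMENT):
        phone = ALICE_PHONE if p.customer == "alice" else BOB_PHONE
        print(p.customer, p.amount, bank_signals(HISTORY, p), decide(HISTORY, MESSAGES, p, phone))
```

Seen on its own, the bank can only send the £900 payment to manual review (new payee, large); the messaging side on its own sees a number fan-messaging six people but no payment. Only the joined view reaches a confident block, and the small payment to the real child still passes, which is the trade-off with user experience the article describes.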
But perhaps a bigger challenge is a mindset one. We have all grown weary of “big tech” harvesting our data to know all about us. Apple’s recent “app-tracking transparency” (ATT) feature stops device level monitoring and feeds into this trend. It is already bearing fruit – witness Meta’s recent share tumble. This is partly due to ATT contributing to a $10bn reduction in advertising revenue – equivalent to a quarter of its overall profit for the year. But paradoxically perhaps such pooling of device data may help us defeat fraud cases such as this one. If Whatsapp (owned by Meta) and the banks share device level data, the full fraud scenario could be seen and perhaps this particularly pernicious type of fraud could be stopped.
There are of course no easy answers to this dilemma. Fighting the bad guys on their own terms has been a challenge throughout history – it’s just that the weapons get more sophisticated.