A new report published recently by US Senator Elizabeth Warren has shed light on the failure of several big banks to uphold their obligations to clients by reimbursing them for losses incurred when their accounts are fraudulently taken over.
In April 2022, Warren opened an investigation into fraud related to the peer-to-peer digital payment service Zelle. The company was set up in 2011 and facilitated the transfer of money from users’ bank accounts to a mobile device or a website of another financial institution. It was initially owned by a coalition of banks, including JP Morgan Chase, Bank of America, Wells Fargo, Capital One, and US Bank, before being sold to Early Warning Services in 2016.
Users of the platform can send money directly to other platform users and make easy payments via the websites of those that accept Zelle or are partnered with it. To use the app on a mobile device, users must link it to a Visa or MasterCard that is linked to a bank account. While transactions made via Zelle cannot be canceled, under US law the banks are obliged to reverse any unauthorized transaction as long as the victim reports it swiftly.
But the report from Warren found that this was not always the case. The investigation hit several stumbling blocks along the way as a number of the banks behind Zelle refused to hand over data on how many customers they reimbursed after they were victims of fraud. But for those that did, the data was less than impressive.
The three banks that provided data reported a total of 35,848 cases of scams totalling nearly $26 million in 2021 and the first half of 2022, and they failed to repay customers in most cases. Out of all the reports, just 3,474, equivalent to around 10%, were repaid. The total value of reimbursed funds during the applicable time frame was just $2.9 million.
Overall, the report found that banks generally do not pay customers back if they are fraudulently targeted by criminals. With more digital banks appearing on the market every year, it’s unclear how these issues can be mitigated fast enough. Those commenting on the report said the issue is that banks struggle to deploy effective methods of detecting fraud that don’t result in lots of false positives. This outcome would be a big problem and quite an inconvenience for customers. But the situation right now is not great either. Warren was clear that more needs to be done to detect and prevent fraud and to help victims when they fall foul of it.
What exactly is an account assimilation?
An account assimilation, or account takeover, is when an unauthorized individual logs into someone’s account and changes details such as the login email or password. This is done to lock out the real owner and give the criminal full control. Once they have full control, the idea is to use the account to carry out actions without the knowledge or consent of the owner.
In the case of a Zelle account or bank account, this could be making payments and transfers to their benefit or buying products or services. But account takeover fraud can also apply to other kinds of accounts, such as a social media account or email address. The criminal can then make posts or engage in communications that could cause material or reputational harm to the actual owner.
For example, the owner of Amazon and the wealthiest man in the world, Jeff Bezos, had his Twitter account taken over, and someone asked followers to send bitcoin to an address, claiming that it would be matched by him and then donated.
So what can companies do to help avoid these in the first place?
Various steps can be taken to mitigate the issue. For example, some use SEON to prevent ATO fraud at a company level, so that accounts are not compromised and abused. This kind of software, together with other processes, best practices, and procedures such as changing passwords, setting up 2FA with an app such as Authy or Microsoft Authenticator, and constantly logging out of your account, can all help reduce the risk. These specialist programs can automate much of the detection process while offering tools that assist those working in the area. These can include IP analysis to see if traffic is suspicious and device fingerprinting to see whether the person logging in is doing so from a recognized device. Other methods like whitebox machine learning can also provide valuable assistance as the software ‘learns’ and retrains itself based on transactions that occur all day, every day. Combined, these can create a very effective digital response to those seeking to defraud you or your customers.
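The sketch below is an added example, not code from the original article or from any vendor's product. It combines IP analysis and device fingerprinting with the takeover pattern described earlier: a login, then a change of email or password, then a payment. The event fields, the 30-minute window, the rule of requiring both an unrecognized device and an unrecognized IP, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)                    # assumed correlation window
SENSITIVE = {"email_change", "password_change"}   # lock-out actions

# Constructed sample events: (timestamp, account, event, ip, device fingerprint)
EVENTS = [
    ("2022-06-01T09:00:00", "alice", "login", "198.51.100.7", "dev-A"),
    ("2022-06-01T09:05:00", "alice", "transfer", "198.51.100.7", "dev-A"),
    ("2022-06-02T12:00:00", "bob", "login", "192.0.2.10", "dev-B"),
    ("2022-06-02T12:01:00", "bob", "password_change", "192.0.2.10", "dev-B"),
    ("2022-06-03T02:10:00", "alice", "login", "203.0.113.50", "dev-X"),
    ("2022-06-03T02:12:00", "alice", "password_change", "203.0.113.50", "dev-X"),
    ("2022-06-03T02:15:00", "alice", "transfer", "203.0.113.50", "dev-X"),
]
# Constructed per-account baselines of recognized devices and IPs
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}}
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"192.0.2.10"}}

def detect_takeovers(events, known_devices, known_ips):
    """Alert when a login from an unrecognized device AND IP is followed within
    WINDOW by a credential change, and again if a transfer follows that change."""
    alerts = []
    risky = {}  # account -> state of its current suspicious session
    for ts, account, event, ip, device in sorted(events):
        when = datetime.fromisoformat(ts)
        if event == "login":
            new_device = device not in known_devices.get(account, set())
            new_ip = ip not in known_ips.get(account, set())
            if new_device and new_ip:   # both signals required, to limit false positives
                risky[account] = {"start": when, "device": device, "changed": False}
            else:
                risky.pop(account, None)
            continue
        session = risky.get(account)
        if session is None or device != session["device"] or when - session["start"] > WINDOW:
            continue
        if event in SENSITIVE:
            session["changed"] = True
            alerts.append((account, ts, "credential change from unrecognized device"))
        elif event == "transfer" and session["changed"]:
            alerts.append((account, ts, "transfer after credential change: hold for review"))
    return alerts

if __name__ == "__main__":
    for alert in detect_takeovers(EVENTS, KNOWN_DEVICES, KNOWN_IPS):
        print(alert)
```

Bob's password change from his usual device raises nothing, which is the false-positive trade-off the commenters on the report describe.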
Advise your employees to reduce risks
Several practical measures can be introduced to mitigate the issue. For example, one is to advise clients on good practices regarding their passwords. This can be as straightforward as providing information, requiring a strong and unique password, and prompting them to change it every couple of months. Other measures include not reusing passwords with other sites, using password managers, and requiring or at least recommending two-factor sign-ins. Suggesting the use of a VPN, and advising them to be cautious when clicking on links or replying to emails supposedly from your company, are also good suggestions.
Last but not least, when they have finished speaking to a customer service agent, you can send emails to confirm the change of important data such as mobile, password, or name. But as a company owner, these suggestions also apply to each of your staff. You can take all the security measures you like, but if your staff are a weak link, this can cause you big problems.
Introducing some of these measures may not result in complete protection, but it might help you avoid being subject to criticism similar to that faced by Zelle and other banks and institutions that have failed to take adequate steps to protect customers. While your users of course have a responsibility themselves, you also have a responsibility to educate them, provide them with guidance, and ensure maximum safety when using your platform.