For many years, banks have promised not to send their customers correspondence that looks like scams. They would never ask consumers to click on a link and provide information or ask them for one-time pass codes over the phone.
But those strategies aren’t working anymore. Scammers are starting to mimic what bank professionals have been doing, which is resulting in correspondence from banks increasingly looking like scams and confusing consumers. In a new study from Javelin Strategy & Research, titled “Avoid the Fake: How AI Can Stop Bank Impersonation,” senior analyst Jennifer Pitt examines why this problem is so pernicious and how emerging technology can help rectify it.
A Message or a Scam?
Legitimate bank correspondence now asks customers to type in their account number first, so the bank knows that they are legitimate. Or it asks users to call the bank and provide the one-time passcode they had been sent. Both of these requests resemble traditional scams.
Banks are doing this for a couple of reasons. They want to eliminate customer friction by making it as easy as possible for potential victims to report fraud. However, customers have been trained to regard such overtures as scams.
“If banks are going to send text messages or emails for fraud alerts, they should never ask customers to click on any link or to provide any sort of information, whether it’s your bank account number, your name, a one-time passcode, anything like that,” Pitt said. “If you’re going to send out fraud alerts that are text message or email-based, it should always provide the transaction information and direct the customer to contact their bank at the phone number they already have. Sometimes organizations will say it’s the number on the back of your debit or credit card, or visit the website and log into your account. There should never be an actual link provided for them to click on.”
Email vs. Text
Historically, scam education efforts drew heavily on protecting against email phishing. For various reasons, text messages have become a common way for banks to communicate with their customers.
It’s harder for consumers and technology to detect whether a text message is fraudulent due to the shorter nature of these messages. This makes it easier for scammers to bypass detection mechanisms.
“Because people are shifting from email to text message, it leaves these scammers with a wider victim pool,” Pitt said. “They are not leaving any gaps anymore. They’re going to use all the resources and basically hit every channel, every consumer base at one time.”
Banks now provide some of this correspondence in the form of in-app push notifications, which may be the most secure method because the person has to be in the app to receive the message. However, many customers do not use the banking app due to a lack of comfort or perceived security concerns.
“You can’t just tell banks just go through the app, because you’re essentially eliminating a lot of your customer base,” Pitt said. “There are some customers that still only do business through mail or email or text message. You have to address fraud alerts and fraud prevention education on all different channels.”
Confusing the Customer
Many banks have already trained consumers to call and verify whether any communication is legitimate. However, this can lead to conflicting impulses in the customer’s mind.
“The customer hearing that education says, OK, I received this scam correspondence. I’m going to call my bank,” Pitt said. “They call their bank and the bank says, no, that particular correspondence is actually from us, and it’s legitimate. In the mind of the customer, they can’t separate out this correspondence from a fake one, so now any correspondence they get is now legitimate. If they get a scam correspondence, they can be easily deceived into providing some sort of information or money or making a transaction.”
The repercussions of such scenarios extend beyond customers losing money to scammers. They also lose trust in their bank to protect them, which can lead to ignoring legitimate fraud alerts.
How AI Can Help
With the emergence of AI, nothing is 100% foolproof, not even an app. Scammers have even set up fake apps in app stores. If everything isn’t impenetrable, how can banks protect themselves and their customers?
One possible answer is rule-based alerts. If a behavior or transaction is out of the norm for a customer, the bank could flag it as a potentially fraudulent transaction, then send manual alerts to the customer.
AI can help power both the technology sending out the alert and the technology gathering information by looking at different behaviors of customers. For example, are the transactions unusual for this behavior or customer? Is it different from what the customer said they would do?
“By using AI to send out the alert, the communication could be tailored to the customer and thus more likely to get attention,” Pitt said. “It could say, ‘We notice that you typically don’t make transactions in Saudi Arabia, and we see a $900 transaction in Saudi Arabia. Is that yours?’”
Pitt also recommends being upfront with customers when they’re onboarding about what will happen if they become a fraud victim. This can help them be better prepared for such situations.
Looking Worldwide for Solutions
Cooperation and collaboration are key parts of the solution. Other countries, like Australia, are ahead in detecting and preventing these scams as well as helping victims with reimbursements through scam checkers integrated into some banks.
“In the U.S., scam checkers essentially allow customers to type in or copy/paste text messages or images to see if it’s a scam,” Pitt said. “The difference is that other countries have regulations and procedures for scams integrated into their banks. We need to catch up.”
Regulators need to play a role, but banks also need to start working with social media companies, telcos, and customers to shift the liability and take on reimbursements. Building back customer trust is crucial.