Advice to Banks et al

Greg Williams 5 December 2022

I have some advice for banks (and other related parties) when it comes to protecting their customers' money. Let's get into it!

The Current Situation

Slow it down

In this helter-skelter world we live in, we want everything to happen immediately, and the scammers are taking advantage of that haste.

Bring people back into the conversation

Banks focus on profit, employees cost money, and reducing the number of employees saves money, so staff levels get cut.  That has been the approach for some time, and yes, we can blame it all on computers.  Talk to any bank customer and you will hear that it is very difficult to speak to someone at a bank branch today, especially if you don't live in a major centre.  So you have to contact a call centre, and it often takes far too long to get through to a human being.  Try calling a bank's fraud department to report a bank account being operated by a scammer!  I have personally spent up to 45 minutes waiting to get through, so why would anyone bother?  And now we have purely online banks with no branches whatsoever, so everything has to be done by phone or electronic communication, which is fertile ground for scammers.

First payment to a new payee

Here is where all the trouble starts and stops: every single internet bank transfer to a scammer's bank account is the first payment to a new payee.

Banks know!

It's quite incredible that all banks know about pretty much every scam.  They even publish the details of how the scams work on their websites.  And then they rely on old technology to protect us?  That is madness.

Not to pick on the ANZ Bank, but here is a classic case in point.

Drum roll please...

You have got to be kidding me!  It's like the scammers are getting a walk-up start.

There are over twenty pieces of scam advice on that page alone.  Then there is https://www.anz.com.au/security/fraud-detection/types-of-scams/, which lists seven other types of scam and then links to ScamWatch, Stay Smart Online and the ACCC’s Little Black Book of Scams.  All very helpful, but there is simply too much information for anyone to absorb.  There is even advice about red flags...

Find a better way than a confirmation SMS text message

All banks know that mobile phones are being compromised by scammers, and when that happens the scammer receives (and hides) the SMS confirmation.  The pattern is this: the scam target is encouraged to download and install a remote access app under the cover of a "cancellation number" or "cancellation form".  When the target complies, they unwittingly give the scammer complete access to their phone, so that when they log in to their bank account to check that a "refund" has been paid, the scammer gains control of the account.

Improve the confirmation of identity credentials

Incredibly, most, if not all, banks will open online bank accounts without requiring the customer to present at a branch.  Worse still, the documentation requirements are lower than for opening an account in person, where your face has to match the ID you provide, typically a driver's licence or a passport.  Many banks use a company like Equifax to match the data provided against multiple databases, and if the data matches, the account gets opened.  However, recently stolen identity details can be used to open accounts, and because the stolen details are real, the data matching passes with flying colours.

Encourage the use of off-line bank accounts

Credit for this suggestion goes to Rob (thanks!).  Keeping funds in accounts that cannot be reached through internet banking limits the exposure of your money to scammers working through an internet bank account.

Better warnings on internet banking login pages

Most banks are utterly hopeless in this regard: they know about all manner of scams, so why is there no warning on the login page?

Let the customer choose their risk level

It's all done by computer today, so banks should get their programmers to try a lot harder.  A customer who wants tighter controls, for example a hold on first payments to new payees, should be able to ask for them.

Account Name Matching

I get why banks don't want to do this: it will be hell on earth to implement.  But if they do, it will stop pretty much all internet banking fraud as we know it, so there is an incentive.  Except that internet bank scams cost the customer, not the bank, so there is no financial imperative for banks.  If they won't do it, the Federal Government must.  TWO BILLION dollars lost last year.
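To show what account name matching actually involves, here is an added example of a confirmation-of-payee style check.  It is not the post's code and not any bank's code.  The hard part for banks is the inter-bank lookup; the comparison itself is the easy part.  The example assumes (my assumption) that the sending bank can obtain the registered holder name of the destination account, normalises both names, and reports match, close match or no match, so that a payment to an account registered to an individual cannot be dressed up as a payment to a bank's fraud team.  The noise-word list and the 0.85 similarity threshold are assumptions too.

```python
"""Confirmation-of-payee style name check.

Added example, not the post's or any bank's code. It assumes (my assumption)
that before a first payment to a new payee is released, the sending bank can
obtain the registered holder name of the destination account and compare it
with the name the customer typed. The outcome uses the three tiers such schemes
report: "match", "close_match" (typo, initial, word order) and "no_match".
"""
import re
from difflib import SequenceMatcher

# Tokens that carry no identity and that customers routinely omit or vary.
NOISE_TOKENS = {"mr", "mrs", "ms", "dr", "pty", "ltd", "limited", "the", "and"}
CLOSE_MATCH_RATIO = 0.85   # assumed threshold on difflib's similarity ratio


def normalise(name: str) -> list:
    """Lower-case, drop punctuation and noise tokens, return the remaining tokens."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return [t for t in cleaned.split() if t not in NOISE_TOKENS]


def _initials_compatible(a: list, b: list) -> bool:
    """'j smith' vs 'john smith': each token equal, or a one-letter initial of the other."""
    if len(a) != len(b):
        return False
    return all(x == y
               or (len(x) == 1 and y.startswith(x))
               or (len(y) == 1 and x.startswith(y))
               for x, y in zip(a, b))


def match_payee(entered: str, registered: str) -> str:
    e, r = normalise(entered), normalise(registered)
    if not e or not r:
        return "no_match"            # nothing to compare: never treat as a match
    if e == r:
        return "match"
    if sorted(e) == sorted(r) or _initials_compatible(e, r):
        return "close_match"
    ratio = SequenceMatcher(None, " ".join(e), " ".join(r)).ratio()
    return "close_match" if ratio >= CLOSE_MATCH_RATIO else "no_match"


def screen_payment(entered: str, registered: str) -> str:
    """What the customer sees before the payment is released."""
    outcome = match_payee(entered, registered)
    if outcome == "match":
        return "release"
    if outcome == "close_match":
        return "show_registered_name_and_ask_to_confirm"
    return "warn_no_match_and_require_explicit_override"


if __name__ == "__main__":
    # Constructed cases, including the scam pattern: the target is told the account
    # belongs to a bank or agency, but it is registered to an individual.
    cases = [
        ("Mr John Smith", "John Smith"),
        ("Acme Widgets Pty Ltd", "ACME WIDGETS"),
        ("Jon Smith", "John Smith"),
        ("J Smith", "John Smith"),
        ("Smith John", "John Smith"),
        ("ANZ Fraud Team", "Jane Citizen"),
    ]
    for entered, registered in cases:
        print(f"{entered!r:28} vs {registered!r:16} -> {match_payee(entered, registered)}")
```

A "close match" is deliberately not a "match": the customer is shown the registered name and asked to confirm, which is exactly the moment a scam target discovers that "the bank" they are paying is a Jane Citizen.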

Make remote access software providers accountable

Scammers are pretending that the "Your Address" number (the Big Red Number) is a cancellation code which you give to the scammer, thinking you are going to obtain a refund, when in reality you are giving remote access to your phone or your computer without knowing it.  If the web page or app was called Take Control of My Computer it would be more obvious, but names like AnyDesk, TeamViewer or Client Support do not give the scam target a chance.

Find out where the money went

It is astonishing, but your bank does not care where the money went; they will just tell you it's "gone".  For every internet banking scam there is the customer's bank, which transfers the money to the scammer's bank, and both are usually Australian bank branches.  The customer's bank, and the customer, know exactly which bank account the money was transferred to, but the customer's bank never asks for an explanation as to why the stolen money is not recoverable.  I have kept track of over one hundred bank accounts operated by scammers and I have never had any advice from any recipient bank as to where the money went after it left the scammer's bank account.  The scammer is hardly likely to walk into a branch and withdraw the money in cash, so it must have been transferred somewhere else.  Why is this never investigated?

Try Harder

It is also astonishing that your local branch has no power to assist you; in fact, they are often prevented from trying to assist you by their fraud team, and the fraud team will lead off with "we will get back to you in 30 days", i.e. no sense of urgency!  What they are trying to do is get you used to the idea that the money is gone, so that if they manage to "retrieve" some of your money, that becomes better than nothing.  Worse than that, I have seen local branch managers tell their customers that it is their fault for giving up the confirmation code!  They could at least pretend to help.


Where are the red flags?

I have had some incredible conversations with banks about the failure of their systems to detect unusual spending activity on any given bank account.  All banks have a red flag system which notices when unusual transactions occur, but they are flaky at best, and sometimes non-existent.

A $30,000 payment to a scammer out of an account with a typical monthly spend of $1,500?  No red flag.

Twenty-six payments of around $5,000 over a 4 hour period with a daily transaction limit of $60,000?  No red flag.

First payments to a new payee at any value?  No red flag.

All banks need to do better.
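The three cases above, together with the earlier points "Slow it down", "First payment to a new payee" and "Let the customer choose their risk level", are all things a payment rule engine can catch before the money leaves.  Here is an added example that is not the post's code and not any bank's code: three rules (first payment to a new payee, amount far above the account's typical monthly spend, and a fast run of payments that drains an account well inside the daily limit) run over constructed transaction histories, with the resulting flags mapped to an action according to a risk level the customer has chosen.  The thresholds, the field names, the BSB/account strings and the two risk levels are all assumptions.

```python
"""Outbound-payment red-flag rules run over constructed transaction histories.

Added example, not the post's or any bank's code. Three rules are applied to
each new internet banking payment:
  1. new_payee          - first ever payment to this account
  2. amount_vs_baseline - amount is many times the typical monthly outgoings
  3. velocity           - rapid run of payments that drains an account before
                          the daily limit is ever reached
and the flags are mapped to an action according to a risk level the customer
has chosen. All thresholds, field names and the two risk levels are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Payment:
    when: datetime
    payee: str      # constructed BSB/account string identifying the destination
    amount: float


@dataclass
class Account:
    history: list                  # past outbound payments (constructed sample data)
    risk_level: str = "standard"   # customer-chosen: "standard" or "cautious"


BASELINE_MULTIPLE = 3.0              # flag if amount > 3x typical monthly spend
VELOCITY_WINDOW = timedelta(hours=4)
VELOCITY_COUNT = 10                  # flag at the 10th payment within the window
VELOCITY_SUM = 50_000.0              # or when the window total reaches this


def typical_monthly_spend(history: list, as_of: datetime) -> float:
    """Median of per-month outgoings, excluding the month being judged."""
    totals: dict = {}
    for p in history:
        key = (p.when.year, p.when.month)
        if key == (as_of.year, as_of.month):
            continue
        totals[key] = totals.get(key, 0.0) + p.amount
    return median(totals.values()) if totals else 0.0


def red_flags(acct: Account, new: Payment) -> list:
    flags = []
    if new.payee not in {p.payee for p in acct.history}:
        flags.append("new_payee")
    baseline = typical_monthly_spend(acct.history, new.when)
    if baseline and new.amount > BASELINE_MULTIPLE * baseline:
        flags.append("amount_vs_baseline")
    recent = [p for p in acct.history
              if timedelta(0) <= new.when - p.when <= VELOCITY_WINDOW]
    if (len(recent) + 1 >= VELOCITY_COUNT
            or sum(p.amount for p in recent) + new.amount >= VELOCITY_SUM):
        flags.append("velocity")
    return flags


def decide(acct: Account, new: Payment) -> tuple:
    """Return (action, flags). 'cautious' customers have every flagged payment
    held; 'standard' customers are only warned when the sole flag is a new payee."""
    flags = red_flags(acct, new)
    if not flags:
        return "release", flags
    if acct.risk_level == "cautious" or flags != ["new_payee"]:
        return "hold_and_call_customer", flags
    return "warn_customer", flags


def demo() -> list:
    """Replay the three scenarios from the post against a quiet household account."""
    hist = []
    for month in (8, 9, 10):            # ~$1,500/month to two regular payees
        hist.append(Payment(datetime(2022, month, 5), "062-000 12345678", 1000.0))
        hist.append(Payment(datetime(2022, month, 20), "062-000 87654321", 500.0))
    quiet = Account(history=list(hist))
    results = []
    # 1. $30,000 to a never-seen account from a $1,500/month account
    results.append(decide(quiet, Payment(datetime(2022, 11, 15, 14), "033-000 99999999", 30000.0)))
    # 2. first payment to a new payee at a modest value
    results.append(decide(quiet, Payment(datetime(2022, 11, 16, 9), "732-000 11112222", 150.0)))
    # 3. the 26th ~$5,000 payment in four hours to the same mule account
    t0 = datetime(2022, 11, 17, 10)
    burst = hist + [Payment(t0 + timedelta(minutes=9 * i), "033-000 99999999", 5000.0) for i in range(25)]
    results.append(decide(Account(history=burst), Payment(t0 + timedelta(hours=4), "033-000 99999999", 5000.0)))
    return results


if __name__ == "__main__":
    for action, flags in demo():
        print(f"{action:24s} {flags}")
```

The velocity rule is the one that matters for the 26-payment case: each payment is within the daily limit, so a per-transaction limit check never fires, but the count and total inside a rolling four-hour window do.  The baseline rule ignores the month in progress on purpose, otherwise a burst of scam payments would inflate the very figure it is being compared with.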

Credit Cards vs Internet Banking

There is a paradox here.  My 91-year-old mother got a text message from her bank at 10:30 pm on a Saturday night alerting her to a one cent transaction on her credit card.  The same week, a customer of ours walked into a local bank branch and asked them to pay $23,600 into a bank account operated by a scammer, where the obvious question which should have been asked at the branch was why not just do this at home using internet banking.  So the bank staff paid the scammer on the customer's behalf.

Why is it so?  Well, with credit card fraud, the first victim is the merchant who processed the fraudulent transaction, where their bank takes the money back unless the merchant can prove the bona fides of the transaction.  The second victim is the bank, i.e. it costs the bank if a) they cannot get the money out of the merchant and b) they cannot prove the customer made the transaction.  The customer who owns the stolen credit card, for example, is almost never the victim unless there is some criminal level of negligence on the customer's part.  The bottom line is that credit card fraud hardly

Contrast that with internet banking, which only ever costs the bank if they concede a mistake, but don't hold your breath.  They will blame their customer for giving up their SMS verification code, in which case too bad, so sad, and the customer pays.  It is a starkly different approach.

How many different scams did you say?

All banks will point to the volumes of scam advice they have on their websites.  In other words, "we told you about scams, therefore it's your fault if you get caught".

My response is: OK, let's say I read through all of the scam information on their website.  How the hell am I supposed to remember all of them?

Then there are new scams appearing constantly.  How often should I check back with the bank's scam advice?  Monthly?  Weekly?  Daily?  Really?

Australian Phone Number Verification

It's hard to tell who is responsible here, but it is disgraceful that any scammer can make a call where the displayed number is bogus.

Clearance times

Back in the day, when you paid for something by cheque you had to wait up to 5 days for the funds to be cleared/approved at the branch on which the cheque was drawn.  This was a good system, albeit slow if you wanted to take possession of what you were paying for immediately, in which case you paid for a bank cheque, which was pretty much as good as cash.  Until the bad guys started stealing bank cheque books and suddenly you had to wait 5 days even for a bank cheque to clear!

Fast forward to where we are now

OSKO

Here we go, this is the kicker.  OSKO is owned by BPay, which is owned by the big four banks in Australia.  BPay is completely safe to use, and OSKO is an unmitigated disaster because payments are made in under one minute, which is great if you need to spot a close contact $100 for a night out on the town (OK, maybe $200) but not if you have just paid a scammer ten grand or more.

Before OSKO, it used to take up to a week for a bank transfer to complete.  Not any more.  And your bank will not only not let you opt out, they never asked if you wanted it in the first place!

Here are some heartwarming statements by OSKO which are very comforting until a scammer steals your money in under one minute