Jun 30, 2025

Three Common Scams in the Finance Industry, and How to Combat Them

Fraud is, and will always be, a serious threat to the financial services industry. As digital banking, fintech platforms, and online transactions grow, so do the tactics of cybercriminals looking to exploit vulnerabilities. Do you provide financial services? Then it's important to remain vigilant - not only to protect your own data and accounts, but also those of your customers. Clear, secure, and verified communication can be a powerful tool in the fight against fraud.

The financial sector is one of the most targeted industries for fraud. From spoofing and phishing attacks to artificially inflated traffic (AIT) and SIM swapping fraud - criminals will try pretty much everything to scam businesses and their customers out of their money. Preventing these fraudsters from succeeding starts with recognizing the scams, and knowing what to do to help minimize the risks.

1. Spoofing and Phishing

Cybercriminals impersonate financial services or businesses (spoofing) through emails (phishing), SMS (smishing), social media channels like WhatsApp and Messenger (social media phishing), or voice services (vishing). They send fake invoices or payment links, hoping to trick customers of those businesses into revealing login credentials, card numbers, or personal information by redirecting them to fraudulent links. These attacks often mimic legitimate communication channels, and can be hard for consumers to recognize.

Awful, right? Loyal customers risk losing their personal details - and possibly a lot of money - while thinking they are talking to a legitimate business. Not only does this harm them financially, but the trust between the customer and the organization will also take a big hit! It may even harm the brand image of a business when customers cannot tell the difference between the legitimate messaging and the phishing attempts. So, what can be done about this?

Combat Spoofing and Phishing

Phishing scams prey on unsuspecting customers who often aren't that tech-savvy. Those who know what to look out for will often recognize the fake messages, but the signs are easy to miss. A weird phone number or an odd account name can often be overlooked, and when your customers trust the wrong messages it gets messy. There are certain steps a business can take to help customers distinguish between legitimate messages and messages of criminals trying to impersonate said business.

Guidelines for Communication

It's important that businesses set clear guidelines and expectations for their customer communication. Let customers know what type of messages they can - or cannot - expect to receive, and give them guidelines on how to react should they suspect the messages are fraudulent in nature.

Is there currently a known wave or increase in phishing scams? There's no harm in businesses repeating their communication protocols to their customers to make sure the information is top-of-mind!

Dear customer, there has recently been an increase in fraudulent messages under our business name. We would like to remind you of the fact that we will never ask you for any of your personal details, or send you payment links. If you receive messages about these topics, flag them as spam.

Verified Business Profiles

Choosing communication channels that offer verified sender profiles, like RCS, can help increase customer trust. How? Well, customers will see the business logo at the top of the message conversation, as well as an official company name with a verified checkmark, brand colors, and business details such as website, email address and telephone number. These visuals are important cues for customers to know that the messages they are receiving are legit and that the sender can be trusted - and, equally important, that the absence of these cues means that they should be wary.


2. Account Takeovers (ATO)

Using stolen credentials (often gained through data breaches or phishing), fraudsters gain unauthorized access to customer accounts. And once they have access, they'll sluice money away to their own accounts via unauthorized transactions. Regaining control over these hacked accounts can be a hassle, and the more time it takes to identify the fraud and block all assets, the more money is lost. So, what preventative measures can be taken?

Combat Account Takeovers

Criminals manage to hack into accounts by gaining access to user or login credentials. While it can't always be prevented that customers (unknowingly) share sensitive or personal data with scammers, we can make it more difficult for the criminals to use that information. How? By strengthening the login and verification processes of user accounts.

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA)

MFA (Multi-Factor Authentication) or 2FA (Two-Factor Authentication) can greatly reduce the risk of account takeover fraud, because it requires users to identify themselves through multiple means of authentication. Whereas customers would usually log in via single-factor authentication (just a password), multi-factor authentication requires at least a combination of two or more factors of authentication:

  1. Something a user knows, like a password or a PIN number.

  2. Something a user has, like a mobile phone, that can receive a verification code (such as One Time Passwords) or physical tokens like USB keys or product numbers.

  3. Something a user is, like fingerprints and facial recognition.

It sounds more complicated than it is. In fact, most people are already very familiar with MFA in their daily lives! For example, think about entering your password to access your social media and then getting a verification code or One Time Password (OTP) via text message to finish the login. Or using a fingerprint to confirm payment after logging into an online account.

So even if criminals manage to retrieve passwords, it still doesn't mean they can enter the online accounts. And to top it all off - the second verification request or OTP will tip the customer about suspicious account activity.

Hello Anna, this is your verification code for logging into your bank: 1234. Did you not request this code? Please click here and let us know.

Silent Verification

Silent verification, also known as Mobile Identity verification or Number Verify, is a new verification method that leverages the unique characteristics of the SIM card in mobile devices to authorize and verify users in mobile apps.

The user will be asked to enter their telephone number, and nothing else, and the authentication will happen in the background via the mobile operators that supply the SIM verification. It is often referred to as a 'silent' authentication method because most of the verification happens in the backend, without any external actions needed. This way, businesses can trust that the person they are engaging with is the legitimate owner of the mobile number, which helps combat ATO and identity theft.

SIM Swap Detection

But what if criminals commit fraud with SIM cards? SIM swap fraud occurs when a fraudster tricks a mobile carrier into transferring a user’s phone number to a new SIM card. They will pretend to have lost the SIM card or the phone when they contact the mobile carrier, asking to have the phone number registered to a new SIM card. This can give criminals access to the account.

SIM swap detection, or Takeover Protection service, helps prevent SIM swap fraud by monitoring and detecting changes in the SIM card. Before executing a transaction, businesses can perform a SIM Swap check which returns the last date the SIM was swapped or activated. And then a business can act accordingly.

3. Artificially Inflated Traffic (AIT)

Actively trying to prevent phishing and account takeover scams with 2FA by sending One Time Passwords (OTPs)? Then watch out for Artificially Inflated Traffic (AIT)!

AIT, SMS pumping, or traffic pumping is a type of fraud in which criminals exploit automated log-in systems to trigger sharp spikes in traffic (messages or calls) toward numbers they own or to a range of numbers controlled by a specific mobile network operator (MNO) with whom they conspire. Criminals reap a share of the revenue generated in this way, but the business gets to foot the bill.

This fraudulent activity not only inflates costs for businesses but also undermines the reputation of the messaging channels as trusted communication options. According to industry research, OTP traffic accounts for approximately 35-40% of all SMS traffic, with an estimated 1.5 trillion OTP messages sent annually - a figure expected to reach 2 trillion by 2028.

Combat AIT

AIT can often be recognized by a spike of messages sent to a block of consecutive numbers (i.e. +1234567890, +1234567891, +1234567892, +1234567893 and so on). These numbers are most probably controlled by the same MNO. A telltale sign for fraudulent use of OTPs is an incomplete verification cycle. Unfortunately, advanced fraudsters even have the tools to fake a completed verification cycle. So, what can a business do?
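The two signals described above, blocks of consecutive destination numbers and incomplete verification cycles, can be checked over one monitoring window of OTP requests. The following is an added example, not CM.com's code: the log format, the `flag_ait` and `consecutive_runs` names, and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample window: (destination number, verification completed?)
SAMPLE_LOG = (
    [(f"+1234567{n:03d}", False) for n in range(890, 902)]  # 12 consecutive, none verified
    + [("+31612345678", True), ("+31687654321", True),
       ("+4915123456789", False), ("+31611112222", True)]
)

def consecutive_runs(numbers, min_run=5):
    """Return runs of at least min_run numerically consecutive destinations."""
    values = sorted({int(n.lstrip("+")) for n in numbers})
    runs, current = [], []
    for v in values:
        if current and v == current[-1] + 1:
            current.append(v)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [v]
    if len(current) >= min_run:
        runs.append(current)
    return runs

def flag_ait(log, min_run=5, max_completion=0.2):
    """Flag consecutive-number blocks whose OTPs are rarely completed."""
    completed = defaultdict(bool)
    for number, done in log:
        key = int(number.lstrip("+"))
        completed[key] = completed[key] or done
    findings = []
    for run in consecutive_runs([n for n, _ in log], min_run):
        rate = sum(completed[v] for v in run) / len(run)
        if rate <= max_completion:  # assumed threshold; tune per traffic profile
            findings.append({"first": f"+{run[0]}", "last": f"+{run[-1]}",
                             "count": len(run), "completion_rate": rate})
    return findings
```

Because completed cycles can be faked, a block that passes the completion check is not cleared by it; the consecutive-run finding alone is still worth reviewing.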

Monitor and Manage Traffic

To address the AIT challenge, it is important to monitor and manage messaging traffic - CPaaS providers will sometimes offer software suites that help combat this type of fraud.

CM.com introduced Safeguard to its customers, specifically to combat AIT fraud. Safeguard has two iterations, both aimed at AIT prevention:

Safeguard:

  • Destination Blocking: Customers can now selectively block messaging traffic to specific destinations, where they have no business activities or interests. This capability provides customers with granular control over their messaging traffic, ensuring that resources are allocated efficiently. Our CM.com experts will help determine the risks for each destination, and will advise you accordingly.

  • Allow-List: For even tighter security, customers can implement an "allow-list" approach, where all messaging destinations are blocked by default, except for those countries explicitly added to the allow-list. This stringent setting adds an extra layer of protection, safeguarding customers from unwanted traffic.

  • IP Restrictions: When fraudsters obtain a client's secret token, they will try to abuse it via their own servers. By setting IP restrictions, you can prevent unauthorized activities on servers that are not yours.

  • Rate Limiting: Set rules for a maximum amount of messages that can be sent within a determined time frame. This will help manage and temper unexpected costs that result from AIT attacks.
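How an allow-list and a rate limit combine in front of an OTP sender can be shown with a small pre-send gate replayed over mixed traffic. This is an added example and not Safeguard's implementation: the `SendGate` class, the prefix-based allow-list, the limits, and the sample requests are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class SendGate:
    """Default-deny destination allow-list plus a sliding-window rate limit per prefix."""

    def __init__(self, allowed_prefixes, max_per_window, window_seconds):
        # Longest prefix first, so "+31" is matched before a shorter "+3".
        self.allowed = tuple(sorted(allowed_prefixes, key=len, reverse=True))
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.sent = defaultdict(deque)  # prefix -> timestamps of accepted sends

    def check(self, number, now):
        """Return 'send', 'blocked_destination' or 'rate_limited' for one request."""
        prefix = next((p for p in self.allowed if number.startswith(p)), None)
        if prefix is None:
            return "blocked_destination"  # not on the allow-list
        stamps = self.sent[prefix]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # drop sends that have left the window
        if len(stamps) >= self.max_per_window:
            return "rate_limited"
        stamps.append(now)
        return "send"

def replay(gate, requests):
    """Run (timestamp, number) requests through the gate and count outcomes."""
    outcome = defaultdict(int)
    for now, number in requests:
        outcome[gate.check(number, now)] += 1
    return dict(outcome)

# Constructed traffic: normal logins, a burst to a destination that is not
# allow-listed, then a burst inside an allow-listed destination.
SAMPLE_REQUESTS = (
    [(0, "+31612345678"), (20, "+31687654321"), (40, "+31611112222")]
    + [(50 + i, f"+123456789{i}") for i in range(10)]
    + [(60 + i, f"+3160000000{i}") for i in range(8)]
)
```

With only `+31` allowed and five sends per 60 seconds, the first burst is dropped entirely and the second is capped, which bounds the cost of a pumping attack even when the destination itself is legitimate.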

Safeguard Plus:

  • Real-Time Traffic Profiling: Using machine learning, Safeguard Plus creates a dynamic profile of each customer’s traffic, enabling the system to evaluate and classify the risk of every individual message.

  • Flexible Deployment Options: Customers can choose between monitoring their traffic with in-depth analytics or automatically blocking messages identified as AIT.

  • Scalable Plans: Starting at just €199 per month, Safeguard Plus processes up to 100,000 messages per month. For top-tier customers, an Unlimited package is available to continuously monitor all traffic.

Stay Safe With CM.com

CM.com is a leading provider of Communication Platform as a Service (CPaaS) solutions, and offers fraud preventative solutions of all levels - from one time passwords to the newest verification methods combined in one easy API, and a state-of-the-art traffic management suite called Safeguard, that leverages advanced machine learning to provide real-time protection against AIT.

Want to start protecting your services and traffic against fraud with CM.com? Or want to have a chat with our experts to see how we can help your business? Leave your details below, we're always happy to help!
