- A guide on key lessons from managing digital fraud attempts; as a wealth management firm in Nigeria over the past three years.
Digital fraud has grown at an almost equal pace alongside financial innovation–from banks to modern-day fintech. From time immemorial, digital innovations in the finance space have always ushered in new levels of ease and speed. In 2017, we wrote a detailed article about this evolution. Sadly, just as innocent users are grateful for these changes, so also are fraudsters.
Over the past 3 years, we have monitored the activities of these fraudsters and how they’ve tried to game our system. Thankfully, at all times, we’ve been able to cage them before they caused damage. Our lessons have also placed us in a proactive position to anticipate and quash fraudulent acts before they manifest.
Basic Digital Fraud Categories
So far, we have been able to identify three categories of people associated with digital fraud:
- Referral Program Gamers
- Smurfs: Distributors of Fraudulent Cash
- Trusted Intruders
Using in-house examples, we’ll share how these categories differ, their modes of operation and how to reduce their success rates to zero.
Referral Program Gamers
A usual market-entry approach for service providers, and by extension other consumer tech products, is to use a referral program that nudges users to invite their friends. There are numerous case studies that prove this is a solid growth approach. This manner of digital fraud directly impacts any company’s growth efforts negatively.
The downside to this referral-based growth is that people try to game the system by referring nobodies. In essence, you can have one user duplicated as one hundred users.
People like these are described as gamers. In their numbers, they can drain marketing resources dedicated to genuine referrals. A quick fix is to limit people to signup with only known domains, like gmail.com. However, that will serve as a major hurdle for many.
And even if that were possible, gamers can just register legitimate emails using their cards. To effectively tackle this, we started with identifying known spam domains and flagging referrals made with the same card.
Do not let anyone sign you up, through a referral program, to any financial service without your total consent or proper understanding of the platform.
Money Smurfs: Distributors of Stolen Money
Today, using your Bank Verification Number (BVN), it is possible to open wallets that can take in more cash than your primary bank account limits. This is interesting to the everyday user and fraudster.
For the everyday user, a business person, for instance, it makes it easier to receive more payments seamlessly and then transfer to any bank account of their choice.
However, for the smurf, this is a beautiful loophole. A smurf refers to a money launderer who is tasked with under-the-radar transfers. With a random BVN, a smurf can set up a wallet, and transfer large sums in small bits to separate accounts.
Once the transfers are done, a smurf can go on to withdraw these amounts from mobile money operators in cash. Then the bulk cash is paid into a lesser number of accounts, or have them “cleaned” through purchases tied to legitimate accounts of the fraudsters.
Usually, smurfs make use of accounts in rural areas to receive these monies. Given the number of accounts that can be involved, tracing the money can be quite tough and frustrating. And even when properly traced, the BVN holders might be oblivious of what the accounts were used for.
As a BVN holder, do not share your BVN with anyone except trusted platforms. Your details can be used to wrongly tie you to a financial fraud case.
Here’s an example:
Emmanuel receives a fraudulent transfer into a wallet created with the BVN of a fisherwoman in Makoko. In the last three months, in building up, he has been making purchases from her. Gradually, he built up a rapport with her and finally got her BVN.
It is important for financial institutions to properly explain the impact of sharing BVN details. The issue is not with other fintechs, but random individuals who get these details to carry out transactions in their names. Here is a BVN education sample.
With her BVN, he created a wallet that received the fraudulent transfer. To cover his tracks properly he goes on to transfer the money in bits to various mobile money agents. Finally, he is able to access seemingly untraceable cash that can be paid back into the financial system as legitimate.
Smurfs are fond of using BVN details of people in rural areas or their unsuspecting friends or acquaintances. We’ll discuss a proposed solution to managing this category after breaking down the final category of fraudsters.
Trusted Intruders
This final category is quite similar to smurfs. Although these ones do not necessarily receive fraudulent cash, they tend to take the same withdrawal path. People in this category are usually close friends or family members.
Do not use the same password and PIN across platforms. Doing that makes you vulnerable to multiple attacks.
Given their proximity, they struggle less with getting passwords or PINs. An ally can log in to make a transfer, divert funds and clean up tracks easily. For example, Onyinye logs into her sister’s wallet and makes a withdrawal into the account of a money agent. Then, she will clear up the transactional emails that show proof of transfer.
How to Manage Digital Fraud of Smurfs and Trusted Intruders
Given their similar withdrawal patterns into accounts that cannot be traced to them, the same solutions apply. The first step is to limit withdrawal options to accounts associated with the BVN details.
As a service provider, leverage friction when it comes to editing BVN details. This might contradict the call for seamlessness with fintech apps but there is a strong case for frictional UX when money is involved.
With this limitation, you restrict the intruder and make it easier to track funds if they finally get through your security structure. Regardless of the strength of your structure, access might still be possible due to oversight from the user. Hence, such restrictions are welcome.
In one of the cases we have successfully handled, we were able to leverage BVN details to easily track funds moved by an intruder to multiple bank accounts and quickly froze them. With the freeze effected, we were finally able to retrieve the funds, identify the recipients and return back to the legitimate owner.
Secondly, set up approval hurdles like the use of the google authenticator app for two-factor authentication (2FA). If there is a need to turn off 2FA, they’ll need a token from the app or reach out to your support team for help. Once again, leverage friction.
In summary, it goes beyond having a strong security wall. It is more about observing user behavior and building flags around suspicious patterns before an attack happens. Keep building a seamless experience with security coming first.
RELATED:
Best Way to Resolve Flagged Accounts
Great initiative to address this important issue.
Thanks for addressing this issue. I have always wondered how you it works.
It makes sense also request for death proof from d next of kin before any transaction
I have a case just like this but my brother is the next of kin and he was told to visit the ministry of Justice for a letter of approval which he did,, they told him the letter will be ready within 2month after spending some amount of money to my surprise it was more than 6month and just this Monday letter was taken to bank.
Bank also are saying we should come back later for a review that we should keep checking
I like this ideas
This is a good piece of information.
Thanks for the information, can I state both my adult children as next of kin because I have been told that using one could cause a rift
Sure you can.
Very detailed and explanatory. Thanks.
Yes my name is chiamaka i have a case like this my dad use as next of kin to process his dividend to the one of the nigerian bank but now he died on august last year and we buried him three months ago as a next of kin i dont no the required document i will use to go and present to the bank to claim his money he did not write any will only next of kin he uses thanks
My mum is my dad’s next of kin, he died few months ago as a polygamist he has no will what do we do.
Quite good, love that and will update mind, nice ? being part of Cowrywise.
Great!
I have a case just like this but my brother is the next of kin and he was told to visit the ministry of Justice for a letter of approval which he did,, they told him the letter will be ready within 2month after spending some amount of money to my surprise it was more than 6month and just this Monday letter was taken to bank.
Bank also are saying we should come back later for a review that we should keep checking
I would have loved to used my mom as the next of kin but she doesn’t like using Android phone thus she didn’t have any email address,, I don’t really trust my immediate younger sister that much so I used my second younger sister I just hope it wouldn’t cause any hatred towards each other
Thanks for taking the time to explain this . Great ?