- A guide on key lessons from managing digital fraud attempts; as a wealth management firm in Nigeria over the past three years.
Digital fraud has grown at an almost equal pace alongside financial innovation–from banks to modern-day fintech. From time immemorial, digital innovations in the finance space have always ushered in new levels of ease and speed. In 2017, we wrote a detailed article about this evolution. Sadly, just as innocent users are grateful for these changes, so also are fraudsters.
Over the past 3 years, we have monitored the activities of these fraudsters and how they’ve tried to game our system. Thankfully, at all times, we’ve been able to cage them before they caused damage. Our lessons have also placed us in a proactive position to anticipate and quash fraudulent acts before they manifest.
Basic Digital Fraud Categories
So far, we have been able to identify three categories of people associated with digital fraud:
- Referral Program Gamers
- Smurfs: Distributors of Fraudulent Cash
- Trusted Intruders
Using in-house examples, we’ll share how these categories differ, their modes of operation and how to reduce their success rates to zero.
Referral Program Gamers
A usual market-entry approach for service providers, and by extension other consumer tech products, is to use a referral program that nudges users to invite their friends. There are numerous case studies that prove this is a solid growth approach. This manner of digital fraud directly impacts any company’s growth efforts negatively.
The downside to this referral-based growth is that people try to game the system by referring nobodies. In essence, you can have one user duplicated as one hundred users.
People like these are described as gamers. In their numbers, they can drain marketing resources dedicated to genuine referrals. A quick fix is to limit people to signup with only known domains, like gmail.com. However, that will serve as a major hurdle for many.
And even if that were possible, gamers can just register legitimate emails using their cards. To effectively tackle this, we started with identifying known spam domains and flagging referrals made with the same card.
Do not let anyone sign you up, through a referral program, to any financial service without your total consent or proper understanding of the platform.
Money Smurfs: Distributors of Stolen Money
Today, using your Bank Verification Number (BVN), it is possible to open wallets that can take in more cash than your primary bank account limits. This is interesting to the everyday user and fraudster.
For the everyday user, a business person, for instance, it makes it easier to receive more payments seamlessly and then transfer to any bank account of their choice.
However, for the smurf, this is a beautiful loophole. A smurf refers to a money launderer who is tasked with under-the-radar transfers. With a random BVN, a smurf can set up a wallet, and transfer large sums in small bits to separate accounts.
Once the transfers are done, a smurf can go on to withdraw these amounts from mobile money operators in cash. Then the bulk cash is paid into a lesser number of accounts, or have them “cleaned” through purchases tied to legitimate accounts of the fraudsters.
Usually, smurfs make use of accounts in rural areas to receive these monies. Given the number of accounts that can be involved, tracing the money can be quite tough and frustrating. And even when properly traced, the BVN holders might be oblivious of what the accounts were used for.
As a BVN holder, do not share your BVN with anyone except trusted platforms. Your details can be used to wrongly tie you to a financial fraud case.
Here’s an example:
Emmanuel receives a fraudulent transfer into a wallet created with the BVN of a fisherwoman in Makoko. In the last three months, in building up, he has been making purchases from her. Gradually, he built up a rapport with her and finally got her BVN.
It is important for financial institutions to properly explain the impact of sharing BVN details. The issue is not with other fintechs, but random individuals who get these details to carry out transactions in their names. Here is a BVN education sample.
With her BVN, he created a wallet that received the fraudulent transfer. To cover his tracks properly he goes on to transfer the money in bits to various mobile money agents. Finally, he is able to access seemingly untraceable cash that can be paid back into the financial system as legitimate.
Smurfs are fond of using BVN details of people in rural areas or their unsuspecting friends or acquaintances. We’ll discuss a proposed solution to managing this category after breaking down the final category of fraudsters.
Trusted Intruders
This final category is quite similar to smurfs. Although these ones do not necessarily receive fraudulent cash, they tend to take the same withdrawal path. People in this category are usually close friends or family members.
Do not use the same password and PIN across platforms. Doing that makes you vulnerable to multiple attacks.
Given their proximity, they struggle less with getting passwords or PINs. An ally can log in to make a transfer, divert funds and clean up tracks easily. For example, Onyinye logs into her sister’s wallet and makes a withdrawal into the account of a money agent. Then, she will clear up the transactional emails that show proof of transfer.
How to Manage Digital Fraud of Smurfs and Trusted Intruders
Given their similar withdrawal patterns into accounts that cannot be traced to them, the same solutions apply. The first step is to limit withdrawal options to accounts associated with the BVN details.
As a service provider, leverage friction when it comes to editing BVN details. This might contradict the call for seamlessness with fintech apps but there is a strong case for frictional UX when money is involved.
With this limitation, you restrict the intruder and make it easier to track funds if they finally get through your security structure. Regardless of the strength of your structure, access might still be possible due to oversight from the user. Hence, such restrictions are welcome.
In one of the cases we have successfully handled, we were able to leverage BVN details to easily track funds moved by an intruder to multiple bank accounts and quickly froze them. With the freeze effected, we were finally able to retrieve the funds, identify the recipients and return back to the legitimate owner.
Secondly, set up approval hurdles like the use of the google authenticator app for two-factor authentication (2FA). If there is a need to turn off 2FA, they’ll need a token from the app or reach out to your support team for help. Once again, leverage friction.
In summary, it goes beyond having a strong security wall. It is more about observing user behavior and building flags around suspicious patterns before an attack happens. Keep building a seamless experience with security coming first.
RELATED:
Best Way to Resolve Flagged Accounts
