- A guide on key lessons from managing digital fraud attempts as a wealth management firm in Nigeria over the past three years.
Digital fraud has grown at an almost equal pace alongside financial innovation, from banks to modern-day fintechs. From time immemorial, digital innovations in the finance space have always ushered in new levels of ease and speed. In 2017, we wrote a detailed article about this evolution. Sadly, just as innocent users are grateful for these changes, so also are fraudsters.
Over the past 3 years, we have monitored the activities of these fraudsters and how they’ve tried to game our system. Thankfully, at all times, we’ve been able to cage them before they caused damage. Our lessons have also placed us in a proactive position to anticipate and quash fraudulent acts before they manifest.
Basic Digital Fraud Categories
So far, we have been able to identify three categories of people associated with digital fraud:
- Referral Program Gamers
- Smurfs: Distributors of Fraudulent Cash
- Trusted Intruders
Using in-house examples, we’ll share how these categories differ, their modes of operation and how to reduce their success rates to zero.
Referral Program Gamers
A usual market-entry approach for service providers, and by extension other consumer tech products, is to use a referral program that nudges users to invite their friends. There are numerous case studies that prove this is a solid growth approach. Gaming these programs is a form of digital fraud that directly undermines any company’s growth efforts.
The downside to this referral-based growth is that people try to game the system by referring nobodies. In essence, you can have one user duplicated as one hundred users. A common approach to tackling this is to mandate a first-level action, which then triggers the reward. Still, gamers can work their way around this.
Here’s an example:
Ade knew that to earn the ₦250 referral bonus, he just needed to refer friends that saved ₦100. To game the system, he simply created imaginary friends using fake or suspicious email domains. All he needed to do was save ₦100 in each account and wait for 3 months to earn ₦250 on each fake account. In context, with ₦10,000 (100 fake accounts) he will gain ₦25,000.
People like Ade are described as gamers. In their numbers, they can drain marketing resources dedicated to referrals. A quick fix is to limit people to signing up with only known domains, like gmail.com. However, that will serve as a major hurdle for many.
And even if that were possible, gamers can just register legitimate emails using their cards. To effectively tackle this, we started with identifying known spam domains and flagging referrals made with the same card. An additional approach we are exploring is thresholds.
For example, if Ade refers 10 people using different cards and they don’t go beyond the minimum deposit of ₦100, that’s still a flag. Hence, apart from mandating the use of independent cards, there is a need to set up thresholds that justify referral payouts.
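The three checks described above (spam domains, shared cards, and a threshold on referees who never save beyond the minimum) can be combined into one payout review. This is an added example, not our production code; the blocklist entries, the card fingerprint field and the 80% threshold are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed values for illustration; the article names the checks, not these numbers.
SPAM_DOMAINS = {"mailinator.example", "tempbox.example"}  # constructed blocklist
MIN_DEPOSIT = 100        # naira: the minimum qualifying deposit in the article
MAX_MINIMUM_ONLY = 0.8   # hypothetical: tolerated share of referees stuck at the minimum

@dataclass
class Referral:
    referee_email: str
    card_fingerprint: str  # hypothetical token identifying the funding card
    total_saved: int       # naira saved by the referee so far

def review_referrer(referrer_card: str, referrals: list[Referral]) -> dict:
    """Return per-referee flags, a referrer-level threshold flag and payable referees."""
    card_counts = Counter(r.card_fingerprint for r in referrals)
    flags = {}
    for r in referrals:
        reasons = []
        domain = r.referee_email.rsplit("@", 1)[-1].lower()
        if domain in SPAM_DOMAINS:
            reasons.append("spam_domain")
        # The referrer's own card, or one card funding several referees.
        if r.card_fingerprint == referrer_card or card_counts[r.card_fingerprint] > 1:
            reasons.append("shared_card")
        if r.total_saved < MIN_DEPOSIT:
            reasons.append("below_minimum")
        flags[r.referee_email] = reasons
    # Threshold: independent cards, yet almost nobody saves beyond the minimum.
    at_minimum = sum(1 for r in referrals if r.total_saved <= MIN_DEPOSIT)
    minimum_only = bool(referrals) and at_minimum / len(referrals) > MAX_MINIMUM_ONLY
    payable = [] if minimum_only else [e for e, why in flags.items() if not why]
    return {"flags": flags, "minimum_only_pattern": minimum_only, "payable": payable}

# Constructed sample: ten referees on ten different cards, all stuck at the minimum.
SAMPLE = [Referral(f"friend{i}@gmail.com", f"card-{i}", 100) for i in range(10)]
```

Run on `SAMPLE`, no individual referee is flagged, yet the referrer-level pattern holds every payout for review, which is the case the per-card check alone misses.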
Money Smurfs: Distributors of Stolen Money
Today, using your Bank Verification Number (BVN), it is possible to open wallets that can take in more cash than your primary bank account limits. This is interesting to the everyday user and fraudster.
For the everyday user, a business person for instance, it makes it easier to receive more payments seamlessly and then transfer to any bank account of their choice.
However, for the smurf, this is a beautiful loophole. A smurf refers to a money launderer who is tasked with under-the-radar transfers. With a random BVN, a smurf can set up a wallet, and transfer large sums in small bits to separate accounts.
Once the transfers are done, a smurf can go on to withdraw these amounts from mobile money operators in cash. Then the bulk cash is paid into a smaller number of accounts, or is “cleaned” through purchases tied to legitimate accounts of the fraudsters.
Usually, smurfs make use of accounts in rural areas to receive these monies. Given the number of accounts that can be involved, tracing the money can be quite tough and frustrating. And even when properly traced, the BVN holders might be oblivious of what the accounts were used for.
Here’s an example:
Emmanuel receives a fraudulent transfer into a wallet created with the BVN of a fisherwoman in Makoko. Over the last three months, as a build-up, he has been making purchases from her. Gradually, he built up a rapport with her and finally got her BVN.
With her BVN, he created a wallet that received the fraudulent transfer. To cover his tracks properly he goes on to transfer the money in bits to various mobile money agents. Finally, he is able to access seemingly untraceable cash that can be paid back into the financial system as legitimate.
Smurfs are fond of using BVN details of people in rural areas or their unsuspecting friends or acquaintances. We’ll discuss a proposed solution to managing this category after breaking down the final category of fraudsters.
Trusted Intruders
This final category is quite similar to smurfs. Although these ones do not necessarily receive fraudulent cash, they tend to take the same withdrawal path. People in this category are usually close friends or family members.
Given their proximity, they struggle less with getting passwords or PINs. An ally can log in to make a transfer, divert funds and clean up tracks easily. For example, Onyinye logs into her sister’s wallet and makes a withdrawal into the account of a money agent. Then, she clears out the transactional emails that show proof of transfer.
How to Manage Digital Fraud of Smurfs and Trusted Intruders
Given their similar withdrawal patterns into accounts that cannot be traced to them, the same solutions apply. The first step is to limit withdrawal options to accounts associated with the BVN details.
With this limitation, you restrict the intruder and make it easier to track funds if they finally get through your security structure. Regardless of the strength of your structure, access might still be possible due to oversight from the user. Hence, such restrictions are welcome.
In one of the cases we have successfully handled, we were able to leverage BVN details to easily track funds moved by an intruder to multiple bank accounts and quickly freeze them. With the freeze effected, we were finally able to retrieve the funds, identify the recipients and return the funds to the legitimate owner.
Secondly, set up approval hurdles like the use of the Google Authenticator app for two-factor authentication (2FA). If users need to turn off 2FA, they’ll need a token from the app or will have to reach out to your support team for help. Once again, leverage friction.
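The first step above, restricting withdrawals to accounts associated with the wallet’s BVN, also produces a useful signal: repeated blocked attempts to several unrelated accounts look like the smurf and trusted-intruder withdrawal path. The following is an added example, not our production code; the wallet IDs, account numbers, 24-hour window and limit of three destinations are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_WINDOW = timedelta(hours=24)  # hypothetical review window
FANOUT_LIMIT = 3                     # hypothetical: distinct unlinked destinations

def review_withdrawals(linked_accounts, withdrawals):
    """linked_accounts: wallet_id -> set of bank accounts registered to that wallet's BVN.
    withdrawals: list of (timestamp, wallet_id, destination_account, amount).
    Returns (decisions, flagged_wallets)."""
    decisions = []
    blocked = defaultdict(list)  # wallet_id -> [(timestamp, destination)]
    for ts, wallet, dest, amount in sorted(withdrawals):
        if dest in linked_accounts.get(wallet, set()):
            decisions.append((wallet, dest, amount, "allow"))
        else:
            # Destination is not tied to the wallet owner's BVN: refuse and record.
            decisions.append((wallet, dest, amount, "block"))
            blocked[wallet].append((ts, dest))
    flagged = set()
    for wallet, attempts in blocked.items():
        # Slide a window over the blocked attempts and count distinct destinations.
        for i, (start, _) in enumerate(attempts):
            in_window = {d for t, d in attempts[i:] if t - start <= FANOUT_WINDOW}
            if len(in_window) >= FANOUT_LIMIT:
                flagged.add(wallet)
                break
    return decisions, flagged

# Constructed sample data: W1 withdraws to its own account, then one unlinked
# attempt; W2 tries three different agent accounts within a few hours.
T0 = datetime(2024, 1, 1, 9, 0)
LINKED = {"W1": {"0011223344"}, "W2": {"0099887766"}}
SAMPLE = [
    (T0, "W1", "0011223344", 50000),
    (T0 + timedelta(hours=1), "W2", "AGENT-A", 9000),
    (T0 + timedelta(hours=2), "W2", "AGENT-B", 9500),
    (T0 + timedelta(hours=3), "W2", "AGENT-C", 8700),
    (T0 + timedelta(hours=4), "W1", "AGENT-A", 20000),
]
```

Every unlinked destination is refused outright, and only W2 is escalated for review, since a single blocked attempt on W1 stays below the assumed limit.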
In summary, it goes beyond having a strong security wall. It is more about observing user behavior and building flags around suspicious patterns before an attack happens. Keep building a seamless experience with security coming first.