- A guide on key lessons from managing digital fraud attempts as a wealth management firm in Nigeria over the past three years.
Digital fraud has grown at an almost equal pace alongside financial innovation–from banks to modern-day fintech. From time immemorial, digital innovations in the finance space have always ushered in new levels of ease and speed. In 2017, we wrote a detailed article about this evolution. Sadly, just as innocent users are grateful for these changes, so also are fraudsters.
Over the past 3 years, we have monitored the activities of these fraudsters and how they’ve tried to game our system. Thankfully, at all times, we’ve been able to cage them before they caused damage. Our lessons have also placed us in a proactive position to anticipate and quash fraudulent acts before they manifest.
Basic Digital Fraud Categories
So far, we have been able to identify three categories of people associated with digital fraud:
- Referral Program Gamers
- Smurfs: Distributors of Fraudulent Cash
- Trusted Intruders
Using in-house examples, we’ll share how these categories differ, their modes of operation and how to reduce their success rates to zero.
Referral Program Gamers
A usual market-entry approach for service providers, and by extension other consumer tech products, is to use a referral program that nudges users to invite their friends. There are numerous case studies that prove this is a solid growth approach. Fraud that targets these programs directly harms a company’s growth efforts.
The downside to this referral-based growth is that people try to game the system by referring nobodies. In essence, you can have one user duplicated as one hundred users.
People like these are described as gamers. In their numbers, they can drain marketing resources dedicated to genuine referrals. A quick fix is to limit people to signing up with only known domains, like gmail.com. However, that will serve as a major hurdle for many.
And even if that were possible, gamers can just register legitimate emails using their cards. To effectively tackle this, we started with identifying known spam domains and flagging referrals made with the same card.
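The two checks described above, as an added example that is not Cowrywise's own code. The record fields (`user_id`, `email`, `referrer_id`, `card_fp`), the deny-list domains and the third check (one card shared by several accounts referred by the same person) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed deny-list; a real deployment maintains its own.
SPAM_DOMAINS = {"mailinator.example", "tempmail.example"}

def flag_referrals(signups, spam_domains=SPAM_DOMAINS):
    """Return {user_id: [reasons]} for referred signups that look gamed.

    card_fp is an opaque fingerprint of the funding card, never the card number.
    """
    card_of = {s["user_id"]: s["card_fp"] for s in signups}
    # Group referred accounts by (referrer, card): one card behind many referees.
    by_card = defaultdict(list)
    for s in signups:
        if s["referrer_id"] and s["card_fp"]:
            by_card[(s["referrer_id"], s["card_fp"])].append(s["user_id"])

    flags = defaultdict(list)
    for s in signups:
        if not s["referrer_id"]:
            continue  # only referred accounts can earn a bonus
        domain = s["email"].rsplit("@", 1)[-1].lower()
        if domain in spam_domains:
            flags[s["user_id"]].append("spam_domain")
        fp = s["card_fp"]
        if fp and fp == card_of.get(s["referrer_id"]):
            flags[s["user_id"]].append("same_card_as_referrer")
        if fp and len(by_card[(s["referrer_id"], fp)]) > 1:
            flags[s["user_id"]].append("card_shared_by_referees")
    return dict(flags)

# Constructed sample data.
SIGNUPS = [
    {"user_id": "u1", "email": "ada@gmail.com", "referrer_id": None, "card_fp": "fp-A"},
    {"user_id": "u2", "email": "x1@mailinator.example", "referrer_id": "u1", "card_fp": None},
    {"user_id": "u3", "email": "ada2@gmail.com", "referrer_id": "u1", "card_fp": "fp-A"},
    {"user_id": "u4", "email": "bola@gmail.com", "referrer_id": "u1", "card_fp": "fp-B"},
    {"user_id": "u5", "email": "k1@yahoo.com", "referrer_id": "u4", "card_fp": "fp-C"},
    {"user_id": "u6", "email": "k2@yahoo.com", "referrer_id": "u4", "card_fp": "fp-C"},
]

if __name__ == "__main__":
    for uid, reasons in flag_referrals(SIGNUPS).items():
        print(uid, reasons)
```

A flag here withholds the referral bonus for review; it does not block the signup itself.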
Money Smurfs: Distributors of Stolen Money
Today, using your Bank Verification Number (BVN), it is possible to open wallets that can take in more cash than your primary bank account limits. This is interesting to both the everyday user and the fraudster.
For the everyday user, a business person, for instance, it makes it easier to receive more payments seamlessly and then transfer to any bank account of their choice.
However, for the smurf, this is a beautiful loophole. A smurf refers to a money launderer who is tasked with under-the-radar transfers. With a random BVN, a smurf can set up a wallet, and transfer large sums in small bits to separate accounts.
Once the transfers are done, a smurf can go on to withdraw these amounts from mobile money operators in cash. Then the bulk cash is paid into a smaller number of accounts, or “cleaned” through purchases tied to legitimate accounts of the fraudsters.
Usually, smurfs make use of accounts in rural areas to receive these monies. Given the number of accounts that can be involved, tracing the money can be quite tough and frustrating. And even when properly traced, the BVN holders might be oblivious of what the accounts were used for.
Here’s an example:
Emmanuel receives a fraudulent transfer into a wallet created with the BVN of a fisherwoman in Makoko. In the last three months, in building up, he has been making purchases from her. Gradually, he built up a rapport with her and finally got her BVN.
With her BVN, he created a wallet that received the fraudulent transfer. To cover his tracks properly he goes on to transfer the money in bits to various mobile money agents. Finally, he is able to access seemingly untraceable cash that can be paid back into the financial system as legitimate.
Smurfs are fond of using BVN details of people in rural areas or their unsuspecting friends or acquaintances. We’ll discuss a proposed solution to managing this category after breaking down the final category of fraudsters.
Trusted Intruders
This final category is quite similar to smurfs. Although these ones do not necessarily receive fraudulent cash, they tend to take the same withdrawal path. People in this category are usually close friends or family members.
Given their proximity, they struggle less with getting passwords or PINs. An ally can log in to make a transfer, divert funds and clean up tracks easily. For example, Onyinye logs into her sister’s wallet and makes a withdrawal into the account of a money agent. Then, she will clear up the transactional emails that show proof of transfer.
How to Manage Digital Fraud of Smurfs and Trusted Intruders
Given their similar withdrawal patterns into accounts that cannot be traced to them, the same solutions apply. The first step is to limit withdrawal options to accounts associated with the BVN details.
With this limitation, you restrict the intruder and make it easier to track funds if they finally get through your security structure. Regardless of the strength of your structure, access might still be possible due to oversight from the user. Hence, such restrictions are welcome.
In one of the cases we have successfully handled, we were able to leverage BVN details to easily track funds moved by an intruder to multiple bank accounts and quickly freeze them. With the freeze effected, we were finally able to retrieve the funds, identify the recipients and return the funds to the legitimate owner.
Secondly, set up approval hurdles like the use of the Google Authenticator app for two-factor authentication (2FA). If there is a need to turn off 2FA, users will need a token from the app or will have to reach out to your support team for help. Once again, leverage friction.
In summary, it goes beyond having a strong security wall. It is more about observing user behavior and building flags around suspicious patterns before an attack happens. Keep building a seamless experience with security coming first.
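The withdrawal restriction and the kind of behavioural flag described in this section, as an added example that is not Cowrywise's own code. The transaction fields, the thresholds (`WINDOW`, `MIN_PAYEES`, `DRAIN_RATIO`) and all account identifiers are assumptions; the flag targets the smurf pattern from earlier, one deposit split in small bits across many recipients.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # assumed look-back after a deposit
MIN_PAYEES = 4                # assumed: distinct recipients that raise a flag
DRAIN_RATIO = 0.8             # assumed: share of the deposit moved out

def withdrawal_allowed(dest_account, bvn_linked_accounts):
    """Payout gate: only accounts tied to the wallet owner's BVN pass."""
    return dest_account in bvn_linked_accounts

def smurf_flags(txns):
    """Flag deposits that are split across many payees shortly afterwards.

    txns: dicts with ts, direction ("in" or "out"), amount, counterparty.
    Returns a list of (deposit_ts, distinct_payees, amount_moved_out).
    """
    flags = []
    for dep in (t for t in txns if t["direction"] == "in"):
        outs = [t for t in txns if t["direction"] == "out"
                and dep["ts"] < t["ts"] <= dep["ts"] + WINDOW]
        payees = {t["counterparty"] for t in outs}
        moved = sum(t["amount"] for t in outs)
        if len(payees) >= MIN_PAYEES and moved >= DRAIN_RATIO * dep["amount"]:
            flags.append((dep["ts"], len(payees), moved))
    return flags

# Constructed sample data (amounts in naira, account ids are placeholders).
T0 = datetime(2020, 1, 6, 9, 0)
LINKED = {"ACCT-OWNER-1", "ACCT-OWNER-2"}
SMURF_WALLET = [{"ts": T0, "direction": "in", "amount": 500_000, "counterparty": "EXT-1"}] + [
    {"ts": T0 + timedelta(hours=h), "direction": "out", "amount": 95_000,
     "counterparty": f"AGENT-{h}"} for h in range(1, 6)]
NORMAL_WALLET = [
    {"ts": T0, "direction": "in", "amount": 200_000, "counterparty": "EMPLOYER"},
    {"ts": T0 + timedelta(days=1), "direction": "out", "amount": 50_000,
     "counterparty": "ACCT-OWNER-1"},
]

if __name__ == "__main__":
    print(smurf_flags(SMURF_WALLET))   # one flagged deposit
    print(smurf_flags(NORMAL_WALLET))  # no flags
    print(withdrawal_allowed("AGENT-1", LINKED))
```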
Does Cowrywise have 2FA on its app?
Yes Deji. https://cowrywise.com/blog/two-factor-authentication/
This is an amazing article, Cowrywise. Kudos to everyone who worked on it.
Really nice article, keep it up Cowrywise and thanks for the awareness.
Thanks for these eye-openers.
Guys you are the best always
But, you should have resolved Funmi’s complaint before she made it public. So, was the court order gotten? If it took forever for a Funmi to get her funds back, what happens to people without clout?
Let me explain. While Obama was at a rally, someone from the crowd shouted at him about how immigrants were being deported. The issue was that these were illegal immigrants who were working honestly but contributing to America’s workforce, and hence its development… But it was tough, they are still illegal immigrants, right? So Obama replied: We [America] are a country of immigrants, yet we are a country of law. How do these two things cohabitate? The answer is: reasonable compromise.
It might be hard to explain to you that it wasn’t the clout that made her get her money, it was months of hard work in tracing the suspected thieves and following the law. The funds were transferred in a normal way any funds will, and the best thing was to work with Funmi to get the money back… By following the law. Unfortunately it took more time than Funmi’s patience, but eventually.
As a Software Engineer myself, one requirement is to always think and be ahead of the intruders… But you’d be surprised that as much as we try to make things for consumers that make their lives easier, there are people somewhere whose purpose is to destroy that work. It’s tough but possible. We can stop them, or at worst, recover our stolen funds or losses… Even Twitter and other famous websites get gamed or hacked. Is this a justification for Funmi’s case, no. It’s just a point to help you understand, these things are tough. And we all have a role to play.
But we’d hold your hands all through. Trust us.
Impactful and mind opening
Funmi made our cowrywise even stronger💪
Thanks for the eye opener. Does Cowrywise have 2FA?
Yes we do now, Ifeoma https://cowrywise.com/blog/two-factor-authentication/
My account was flagged because of a transaction I made and my 2000 is hanging. How do I get it back????
Thanks for your patience. A flag is initiated when we suspect a transaction, and it is designed to keep you safe. Have you filled out the verification form we sent, please?
My account was flagged I don’t know why and my 90000 is hanging. How do I get it back????
This is enlightening. Cowrywise, thanks to your team.
Thanks cowry wise. For a more detailed information on this issue. Thank you.
Insightful and Enlightening. Thanks
Why do I need to my bvn to cowrywise, I don’t feel that is necessary since have already linked my atm card
Why do I need to add my bvn to cowrywise, I don’t feel that is necessary since have already linked my atm card
With your BVN added, we can ensure that withdrawals only go to your bank account.
How do I unflag my account?
This is a very insightful article. Thanks.
Please, I have been asking and begging to unflag my account and no attempt from you. Please, I will still be pleading again: unflag my account so I can top up my savings. I have sent emails upon emails, chart on charts, but no attempt to unflag my account was made. Please unflag my account.
Unflag my account. Why is that flagging thing just common? Now I cannot withdraw my savings when I have planned to use to buy a system
Good insight from Cowrywise team
More win 🏆
Is it working
Hi ope, I want to withdraw my savings but I am finding it difficult because they keep asking me to put another maturity date which I don’t want to extend that very savings. This is my first time of withdrawal on cowrywise.
This is super enlightening. Thank you Cowrywise 🥰
I learned a lot from this kudos to the writer