EXCLUSIVE: “The BIG Sting” – Alex King in “The Fintech Magazine”
Could the UK-led purge of the iSpoof site and subsequent arrests across multiple jurisdictions mark a turning point in the detection and enforcement of APP and other fraud? asks Alex King
Anyone paying attention to fraud statistics that have spiraled since the start of the pandemic could be forgiven for thinking that fraudsters were given a free pass at a time of deep financial vulnerability for many people. But on November 24, Britain’s Metropolitan Police revealed it had made more than 140 arrests during the country’s biggest-ever anti-fraud operation, which spanned two continents.
Working with the FBI and Europol, the sting followed an 18-month investigation into a website described by detectives as a “one-stop spoofing shop” that had defrauded victims of more than $120 million, netting its service operators an estimated $3,850,000 . Brazenly going by the name iSpoof, it enabled paid users to mask their phone numbers with one belonging to a trusted organization – often a bank – allowing them to run phishing and “bank helpdesk” scams, steal money, bank account details, and one-time codes.
Using social engineering techniques, criminals had defrauded victims of an average of £10,000 each, with one losing £3.2 million, the Met said. iSpoof was used to carry out authorized push payment (APP) fraud, a methodology that tricks victims into making a wire transfer to the account of a fraudster, believing they are a legitimate payee. UK losses to APP fraud increased by 71 per cent in 2021, and are projected to continue to outpace the growth of other fraud methods worldwide.
The financial and reputational threat that APP fraud poses to banks, and the seemingly unstoppable rise in fraud, prompted UK Finance to warn earlier in 2022 that it now poses a “national security threat”. The numbers involved in the iSpoof operation are staggering. At its peak, the service had 59,000 users making nearly 20 fraudulent calls per minute, with 40 percent in the US, 35 percent in the UK, and the rest occurring in dozens of other countries. The Met believes more than 200,000 UK nationals fell victim, although only £48m of losses were reported to Action Fraud – which is proof of how fraud is under-reported and possibly how little consumers trust that their experience will be listened to or their crime solved.
“This operation is a very positive step. They have taken down and removed one of the biggest fraud threats globally.
The Met’s operation marked a change in strategy by law enforcement, according to Commissioner Sir Mark Rowley. Speaking to Radio 4’s Today programme, he said: “In the past we’ve just shut down [websites like iSpoof] and killed the fraud methodology. This time we have decided to take out everyone involved … we want to hold people accountable.”
This cross-border, multi-agency approach to financial crime with a clear focus on arrest – although there is no word yet on the likelihood of recovering the stolen funds – is exactly what the first Financial Action Task Force/Interpol joint mission was set up for to achieve. It convened a roundtable of regulators, investigators and financial services representatives in September to discuss what was needed in terms of a shift in law enforcement perspectives and culture, improved international networks and tools, and stronger legislation and global standards, to succeed in to detect and, critically, prosecute economic crime.
“For too long there has been too little focus on the enablers and perpetrators of fraud,” said David Howes, global head of financial crime compliance, conduct and compliance frameworks at Standard Chartered bank.
– It is great to see the police forces involved going after a significant and complex case with far-reaching consequences. In order to tackle the fraud pandemic, however, a unified strategy will be required, with collective efforts from both the private and public sectors, as well as increased awareness among the public to be on the lookout for fraud.”
For many consumers, a nagging question arises: Couldn’t banks do more to prevent this type of fraud in the first place?
According to Dan Holmes, a consultant at financial fraud technology firm Feedzai, APP crimes are notoriously difficult for banks to detect.
“There is no real compromise the bank can see on the victim’s account, given that it was the victim himself who paid,” he says.
That said, due diligence and verification of payee checks appears to be woefully ineffective, and the proceeds of fraud are removed before misconduct is discovered. Because of the pitifully low detection rates, says Holmes, “banks typically deal with law enforcement in a reactive rather than proactive manner”. So it is up to the police to investigate, and the banks assist in two ways: by providing the police with data on request, and by reporting fraud through well-established channels such as UK Finance, which forwards reports to the National Fraud Intelligence Bureau.
Banks may well bemoan the fact that, although fraud accounts for around half of all crime in the UK, only around one per cent of police resources go to specialist financial crime teams. In an effort to support fraud enforcement, the banking and financial services industry funds the Dedicated Card and Payment Crime Unit (DCPCU), a proactive UK police unit tasked with investigating financial crime.
According to a UK Finance spokesperson: “In 2021, the DCPCU prevented a record £101 million from being stolen – the highest amount in the unit’s 20-year history.”
So it is clear that cooperation between enforcement and the banks can work.
“There has been too little focus on the enablers and perpetrators of fraud. To tackle the fraud pandemic, a joint strategy from the public and private sectors will be needed.”
“Closer collaboration can help,” says Holmes. “Technological advances, such as the use of persistent device recognition capabilities, have been something that law enforcement has benefited from. Often, one compromised account can be linked to many others, not only through transaction patterns, but also by access patterns, such as device and location.”
Still, he says, “the speed of dialogue and action is critical”. To be truly proactive, banks’ detection of APP fraud must increase in frequency and speed. This is where proactive analysis plays a crucial role. Sophisticated machine learning models can examine random data around large transactions to spot those that present a profile consistent with past instances of fraud.
“Most banks should now be doing this,” says Holmes. The next step, he says, is to deepen that behavioral analysis.
“Banks and companies like Feedzai are researching user behavioral biometrics as a method of fraud prevention. For example, how does a user interact with their mobile phone and PC if they are under duress?”
This speaks for the importance of a feedback loop from the police back to the banks. Only the police could surreptitiously access iSpoof, downloading the site’s entire historical data. Only the banks can start matching phone numbers given to them by the police with account holders. And currently, only tech firms like Feedzai can help examine the behavioral biometrics of these victim accounts, using that data to generate new models that instantly detect APP fraud of this kind. It takes time to land a model that can protect and prevent rather than react and replace.
This is precisely why Holmes believes speed is key: the banks and their partners must act at full tilt to give consumers a fighting chance. There is another side to the iSpoof story. Such scams cannot take place without encrypted criminal Telegram channels, cryptocurrency exchanges, privacy coins, professional phishers, data brokers and dark web forums where names and numbers are bought and sold. No wonder the iSpoof investigation was dubbed ‘Operation Elaborate’ by the Met.
“We should be clear that this operation is a very positive step,” says Holmes. “They have taken down and removed one of the biggest fraud threats globally. But there is a growing perception that there are other actors involved in the life cycle of a fraud who also have a responsibility to protect customers, including telcos and big tech.”
Mark Rowley said the Met was trying to “industrialize” its response to the industrialization of fraud, where banks are as much victims as anyone else. Holmes is feeling positive. “The fact that law enforcement has taken decisive action shows,” he says, “that the industry can finally pull together as a collective to offer consumers the best fraud protection across the board.”
This article was published in The Fintech Magazine issue 26, pages 57-58
