By Elizabeth Judd
Recently, a customer came to Kennebec Savings Bank to withdraw money to build a new deck. Knowing the customer lived in a condo, the account manager began asking questions, eventually escalating to the branch manager. “The customer teared up and pulled out his phone, and the branch manager saw the fraudster was listening to the conversation,” says Kennebec President and CEO Andrew Silsby.
For cases like this, combatting fraud comes down to “knowing your customer and knowing that a person who lives in a condo wouldn’t be installing a deck,” he says. Silsby notes that the branch manager helped the customer block the fraudster on his phone, preventing this instance of attempted fraud.
This incident is far from exceptional. One Kennebec customer recently tried to withdraw funds to marry someone he believed to be Jennifer Aniston, while a couple asked to wire funds to pay taxes on their Irish lottery winnings.
At Kennebec, a Maine-based mutual with $1.7 billion in assets and 78,000 accounts, the number of fraud cases tripled between 2021 and 2023, Silsby points out. He says that in 2023 alone Kennebec experienced 264 cases of fraud and prevented over $430,000 in fraud losses.
Kennebec is one small part of an epidemic of identity scamming. In 2023, the Federal Trade Commission reported a 14 percent increase in fraud losses compared to 2022. The FTC reports that imposter scams accounted for nearly $2.7 billion of the more than $10 billion in annual losses attributed to fraud.
Although there are numerous reasons for the rise of imposter scams, social engineering is increasingly a typical strategy. Social engineering, which is sometimes defined as techniques aimed at talking a victim into revealing private information or performing actions for illegitimate reasons, is the “piece that’s exponentially exploded,” says Silsby.
Social engineering is a particularly thorny problem for banks because their own customers are unwitting participants, says Paul Benda, EVP for risk, fraud and cybersecurity at the American Bankers Association.
“If you give somebody the keys to your house, they’re going to be able to rob you,” says Benda. “It doesn’t matter how good your security is. That’s the challenge we’re facing.”
Growing sophistication
A few years ago, identity scams tended to entrap the hapless. Not so today as seasoned professionals are falling prey, too.
In February, for instance, a New York Magazine financial columnist made headlines when she wrote about being scammed out of $50,000 by a criminal impersonating a CIA agent. What convinced her was the personal data he knew, ranging from her Social Security number to her home address and the names of family members.
Ditto for Jason Henrichs, CEO of banking consortium Alloy Labs Alliance, who last fall almost paid to avoid arrest for having missed federal jury duty. Among other things, the fraudster spoofed the phone number of the county courthouse on his caller ID.
“The social engineering aspect is next level,” says Henrichs. “Because [the criminals] have gotten so good at spoofing, it can get you in a mental place where you believe there are data points that support the actions you’re going to take.”
Jill Castilla, president and CEO at Citizens Bank of Edmond and at ROGER, a digital military bank, describes the increase in identity scams as “an onslaught.” She notes that generative AI is contributing to the problem. “It’s so easy to represent yourself as another person,” she says. “Even bots can do this.”
At these Oklahoma-based banks, which have $380 million in assets, she hears almost daily of romance schemes among customers who are not “fragile” people. Castilla is particularly alarmed by “the degree of sophistication” she’s seeing on the part of bad actors. “Fraudsters now know hold periods for new accounts. They’ll wait to write a check until after the hold period expires,” she explains.
Outwitting the fraudsters
Not only are fraudsters playing what Castilla and others describe as “the long game,” but they’re using cutting-edge technology that makes detection increasingly difficult. In romance scams, for instance, deep fakes are deceiving even very astute people who “see” an individual on a Zoom call. Not realizing that that individual has been created from a photograph.
The depth of the problem made headlines in February, when a finance worker in Hong Kong paid $25.6 million to a bad actor using deepfake technology to pose as the company’s U.K.-based CFO on a multi-person videoconference call.
“There’s still a sense that seeing is believing,” says Joe Palmer, president of technology provider iProov. The more we conduct business online, the “more chances there are to exploit vulnerabilities,” he says. With fraudsters using AI and deep fakes, he continues, “we as humans have become the weak link in the system.”
If technology has spawned this problem, there’s an argument that technology will solve it, too. Founded in 2011, iProov, for instance, uses facial biometrics and colored illumination to assure that a human being is present rather than a photo manipulated to look like a human being.
Another novel tech solution is Sardine. CEO Soups Ranjan identifies “behavior as the missing ingredient in verifying identities and actions online.” While a bad actor may spoof a Social Security number or other personal data, the criminal is likely to be cutting and pasting information or inputting straightforward spellings more slowly than an actual user would. By detecting behavioral differences, including whether more than one individual is controlling a computer mouse, Sardine can flag suspicious transactions.
Even with the latest technologies, some banks will always face unique challenges. Take, for instance, Asian Bank, which is based in Philadelphia and has $515 million in assets.
At Asian Bank, English is not the native language for most customers, says President and CEO James Wang. Given the linguistic challenges his customers face, he recently held an in-person seminar about identity fraud that was taught, in part, in a Chinese dialect. “A bank like ours has to take time to educate about these problems,” he says.
Enlisting government
When it comes to combatting imposter scams, ABA’s Benda is convinced that law enforcement and government have a larger role to play.
Benda recently testified before the Senate Banking Committee. He expressed support for the FCC’s efforts to combat illegal text messages but emphasized that more needs to be done. One suggestion: the FCC finalize a requirement that text messages be authenticated, and that this authentication solution have a set deadline for development and implementation.
Benda also noted that stolen or spoofed social media accounts can be a way for criminals to target consumers. While acknowledging the complexity of the problem, he maintained that social media companies should have a method for quickly taking down “impersonation accounts” once they’ve been identified.
In addition, telecommunications providers that “enable criminals to impersonate legitimate numbers and incorrectly authenticate their calls … should be held to account,” Benda said. ABA’s August letter asked the FCC to prohibit the display of data on consumers’ caller ID devices when the authenticity of the incoming call could not be adequately verified.
Jonathan Thessin, VP and senior counsel at ABA, underscores the problem of banks having “limited insight into the bad actors spoofing a call.” Often, he says, a bank learns about these calls only when a customer advises the bank that a fraud attempt has taken place.
Telecommunications providers “are in the best position to block bad actors who are trying to spoof the numbers of banks and other legitimate businesses,” Thessin says.
Because government has been slow to act, banking groups are working together on solutions. ABA is developing a program to flag accounts that have received fraudulently obtained funds so other institutions can make inquiries before allowing more money to flow into these accounts.
A similar effort is underway by Sonar, a consortium founded in August 2023 to create “a list of bank accounts being used by scammers,” according to Sardine’s Ranjan.
Educating customers
Any problem as complicated as tech-assisted identity spoofing, deep fakes and well-honed social engineering tactics will require a multipronged solution.
One aspect of any solution will be education. In this regard, Benda applauds banks for communicating clearly with customers about what types of information they will ask for — and what they won’t.
Kennebec’s Silsby has taken education to heart by instructing both customers and bank employees to “watch for out-of-pattern behaviors.” Each month, he publishes a newsletter that celebrates the quick thinking by front-line employees who recognize and prevent fraud. Not only is this a way of showing appreciation, but it’s “a way to teach everyone when there’s another version of what may be an age-old scam,” he says.
Getting creative about combatting imposter scams is an imperative, the experts agree.
“Banks need to get ahead of this because their number-one asset is trust,” concludes Henrichs. “And if you’re not actively taking steps to protect your customers, even if that’s protecting your customers from themselves, you’re eroding that trust.”
Elizabeth Judd is a freelance writer based in Chevy Chase, Maryland.
