Banks need to do more to help customers who have lost valuable money to sophisticated fraud and scams carried out by cyber criminals, the chief financial ombudsman has said.
Caroline Wayman, the chief ombudsman, said that considering how sophisticated today's financial scams and fraudulent operations have become, banks need to do more to help their customers who have been victims of such scams, rather than blaming the latter for gross negligence.
Bank fraud and financial scams involve criminals setting up domain-spoofing and identical websites to lure victims into filling up their banking information on such sites, sending phishing texts and emails to victims by claiming to be banks themselves, and asking victims to share their OTP under the guise of offering genuine services.
The rise of bank fraud and financial scams in the UK has had such a profound effect that, in a survey carried out by research agency Populus last year, 33 percent of all Brits said that they could be victims of bank fraud over the next five years.
Populus noted that not only should banks introduce strong security measures to prevent fraudsters from succeeding, but customers themselves should take measures to ensure the security of their banking information.
According to the agency, 32% of consumers have asked their web browsers to remember their passwords, 29% have used the same password for multiple accounts, 13% have accessed their bank accounts on public Wi-Fi, 13% have shared their bank account details with others via texts or online messages, and 10% have put card details into websites they don't know and trust.
Banks need to investigate scams thoroughly
Considering that most scams succeed because victims share their financial information with fraudsters without checking if they're really dealing with their banks, banks do take such negligence into account when compensating their customers for losses suffered to scams.
However, Wayman, the chief ombudsman, said that banks need to investigate scams thoroughly before arriving at a conclusion to ensure that innocent customers are adequately compensated.
"Unlike most other complaints we see, complaints about fraud and scams involve – whether it’s accepted or suspected – the actions of a criminal third party. So it’s understandable that, in many cases, both the bank and their customer tell us in strong terms that they’re not responsible for what’s happened.
"This makes it harder for us to reach an answer both sides are happy with. But it doesn’t mean usual standards don’t apply. As our case studies illustrate, we’ll expect to see clear evidence that banks have investigated thoroughly – and reflected hard on what more might have been done to protect their customers and their money.
"We also often hear from banks that their customers have acted with “gross negligence” – and this means they’re not liable for the money their customer has lost. However, gross negligence is more than just being careless or negligent. And as our case studies show, the evolution of criminals’ methods – in particular, their sophisticated use of technology and manipulative “social engineering” – means it’s an increasingly difficult case to make," she said.
Customers can't be held responsible for scams
Commenting on Wayman's views, David Kennerley, Director of Threat Research at Webroot, said that since customers do not have the most sophisticated technology in place to monitor and detect threats that banks do, it cannot always be the customer’s responsibility to be alert to fraudulent activity and remain vigilant.
Customers cannot be held responsible because today's fraudsters are also using complex malware combined with a highly targeted delivery vector, such as personalised emails, to easily fool end users into handing over their personal details.
"Banks should take more responsibility for defending against cyberattacks and also assume the role of educator, as they possess the relevant knowledge of emerging threats, as well as the most effective defence. Cybercriminals only need to find one hole in the defence, while security professionals have to secure the entire attack surface area. It’s not an easy or simple task, but an intelligent approach of education combined with the relevant technologies – utilising smart capabilities, such as machine learning – can be used to deliver threat protection and help detect and stop attacks," he said.
James Romer, Chief Security Architect at SecureAuth + Core Security, also said that customers alone cannot be held responsible for keeping up with every scam and tactic that arises and assuming blame threatens their trust.
"Banks have a duty of care to constantly monitor, detect and neutralise new threats through investment in the appropriate technology and security expertise. Also, as banks open their APIs to authorised third parties to comply with Open Banking standards, authenticating users will become key to protecting sensitive customer information and combatting fraudulent transactions.
"Fighting fraud effectively requires a joint effort between banks and consumers, with identity and authentication at the centre of the strategy. Banks need to implement the most comprehensive cybersecurity technology which considers different factors (such as device recognition and geolocation) at the login phase and consistently apply multi-factor authentication(MFA) if risk is detected, to address the threats at the identity level efficiently," he added.