Mid-week, investors wiped nearly 25% off Target shares after its profit halved. Meanwhile, Walmart was down 1.3% on Thursday after already falling more than 17% in the two sessions after it announced poor results on Tuesday. 

Target’s earnings revealed consumers have been spending more on food and household essentials but cutting back on high-margin items. Meanwhile, Walmart’s earnings revealed consumers had moved to buy lower-margin basics. 

On Tuesday, Federal Reserve Chair Jerome Powell pledged the US central bank would rise interest rates as high as necessary to combat spiralling inflation.

"We think the developing impact on retail spending as inflation outpaces wages for even longer than people might have expected is a principal factor in causing the market sell-off today," commented Paul Christopher, head of global market strategy at Wells Fargo Investment Institute. "Retailers are starting to reveal the impact of eroding consumer purchasing power."

Great strides have been made in protecting the banking infrastructure from network-based attacks and securing the web and mobile application layer – often the front door into banks through customer interactions. Here Mike Nathan, Senior Director – Solutions Consulting EMEA at ThreatMetrix, A LexisNexis Risk Solutions Company, delves into the ins and outs of cybercrime in the banking sector, offering some insight into the most targeted and vulnerable victims of cybercrime.

Interestingly, fraudsters are not always responding by upping their own technological prowess but turning to con artist style tactics to simply circumvent increasingly sophisticated cybersecurity measures. We have seen a dramatic rise in social engineering attacks, a more analogue approach to hit the banks where it hurts and as a result, customers have now become the new weakest point.

So, what can be done to anticipate or prevent this sort of attack?

Based on my observations, several years ago around 70 percent of attacks against banks involved account takeovers. Accounts can be hacked into using stolen identity credentials, or off the back of a phishing campaign where the customer is tricked into entering their login credentials on a fake site. Once the account has been compromised, the fraudster then accesses their digital banking account and commits the fraud.

Today, however, account takeovers only account for half of the problem due to the rise in social engineering attacks, also known as Authorised Pushed Payments (APP). APPs involve fraudsters contacting account holders directly and tricking them into making a payment. Given that the customer appears to give consent to the transaction, and it is originating from a device that is associated with that user, these attacks tend to be more difficult to detect.

A phone call from a concerned “member” of the fraud team at a bank may make a consumer panic, and instantly put all trust in that person. The consumer might then willingly send all his or her money to a separate account for “safe keeping”. In reality, that money has disappeared and so will the member of the fraud team who made the initial call. This is a simple method of APP attacks      used today.

These fraud techniques are especially effective with some of the most vulnerable people in our society, who tend to struggle with the evolution of banking and fintech. Advancements in certain remote access tools that allow the cyber criminals to access and control the customer’s computer are making the job even easier.

If fraudsters are evolving, so must the banking industry. The first step to tackle APP is through education. Ensuring all customers have extensive knowledge on the “dos and don’ts” when it comes to digital and phone banking is of paramount importance. Email alerts reminding customers that their bank would never ask for certain information over the phone, as well as adverts raising awareness on the risks of letting another person access their computer, are but a few options that can be used to ensure customers are protected and well-informed.

It is also imperative for the bank to place protections throughout the customer journey by monitoring user behaviour and spotting anomalies that indicate fraud. Banks must be actively looking for indictors of social engineering and account takeover attacks at crucial customer touchpoints including login, setting up a new beneficiary, and making a payment. By assessing activity in the context of historical activity for that individual, key red flags can emerge to identify suspicious behaviour. An example of this could be a payment from a desktop when the customer traditionally uses the mobile app, or a longer time between login and payment than normal or remote access tools being on the device for the first time.

Once the suspicious behaviour is identified, banks can choose between blocking the transaction or alerting the customer through other means to advise them that something is out of the ordinary. The art here is to strike the delicate balance between maximum protection against fraud – while avoiding blocking or questioning legitimate transactions, which can annoy customers and drain internal resources.

Avoid basing decisions on the typical banking customer but use advanced behavioural analytics to assess how that particular individual typically transacts. By using real-time intelligence on a user’s digital identity and their historical behaviour, banks can deliver security and customer satisfaction without compromise.

Banks implementing protocols like these can help ensure that customers are not placed in harm’s way and that cybercriminals are not entering into bank systems.

It is important to follow the latest fraud trends order to keep ahead of the curve. There will always be new technologies and techniques that increase the threat posed by criminals. However, in the same way technology may sometimes play against us, it also provides us with a number of tools which help us undermine attackers and keep businesses and customers safe.

Banks and card companies prevented £1,458.6 million in unauthorised financial fraud last year, equivalent to £2 in every £3 of attempted unauthorised fraud being stopped, the latest data from UK Finance shows.

In 2017, fraud losses on payment cards fell 8% year-on-year to £566.0 million. At the same time, card spending increased by 7%, meaning card fraud as a proportion of spending equates to 7.0p for every £100 spent – the lowest level since 2012. In 2016 the figure stood at 8.3p.

For the first time, annual data on losses due to authorised push payment scams (also known as APP or authorised bank transfer scams) has also been collated. A total of £236.0 million was lost through such scams in 2017.

The unauthorised fraud data on payment cards, remote banking and cheques for 2017 shows:

• Combined total losses fell by 5% to £731.8 million.
• Losses due to unauthorised transactions on payment cards fell 8% year-on-year to £566.0 million. The industry helped prevent £984.9 million in attempted unauthorised card fraud.
• Losses due to unauthorised remote banking fraud totalled £156.1 million, a 14% rise on 2016. Banks prevented £261.4 million of unauthorised remote banking fraud, 27% more than last year.
• Cheque fraud losses fell 28% in 2017 to £9.8 million. This is the lowest annual total on record. £212.3 million of attempted unauthorised cheque fraud was prevented.
• There were 1,910,490 reported cases of unauthorised financial fraud, a rise of 3% compared to the year before.

The new authorised push payment scams data, collected for the first time in 2017, shows:

• There were 43,875 reported cases of authorised push payment scams with a total value of £236.0 million. 88% of this total were retail consumers, losing an average of £2,784, and the remainder were businesses who lost on average £24,355 per case.
• Financial providers were able to return £60.8 million (26%) of the authorised push payment scam losses in 2017.

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Fraud is an issue that affects the whole of society, and one which everyone must come together to tackle. The finance industry is committed to playing its part – investing in advanced security systems to protect customers, introducing new standards on how banks respond to scam victims, and working with the Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.

“We are also supporting the Payment Systems Regulator on its complex work on authorised push payment scams, providing the secretariat for its new steering group. It’s a challenging timetable, but it is important that we get it right to stop financial crime and for the benefit of customers.”

The finance industry is responding to the ongoing threat of all types of fraud and scams by:

• Helping to prevent customers being duped by criminals by raising awareness of how to stay safe through the Take Five to Stop Fraud campaign, in conjunction with the Home Office.
• Working with government and law enforcement to deter and disrupt criminals and better trace, freeze and return stolen funds, while calling for new powers on information sharing to allow banks to share data to detect and prevent financial crime better.
• Implementing new standards to ensure those who have fallen victim to fraud or scams get the help they need, including around-the-clock availability of fraud teams, to make it easier and better for the customer, and, where possible, improve the likelihood of their funds being recovered. UK Finance will also be the secretariat for the PSR’s new steering group on authorised push payment scams².
• Working with government on making possible legislative changes to account opening procedures to help the industry act more proactively on suspicion of fraud and prevent criminals from accessing financial systems.
• -Rolling out the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place – to every police force area in the UK. In 2017, while it was still being introduced across the country, the Protocol prevented £13.3 million of fraud and led to 129 arrests.
• Sponsoring the Dedicated Card and Payment Crime Unit⁵, a specialist police unit which tackles the organised criminal groups responsible for financial fraud and scams. This has led to a combined value in savings and disruptions in criminal activity of close to £30 million in 2017.
• Exploring new ways to track stolen funds moved between multiple bank accounts.

To help everyone stay safe from fraud and scams, Take Five to Stop Fraud urges customers to follow the campaign advice:

• A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
• Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text.
• Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number.

Tony Blake, Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, said: “With criminals using social engineering to target people and businesses directly, it’s vital that everyone follows the advice of the Take Five campaign. Always stop and think if you are ever asked for your personal or financial details. Remember, no bank or genuine organisation will ever contact you out of the blue and ask you to transfer money to another account.”

Unauthorised fraud

In an unauthorised fraudulent transaction, the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third-party.

Authorised fraud

In an authorised push payment (APP) scam, the account holder themselves authorises the payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses – which is different for an unauthorised transaction.

Banks will always endeavour to help customers recover money stolen through an authorised push payment scam but customers typically only approach their bank after the payment has been processed, once they realise they have been duped. By this time the criminal has often withdrawn the stolen funds and the customer’s money has gone. Alongside the extensive work already underway through the Joint Fraud Taskforce, UK Finance is also currently working with the Payment Systems Regulator on its proposals to tackle these scams.

Behind the data

Fraud intelligence points towards criminals’ use of social engineering tactics as a key driver of both unauthorised and authorised fraud losses. Social engineering is a method through which criminals manipulate people into divulging personal or financial details, or into transferring money directly to them, for example thorough impersonation scams and deception.

In an impersonation scam, a fraudster contacts a customer by phone, text message or email pretending to represent a trusted organisation, such as a bank, the police, a utility company or a government department. Under this guise, the criminal then convinces their victim into following their demands, sometimes making several separate approaches as part of one scam.

Data breaches also continue to be a major contributor to fraud losses. Criminals use stolen data to commit fraud directly, for example card details are used to make unauthorised purchases online or personal details used to apply for credit cards. Stolen personal and financial information is also used by criminals to target individuals in impersonation and deception scams, and can add apparent authenticity to their approach.

(Source: UK Finance)

Established in 1988, Target Professional Services is a UK-based company providing Data Cleansing and Verification solutions to the financial sector.  Target verifies that common data is accurate, complete and up-to-date. Where records are found to be out-of-date, Target are able to accurately trace and verify the data to ensure records held are always compliant with GDPR and other regulations within the Finance sector and in particular, The Pensions Regulator record keeping guidance. Here Lisa talks to Finance Monthly about the company’s services, the upcoming GDPR and its impact on the business, and her role in growing Target into a leading data verification and trace company.

With the EU General Data Protection Regulation (GDPR) scheduled to come into effect in May 2018 – what would you say will be the impact that GDPR will have on businesses?

The new regulations will require greater data accuracy and accountability. The potential to fine and the size of fines that can be imposed are significant, so GDPR should not be overlooked and needs both focus and a budget within any organisation.

What have Target Professional Services done to ensure that the company will demonstrate compliance with the directive in its entirety?

First of all, Target have reviewed and updated all of our internal processes where GDPR will require change. In addition, we are checking our suppliers to ensure that they will be compliant for the new regulations, so we are clear that we are using consented data. We know that some datasets will require individuals consent to continue to be used, so we are looking to ensure that consent is obtained or that type of data is not used.

In what ways can the company’s services assist others with becoming fully-compliant?

We are sharing our experience and understanding with our existing clients so they are clear about GDPR. We are constantly finding different levels of understanding throughout our client base and we work with them to improve their knowledge.

Could you tell us a bit about your career path?

Leaving school at 16 with 10 GCSE and unable to afford to go to University, I started work with Halifax Building Society and by 18, I had been promoted to Department Manager. However, I took the decision to leave the Halifax, as my aspirations were not in banking. At that time my father had invented a high-pressure valve cap for vehicles. He needed a BS5750 certification, so I studied the requirements and wrote his manuals for him. I also worked as a part-time book keeper for my mother, who ran a small independent debt collection agency, while I studied Accountancy, Law, Economics and credit control at night school. After successfully building a computerised accounts system for my mother, I identified a need in the market to transfer manual accounts to a computerised system and went on to support other businesses to successfully migrate their accounts data. With the merger of several rental companies in 1997, the debt collection business expanded, as did my role. Along with designing and implementing the CRM database to support the expansion, I took over the management of the Customer Service and Field Operations, before finally buying the business in 2001.

You’ve managed to build Target from a small debt collection business to a leading data verification and trace company – what were the challenges that you were faced with and how did you overcome them?

The debt market was very competitive and I had one very large client when I took over the business.  I knew that I had to change the dynamics and the markets the company operated in. We entered the Pensions Market bringing innovation and competitive pricing at a time of regulation change. Target has focused on Customer Service, Data Quality and flexibility to ensure that our business does not become stagnant and stale. We bring innovation to solve the problems legislation brings to the industry and to ensure that our clients are always ahead of any changes.

What would you say are the company’s top three priorities towards its clients? How has this evolved over the years? 

Our philosophy in working with our clients remains the same today as it’s always been. We look to develop long standing working relationships with all of our clients and understand what they require from us. Every client is different so we also look to be flexible in order to suit each client’s needs.   Target has always been industry innovators and this is still a driver for us today, as tracing and data availability changes and develops.

Looking into the rest of 2017 and beyond, what does the future hold for you and Target?

We see opportunity to apply what we do to many different industries, especially with GDPR soon upon us. We predominantly work in the financial services sector and then mostly, in the pensions sector, but tracing and data screening is of value elsewhere. We are exploring such opportunities and offering solutions in new markets. Contact us if you think we can help you. Through a partnership approach we may be able to offer you a service that gives value to what you do.