How to fight online fraud?
Sponsored content
Financial fraud is evolving rapidly. But what are the specific challenges facing financial institutions? This was the subject of the latest episode of the Evergreens by Spuerkeess podcast, now available to read.
In this first episode of a three-part special, podcast host Bryan Ferrari talks to his three guests about fraud prevention and detection methods, the key role of the ABBL in this context, and the opportunities and risks associated with the use of AI.
Camille Seillès is Secretary General of the Luxembourg Bankers' Association (ABBL). He is a member of the Conseil économique et social du Grand-Duché de Luxembourg and of the Comité consultatif pour la réglementation prudentielle of the Commission de Surveillance du Secteur Financier. Steve Muller is a cybersecurity specialist at the Ministry of Economy. He is Technical Advisor and Trainer at BEE SECURE, focusing on security awareness through various educational initiatives. Serge Wagener is Vice-President and Head of Business Unit Payments at Spuerkeess.
Bryan Ferrari (Host): Today's episode is about cybersecurity. According to the newspapers, cases of fraud are on the increase. Is this really the case?
Steve Muller: At the BEE SECURE helpline, we can see that the figures are rising. On the other hand, you have to ask yourself whether this is due to more cases of fraud or whether it's the visibility of our helpline that's increasing. But from what we see with our partners – the public prosecutor's office, the police and so on – I'd say that cases are increasing rapidly.
Bryan: That's at retail customer level. Are we also seeing a trend at institutional level?
Camille Seillès: The number of phishing cases reported to the police rose sharply between 2020 and 2023. In 2020, we had 28 cases, which was 4 years ago. In 2023, there were 1,310, according to figures from the Ministry of Interior.
Bryan: Perhaps we can talk in more detail about phishing to start with. What is phishing and what are its main characteristics?
Serge Wagener: Phishing is the most common form of fraud. For the fraudster, the royal road is to obtain the password and all the customer data so that he can impersonate the customer. I belong to a banking association with which we have drawn up a taxonomy to structure the forms it takes. We've categorised around twenty of them: phishing, manipulation or simply selling something that doesn't exist. Fake investments, extortion or emotional manipulation, you name it.
Bryan: What is a typical case of phishing?
Serge: First of all, the customer is contacted – it could be by text message or by call – and manipulated so that they slowly come to trust their counterpart. The aim is to extract information from them – confidential data and access to their S-banking accounts – and ideally to get them to carry out a transaction that they would never have done in the first place.
Bryan: How do these fraudsters gain access to customer addresses? Is there a loophole in the system?
Steve: Today, email addresses are no longer private information. It's available everywhere. So it's quite easy to get a list of people with their email addresses. You can even buy them on the notorious Dark Net. What's more, with all the data leaks we have, there are criminals who not only receive email addresses as lists, but also a whole host of additional information. When it's a company's customer information, the criminals can carry out even more plausible phishing because they're going to use information that in theory only the customer, or the company, can know. But phishing, of course, goes beyond that. It's not just about having this information, but also having access to your mailbox or social network and pretending to be someone the victim trusts.
Bryan: So there's a direct link with data breaches? If you see that a company at which you have an account has been hacked, you should change all your passwords.
Steve: Absolutely. If such a leak becomes known, you have to expect this kind of phishing and all sorts of manipulations. For example, if your electricity supplier is now being scammed, if there's a data leak, expect to receive an email or even a forged letter from your so-called electricity supplier telling you that there's an unpaid bill.
"For the fraudster, the royal road is to obtain the password and all the customer's data so they can impersonate the customer."
Serge Wagener, Spuerkeess
Bryan: How are financial institutions dealing with these challenges? What new or future measures have been put in place to counter-attack?
Camille: We can start from the observation that, despite the use of new technologies and greater sophistication, the human factor is always there. So we need to raise awareness among the general public. In our view, this is where we can and must work. At the ABBL, we have a foundation for financial education, which has launched a dedicated site called "Sécher am Internet" where you can find tips on how to behave properly and avoid online pitfalls. We could also consider campaigns to raise awareness among the general public. The provision of dedicated tools with an anti-fraud helpline – 49 10 10. Then, of course, there is the training of bank staff, more generally in the fight against financial crime. Afterwards, these criminals will try to reinject this illegitimate money into legitimate channels. That's the whole point of the fight against money laundering.
Bryan: Within a bank, I imagine that doesn't make it any less cumbersome.
Serge: That's obvious. Customers expect payments to be executed quicker and quicker, so the speed with which fraud can be organised increases. So we have to invest in increasingly sophisticated mechanisms to detect fraud. We have measures where, for certain transactions, we interrupt the automatic flow to call a customer and ask them to confirm their payment. In quite a few cases, this helps to thwart fraud. But it's extremely difficult to determine how far we can go to interrupt the normal flow and annoy customers for payments that they actually want to make. On the other hand, what we will never do during these calls is ask for additional information. It's simply the question: "Do you really want to do this transaction? Yes or no" – that's it. Scammers play with this in particular. The customer is contacted and put in an emotional state of stress. Then they tell them that they have to solve this or that problem by sharing additional information. When a customer takes his car to the garage for repair, he thinks it's normal not to be involved in repairing the car. Here, when something goes wrong in a transaction, the bank will never ask the customer for help or ask him to participate in rectifying something. The bank has all the tools to do it on its own.
Camille: The acceleration of money flows is a point to keep an eye on. Last week, I was at a conference on financial crime, where an observation was made that I think is very telling. It said that criminals work at the speed of money and that we, the authorities and market players, work at the speed of law. How can we ensure that the legal framework keeps pace with the acceleration of financial flows? One area that is already well advanced is the exchange of information, whether between authorities and market players or between market players themselves. We talked about the European framework for payment, which continues to evolve. It will soon require payment service providers to exchange information and data on fraud. This is already working in some countries. I'm thinking of the Netherlands, where such a system is in place. It has reduced the number of fraudulent transfers by almost 80%.
Bryan: That's for financial institutions. What about normal businesses or SMEs?
Steve: For SMEs, it's more difficult because there are no regulations. SMEs are not forced to do anything. That's why they don't have a framework. For each SME, it depends on its manager. If the manager knows a bit about it or is aware of it, he might do something about it. But unfortunately, most managers are not. After all, they're not IT specialists.
Bryan: So financial institutions, thanks to the regulatory framework, are better equipped. But what could be improved?
Steve: I think it would be good to raise awareness among private individuals, because it's private individuals who work in these companies. It's not a task that should be given to the companies themselves. I often hear that people have lost all confidence in financial infrastructures. That's possible, yes, but we still have to deal with it. So I'm more of the opinion that we need to comfort these people and show them that the world isn't just bad, but how to recognise these attempts with examples.
Serge: For our part, we're also investing in technology. One of the avenues that the whole industry will be pursuing next year is beneficiary verification. When customers want to make a transfer, the beneficiary's bank will confirm that the account number matches the name of the account holder. This should provide additional security. What's more, the tools that enable us to analyse data and, where necessary, detect fraud are becoming increasingly sophisticated. And then, last but not least, artificial intelligence will be added to the mix.
"Criminals work at the speed of money and authorities and market players at the speed of law."
Camille Seillès, ABBL
Bryan: We're working on prevention and once the money is in the system, other measures can be taken to stop the laundering… Isn't that right, Camille?
Camille: Of course. The way in which a bank works, manages its risks and deals with them is standardised by a European framework and the system known as the "three lines of defence", in which each banking player has a role to play in detection. Firstly, those in direct contact with customers. It is up to them, on the basis of their knowledge of customers and the local environment, to report unusual activities without delay. To do this, they can rely on what we call the second line of defence: the Risk and Control Department, which ensures that controls are effectively implemented on the ground. Internal audit, then, comes in behind the scenes, as it were, to check and assess that the control processes are sound and meet the requirements. Then there is the external auditor, who has a role to play in assessing the robustness of controls within the bank. At the very end, you have the supervisory authorities. In Luxembourg, it's the Commission de Surveillance du Secteur Financier (CSSF), which intervenes at two levels: there are annual controls on a declaratory basis by the bank, which is asked to assess the robustness of its internal framework itself, and there are on-site visits. So, at regular intervals, the CSSF comes to the bank and audits the framework in place.
Bryan: That all sounds pretty heavy… To lighten the debate a bit, do you have any examples of fraud that have surprised you recently?
Steve: On the BEE SECURE helpline, one of the biggest scams we hear about is online shopping. Then there's what we call the romance scam. The victims are single people looking for a new partner online. Here, there are people posing as someone who is romantically interested, but whose sole aim is to steal their money. Then there are more and more people pretending to be someone else. The bank that calls you and tells you that there's a problem with a transfer and that soon you'll receive a request on your LuxTrust App that you'll have to sign. People think that because it goes through the LuxTrust system, which is secure, it's OK.
Serge: One example that impressed me more for its effectiveness and impudence than for its ingenuity was the following. The fraudsters approached the customer by conventional phishing – email or phone call. They talked to the customer, pretended to be the bank and explained that they had seen that the customer had carried out such and such transaction, but that there were also other transactions, asking if it was the customer who had carried them out. Obviously not, because these transactions did not exist. It was a Friday at eleven o'clock in the evening. They performed their illusionist act and managed to convince the customer that he had to hand in his LuxTrust token as well as all his cards with all their PIN codes, wrapped in a plastic bag, and that a bank employee would come to collect everything from his home. Someone did indeed turn up, a young man. The customer handed over everything. Obviously, the cards had been used to the limit. In such a case, we can only recommend that customers stop everything and call 49 10 10 to block all their cards and the LuxTrust certificate. It's an emergency measure, but it's the speed with which you react that counts.
Bryan: The customer's first reflex should also be to think that if the message arrives somewhere other than the banking application, it's suspicious?
Serge: That's a very strong indicator, yes. We never contact customers by email.
Bryan: To conclude, how can we combat fraud in the future?
Camille: We've talked about the speed and creativity of fraudsters. The added value we can hope to bring in this situation as a banking association is the exchange of best practice between members. We have various working groups on cybersecurity, and on phishing in particular. I think that the exchange of information between players is vital, because some of them are faced with scenarios that are perhaps still unprecedented, and so it makes sense to raise awareness among their peers at an early stage, and then it's up to each of them to pass on this information to the general public, where the tools exist to be developed further in the future.
Bryan: The key word is awareness, caution…
Serge: And a healthy dose of mistrust towards situations that are a priori fortuitous.