February 22, 2019
February 20, 2019
Posted January 22, 2019
Google Maps is a trusted, go-to app used by millions of consumers every day. But is it also becoming a dangerous new front in the battle against online banking fraud?
According to reports, cybercriminals are manipulating the information displayed on Maps by replacing the contact details for local banks with their own. Callers are then conned into revealing bank account login credentials, credit card numbers and other sensitive information. In other schemes, fraudsters replace the bank’s web address with a link to a phishing site. The victims are none the wiser as these thieves empty their bank accounts.
And why not? This is seen as a simple scam, since Google allows users to edit the information it displays. Circumventing existing safeguards is said to be quite easy. And the app’s status as a trusted brand may leave users far too trusting. Whatever the case, this form of cybercrime appears to be on the rise.
Police in India, for instance, have reported multiple Google Maps scams in recent months, including three different schemes targeting the Bank of India in a single four-week period.
Just as with other phishing attacks, consumers who fall prey aren’t the only ones to pay a high price.
Even though they too are victims in these scams, banks can find themselves blamed under the mistaken belief that they have total control over the information displayed in Google Maps.
What’s more, reputational damage can result when frustrated customers overwhelm call centers, or rage in social media. A parade of negative news stories don’t help, and will always be just a Google search away. For its part, Google is deploying AI-based tools to better spot these scams. But what of the banks themselves?
The fact is, despite being a novel approach, Google Maps scams and other search poisoning tactics are just a few of many multitudes of ways cybercriminals can harvest customer login credentials in order to plunder accounts. In a world of endless data breaches, things like stolen usernames and passwords are uncomfortably close to dime-a-dozen territory these days.
And while fraudulent transfers or withdrawals are bad enough, that’s not always the immediate game plan. The personal information within a hijacked bank account can be used to apply for loans or credit cards, or to open new accounts with a mobile carrier.
Confirming identity grows more complicated when the fraudster has access to the victim’s transaction history, and has already added their phone to an account—as financial institutions and other businesses have been finding out the hard way in recent months.
In other words, even when there’s no immediate theft, it’s only a matter of time before the bank becomes collateral damage. Whether it’s through an elicit transaction, or the customer’s own efforts to piece together the trail of fraud, all roads eventually lead back to the bank.
Efforts to stop fraudsters have led some financial institutions to enact overly-aggressive policies and additional identity proofing requirements. But customers get irked when they’ve got to jump through hoops to login or complete a transaction, even as cybercriminals find clever new ways to bypass these controls anyway.
Among savvier firms, a number are turning to modern, digital identity-based user verification and assessment technologies that can detect when it’s really a fraudster who’s logging in from a new location, transferring funds to a foreign account, or updating profile information with an out-of-state phone number or other incongruous information.
Some are gravitating toward solutions that employ behavioral biometrics and advanced machine learning capable of connecting the dots between users, their devices, accounts, locations and a host of online and offline identity attributes that can’t be stolen or abused.
Instead of focusing on trying to puzzle out “the bad,” these solutions shift the emphasis to establishing “the good” in terms of normative devices and behaviors informed by shared global identity intelligence, so anomalies surface instantly, without creating user friction.
It appears to be working. One international banking operation that has deployed these solutions reports it was able to block more than $250,000 in fraudulent transactions in just the first month.
It definitely beats the alternative. According to data from LexisNexis Risk Solutions, banks now pay an average of $2.92 for every $1 lost to fraud, thanks to labor costs, investigations, legal fees, those call center operations and more.
That’s an 8.5% increase from 2017. At that kind of rate of fraud growth, it’s likely that the status quo will cost more than bold action.
Besides, whether it’s through Google Maps scams or some other avenue, consumers expect their financial institutions to protect them from the fraud that results from compromised identity credentials. If you can’t protect them, they’ll defect to a bank that can.
But when customers come to feel their bank is committed and capable of looking out for them, the overall customer experience is dramatically enhanced. And according to studies from Bain and Company, businesses that can deliver a superior experience can boost customer loyalty and lifetime value by up to 14X.
That might even be lowballing it. With losses from cybercrime expected to top $1.4 trillion this year, banks and other businesses that can protect customers from online fraud possess a compelling differentiator. Especially when the competition’s cybersecurity efforts are all over the map.
Download this case study to learn how Lloyd’s Banking Group’s digital identity-based approach to user authentication and verification helps it detect and disrupt online banking fraud.