Fraud worth millions in Polish banks. How to protect your money according to mBank?

Maciej Rudke, journalist of Business Insider Polska: The study you commissioned shows that 87 percent of Poles have encountered fraud attempts, and almost half of them have either lost money themselves or know someone who has lost money this way. Are fraudulent transactions involving bank customers a big problem?
Krzysztof Dąbrowski, vice-president of mBank: This is a concern because our customers are losing money – and not only ours, but customers of all banks. However, this is a “silent problem”: even though Poles are robbed en masse, very little is said about it. Taking into account the sums that are extorted from them quarterly or annually, the scale is large.
What amounts are we talking about in the banking sector?
It is difficult to obtain precise data. We estimate that this amounts to several hundred million zlotys per year in the entire sector. I don't know if it's half a billion or three hundred million, but it's that order of magnitude. This is also suggested by NBP statistics.
Key universal digital identity and its verification
Would you expect more help from the state?
This is a situation that banks cannot cope with on their own. Because in fact it happens outside banks – money is extorted directly from customers. The only connection with the bank is when the customer makes a transfer. He might as well withdraw the cash, carry the suitcase and leave it for the crooks under the bridge.
See also: Poles lose millions on fake transfers. The National Bank of Poland publishes alarming data
It's just more convenient for thieves to have it be a digital transaction. Moreover, they take less risk and do not have to appear in person. Something big is happening, but at the same time this problem is widely underestimated and treated as marginal.
So what can the state do to help?
Universal digital identity and its digital verification are crucial. We must reach the point where every Pole has mObywatel and can easily verify with whom he is talking on the phone or corresponding via instant messenger. Education and the habit of checking should be the basis. If someone calls and pretends to be an employee of a company, it should be possible to check whether the company is on the Polish Financial Supervision Authority's warning list.
The problem today is that on the Internet we cannot verify who we are talking to, so people rely on faith. We need to stop believing and start using technology. The success of mObywatel is the foundation on which we must build. Poles should have an easily verifiable digital identity.
Krzysztof Dąbrowski, vice-president of mBank, Operations and IT. (Photo: mBank)
What do we know about the perpetrators? How organized are they?
We don't know much, we can only guess by analyzing their modus operandi. We won't know the details until there are investigations and arrests. However, we see that they are professional and well organized. The market may be divided into a few large players who are able to reinvest the “earned” – that is, stolen – money.
Fraudsters operate like an enterprise, they run a “sales business” that changes and improves its methods. If, for example, a grandchild fraud method has a poor “conversion rate” and it becomes increasingly difficult to extort money in this way, it is modified or abandoned. It's a kind of Darwinism: scenarios that don't work disappear. Those that work are “tweaked” until they wear out and people stop using them.
What does this evolution look like?
For example, in the “bank employee” method, one person called first. If the “conversion” was weak and the fraud was increasingly rare, two people started calling: first the “consultant”, and then a supposed employee of the security department. Scenarios with three people are already appearing. For them, it's a small cost – it's still three people sitting in a call center.
Let's talk about victims. How much money is stolen from customers? Are companies also cheated?
In the case of retail clients, in fraud using social engineering methods, when the thief convinces the victim that he is talking to someone else, that his money is at risk or that there is a great investment opportunity, the amount may be large, ranging from several dozen to several hundred thousand zlotys. Frauds involving a million or more are less common.
Millions are sometimes stolen from companies. Fraud is much less common there because the companies employ professionals, but when it does happen, it is for larger amounts. In the case of companies, it is often “at their own request” due to the lack of procedures or failure to follow them. For example: if an accountant makes a transfer on the strength of a phone call from the president, all that is needed is a prepared telephone number or e-mail.
Artificial intelligence can be a problem
Is artificial intelligence already visible in the activities of fraudsters? Do criminals use it to fake voices and images?
It doesn't look like science fiction yet, where the voice of a mother or husband is cloned in real time so that the client doesn't notice. Targeted deepfakes, i.e. prepared for a specific person, may for now be the domain of attacks on the wealthiest people, where the “reward” for thieves is large.
However, AI is also used to authenticate oneself – generating false documents, photos of offices or thousands of virtual identities. The thieves have almost certainly automated the sending and processing of emails. They work like a sales funnel. There is a rule from the book “Freakonomics” regarding spam: why are these emails so stupid and unreliable?
Well, why? There are such absurd methods as those of a Nigerian prince or an American soldier.
To weed out the skeptics. They need gullible people. An aware person will quickly figure out the second step and it will be a waste of time for thieves. The email is designed in such a way that a skeptical person will laugh at it and not reply.
The “fail fast” principle, known in business, is used: if the “investment” in a customer is not to be recouped, it is better to do so as soon as possible, before further costs are incurred. Thanks to AI, it is now possible to guide the victim through the first few steps automatically, without human intervention, which reduces expenses.
Returning to the previous question about AI, when will we reach the point where thieves will use artificial intelligence in real time to fake e.g. voice or image?
It's hard to say. Maybe next year, maybe later, but it will mean big challenges.
This is the position of banks regarding unauthorized transactions
What about unauthorized transactions? Recall that there is a difference of opinion between banks and the Office of Competition and Consumer Protection as to the banks' liability for the consequences of transactions which customers claim were unauthorized. I.e. most often, the transaction is authenticated correctly by the customer, but later he claims that he was cheated and wants his money back. The Office of Competition and Consumer Protection wants banks to always return the money within D+1 (by the end of the next business day) in such cases.
Banks believe that cryptographically confirmed authorization cannot be forged. For the Office of Competition and Consumer Protection, a recording of the client's voice and his “will” is more reliable, but in the era of AI the voice will be counterfeited in a way that is indistinguishable. It is not the bank's task to guess what the customer was thinking and whether he actually wanted to make the transfer.
We must distinguish two things here. There is a transaction of exchange of goods – e.g. buying a car and a payment transaction – transfer. If a customer buys a car and is cheated by the seller, he or she has a claim against the seller of the car, not against the bank. He could have a claim against the bank if we did not deliver the transfer or delivered it despite the lack of the customer's order.
It's worse when the customer sent the transfer himself, but still holds a grudge against the bank, claiming that he did not authorize the transaction. This is the crux of the problem – determining responsibility for the alleged unauthorized transactions.
If the customer says “make a transfer”, the bank will make it. If someone impersonated a customer and we didn't detect it – it's our fault, we give the money back. I will say more: if the client proves that he acted under direct coercion, e.g. someone forced him to do it by threatening him with a gun, even at an ATM – we also return the money, even though technically there was authorization.
The problem is that these are very rare situations. Most often, customers order a transfer voluntarily because they believe the fraudster and are often unable to verify his identity or the account number to which they are sending the money. Banks should not return money to someone who – counting on a great investment promised by fraudsters, e.g. in cryptocurrencies – made a transfer voluntarily.
Our position is that if the customer has consciously consented to the transfer or payment transaction, the circumstances of the transaction of exchange of goods and services that he or she concluded are no longer the bank's business. In such a case, the financial institution is not a party to the transaction. The bank only takes part in the money transfer operation. It's as if someone made a mistake and sent a signed, but still negotiated, contract too early, the terms of which were not satisfactory to him, and he had a grudge against the postal operator. Or if he ordered an allegedly unauthorized transfer over the phone and had a claim against the telecommunications company.
On the other hand, these are your customers, banks should take care of them. Maybe it's the banking systems that need improvement?
In none of the fraud cases was the bank's security breached. The systems are safe. However, we try to help by detecting anomalies. Very often, certain payment transactions are unusual for a given customer, but they are typical of some fraud scheme. For example: if a client has been saving for 10 years and suddenly stops depositing and makes one big transfer to a “suspicious place”, we react.
What does “suspicious place” mean?
When we see something suspicious happening, we react and say: “we think someone is trying to rob you.” Unfortunately, in most cases we hear in response: “I know what I'm doing, please make the transfer.”
Customers must take responsibility for their actions
Maybe you should act against the client's will for his good and block such transactions?
We operate within the limits of the law. If the action is not illegal, we cannot refuse. This is a philosophical dispute: whether personal freedom should be limited for the greater good or whether personal freedom can allow one to risk losing one's life savings.
It's like “forcing” people to wear seat belts – “libertarians” say it should be a personal decision for each person. We cannot take responsibility away from people. If they have freedom and decision-making, they must bear its consequences.
We help customers, provide information and warn them, giving them the opportunity to make the right decision. But it is the client who makes this decision and is responsible for his actions.
What tools can help in the future? Banks announce that they will introduce “trips”, i.e. solutions that are intended to increase the chance that a bank customer will calm down at the last minute and not transfer money to fraudsters. An example is the transaction blocking function introduced by mBank.
This is another “trip” that will give the client a chance to reflect. We have been consistently teaching people how to use banking safely for decades and that is why we have introduced the option of blocking transactions. This is a real advantage for the client, because in a situation where there is a shadow of doubt, you can immediately remove the risk from the transaction and at the same time maintain full visibility of the account and contact with the bank.
One of the important elements is Verification of Payee. This solution is introduced by EU regulations and allows you to verify the recipient of the transfer. Before the customer sends the transfer, the system will confirm whether the recipient's name matches the account number. This should help avoid common mistakes as well as fraud. It will be another tool given to customers so that they can make informed decisions. But you can still imagine a situation where fraudsters will still convince the customer – seeing the data inconsistency – that everything is fine. Therefore, it will not be a remedy for all problems.
Author: Maciej Rudke, journalist of Business Insider Polska
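The two protective mechanisms mentioned in the interview, Verification of Payee (does the name the customer typed match the name registered for the account number?) and the anomaly check on a transfer that is out of character for the customer, can be illustrated with a small model. The code below is an added example written for this article; it is not mBank's code and not the EU scheme's actual matching rules. The payee directory, the IBANs, the name-similarity threshold, the "five times the largest recent transfer" rule and the minimum history length are all constructed assumptions; a real implementation would query the bank's payee database and tune its thresholds on observed fraud.

```python
"""Illustrative pre-transfer checks modelled on Verification of Payee and
customer-behaviour anomaly detection. Simplified teaching example: not mBank's
system, not the EU VoP scheme's rules. All accounts, names and amounts are constructed."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for the payee lookup a bank would perform (hypothetical data).
PAYEE_DIRECTORY = {
    "PL61109010140000071219812874": "Jan Kowalski",
    "PL00000000000000000000000001": "Firma Budowlana Nowak Sp. z o.o.",
}

# Polish ł/Ł have no Unicode decomposition, so NFKD alone would not fold them.
_EXTRA_FOLDS = str.maketrans({"ł": "l", "Ł": "L"})

CLOSE_MATCH_THRESHOLD = 0.8  # assumed value; real schemes define their own matching rules


def normalize_name(name: str) -> str:
    """Fold case, diacritics, punctuation and spacing so that
    'Michał Żółw' and 'michal zolw' compare as equal."""
    folded = name.translate(_EXTRA_FOLDS)
    decomposed = unicodedata.normalize("NFKD", folded)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    letters_digits = re.sub(r"[^a-z0-9\s]", " ", ascii_only.lower())
    return " ".join(letters_digits.split())


def verify_payee(iban: str, entered_name: str) -> str:
    """Return MATCH, CLOSE_MATCH, NO_MATCH or UNKNOWN_ACCOUNT for the typed payee name.
    A CLOSE_MATCH (typo-level difference) is surfaced to the customer rather than
    silently accepted, because a fraudster's account will usually be a NO_MATCH."""
    key = iban.replace(" ", "").upper()
    registered = PAYEE_DIRECTORY.get(key)
    if registered is None:
        return "UNKNOWN_ACCOUNT"
    typed, stored = normalize_name(entered_name), normalize_name(registered)
    if typed == stored:
        return "MATCH"
    if SequenceMatcher(None, typed, stored).ratio() >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH"
    return "NO_MATCH"


def unusual_amount(history: list[float], amount: float, factor: float = 5.0) -> bool:
    """Flag an outgoing transfer far above anything in the customer's recent history.
    The factor and the minimum of three past transfers are illustrative assumptions."""
    if len(history) < 3:
        return False
    return amount > factor * max(history)


def pre_transfer_checks(iban: str, entered_name: str, amount: float, history: list[float]) -> list[str]:
    """Collect the warnings a customer would be shown before confirming a transfer.
    The bank warns and lets the customer decide, as the interview describes."""
    warnings = []
    payee_result = verify_payee(iban, entered_name)
    if payee_result != "MATCH":
        warnings.append(f"PAYEE_{payee_result}")
    if unusual_amount(history, amount):
        warnings.append("AMOUNT_UNUSUAL_FOR_CUSTOMER")
    return warnings


if __name__ == "__main__":
    past_transfers = [200.0, 350.0, 180.0, 400.0]  # constructed history of outgoing transfers
    print(pre_transfer_checks("PL61109010140000071219812874", "Jan Kowalsky", 25000.0, past_transfers))
```

The normalization step matters more than it looks: without folding diacritics, a payee registered as "Michał" and typed as "Michal" would produce a spurious mismatch, and customers who see false alarms learn to click through real ones, which is exactly the failure mode the interview warns about.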