Fraud in Fintech: “What the Fraud” Podcast

TOM TARANIUK: This is What The Fraud, a podcast by Sumsub where digital fraudsters meet their match.

I’m Thomas Taraniuk, Head of Partnerships here at Sumsub. The global verification platform helping to verify users, businesses, and transactions. I’m looking forward to getting stuck into today’s episode all about fraud in financial technology. This is a truly global issue affecting economies all across the world.

Just think about this for a minute. Losses from online payment fraud are predicted to exceed 362 billion US dollars globally over the next five years. Meanwhile, consumer scams resulted in 43.6 billion US dollars in estimated losses that were shouldered by everyday people and businesses, with potentially life changing consequences.

Plus, access to the tools that make this kind of fraud achievable is becoming easier and easier. OnlyFakes is a dark web marketplace where you can buy near perfect identity documents for as little as 15 dollars. So, what can companies do to protect themselves from this criminal epidemic? And how can they work together to protect the sector as a whole?

These are just some of the questions that we’ll be addressing in today’s episode.

Today’s guest is Seun Oshinusi, Head of Financial Crime Operations at Mettle, following previous roles at Curve, Wonga and Jaja. It was a degree in criminology that led her towards a career as a fraud and financial crime professional to financial services, where she specializes in analytics, dispute resolution, and anti-money laundering, or AML.

She’s also a mentor and the founder of Slay With Seun, where she describes herself as your career and lifestyle big sis. Thank you so much for joining us on this podcast today, Seun. Great to see you here. 

SEUN OSHINUSI: Thank you so much for having me. 

TOM TARANIUK: Those are really some scary figures that I mentioned in my intro, and it really hammers home how much of a global issue fraud in fintech has become.

So to start off, Seun, with a broader question, why do you think this kind of fraud is happening on this scale? 

SEUN OSHINUSI: I think multiple reasons. I think that I think that we can’t deny that we’re in an economy right now where people are struggling financially. So I think that there is definitely an exploitation of that from the fraudster’s side.

I also think that technology has also allowed the scale of the type of fraud we see to become more sophisticated. So I think that it’s then making it a bit more possible for some of this fraud to be successful. If we think about scams in particular, What I’ve been seeing particularly over the last few years, is definitely an increase in the tactics used in social engineering.

People believe they’re speaking to the genuine institutions, whether it’s their bank, whether it’s another company, and therefore they’re coerced to transfer their own money over to these people. Fraudsters are now able to spoof genuine numbers from the bank. So when you pick up the phone, you think it’s actually your bank calling you.

They’re able to use different types of technology as well to try to get you to believe that again, you’re talking to the bank. So I think that I think it’s on a rise because I think it’s becoming easier on the fraudster side to leverage technology to be able to make a lot of these things possible. And therefore, as a result, a lot of customers are falling for it because they actually genuinely believe they’re talking to their trusted institutions.

So I think it’s a bit of both. I do think that, like, the level of sophistication has a part to play. But I also think that the social engineering methods being used are also a big part and a big factor.

TOM TARANIUK: It’s really interesting. So we’re talking about social engineering when we’re looking at people actually, well, departing with their money, whether or not it’s through phishing or other means, right?

But would you say social engineering, when we’re looking at biometrics, people parting with their ID documents, parting with things which actually will allow, let’s say, the fraudsters, whether or not it’s fraud networks or individuals who are trying to take advantage of these vulnerable people into these banks, do you see that as a massive issue at the moment or something to be aware of?

SEUN OSHINUSI: I definitely think it’s something to be aware of, I wouldn’t say it’s something that we’re still seeing at the moment, but I’ve definitely have seen it in the past. So I’ve definitely seen successful account takeover attempts. And as you say, that’s as a result of people giving away some information, whether it be like personal codes or anything like that, that allows the fraudster to then be able to intercept.

But I do think that having strong type of biometric verification can actually counter that. So I think it also depends on like what sort of technology or what sort of verification does the actual bank have in place to stop that from happening? Because I found that if you have a certain level of biometric activity or biometrics within the journey, it actually mitigates the potential of account takeover.

So whilst I think it is something that people should be aware of, I do think it’s probably a slightly easier one to try to mitigate, I would say, because I don’t think As much social engineering can actually counteract someone’s genuine biometrics. Like you can’t, there’s only so much social engineering you can do there.

I think if you have something in place to protect the customer from that, then I think you’re in a, in a good space. 

TOM TARANIUK: Definitely, and that could be multi factor authentication or looking through transaction history or ongoing transactions and seeing the pattern recognition there, whether or not they’re spending in different locations through the IP location or anything else as well.

So central to addressing frauds are the people like yourself, Seun, hard at work at these financial organizations such as Mettle, in departments such as risk compliance and payments. And sometimes, as you well know, you must assume some fraudsters will know the processes as well as you do, right? So how could you define your responsibilities as head of financial crime operations at Mettle?

And how do you enable your team to stay ahead of the actual fraudsters who may indeed understand More general anti fraud practices that you have in place.

SEUN OSHINUSI: I think it’s about trying to get one step ahead of the fraudsters, like almost kind of thinking, like, what is the next thing that we might be hit by?

And I think how to do that is by staying really engaged with your network. So, like, engage with your other, like, members in financial crime networks, in terms of, like, financial crime prevention networks, I mean. But, um, just making sure that you’re staying engaged with what’s actually happening in your industry and in your sector and what’s applicable to you.

And then taking that information internally, doing that horizon scanning, taking that information internally to say, what are the latest threats that we need to be aware of? So we actually have a threat mitigation function. And like a lot of their job is like doing a lot of that work, like scoping out like what could potentially be a threat to us.

What can we do to mitigate that? And I think that type of exercise needs to be continuous. I don’t think it should be reactive. I think you have to be proactive in order to try to stop some of this stuff. I think after a while the fraudsters can figure out the controls you have in place simply by testing it.

So I think that’s why you as an organization should also be regularly testing your controls and looking for any gaps, looking for any potential weakness. Looking for changes that you might need to make, looking for potential vulnerabilities that could be intercepted and like being a step ahead of that and actually like testing it yourself.

Like pretend to be a fraudster maybe, and see like what are your vulnerabilities? If I wanted to defraud this company today, like what would I do? And then thinking about what can we put in place to try to mitigate some of that activity? And do we have enough? Do we have the right technology? Do we have the right people?

Do we have the right resources? Do our people have the right resources? Do we have a good amount of data to kind of give us that historical look at what we’ve seen and maybe like what we might see in the future? So I think it’s like a whole exercise, like there’s multiple things that need to be happening at the same time.

But a lot of it is around thinking ahead and being engaged with what your potential vulnerabilities look like 

TOM TARANIUK: 100%. It’s an internal conversation, which is ongoing. And obviously within your community, whether or not it’s the Payments Association in London or other anti fraud days where you go and you exchange thoughts, there’s always going to be that ongoing gap analysis to where, uh, I mean, fraudsters are financially motivated.

They’re going to look for every route into your system to try and game it, try and take advantage of the community as well. And you just need to keep on playing that. Cat and Mouse, as we’ve discussed before, just to make sure that we’re ahead as well. I would love to move on to a little statistic here.

The top five identity fraud types in 2023 were AI powered fraud, fake IDs, account takeovers, force verification, and money muleing networks. What measures can fintechs take to fight these fraud schemes?

SEUN OSHINUSI: I think that there’s different things that happen at different stages of the customer journey. So I think there’s definitely a lot of like effort and work that goes into that initial verification process, like knowing who you’re like, trying to know who your customer is.

So that’s just like that initial, like, you know, is the information that’s being provided and given, like, are you confident that this person is who they say they are? And even if that’s the case, that’s still not enough to necessarily protect to Confirm whether or not that’s not going to be a mule because some of they’re using their genuine details a lot of the time.

So then there’s that next step that you need to think about of, okay, like now that the customer is in life as which is what we call it, what kind of checks are being done in life to determine whether that is like the true customer and what The actual intention of that account actually is. So it really depends on what your ongoing verification and procedures look like.

Companies could potentially like have like different triggers in place that they may want to kick in to check on particular customer activity, whatever that might look like. Maybe there might be things around like the behavior of the customer. So like maybe there might be some behavioral type of analytics that you might run.

So I think there’s different things that need to be done at different stages. So I think it’s important knowing. The person that you’re onboarding as your customer, but then I think there’s also ongoing verification that you can do more holistically to be confident in who you’re onboarding.

TOM TARANIUK: I would like to touch on APPs, something you’re probably very familiar with as well. Unfortunately. But fraud relating to APPs or authorized push payments is rife across the UK. In last year’s interview with Sifted, you said that customers were being contacted by scammers pretending to be from Mettle, saying they’d just seen a transaction attempted that needs to be cancelled.

Victims thought they’re preventing the fraud by interacting with such calls, but what they’re actually doing is authorising the transaction. So, my question here, Seun, how did authorised push payment fraud change since last year, and how do you fight against it now? 

SEUN OSHINUSI: I wish I could say that like there’s been like a drastic change since since then, but actually, I think that we’re definitely seeing, seeing more of that kind of activity.

And as I touched on earlier, I think a lot of it is down to the level of sophistication and the social engineering involved. So whilst we have enhanced our controls, and whilst we will continue to provide like a strong customer fraud education strategy and all these types of things, they’re just getting more advanced and people are still continuing to become susceptible to this type of fraud.

So I think that whilst we’re definitely seeing an increase in the activity, I do think that we have tried to do things internally to mitigate that. So there’s definitely more controls that we’ve put in place. I won’t go into the full details of that, not giving it away to the fraudsters. But, um, yeah, we, we have implemented some controls to make it like a lot more difficult for those transactions to eventually be authorized.

We have implemented a strong customer education strategy. So just really making sure that we are letting our customers know type of MO that’s out there and just regularly trying to educate them on the fact that we would never contact you. We would never ask you to share any information with us. We would never ask you to transfer your funds.

Like your money is always safe. We’re not transferring money into safe accounts, that sort of thing. So just that ongoing kind of customer education strategy, not just via sort of emails and blogs, but also within the app itself. So, and within the actual customer journey. So within the journey, whilst the customer is trying to make payments, things will be popping up, they will be like notified to let them know, like, you know, this could be a scam, that sort of thing. So trying to strike that balance between the user experience and also like trying to educate the customers. But I would say overall, it’s definitely something that’s continuing to rise, I would say amongst amongst the industry.

But I think for us, all we’ve tried to do is just continue to enhance our controls internally and externally. continue to educate our customers so that the customers are able to identify whether something’s genuinely a contact from us or if it’s from the fraudster. 

TOM TARANIUK: So APP frauds have been increasing, but would you say as well, the education for the general public is increasing and they’re better able to monitor what they should be doing and what would be a very silly case of handing out your, your information to a GMail account or something?

SEUN OSHINUSI: In my personal opinion, I feel that as an industry, Everybody has been doing really well to try to educate the customers on this type of fraud in particular. You know, even when I log into my other online banks before I can even do a transfer, I’m seeing all these different things popping up. I’m seeing all this text.

So I do think that people have done more. But at the same time, there seems to still be some kind of a disconnect between customers receiving that education and then them still being able to be socially engineered. So then that kind of tells me that maybe there is that step further that industry needs to take.

So not even just at an individual bank level, but even just as a community, as a society, like maybe even from the government top down, like there’s definitely more I feel that needs to be done. And I think that the new sort of payment service regulation that’s coming out this year, that’s going to essentially force the mandatory reimbursement for both institutions to refund customers in these cases.

They’ve made it quite tough in order to be able to hold the customer liable. So you as a bank or as a financial institution need to do a lot to prove that you’ve done everything you can to prevent that fraud from happening and to prevent the customer from being able to actually fall victim to that fraud, which I think is a good thing.

So I think that that’s definitely advancement from where we were last year with APP in comparison to now, because now that we know that that regulation is coming in, everybody has to step it up. Everybody has to make sure that their controls are robust. They need to make sure that customers are well aware of the fraud that’s out there and they need to make sure that they’re doing enough to actually stop the fraud from happening in the first place, which can be a bit more harder.

But I think that at least it creates that sort of level of accountability. And it also enhances what we need to do to meet that standard of caution that the PSR is stating out that we need to meet. So I think that’s definitely the evolvement from last year in comparison to now. But yeah, I think it’s an ongoing thing.

TOM TARANIUK: And it also enhances the trust of the community. I’ve got multiple banking apps, right? But I have preferences based on public image, everything else on certain ones, whether or not it’s been a label in the news for certain elements of frauds, not being able to look after users or actually personal experiences as well.

I would say on the other side of the coin here, businesses all over the world are increasingly adopting a card only transaction model. How does this trend increase the risk of fraudulent activity? 

SEUN OSHINUSI: I think when you say card, I mean, yes, How is that card being, being verified? How do we know it’s the actual person spending?

So, I think that, you know, I guess as long as there’s something being done in the background to actually confirm and verify that it’s the genuine customer making those payments, I would say you’re increasing more potential to card fraud, because I think there is like a lot more, especially from what we see, people’s, for somehow, fraudsters are still being able to get hold of people’s card details, their genuine card details, um, and that’s like a common thing.

So, I think that depending on how they’re verifying these card transactions, I feel like you’re definitely opening up yourself to more potential card fraud, more chargebacks, more disputed transactions. So I think it really boils down to how they’re verifying that these card transactions to be honest. 

Suggested read: What You Need to Know about Online Payment Fraud in 2024

TOM TARANIUK: Welcome back to What The Fraud. I’m Thomas Taraniuk and joining me today is the head of financial crime operations at Metal, Seun Oshinusi. Hi Tom, thanks for having me. I mentioned earlier about an illegal online marketplace that provides incredibly cheap and incredibly accurate identification documents.

In fact, 90 percent of document fraud signals are invisible to the human eye. It’s estimated that 95 percent of synthetic identities aren’t detected during onboarding. What makes synthetic identity fraud particularly challenging to identify and prevent? 

SEUN OSHINUSI: I think it would be around like what your actual onboarding procedures are.

So with us, for example, and in places I’ve, I’ve been at previously, there just isn’t that capacity to rely on just like an actual person going through that ID by themselves. There needs to be some technology to support that process. So even if it is that after somebody has tried to onboard, you have somebody that just double checks the information, but again, I feel like there needs to be some support in technology to actually call out what are the things that person’s supposed to look at. So if it is that, you know, it seems like the passport number seems fake or it seems like the picture’s fake or something like that, there needs to be that assistance from that particular technology to point out what those things are for that person to then look at.

Because like you say, I think it’s, It’s difficult to see at first glance, but I think if there is that advanced level of technology that can help identify what what it is that is being called out to look at, then I think that’s the best place to start, I would say. 

Suggested read: 4 Signs of Transaction Fraud to Watch Out For in 2024

TOM TARANIUK: Nearly half of anti financial crime professionals cited a lack of adequate resources in fighting financial crime.

Why is fighting this kind of fraud so costly? 

SEUN OSHINUSI: Yeah, it’s expensive. It’s expensive. I think there’s multiple reasons. I think that as a business, I guess you have budgets for things, right? So you’ll have a budget for losses. And if you are exceeding that budget for losses, the money’s got to come from somewhere.

So I think it’s expensive because I think that the investment required in terms of the type of technology being used is expensive. It’s not the cheapest out there. If you want the best, you’re going to have to pay for it. So I think there’s that. I think also the type of resources that you have to fight fraud.

So your actual staff, so whether that’s your analytics, whether that’s your machine learning staff, whether that’s your actual fraud investigators, your compliance team, your risk team. These are not cheap people. So these are also expensive resources to invest in. And I think that because the fraud landscape is continuously involved, evolving and you’re continuously trying to keep up with the trends and you’re trying to stay ahead of the game. There’s a level of investment that’s required in that too, and that also costs money. So I think it’s because it’s an ever changing landscape, and I think that fraud is getting harder. It’s getting more sophisticated.

The technology that you need to fight it is, is getting more like hot. I wouldn’t say it’s inaccessible. It’s not inaccessible, but it is expensive. So I think that all of those things coupled together generally makes it a costly place to be.

TOM TARANIUK: The majority of risk leaders say three things are on the rise. The volume of attacks, firstly. Secondly, the variety of attacks. And finally, the sophistication of these attacks. So this paints a fairly grim picture, as you’re probably aware, Seun. Is there light at the end of this tunnel? 

SEUN OSHINUSI: I want to say yes.

Because I think that the right kind of conversations are happening across all of the different industries. I think that like, as a industry, I think we’re coming together and we’re sharing that best practice and we’re, um, continuously like sharing information. What can we do to protect ourselves? I think that we’re becoming a lot more collaborative as well.

And I also think that as businesses, I think they’re a lot more receptive internally to try to fight fraud. And it’s not to say that that wasn’t the case, but I definitely think that the understanding around like why certain things need to be in place, why certain controls need to be in place. It can be difficult, I guess, if you’re trying to run a business and you have a function that’s telling you that you need to, you know, not put that fancy feature in the app because it’s going to cost X amount of money in fraud.

So I think that that balance is being, you would be striking that balance a lot better now. I think that like companies, CEOs are understanding why certain things need to be in place. So I think there’s that. And I do think that we are becoming a lot more collaborative as an industry as well. 

TOM TARANIUK: That is super important.

And we’re not only talking about regulators here, we’re talking about a tug of war with the internal team, marketing, UX, UI. We’re talking about sales and everyone else if we’re looking at different verticals as well on the B2B side. What do you think about adding friction to the process? And how has your team sort of reacted to that when you propose new levels of friction where it’s actually needed because you see higher levels of fraud in certain processes?

SEUN OSHINUSI: I think it’s going back to that, that collaborative piece. I think that once as an organization, you you agree that fighting fraud is everybody’s problem. It’s not just the fraud team or it’s not just the financial crime team. It’s as a business, we all need to be trying to think of ways to mitigate it. I think that helps because people’s approach and attitude towards it is collaborative.

I think also it’s, Trying to not be too reactive. So striking a good balance. So it’s not every single time like you have a particular fraud attack that you want to do something revolutionary that completely changes the app. You’ve got to have a strong business case for kind of like implementing some of these controls and also balancing that user experience.

So I think adding friction is good and I think it’s necessary. But I think it’s also trying to strike that balance between what the user experience is going to be like, and also, um, you know, how much of a threat is exposed that that particular control needs to be implemented straight away. And I think once we’re able to demonstrate that, then, you know, the teams internally are always receptive to that.

But it’s about, I guess bringing forth those discussions in a, in a way that’s constructive, having that strong business case, having the data to back up what you’re saying as well. So it’s not just a, we saw fraud today, can you shut this down in the app? It’s like, there’s got to be, you know, yeah, there’s got to be a bit of background around that.

TOM TARANIUK: Definitely a balancing act and really agree with the sentiment of what you were saying there in terms of the internal team as well, And we see this in different sectors. Even if you add a little bit more friction, it will affect maybe the conversion to a very small degree. And obviously everyone on the other side wants to mitigate that.

But if you’re looking at it from the other scope of the operations of the business, it also increases your stickiness and the trust of consumers in you knowing that they’re coming into a ecosystem where they are protected and they know that you have the proper controls in place as well. No, absolutely.

What are the three top tips that you have for fintechs, businesses, small or large, to protect themselves from financial fraud? 

SEUN OSHINUSI: So I think the first thing is really understand your customer base. So understand the customers that you’re servicing. Make sure that you have a good sort of account of what their risk profiles look like.

Make sure that you have a good risk management framework in place. The other thing I would say is making sure that. You do try to invest in some kind of technology to keep up with what’s happening. Obviously, that’s not going to be possible for everyone. But if you’re not able to invest in in technology, then invest in connecting with individuals or people in your industry that can give you that support and that understanding of what they’re seeing so that you can use a lot of that information for yourself.

And guess the last thing really is just really having a strong team in place. So when I say team, I don’t just mean like your financial crime team or your compliance team. It’s kind of going back to what we said earlier about that collaborative approach. You’ve got to have a strong team within your organization.

So all departments have to understand that there is a duty and a responsibility to try to combat fraud. And so therefore the processes they have in place should all sort of foster that environment that you all want to try and protect your customers and you want to try to mitigate fraud. And it has to be that joint approach.

So, um, I think those are the three things that come to mind. 

TOM TARANIUK: Absolutely, and it touches on both the external consumer, as well as the businesses, and you’re completely right. I think everything ties around education and collaboration, joint goals through, um, obviously enhancing and growing the business, but also protecting that community, and that community being able to think for and protect themselves as well.

Seun, thank you for joining us on What The Fraud, it’s been great having you. 

SEUN OSHINUSI: Thank you so much for having me, it’s been great.

TOM TARANIUK: Thank you for joining us for another fascinating episode of What The Fraud. Next time we’ll be looking at the hot topic of dating fraud, an issue that is becoming even more prevalent with the rise of AI and deepfakes.

Romance scams are consistently dominating newspaper columns and Netflix documentaries. One particular case that caught my eye this week was a Ghanaian social media star who pled guilty to her involvement in a romance scam organization called The Enterprise, which was estimated to have scammed innocent people out of a whopping total of 55 million US dollars. We’ll be talking to an expert to find out how these romance frauds are perpetrated and how people can stay ahead of the game and spot them before they become entangled.

There’s been a fascinating run of episodes so far, and I cannot wait to share with you what else we have in store. And as always, please like comments, follow and subscribe wherever you’re listening to us. Now, any feedback you can give is incredibly helpful and also makes it easier for other people to find us.