Introducing "Friendly Scamming"
Abstract
Despite billions of scam prevention messages delivered annually to customers by Financial Institutions (F.I.), scammers stole over $10.3B from U.S. victims in 2022¹, a 49% increase from 2021. This total would place scams at #295 on the U.S. Fortune 500. We concluded from reading crime reports, consulting with F.I.s, talking to victims, and conducting behavioral research that scam education does not deliver on its educational mission. Customers ignore messages due to Selective Attention, and the delivery does not involve learning by doing (i.e., the Hot Stove Effect). To become effective, scam education needs to be re-imagined and delivered through alternative methods, such as “Friendly Scamming.” This approach will challenge internal F.I. stakeholders but will be much more impactful than the status quo.
Scam Education
For years, banks have educated customers on topics ranging from Don’t Become a Money Mule to Don’t Cash Fake Checks. Every text message has the disclaimer that the Bank will never call or text you for a one-time passcode (OTP) or for personally identifiable information (PII). F.I.s embed scam prevention messaging in text messages, in mobile apps, in front of Zelle payments, on website landing pages, and in call center hold queues to caution customers. Security experts preach that customer education is a foundational layer of fraud prevention, and most bank regulators expect this as an element of commercially reasonable security.
Yet, how successful has “Embedded Scam Education” been in preventing customers from being scammed?
Qualitative Effectiveness of Scam Education
When interviewed, those who work in fraud prevention will say that no matter how much F.I.s educate their customers, customers consistently fall for scams and give away the keys to the authentication kingdom, including User ID, Password, OTP, Social Security Number, Date of Birth, and other forms of PII. With this information in hand, scammers take over accounts, exfiltrate funds, and sometimes forge invoices to third-party organizations to steal even more funds. The psychological trauma of some scams, such as Romance, is so intense that some customers need to be deprogrammed before the Bank can convince them that “Natasha” is a scammer and not their bride-to-be. These events are stress-inducing, leaving victims mentally and emotionally confused during and after the event.
Quantitative Effectiveness of Scam Education
Quantitatively, the FBI’s Internet Related Crime Report shows that while complaint volume has grown 2X over the past five years to 800K, customer losses grew at a rate of 5X from $2.7B to $10.3B (i.e., an average loss of $12,860). As such, if the simplest measure of success is a decline in both the complaint volume and annual losses, then the current approach does not get a passing grade. Conversely, from the Scammers’ point of view, it is highly successful; they have few natural predators (e.g., law enforcement won’t look at thefts under certain thresholds), and unless there is a change in the status quo, scam volume and scam losses will continue to climb. From the Regulators’ point of view, if complaints continue to rise and losses continue to climb, there will be more pressure for changes that impact the customer experience and the F.I. bottom line.
[Figure: Scam Complaints and Losses, 2018-2022]
Selective Attention diminishes effectiveness
To improve Scam Education, we need to understand why it isn’t working. When someone accesses their bank mobile app, website, IVR, ATM, or Call Center, the user is in task mode: checking their balance, paying a bill, sending money, disputing a charge, etc. The customer is on a mission to complete a task before they go back to caring for their kids, cleaning a dish, or taking care of some other aspect of their life. Customers do not use online banking to learn about scams. Because of this, their brains apply what psychologists call Selective Attention, which is the process of focusing on a particular object in the environment for a certain period while suppressing seemingly less relevant objects.
Average Online Attention Span diminishes effectiveness
Everything from social media and billboards to news channels and marketing content competes for our attention. Attention is a limited resource, and from the early 2000s to today, the average online attention span has changed from 150 seconds to only 40 seconds². This means our minds and consciousnesses are developing in a way that limits how much external information we can process. In short, we focus on the task at hand, such as sending a Zelle, and ignore the scam prevention message that pops up in front of it.
The Hot Stove Effect
How do humans learn to avoid bad outcomes, like burning their finger on a hot stove or being scammed? Fraud prevention experts agree that customers learn best about scams and scam prevention by being scammed. In other words, they learn by touching a hot stove, but this burn usually involves losing anywhere from hundreds to millions of dollars. Touching a hot stove or being scammed are examples of classical conditioning, where the subject learns through association.
“Friendly Scamming”: a New Approach to identify and educate susceptible customers
By recognizing that customers use Selective Attention to filter out extraneous noise from their banking tasks and that they learn best through direct experience, it becomes clear that a new approach to Scam Education would be to run “Friendly Scamming” campaigns similar to those real scammers run today. The goal of “Friendly Scamming” is to identify and educate susceptible customers.
Similar to Friendly Phishing already deployed by most companies
“Friendly Scamming” is like “Friendly Phishing,” which has been adopted by corporate America to provide simulated phishing exercises to the entire staff two or three times a year. According to a leading provider of phishing awareness testing, 38% of untrained employees are “Phish-Prone” in that they fail a phishing test. That falls to 14% after 90 days of training and 4% after a year of training³. However, since we do not use similar tools and learning approaches with consumers, we can assume a high percentage of them are “Scam-Prone” and will remain so no matter how many scam prevention messages they receive.
Applying the Hot Stove approach to Scam Education
“Friendly Scamming” applies the same “Hot Stove” approach used with employees to F.I. customers. It’s a “Hello” text message that begins a text conversation; it’s an email about an amazing crypto investment; it’s a text message asking if you recently spent $300 at Target followed by a phone call from the Bank’s “Fraud Department”; it’s a text message from your boss asking you to purchase several $100 gift cards. This scam, however, is conducted by “Friendly Scammers,” who, after leading you partially down the treacherous trail, ultimately reveal themselves and let you know what could have happened. The customer touched a warm stove, not a hot one. No harm, no foul, but message received.
Internal Challenges to implementing a new approach
A “Friendly Scamming” program will challenge F.I. leadership, and questions will abound: Is it possible? Is it legal? Is it scalable? Will we damage the brand? Does our customer agreement allow it? How will we handle customer backlash? But what is the alternative? More ignored messages, more restrictive functionality, more alerts, more disputes, and more regulations? Through “Friendly Scamming,” we can finally educate customers through direct engagement and start reversing the number of scam complaints and losses.
Conceptual Approach
In our next article, we’ll share how we envision companies deploying a Friendly Scamming Program and will tackle the pros and cons of deploying this new, enhanced approach to scam prevention.
¹ FBI IC3 2022 Internet Crime Report https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
² American Psychological Association, Why our attention spans are shrinking, with Gloria Mark, PhD https://www.apa.org/news/podcasts/speaking-of-psychology/attention-spans
³ KnowBe4 Report Finds 37.9% of Untrained End Users Will Fail a Phishing Test https://www.darkreading.com/attacks-breaches/knowbe4-report-finds-37-9-of-untrained-end-users-will-fail-a-phishing-test
About Jerry Tylman, Greenway Solutions, and Fraud Red Team
Jerry Tylman is a Partner and Co-Founder of Greenway Solutions, a leading provider of Fraud Prevention Services including Fraud Control Assessments, Red Team Testing of Fraud Controls, Software Implementation, and Data Analytics. Since 2004, Jerry has led fraud prevention engagements with leading financial institutions in the U.S., Canada, and the U.K. Jerry created Greenway’s Fraud Red Team Testing Service and has managed over 50 engagements where the Red Team tests fraud prevention controls using live, funded accounts looking for gaps and weaknesses that could be exploited by fraudsters and scammers.
About Ronnie Tokazowski and Intelligence for Good
Ronnie Tokazowski is a seasoned security professional who has been tracking, hunting, and disrupting scammers for over a decade. Ronnie is the Chief Fraud Fighter at Intelligence for Good, an organization that works with people who have been impacted and disrupted by cyber-crime and with corporations to provide them with data on how their customers are being targeted. Prior to Intelligence for Good, Ronnie was a Principal Threat Advisor at Cofense, an Anti-Phishing company that provides awareness and education to companies in all industries.