Barclays Bank’s Jamie Byles believes messaging fraud is a huge threat to financial services, and that cross-industry action is the only way to defeat it. MEF Minute talked to him.
Barclays Bank’s Jamie Byles was recently put on hold by fraudsters operating a sham call centre. They were so plausible they even dealt courteously with his complaint when he bemoaned the wait.
The fraud director of Barclays Global Fraud Management says the anecdote reveals the sheer meticulousness of the scammers – and the scale of the telecom fraud problem.
“These criminals are extremely professional,” he says. “They understand telecoms. They will typically buy a number from, say, a Nordic country and then divert it multiple times to multiple different pre-pay accounts across Europe. Then they set up what seems to be a genuine call centre somewhere.
“I can only assume they are genuine. These places have a lot of background noise going on. Either this is a very good sound effect or there really are lots of people working in these centres.”
How does Byles know? Because he makes it his business to follow up every scam his customers report. “I like to know what I am up against,” he says.
And how does he define what he is up against?
“There is no doubt in my mind that SMiShing is the number one consumer fraud issue in the UK after corporate hacking. This is a war – and I do not use that phrase lightly.”
Like every other major financial institution, Barclays has been hit by a wave of message-based fraud ever since smartphones became ubiquitous and consumers became wiser to the threat of email scams.
Byles says the problem first emerged around 36 months ago. Initially, the scammers would find a way to emulate the bank’s official number so that their messages would appear in the same chat stream as genuine alerts.
They could also mimic the message header to read ‘Barclays’ – again just like a bona fide correspondence.
To counter this, Barclays worked with the MNOs to make it difficult for fraudsters to access the header. It worked. Byles says incidence of fraud has fallen.
But needless to say, it hasn’t disappeared. Criminals are determined and smart. So they have now changed their headers to read ‘Bank Alert’ or ‘Urgent Contact’ instead. They then include a message that asks the recipient to click on a link, which requires a PIN or password to unlock.
More recently, Byles has become aware of the first phishing scams on Facebook Messenger. Here, a criminal will set up a fake profile using screenshots of real accounts and then send a ‘check this out!’ message to real contacts. When the recipients click, they are asked to enter personal details to access the clip.
Byles says: “The phone is so personal. This makes it so easy for the scammers in a way. And people are embarrassed when they get scammed. They are tech-savvy and they think it can’t happen to them.”
Despite the ingenuity of the ‘enemy’, Byles and his team are determined to erect more technical and procedural barriers to deter the criminals. For example, Barclays has launched a number verification service on its website through which customers can check a dodgy sender.
It also launched a feature on its app and website that lets customers check whether callers claiming to be from the bank are genuine – while they are on the phone.
It has even devised its own technical solution for verifying SMS messages without introducing any overhead to the existing process.
The idea introduces a character combination at the beginning of a text that could be understood by the receiving handset to indicate the message is verifiable.
Barclays made the white paper public and shared it for consideration with the rest of the industry.
Whether it is adopted remains to be seen. For Byles, the important thing is to be collaborative. He recognises that any technical response to the problem will work best when it is a cross-industry one. That’s why Barclays is an enthusiastic supporter of the MEF’s Code of Conduct for industry participants.
“This is a serious societal issue. So what we need is a system that everyone can sign up to, that identifies a SMiShing scam, shares it across the ecosystem, and has a consistent way of informing customers. The consumer education piece is very important. People are getting different information. We must work with the MNOs and also consumer affairs bodies and government on a consistent message that everyone can understand.”