This week’s tech news, filtered for financial services execs

November 29

Hello and welcome to Insights Distilled, a weekly email briefing that curates tactical technology news for financial services execs. Every Tuesday morning, we send you the top five stories you need to know – and explain why they matter. Our tech news roundup helps you stay on top of the innovations driving business agility in your industry.

 

The holidays tend to bring good food, time with loved ones, special moments – and financial fraud. ‘Tis the season for scams, spoofs, and swindles.  

Several stories in this week’s edition highlight tales of how bad actors may try to wreak havoc, as well as the tech-enabled preventative measures that financial institutions can take to block them.  

Let’s dive in: 

  1. Crime bust: Police shut down massive bank-spoofing operation
  2. URL opportunity: The case for the .bank domain to fight phishing
  3. Fighting fraud: This startup is working with the government on privacy-preserving AI
  4. People-centric security: How to train your workers to avoid attacks
  5. Partnership power: Wells Fargo exec on managing risk

1/5

International police just shut down a spoofing service that allowed cybercriminals to impersonate big banks on the phone and steal tens of millions of dollars from their victims.  

Police say that bad actors used the site iSpoof to target at least 200,000 potential victims and steal more than $120 million. The scale of the losses proves that banks need to do more to warn against this kind of social engineering attack.

International authorities just shut down a vicious fraud operation that allowed bad actors to imitate bank employees by disguising their phone numbers as legitimate bank lines. Fraudsters used iSpoof to pose as reps from the likes of Barclays, Santander, HSBC, Lloyds, and Nationwide.  

“The exploitation of technology by organized criminals is one of the greatest challenges for law enforcement in the 21st century,” said Met police commissioner Sir Mark Rowley in a press release. It’s also one of the greatest challenges for banks.  

Though banks aren’t legally or financially culpable for this kind of deception, it harms their reputation and erodes trust with customers. While technology has emerged to prevent (or at least sound the alarm on) many different kinds of fraud, customer education is still the best way to mitigate social engineering tactics like iSpoof’s.  

Financial firms have tried to get the word out that customers shouldn’t trust caller ID – urging them to hang up if they get a call from their bank and then redial themselves – but the scale of this latest bust proves that more awareness is needed. 

2/5

The .bank domain could help prevent phishing. Now banks just need to normalize it.

The .bank domain requires verification, making it a safer alternative to .com addresses, which bad actors can easily mimic. There’s huge potential for .bank to become a trusted signifier like .gov and .edu, and it’s relatively easy for banks to switch: to reap the benefits, they simply need to prioritize it.

It’s frighteningly easy for bad actors to create realistic-looking fake bank websites to dupe customers into giving up their login credentials. Not only can scammers replicate a bank’s user experience, but they can buy URLs that render almost exactly like financial firms’ real websites.  

A rise in phishing has spurred a renewed push for banks to adopt .bank domains (and insurance firms to start using .insurance). Because the domain requires verification for access, bad actors can’t buy URLs that use it. If banks start using the domain, they can teach their customers to only trust websites that include it, which would neutralize most common phishing attacks.  

“The move to .bank is easily managed alongside other bank projects” and will “protect banks and their customers from the ever-increasing, ever-more-costly cyberattacks they face,” Drew Schiff, senior director at fTLD Registry Services, told Insights Distilled. The company oversees .bank domain name issuance, and its best practices make switching “easy, affordable, and completely seamless for customers,” according to Schiff. 

More than 2,200 banks have registered their .bank domains and over 745 are actively using them for website and email security, he added. So, what’s required to make the transition more mainstream? A coordinated effort from the largest banks would be effective, but ultimately, each institution will need to own its own customer messaging. Schiff says that fTLD has created a communication guide to help. 

Paul Benda, SVP of operational risk and cybersecurity at the American Bankers Association, says that the domain’s additional security benefits are an impetus: “Banks looking to bolster their defenses sooner rather than later may want to make the transition faster.” 

3/5

US and UK governments just awarded this startup a cash prize to prototype a privacy-preserving AI system for fighting financial crime. 

Financial institutions would be much more effective at fighting fraud if they could pool their private transaction data to train artificial intelligence models that can find patterns that reveal criminal activity. The challenge is allowing them to avoid sharing their actual raw data. 

Insight Partners’ portfolio company Featurespace just won funding from Innovate UK and the National Science Foundation in the US to develop an artificial-intelligence system to help banks and payments services providers catch money laundering and other financial crime, while protecting data privacy. It was one of only 12 organizations to win the prize and has until late January to build its prototype.  

AI has proven effective at flagging the subtle patterns that reveal bad actors – Featurespace is one of a handful of firms that deploy machine learning models to flag fraud. However, doing so effectively across banks and borders typically requires the kind of data sharing banks are wary of, due to regulation or privacy concerns. Featurespace will use an AI technique called federated learning to build its prototype (confidential computing is another approach with similar goals).  

“This type of privacy-preserving, collaborative AI is a hard problem that no one has yet solved,” Featurespace director of innovation Dr. David Sutton told Insights Distilled, adding that the firm will productionize its prototype, if successful. “We understand the real-world problem, which puts us into a great position to bring this into the market with real-world data and constraints.”

Featurespace’s current customers include NatWest, HSBC, Turkey’s Akbank, and Denmark’s Danske Bank.

4/5

The holidays make people more distracted – including your own workers. A startup has attracted funding from big banks for cybersecurity training that tests – and upskills – every employee.  

Individual employees are generally the weakest links in organizational security. Cyber training programs should impart knowledge and skills to all workers, not just technical ones.

Research suggests that cyberattacks surge over the holiday season – particularly between Christmas and New Year’s – but it’s not just your organization’s overall security you should focus on. Cybersecurity is all about people, according to Insight Partners’ portfolio company Immersive Labs, which offers training software to help global organizations boost their workers’ judgment, skills, and speed in dealing with security risks and attacks.

Immersive’s “cyber workforce resilience” program for upskilling employees is crucial, because worker error is typically at the root of successful cyberattacks. Want to gauge how prepared your institution is to fight the latest threats? Immersive Labs and Insight Partners are hosting a free cyber threat simulation for financial services execs: Learn more and sign up here.  

Immersive Labs recently raised a fresh funding round that included Goldman Sachs Asset Management and Citi Ventures and counts HSBC, Citi, Moody’s, and Bain Capital among its customers. 

5/5

Wells Fargo’s head of digital discusses how to mitigate the risk of working with fintechs: Make sure they can handle your volume and understand their business continuity plan. 

Working with fintechs can be incredibly fruitful but requires rigorous vetting – especially given the current economic climate for startups. If your 2023 innovation roadmap includes potential partnerships, make sure you’re asking these questions.

Wells Fargo’s head of digital, Michelle Moore, helps manage the bank’s fintech relationships. During a recent webinar with American Banker, she ran through the questions she asks when considering working with a firm: 

“Are they stable and secure? Can they handle our volume? Do they have a business continuity plan? Do they have the right controls in place to protect the customer experience?” she asks. Running through worst-case scenarios is crucial, she adds: “My legal, risk, and compliance partners are my best friends.” 

Obviously, Wells Fargo hopes that any firm it works with will succeed in the long run, but it’s still critical to lock down, at the very beginning of the relationship, how to manage customer needs if a fintech winds down.  

“We figure out how we’ll ensure that – if something happens – it’s seamless to customers, that they can go on managing their finances,” she said.  

For more guidance from your peers, check out the advice for evaluating technology experiments that a former CIO at Credit Suisse shared with Insights Distilled. 

Quick Bits:

Personnel news: The Bank of London poached Phil Knight from 10x Banking to be its group CTO and chief information security officer. Meanwhile, UK-based Nationwide Building Society has appointed a new COO, Suresh Viswanathan.

Money moves: Mastercard is acquiring a minority stake in Conferma Pay as part of a wider partnership to push virtual cards for B2B travel payments. On the other side of the world, Australian bank Westpac has joined five other organizations to form a new artificial intelligence consortium.

Fraud repayment: The biggest banks in the United States are devising a plan to reimburse victims of Zelle scams, sources told The Wall Street Journal. The details are still being finalized, but the rules could kick in next year.

 
