ITIC Global 2023 | Digital fraud – identifying the risks and finding solutions
In the fifth session of ITIC Global, Phil Peart, Charlie Tizard and Alan Abreu focused on digital fraud and efforts within the insurance and payments industries to combat it
The ITIJ team have been reporting live from ITIC Global in Barcelona this week (November 2023), sharing the discussions that took place at the conference.
Phil Peart, Senior Manager, Travel Claim Investigations, Allied Universal Compliance and Investigations
Veteran insurance investigator Phil Peart drew on his wealth of experience investigating fraudulent claims activity to provide some eye-opening examples of how fraudsters operate, and what the industry can do to try to stop them.
The types of fraud he has encountered extend beyond inflated charges and fabricated hospital reports to forgery of official documents and fake websites purporting to be for holiday accommodation that doesn’t actually exist.
According to the US Federal Trade Commission, victims lost US$26 million to travel, timeshare, and vacation rental scams from January to March 2021, with a median loss of $1,000. In the UK, 56 per cent of holiday fraud cases were related to booking airline tickets, and 29 per cent to accommodation, Action Fraud reported.
Peart took us through one fraud involving a criminal syndicate who created a website for a fake resort in Thailand. Members of the syndicate booked a holiday, which they later cancelled on medical grounds. The deposit they paid stayed within the syndicate, while the unwitting insurer paid out for their supposed losses.
He also cited a report by BDO Australia looking into trade on the dark web of hacked accounts and stolen documents. The Australian Scam Culture Report revealed that hacked email accounts were trading for A$269, fake passports for $2,255, and cloned SIM cards for $399. A hacked Facebook, Instagram or WhatsApp account costs $119, while just $18 will buy a contact list of professional hackers for hire.
Fraud used to be about hand-forged documents or signatures, he said, but the “new technology that some of these fraudsters are using, we’ve got to get new methods to try and identify the fraud”. Still, he advocated traditional methods such as visual site inspections, interviewing suspects and reading their body language. “It’s all about connections,” he said – investigators working with authorities and insurance companies.
Charlie Tizard, VP of Risk and Regulatory Compliance, Vitesse PSP
In his presentation, Charlie Tizard spoke about the role of payment service providers (PSPs) in combating fraud. The key threat was automated push payment (APP) scams, where someone is conned into making a payment into a fraudster’s bank account. “This is a really hot topic in the PSP industry,” he said, adding that it led to hundreds of millions of dollars in consumer losses each year. There was a lot of political pressure to reimburse victims, which is focusing minds on prevention.
Types of APP scams include impersonation, purchase, invoice, romance, and investment fraud. Referring to the fake websites Peart had uncovered, Tizard said similar websites were created for fake investment companies. The problem for PSPs, he said, was that contact between the fraudster and the victim often began on social media, long before the PSP was involved.
With insurance fraud, meanwhile, there is also a variety of scams: “But, importantly, these can be really difficult to detect. A fake claim can look exactly the same from a PSP perspective as a legitimate claim.”
The knock-on effect of this is higher premiums for honest customers.
So, what are PSPs doing to prevent APP scams?
Know Your Customer procedures, transaction monitoring, Confirmation of Payee, warnings at the point of payment, and investment in specialist fraud investigation teams were some of the steps being taken.
It will only work, he said, if PSPs collaborate with the insurance industry to understand insurance fraud better and apply those controls specifically to these threats. That means more sophisticated transaction monitoring and data analytics on transaction patterns. “If you have a large amount of data can you pick up on anomalies.”
It doesn’t come without its challenges, though, which include data quality, data protection, scope limitations and market penetration. But Tizard hoped he’d planted the idea that these areas were worth exploring between industries.
Alan Abreu, European Cyber Manager, BOXX Insurance
Cyber underwriting expert Alan Abreu’s presentation was about keeping people digitally safe. The risk of cyberattack was increasing everywhere, he said: among households, individuals and businesses, especially with the rise in remote working, which often leaves people more exposed.
Three quarters of hacks target individuals and families, he said, and sixty per cent of attacks can be crippling. But most attacks are avoidable – with greater awareness and security.
Abreu highlighted figures from the US Federal Trade Commission, which showed that reports of identity theft increased by 212 per cent between 2019 and 2021.
But threats are not confined to the office and home, and it was important for employees to be protected during business travel in particular. Digital risk increases for travellers, he said – their awareness is reduced because they’re out of their comfort zones. “You go abroad, things change and hackers know that,” he said.
In terms of solutions, he believes in a ‘predict, prevent and insure’ approach. The cyber insurance industry was growing but there was room to go further. Simplicity of support was key, he thought, when people are wondering what to do after a hack. Technology was also critical in managing the cyber risk properly. “Sometimes policy warnings need to be updated,” he added, “because sometimes risks are beyond what the scope of the cover is.”
ID theft products had been around for a while, but were usually a very limited solution compared with cyber insurance, said Abreu. Cyber insurance can cover a range of threats including online fraud, data breaches and cyber bullying, and can provide emergency support for the victim. The key was prevention, though, he said: “It is very important to be proactive as an insurance provider, not only to sit and wait for a claim to happen; we help them to mitigate against those risks during the whole policy period.”
In a Q&A session following the presentations, the panel were asked how we can strike a balance between alerting customers to risks and putting too many controls in place. The important thing, said Tizard, was “consistently evaluating the effectiveness of that control and whether it’s having the desired outcome”.