Truth and trust are the core principles of banking, but the lines between truth and trust are thin.
We have fake news and deep fakes. We have fakes everywhere. How do we know what the truth is? How do we know who and what to trust?
Emails asking for your bank details might be obvious scams, but what about websites that have all the accreditations of being real? What if you are called by your bank and they say ‘call us back’, but you call back on the number of their verified fraud line and only later find out it’s fake?
Criminals are clever these days and can fake anything online. The question is: are we keeping up?
Always a way in
When I look at bank systems, I find most are failing in this regard. They still operate on a basic username and password system. A mobile phone is more robust, with Face ID or Touch ID. Nevertheless, there are thousands of ways to get past security and more than a million criminals who want to.
A recent social engineering scam that has come to light revolves around a con artist sending a message to someone claiming to be a son or daughter who has lost their phone. Using WhatsApp, the scam works along the lines of messaging a parent and asking urgently for cash as their phone has been stolen. Using a new number, the begging child explains that they are now using a new phone and desperately need help. Rather than telephoning the child, the concerned parent immediately transfers thousands to some scammer.
anyone from Barack Obama to Donald Trump can be streamed saying 'invest in bitcoin'
It may seem naïve, but have you ever been caught out by a scammer? I have. In my case, a card issuer emailed me to alert me that my account had been compromised. I clicked on the link and treble-checked the site was authentic. After entering my username and password, I found out it was a fake site. I might have felt stupid for falling for such a scam, but it was a clever deception.
Today, we are operating in a digital world where the line between real and fake is more easily blurred through the use of technology. Case in point: the deep fake videos of Tom Cruise and others on YouTube. These days anyone from Barack Obama to Donald Trump can be streamed saying 'invest in bitcoin' (or something similar) when they never said anything of the sort.
The burden of proof
The challenge, therefore, is how to verify something is real and true. I believe that responsibility lies firmly with banks, because are meant to be the trusted intermediary in society. It’s not governments or regulators. It’s banks. They should engender trust, because it is trust that is used to ply our trade. Do we realise this? Do we trade in trust? Do we deliver trust? An even bigger question is around how we retain it.
Criminals will always target banks because that’s where the money is. This means the job of a bank is to protect itself – and its customers – from criminal attack. This obligation is clear when an attack is directly on the banks’ systems, but what if it is an attack on the customers’ systems that link to the bank? How far does a bank’s responsibility to protect customers extend?
Some claim that banks should protect customers even when they make a serious mistake, such as divulging a password or sharing a PIN. Others disagree. So, where does the duty of trust extend and when should the customer be held responsible?
These questions are coming to the fore as we become increasingly digital in our transaction and interactions, and banks need to consider where and when their duties stop. This is particularly true in the context of faster and real-time payments. When you can move thousands or millions of dollars in one click from one person to another – who may not be who they say they are – is it the customer or the bank that is liable?
This fine line between customer culpability and bank responsibility will be tested more and more in the future. As a bank, the question you should ask is: do you want to lead or bleed?
