Growing strongly (+64% between 2021 and 2022), transfer fraud is challenging banks. Traditional security systems are reaching their limits in the face of cybercriminals' appetite, and regulators are pushing to modernize practices. What are the new anti-fraud tactics? And which banks are leading the way? We take stock.
Among the payment methods available to you, the bank transfer is one of the safest. But it is also the one that records the greatest growth in fraud. In 5 years, from 2018 to 2022, the total value of the amounts diverted was multiplied by 3, reaching 313 million euros, according to the Observatory for the Security of Payment Methods (OSMP) of the Bank of France. Even worse, the number of fraudulent operations has exploded: +64% between 2021 and 2022. The numbers don't lie: cybercriminals, hampered by the increasing security of bank card payments, are resorting massively to transfer fraud.
How do they work? According to the OSMP, almost 70% of financial damages result from attacks targeting transfers initiated from online banking interfaces, used mainly by individuals and small businesses. In concrete terms, the dominant mode of operation is as follows:
- Criminals gain access to your online banking area, often using data obtained through phishing operations.
- They add to your list of transfer beneficiaries a bank account over which they have control, usually opened by usurping a third party's identity.
- If necessary, to bypass strong authentication devices, they contact the victim directly, pretending to be a bank consultant.
- They initiate transfers to the fraudulent account. To cover their tracks, the money passes, in a few minutes, from account to account, often ending up abroad, where it becomes almost impossible to track and recover.
As we can see, setting up a transfer fraud operation is not easy. However, the game is worth the candle: in 2021, the average value of a fraudulent transaction reached 4,000 euros. This type of scam allows not only checking accounts to be emptied, but also savings accounts. For some victims, that means the savings of a lifetime.
Time delay and limit, classic recipes
What are banks doing to stop the bleeding? Traditionally, they offer two countermeasures. The first consists of limiting the amounts that can be sent by transfer. All the banks that agreed to respond to us use it, in a more or less restrictive way.
|Limit on outgoing transfers
|Yes (different values depending on the customer profile)
|Yes (different values depending on funds and client profile)
|Crédit Mutuel de Bretagne
|La Banque Postale
|No cap on traditional transfers
2,000 euros per day for instant transfers
|6,000 euros per transfer (10,000 euros per week)
6,000 euros per day instantly
5 transfers per day (20 transfers per month)
|2,000 euros per transfer
5 transfers per day
|100,000 euros per transfer
The other solution is to impose, when a new beneficiary is added, a waiting period before the first transfer. This solution is used by BNP Paribas (24 hours), Crédit Agricole (duration varies depending on the funds), Crédit Mutuel Arkéa (only on the website) and La Banque Postale. BoursoBank also uses it, but only when the addition is made via an unrecognized connection. Others simply use strong authentication, whether when accessing the application (for the 100% mobile banks N26 and Revolut), or when adding the beneficiary.
These two solutions, however, have in common the fact that, for customers, they are irritants, which limits the use they can make of the transfer as a means of payment. And, as statistics show, they are also reaching their limits when faced with fraudsters’ new strategies.
Operations under surveillance
Most of the banks that agreed to communicate on the subject confirmed this: the security of transfers also requires automated monitoring systems that can, in a predictive way, identify potentially risky operations. This is the case of BNP Paribas, Crédit Mutuel Arkéa, La Banque Postale and BoursoBank. On what criteria? In order not to make life easier for fraudsters, our interlocutors did not want to reveal them. But we can imagine that they include the amount of the transfer, the moment it is initiated, the nature of the beneficiary's account, payment habits, etc.
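To make these controls concrete, here is an added example (not taken from any bank, whose real criteria are not public) that combines a per-transfer cap, a waiting period after a new beneficiary is added, and a few monitoring signals. The 24-hour delay and the 2,000-euro cap are figures quoted in this article; the signal thresholds, field names and sample transfers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: the 24-hour delay and the 2,000-euro cap are figures quoted
# in the article; the three risk signals and their combination are illustrative.
NEW_BENEFICIARY_DELAY = timedelta(hours=24)
PER_TRANSFER_CAP_EUR = 2000

@dataclass
class Transfer:
    amount_eur: float
    initiated_at: datetime
    beneficiary_added_at: datetime
    added_from_known_connection: bool
    usual_max_eur: float  # largest past transfer by this customer

def review(t: Transfer):
    """Return (decision, reasons); decision is block, delay, review or allow."""
    if t.amount_eur > PER_TRANSFER_CAP_EUR:
        return "block", ["amount above the per-transfer cap"]
    if t.initiated_at - t.beneficiary_added_at < NEW_BENEFICIARY_DELAY:
        return "delay", ["beneficiary added less than 24 hours ago"]
    signals = []
    if not t.added_from_known_connection:
        signals.append("beneficiary added from an unrecognized connection")
    if t.amount_eur > 3 * t.usual_max_eur:
        signals.append("amount far above the customer's payment habits")
    if t.initiated_at.hour < 5:
        signals.append("initiated between midnight and 5 a.m.")
    # One signal alone is common in legitimate use; two or more go to an analyst.
    return ("review" if len(signals) >= 2 else "allow"), signals

# Constructed sample transfers (not real data).
NOW = datetime(2024, 1, 15, 2, 30)
SAMPLES = {
    "just_added": Transfer(1500, NOW, NOW - timedelta(minutes=10), False, 400),
    "odd_pattern": Transfer(1800, NOW, NOW - timedelta(days=3), False, 400),
    "routine": Transfer(300, datetime(2024, 1, 15, 14, 0),
                        datetime(2023, 12, 1, 9, 0), True, 500),
    "over_cap": Transfer(5000, NOW, NOW - timedelta(days=90), True, 6000),
}

if __name__ == "__main__":
    for name, transfer in SAMPLES.items():
        print(name, *review(transfer))
```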
The emphasis on prevention…
The deterioration in transfer fraud figures is worrying enough to justify an intervention by regulators. Last May, the OSMP, which depends on the Banque de France, published a series of 13 recommendations intended to govern the policies of banks and, more generally, payment service providers. Several of them encourage these institutions to improve the information presented at the time of the strong authentication used to validate a sensitive operation: in addition to the nature of the operation and its value, the name of its beneficiary or its irrevocable nature.
A prevention effort which several banks have started to implement. BoursoBank is one of the most zealous in the area. To combat certain manipulation techniques, the online bank asks the user, for example, to specify whether they are on the phone with a colleague when adding a transfer beneficiary. Sometimes at the risk of being annoying… In a recent post on the MoneyVox Forum, a BoursoBank user complained about having to go through 6 steps to be able to make a transfer to a new beneficiary!
…not yet under verification
BoursoBank is also one of the first to comply with another OSMP recommendation: the one that consists of warning the user when the match between the registered IBAN and the name of the beneficiary is not checked. When adding a new beneficiary, the online bank displays the following message: "This is a customer of another bank, we are unable to verify its real existence."
Why this OSMP recommendation? Once again, the aim is to alert the user: the fact of providing the name of the beneficiary along with the IBAN does not mean that the match between the two will be verified. In fact, it never is: none of the banks we questioned do this.
However, it is possible. For this purpose, a solution called Diamond was developed by the company SEPAmail, the same company that implemented the solution to automate the transfer of recurring operations when changing banks, within the scope of the mobility mandate. Even better, this application, implemented in 2018, has been adopted by the 6 main French banking groups: BNP Paribas, BPCE (Banque Populaire et Caisse d'Epargne), Crédit Agricole, Crédit Mutuel, CIC, La Banque Postale and Société Générale. But none activate it to secure their individual customers' transfers. Its use, often paid, is limited to companies, which use it to guarantee the validity of their customers' bank details.
Mandatory by 2026
Banks, however, will have to get involved. For a simple reason: this IBAN check will soon become mandatory. The measure appears in a recently adopted text, an extension of the regulation that governs the Single Euro Payments Area (SEPA). Its goal: to promote the replacement of the classic transfer, which takes 24 to 48 hours, with the instant transfer, carried out in less than 10 seconds. The latter, launched in 2017, took time to establish itself: at the end of 2022 it represented only 11% of the volume of transfers in Europe. Not enough for the European institutions, which have great hopes for this new means of payment. They see it, in particular, as the spearhead of their sovereignty in this field, in the face of the control of the American Visa and Mastercard networks.
This slow start can be explained: to amortize the cost of developing this new payment method, most banks chose to charge for it, around one euro each on average in France. Logically, to accelerate the transition, the EU will impose, by 2026, free instant transfers. But the generalization of real-time payments has a disadvantage: that of compromising, due to lack of time, the quality of the anti-fraud controls carried out by banks and payment providers. Hence the choice to require IBAN verification as additional protection.
In Europe and France, work has already begun. Crédit Mutuel Arkéa confirmed to us that it was working on the banking center's initiative to check whether an IBAN is fraudulent. La Banque Postale, in turn, announces the launch, in 2024, of its IBAN Check project. Good news for them: according to our information, SEPAmail Diamond, the French interbank solution they already use, could serve as a model for the future solution implemented on a European scale.