
Privacy Concerns: The New Strain of Virus During This Fraudster ‘Scamdemic’
Frances Aketch
Technology: The Passive Enabler of Fraud During Pandemics
With the significant growth of Internet usage, individuals’ trust is at an all-time high. Throughout the COVID-19 pandemic, people increasingly shared their personal information online to stay connected during those trying times.1 As a result, an enormous amount of personal information on financial transactions has been exposed by vulnerable individuals to cybercriminals.2 With consumers at increased risk of data fraud, this article examines the means by which cybercriminals access and compromise personal information and how the world ought to evolve to tackle this new reality.
When it comes to data fraud, a real and challenging question arises: who is truly in the wrong? Should we lay the blame on naïve, trusting consumers who fail to take adequate protective measures to secure their personal data? Or rather, should we attribute fault to the banks, who fail to ensure their consumers are adequately protected from data threats? Should the banks owe vulnerable consumers a duty of care in carrying out their functions? Phishing or push fraud, which will be outlined below, has been a growing legislative concern, with recent Acts passed (at least in part) to consider this rising threat (including the Data Protection Act 2018, Companies Act 2014 and Finance Act 2019).
Developments in recent day-to-day life allude to the many profitable forms of cybercrime. This has led to a recent influx of such activities, due to the ease and convenience with which criminals can steal important user data.3 The data here indicates a 40% rise in fraud, deception and related offences compared with the previous year.4 These once white-collar criminals have evolved over the pandemic from a once harmless saprophyte to a new strain of parasitic bacteria preying on all members of our society.
1 Niam Yaraghi and Samantha Lai, ‘How the Pandemic Has Exacerbated Online Privacy Threats’ (Techtank, 13 January 2022) <https://www.brookings.edu/blog/techtank/2022/01/13/how-thepandemic-has-exacerbated-online-privacy-threats/> accessed 26 March 2022.
2 Dan Patterson, ‘Cybercrime is Thriving During the Pandemic, Driven by Surge in Phishing and Ransomware’ (CBS Moneywatch, 19 May 2021) <https://www.cbsnews.com/news/ransomwarephishing-cybercrime-pandemic/> accessed 26 March 2022.
3 Central Statistics Office, Recorded Crime Q2 2021 (Media Release 29 September 2021) <https://www.cso.ie/en/releasesandpublications/ep/p-rc/recordedcrimeq22021/> accessed 26 March 2022.
The coronavirus pandemic necessitated social distancing measures, requiring people to remain in their homes, leading to intense reliance on digital technologies.5 This has created many new and extensive environments and opportunities for individuals to commit online fraud and to be victimised on a widespread scale. Cybersecurity problems have also arisen due to home-based workers not adhering adequately to business cybersecurity policies, such as user authentication protocols, as well as improper sharing of sensitive corporate data with unauthorised family members.6
The range of adaptations of conventional scams in the pandemic environment has been extensive, with criminals developing scams involving PPE and fake cures, domestic pet scams, employment scams, investment frauds, travel refund and insurance scams, and a variety of phishing attacks.7 Other frauds have involved identity crimes and ransomware threats involving COVID-19 scenarios, sometimes impersonating contact tracing officials to obtain personal and banking information.8 There have also been reports of false charity scams and phishing emails claiming to provide important information regarding the latest coronavirus updates, local testing stations, potential cures, cheap medical products or working from home.9
4 ibid.
5 Jo Adetunji, ‘The COVID-19 Pandemic Has Made Us Reliant on Digital Technologies, Eroding Our Privacy’ (The Conversation, 13 October 2021) <https://theconversation.com/thecovid-19-pandemic-has-made-us-reliant-on-digital-technologies-eroding-our-privacy-168792/> accessed 26 March 2022.
6 Ciannan Brennan, ‘Remote Working Causes New Data Protection Headaches’ (The Irish Examiner, 24 February 2022) <https://www.irishexaminer.com/news/arid-40815051.html/> accessed 26 March 2022.
7 David Robson, ‘How Fraudsters Exploited Our Fears During the Scamdemic’ (BBC Future, 14 June 2021) <https://www.bbc.com/future/article/20210611-how-fraudsters-exploited-our-fearsduring-the-pandemic/> accessed 26 March 2022.
8 William Cooper, ‘How COVID-19 Created a New Wave of Fraud & False Insurance Claims’ (William Russell, 4 March 2022) <https://www.william-russell.com/blog/insurance-fraud-covidcreates-new-claims/> accessed 26 March 2022.
9 Leigh McGowan, ‘With the Rise of Ransomware, Report Says Cybercrime Cost Ireland €9.6bn in 2020’ (Silicon Republic, 23 November 2021) <https://www.siliconrepublic.com/enterprise/cybercrime-ireland-costs-ransomware-phising/> accessed 26 March 2022.
What is Push Fraud? (APP Scams)
Push payments involve a bank transferring money from a customer’s account to a secondary account. This is further described as ‘authorised’ when a customer gives their consent for the process to occur.10 Everyday examples of this are ordinary tasks such as entering passwords or completing buying transfers. However, scams of this nature have grown exponentially during the pandemic.11
Further, for the context of this piece it is worthwhile defining the other principal source of fraud, namely what is called “phishing”. Phishing is where one is persuaded to give away valuable information about oneself or one’s financial data, which may enable a fraudster to extract money from one’s bank account or make payments using one’s credit card.12 Alternatively, it may enable fraudsters to assemble information which may then be used to help them carry out push fraud transactions.
Historically, traditional methods such as phone calls or letters to customers were a key way to defraud customers. However, as outlined, emails and texts have become the more prominent medium in recent times. The frequent and long-lasting lockdowns over the course of 2020 and 2021 have further increased consumers’ reliance on technology, and thus the risk of a data breach. Overall, this has made it increasingly difficult for ordinary bank users to identify what is a scam, as scams’ guises constantly evolve.
Important factors have had a contributory role in the increase of this type of fraud, such as employees working from home, difficult opening hours, long phone waiting times, and closed branches as a result of financial loss from the pandemic. Scamsters are well aware of these factors and have sought to cash in on vulnerable consumers. These factors combined leave little surprise as to why someone you know received these scam texts or emails during this timeframe. And, unfortunately, a lot of trusting people were taken advantage of. The sophistication of these scams is such that many victims do not harbour any suspicion until it is often too late.
10 Sarah Rutherford, ‘What is Authorised Push Payment Fraud’ (FICO, 18 January 2022) <https://www.fico.com/blogs/what-authorised-push-payment-fraud/> accessed 26 March 2022.
11 Rodger Desai, ‘Fighting Authorised Push Payment Fraud in the UK’ (Prove, 27 August 2021) <https://www.prove.com/blog/fighting-authorized-push-payment-fraud-in-the-uk/> accessed 26 March 2022.
12 Josh Fruhlinger, ‘What is Phishing? How This Cyber Attack Works and How to Prevent It’ (CSO, 4 September 2020) <https://www.csoonline.com/article/2117843/what-is-phishing-howthis-cyber-attack-works-and-how-to-prevent-it.html/> accessed 27 March 2022.
Banking Scams: Protection or Deflection in Court?
As noted in Philipp v Barclays Bank,13 the duty of care owed by banks requires them to refrain from acting on a payment instruction that would result in grounds which would be classed as misappropriation of funds. This duty of care likely arose from principles established in Quincecare.14 This case concerned a bank’s duties arising in the case of a customer instructing their bank to make payments to an unknown push payment fraud scam. However, as noted in this case, it is neither fair nor reasonable to impose liability on the part of the bank in response to fraud perpetration.15 Regardless of the circumstances, UK courts have established that such a liability would rest only on an unprincipled and impermissible extension of the duty of care. Ireland does not tend to depart from English courts’ judgments in banking law cases,16 although the Irish courts have not yet had many opportunities to explore this precise question.
Additionally, the courts do not tend to have much sympathy as such for those customers who fall victim to these fraudulent scams, not because of a lack of compassion but because of the implications any successful APP fraud scam would have on future cases.17 The entire issue surrounding these scams derives from questions surrounding duties of care to inspect every single transaction or payment instruction under all circumstances. Banks with outsourcing capabilities do not possess the funds or staff power, especially during the pandemic, which resulted in a shift in the market and the closure of Ulster Bank Irish branches or KBC. If the law required bankers to discharge such an onerous duty before every transaction, it would simply not be commercially feasible to protect this duty of care.
Further challenges surrounding these types of transactional offences pertain to the culprit often being difficult to identify, given the immediate transfer of data and funds to various accounts.18 A further challenge surrounding this scamdemic’s rise to popularity is the reluctance of companies or banking institutions to admit to being attacked, owing to the negative public image this would create. In the UK, there exists jurisprudence from ZAM v CFM and TFW19 for the anonymization of blackmail plaintiff cases, while in Ireland there is merely a common law power to anonymize, as shown by decisions from Kelly J in Medical Council v Anonymous.20 This has led to calls for strengthened legislation to ensure banks and consumers alike act bona fide if they know their reputation is protected against these cybercrimes.21
13 Philipp v Barclays Bank [2021] EWHC 10.
14 Barclays Bank Plc v Quincecare Ltd [1992] 4 All E.R. 363 [35].
15 ibid.
16 John Breslin and Elizabeth Corcoran, Banking Law (4th edn, Round Hall 2018), 12.
17 William Towell, ‘Authorised Push Payment Frauds – Plenty of Sympathy But Few Easy Answers’ (Hausfeld, 26 January 2021) <https://www.hausfeld.com/en-gb/what-wethink/perspectives-blogs/authorised-push-payment-frauds-plenty-of-sympathy-but-few-easyanswers/> accessed 27 March 2022.
Conclusion
It will be interesting to note which other jurisdictions follow the UK’s lead in the fight against phishing and push fraud scams. As banking practices continue to evolve symbiotically with technology, it is truly imperative to strip duties back to their simple truths, upholding legal obligations for banks and customers alike. It would be “commercially unrealistic” for a bank to require its staff to question every authorised payment instruction, regardless of the amount, and impractical to set a threshold level at which such questioning may become necessary. However, hope remains in regard to reimbursement for those customers or banks who have been victims of considerable losses due to ubiquitous scams.
18 Aja McClanahan, ‘How to Identify a Scammer’ (Experian, 25 March 2022) <https://www.experian.com/blogs/ask-experian/how-to-identify-scammer/> accessed 27 March 2022.
19 ZAM v CFM and TFW [2013] EW 662 (QB).
20 Medical Council v Anonymous [2019] IEHC 109.
21 Stephen O’Connor, ‘The Perils of Hacking: First Criminal Charge Under New Cyber Crime Legislation’ (Thought Leadership, 8 March 2022) <https://thoughtleadership.leman.ie/post/102gr07/the-perils-of-hacking-first-criminal-chargeunder-new-cyber-crime-legislation/> accessed 27 March 2022.