Today marks the end of Scam Awareness Week 2024. Via this year’s theme, ‘share a story, stop a scam ’, the Australian Government and the National Anti-Scam Centre (NASC) are encouraging us to overcome any shame associated with being a victim and share our stories to help others identify, avoid, report, and recover from scams.
On 31 July 2024, the Minister for Financial Services Stephen Jones addressed the National Press Club. The Minister told a number of Australian stories of people from all walks of life falling victim to the scourge of scams. Consumer Group CHOICE has shown that scammers are able to target even financially sophisticated Australians such as the former deputy chairwoman of the Australian Securities and Investments Commission (ASIC).
While 601,000 Australians reported $2.74 billion in losses to scams in 2023, the extent and impact of scams remains chronically under-reported with some cohorts (such as First Nations communities) being markedly underrepresented in official reporting figures.
The digitisation of our economy including the vulnerability of our data and our interconnectedness to global commerce, as accelerated by the pandemic, has resulted in fertile ground for scammers targeting vulnerable Australians.
Consumer education this week and beyond is only part of the whole-of-ecosystem approach that Australia is taking to combat scams. The whole-of-ecosystem approach involves collaboration between government, law enforcement, regulators, industry and consumer groups. In this article, we outline this ecosystem approach and discuss the developing legal and regulatory issues and requirements for banks and payments businesses.
Nature and scale of scams
Scams almost always involve an element of social engineering. Scammers may try to convince a victim there is an opportunity to quicky make money, or engage in false cries for help. Scammers typically put pressure on victims to act quickly and to pay in unusual or specific ways.
Types of scams
Common types of scams include:
- Investment scams: The scammer gets money from you for a fake investment opportunity.
- Buying or selling: The scammer creates fake online stores or classified ads to sell you a product that doesn’t exist. Scammers may also send fake invoices for services or products that you did not order.
- Job and employment: The scammer promises you a high-paying job that doesn’t exist or a money-making opportunity in the form of a ponzi or pyramid scheme.
- Dating and romance: The scammer creates a fake profile to lure you into a relationship, then asks you for money or to invest in something.
- Attempt to gain your personal information: The scammer tricks you into handing over banking or personal details, then uses these details to steal money. These scams include hacking, phishing and remote access scams and identity theft.
Contact channels
Scammers use a range of channels to contact victims including social media, text, calls, email and mobile applications. According to the latest Targeting Scams report for scams activity in 2023, while text message is the most common reported contact method, it is phone calls which result in the highest amount of actual losses to scammers ($116 million) followed by social media ($93.5 million). Concerningly, losses from scammers using social media increased 16.5% from 2022. While many disruption activities are focused on phone calls and SMS, the NASC expects that losses to scams from social media will continue to increase.
Payment methods
Payment methods used by scammers include bank transfers, cryptocurrency and credit cards. According to data from the Australian Financial Crimes Exchange (AFCX) from the end of the 2022-23 financial year, nearly half of all scam losses were processed through cryptocurrency exchanges.
A range of Australian banks have put in place steps to limit transactions to ‘high-risk’ cryptocurrency exchanges. HSBC has gone one step further, blocking all payments it reasonably believes are being made to cryptocurrency exchanges.
Increasing sophistication
Scamming methods are increasingly sophisticated. Scammers may obtain prospective victim personal information made available via major data breaches. For example, cybersecurity experts noted recently that the highly sensitive data of 12.9 million Australians, stolen from eScripts provider MediSecure, had been sold on the dark web.
Scammers may also use artificial intelligence to create ‘deepfake’ videos, for example celebrities’ images purportedly endorsing an investment scam on social media. One example cited by the NASC was an Australian man who lost $80,000 in cryptocurrency after seeing a deepfake Elon Musk video interview on social media.
Whole-of-system approach
Regulatory developments
The Australian Competition and Consumer Commission (ACCC) has been publishing its Targeting Scams report since 2010 with reporting data from ScamWatch (among other sources). These reports chart a dramatic escalation in losses to scam with losses growing to over $2 billion in 2021. For that year, the ACCC noted that popularity and hype of cryptocurrencies had led to a surge in losses to investment scams.
This escalation of losses has triggered a range of regulatory responses, including by ASIC. In April 2023, ASIC published Report 761: Scam prevention, detection and response by the four major banks (Report 761).
- The overall approach to scams strategy was highly variable and less mature than expected. For example, only one bank had a documented bank-wide scams strategy.
- The big four had inconsistent and narrow approaches to determining liability. ASIC found the reimbursement and/or compensation rate across banks ranged from 2-5%.
- Scam victims were not always well supported by their bank. Some cases were not resolved in a timely manner. Gaps and a lack of clarity in processes caused inconsistent and sometimes poor customer outcomes.
- Ability to hold and stop payments differed across the big four. For example, the ability to hold payment in real-time differed between banks and depended on the specific payment channel and network involved.
In August 2024, ASIC published Report 790: Anti-scam practices of banks outside the four major banks (Report 790). In preparing Report 790, ASIC reviewed the scam prevention, detection and response activities of 15 banks outside the big four banks during the 2022-23 financial year.
- The reviewed banks anti-scam measures were immature. Apart from education initiatives, most had not fully implemented key anti-scam measures discussed in Report 761.
- Governance and reporting tended to be focussed on fraud, not scams specifically. Only five of the reviewed banks had a scam strategy, with only one bank fully implementing the strategy.
- A significant number of reviewed banks do not have payment hold capabilities and the majority had not fully implemented monitor and stop capabilities across all payment channels.
- No reviewed bank had end-to-end coverage of the customer scam journey in policies and procedures leading to poor customer experiences. Reviewed banks did not always consider the stressed/vulnerable state of customers. Scam reports were frequently mishandled.
- Many reviewed banks lacked a bank-wide approach to determining liability for scam losses. 96% of total scam losses were born by customers. 2% of scam losses were reimbursed or compensated if the customer did not complain.
All banks and financial services businesses, regardless of size and scale, should assess their anti-scam practices in light of ASIC’s findings in Report 761 and Report 790. Where banks and financial services businesses fall short of these baseline measures, it is expected that ASIC may take enforcement action to ensure compliance.
Disrupting technology-enabled scams is a focus area for ASIC as outlined in its Corporate Plan 2024-2028. ASIC continues to engage in targeted communications campaigns (for example, warning consumers about fake ASIC branding on social media) and has published a new investor alert list for consumers to check whether an entity they are considering investing in could be a scam.
Key requirements for banks arising from ASIC Report 761 and Report 790 are:
- Fully implementing a scams strategy: This should include timelines to implement initiatives and measurable targets to monitor progress against the strategy.
- Uplift of scams risk management arrangements: End-to-end coverage of the customer scams journey is essential. Customer education, ease of reporting, tailoring communications to consider distress/vulnerability, coordination between parts of the bank and KPIs (including on timely action) are essential.
- Personnel and resourcing: Ensure the bank has a dedicated team and resourcing to manage the bank’s response to scams risk.
- Brand misuse across all telecommunications channels: Banks should fully implement controls to stop the misuse of its telephone numbers and SMS alpha tags to prevent impersonation scams.
- Payment hold/stop capabilities: Work with payment system operators to develop payment hold/stop capabilities across all payment channels. Regulators expect banks to have the capability to put in place risk-based friction, including for real-time payments.
- Liability: Develop a bank-wide approach to determining liability for scam losses with a focus on fairness, consistency, clear communication and a customer-centric approach that is acceptable to regulators. Augmenting existing remediation policies may be a good starting point.
Mandatory Scam Codes
In November 2023, the Treasury launched a public consultation on the introduction of new mandatory industry codes to outline the responsibilities of the private sector in relation to scam activity, with a focus on banks, telecommunications providers and digital platforms.
In the consultation paper, the Treasury acknowledged that there is currently no overarching regulatory framework that sets clear roles and responsibilities for the government, regulators and the private sector in addressing scams. The Treasury state:
“While regulators like the ACCC, the Office of the Australian Information Commissioner (OAIC) and ASIC can take some action to protect consumers from the impact of scams through their role as consumer protection, privacy and financial system regulators, there are no specific requirements on banks and digital platforms to address scams.”
Underpinned by the whole-of-ecosystem approach, the proposed scams code framework (the Framework) would be incorporated into the Competition and Consumer Act 2010 (Cth) to set mandatory obligations for designated businesses, including banks. There is currently no agreed formal definition of a scam in Australian legislation. The scams code framework would define a scam as ‘a dishonest invitation, request, notification or offer, designed to obtain personal information or a financial benefit by deceptive means.’
All designated businesses would have a variety of requirements under the Framework including implementing an anti-scam strategy, obligations to verify and trace scams on receipt of scam intelligence, and a requirement to take all reasonable steps to prevent further loss to a customer and treat customers fairly and consistently when notified they have been affected by a scam.
Codes and standards under the Framework that are specific to the banking sector would be incorporated into ASIC administered legislation. Possible bank-specific requirements are proposed to include:
- Prevention: processes and methods to detect higher risk transactions and take appropriate action to warn the consumer, block or suspend the transaction as well as blocking or disabling the scammer account (or working with the recipient bank to do so).
- Detection and disruption: processes or methods to identify and share information with other banks that an account or transaction is likely to be a scam.
- Response: user friendly and accessible methods for consumers to take action where they suspect their accounts are compromised or have been scammed (e.g. an in-app ‘freeze switch’).
In his recent remarks to the National Press Club, the minister described the Framework as the centrepiece of the government’s response to scams. According to the minister, existing law is not fit-for-purpose. While the ePayments code sets out the rules for redress for consumers for unauthorised payments, the nature of scams involves the consumer being duped into authorising the transaction. The government proposes to ensure that if a designated business breaches the Framework, that business must pay a financial penalty as well as pay compensation to the victim (including for inaction or negligence).
Submissions on the consultation closed on 29 January 2024. To date, no Bill containing the scams code framework has been put before Parliament. Given the minister’s recent remarks, any such Bill will likely include provisions on the paying of financial penalties for breach of the Framework as well as the circumstances where compensation is payable.
National Anti-Scam Centre (NASC)
In July 2023, the government established the NASC within the ACCC.
The NASC has three domains of activity:
Collaboration
- The NASC facilitates collaboration between regulators, banks and telecommunications providers (among others) to combat scams. For example, the NASC identified and referred investment scam websites to ASIC, contributing to 5,000 website takedowns.
- The NASC is also developing a near real time scam intelligence sharing service which will support the mandatory and enforceable obligations in the Framework.
Disruption
- One of the NASC’s key objectives is the disruption of scams. Disruption can involve preventing contact, stopping contact where it has already occurred, or preventing payment.
- In May 2024, the NASC published the final report of its first fusion cell. A fusion cell is a team of multidisciplinary specialists from different agencies and organisations who collaborate to disrupt a particular type of scam. The first fusion cell targeted investment scams and resulted in the takedown of over 220 investment scam websites and the diversion of 113 attempted calls from scammers to a recorded warning. The fusion cell also removed more than 1,000 instances of scam advertisements, advertorials and videos from digital platforms.
- The NASC’s second fusion cell will target jobs and employment scams.
Awareness and protection
- The NASC coordinates scam awareness campaigns (such as this week’s scam awareness week) to ensure consistent messaging.
- The NASC also undertakes outreach to at-risk communities including First Nations communities, older Australians, youth, people from culturally and linguistically diverse backgrounds, people with disability and small business.
- The NASC has also taken over publishing the Targeting Scams report from the ACCC, incorporating further data sources (including from ReportCyber and the AFCX) and has commenced quarterly reporting of scam losses.
Law enforcement action
There has been a relatively small number of law enforcement actions in Australia as frequently scammers are based overseas. One recent action was in August 2022, where the Australian Federal Police arrested two men in connection with an alleged role in stealing banking and identification details of thousands of Australians.
The NASC has placed a secondee at the Joint Policing Cybercrime Coordination Centre and engages internationally on law enforcement, including participating in the Global Fraud Summit in London in March 2024.
Scam Safe Accord
In November 2023, the Australian Banking Association (ABA) and Customer Owned Banking Association (COBA) announced a comprehensive set of anti-scam measures to be implemented across the banking industry known as the Scam-Safe Accord.
At the core of the Scam Safe Accord is a $100 million investment by the industry in a new confirmation of payee system to be rolled out across all Australian banks in early 2025. Confirmation of payee operates as a traffic light system as it cross checks the account details, branch number and name entered before a payment is made. Confirmation of payee will help reduce scams by ensuring people can confirm they are transferring money to the person they intend to. Australia will be the fourth global market with such a system, following the UK, the Netherlands and New Zealand.
In addition, major banks committed to include at least one biometric check (fingerprint, facial recognition or unique behaviour) for new customers opening accounts online by the end of 2024. All banks will increase warnings, payment delays and security questions by the end of 2024. ABA and COBA members have also committed to joining the AFXC and its automated Fraud Reporting Exchange to share intelligence at speed by July 2024.
Lastly, members have committed to place limits on payments to high-risk channels (including some cryptocurrency platforms). This requirement is at each bank’s discretion and does not have an anticipated implementation date.
A comparative approach: the UK reimbursement model
From 7 October 2024, the UK will have in place a mandatory reimbursement scheme for authorised push payment fraud (scams) for payments on the Faster Payments System (being a real-time payment system, roughly equivalent to Australia’s New Payments Platform).
Payment Service Providers (PSPs, including banks) will be required to reimburse victims of scams, subject to certain requirements, up to a maximum level of £415,000 per claim for payments on the UK’s faster payments system.
As specified in the UK Payment System Regulator’s Policy Statement, the paying PSP will be required to reimburse customers within five business days, but the cost of reimbursement is to be shared 50/50 between paying and receiving PSPs.
Only when the customer has acted fraudulently themselves or with gross negligence are the PSPs exempted from reimbursement. The Payment System Regulator interprets the term ‘gross negligence’ to be a higher standard than the standard of negligence under common law. The consumer needs to have shown a significant degree of carelessness in order for a PSP to rely on an exclusion from mandatory reimbursement.
The introduction of this mandatory reimbursement scheme follows four years of voluntary reimbursement by 10 UK banks under the Contingent Reimbursement Code. In its most recent fraud report, UK Finance reported $459.7 million in losses suffered by UK APP fraud victims in 2022. Of this amount, 62% was returned to victims by their bank (either voluntarily, pursuant to a decision of the Financial Ombudsman Service or pursuant to a court decision).
When the mandatory reimbursement scheme comes into force, the amount returned to victims will increase further. The concern about this reimbursement scheme is whether the amount of scam losses will also increase as scammers (and UK consumers, given the challenges of proving the gross negligence standard) consider losses to be ‘underwritten’ by banks.
The CEO of the ABA, Anna Bligh, recently commented that fundamental flaw of the UK model is that it does not address the core issue – stopping people being scammed in the first place. She noted that TSB, the bank with the highest reimbursement rate in the UK, now receives the highest value of scams of all British banks.
What comes next
Downward trend
In 2022, scam losses in Australia peaked at $3.1 billion. In the following year, scam losses decreased to $2.74 billion. While this figure remains unacceptably too high, the downward trend is the first modest dividend of Australian’s whole-of-ecosystem approach in which the private sector, law enforcement, regulators and community cooperated to combat scams. The NASC is cautiously optimistic that these combined efforts will see the downward trend in scam losses continue.
Social media
Going forward, more pressure on social media companies to combat scams is expected. Scam losses originating on social media were up 17% in 2023. In his address to the National Press Club, the minister remarked “social media companies are dragging their heels”.
In September 2023, CHOICE published the results of an investigation that found numerous scam ads were impersonating some of Australia’s most popular retailers. These fake ads were posted on Google as well as Meta’s Facebook and Instagram. According to CHOICE senior campaigns and policy adviser Alex Soderlund, “big tech companies have a perverse incentive not to act on scams because they generate advertising revenue, so it's clear that only strong mandatory rules to prevent scams developed and enforced by a regulator will result in any meaningful change for consumers”.
According to the minister, digital platforms have a moral obligation to join the fight as part of their social licence and have more than adequate resources to invest more in a significant uplift in consumer protection. The second phase of the government’s response may include mandating that social media platforms verify advertisers and take down scam pages. Meta has responded to the minister’s remarks, noting that it had “signed up to the Australian Online Scams Code along several other digital platforms, introduced SMS verification for new advertisers and removed 63,000 accounts in Nigeria attempting to target people with financial sextortion scams”.
Reimbursement or compensation
Consumer Group CHOICE is also calling on the Australian Government to introduce a mandatory reimbursement scheme in Australia.
Whether Australia will adopt a mandatory reimbursement scheme on a similar basis to that of the UK’s scheme via the Framework is yet to be determined. The minister’s latest remarks at the national press club on 31 July 2024 referred not to reimbursement but to compensation in the right circumstances.
Should Australia’s whole-of-ecosystem approach fail to make further progress against the scourge of scams, the government may impose stricter requirements on liability, including the potential for mandatory reimbursement. Policy-makers would look to the experience of the UK mandatory reimbursement scheme, including any unintended consequences, in designing any such scheme in Australia.
While the scourge of scams remains endemic, this Scam Awareness Week there are at least some first signs that Australia’s whole-of-ecosystem approach is beginning to work. More work is required, including from government in bringing forward a Bill to establish the Framework, before Australians are able to tell more positive stories of stopping scammers in their tracks.
Visit Smart Counsel