In Why Is It Hard To Catch Cybercriminals?, we considered a canonical case of a cybercrime:
Joe pays Jane online for something and does not receive that something he was promised.
In the following two years, we’ve been hearing about romance scam, courier scam, pig-butchering scam, investment scam, online job scam, and so forth. All of them are variants of the same theme above where the scammer falsely induces the victim to make an online payment for something that she does not deliver.
Generative Artificial Intelligence (GenAI) is raising the cybercrime stakes to the next level. According to Eye for AI newsletter from FORTUNE magazine:
2024 saw brand new types of generative AI-enabled digital fraud make headlines, from a deepfaked video call that cost a company $25 million to new research on how AI copilots being built into enterprise software can be weaponized as “automatic phishing machines“. Even classic phishing attacks are getting worse and getting more personal, the Financial Times reported today, thanks to AI bots’ ability to easily ingest large amounts of data about a company or person’s style and tone and then easily replicate it. They can also scrape data from a person’s online activity to make phishing emails more personal, and thus more convincing.
Although Jane has defrauded Joe in all these cases, these are called “scams” – and not “frauds”. The reason for that will become clear in a bit.
In this post, I’ll describe the steps taken by regulators to crackdown on cybercrime in various jursidictions in the last year or so. (Spoiler Alert: Nobody has enforced my Three Strike Rule To Eliminate Cybercrime although some have come close.)
United Kingdom
The Supreme Court of UK ‘closed the doors’ opened by the Court of Appeal for certain fraud victims to bring claims against their banks (Source: The Law Society Gazette). In Philipp v. Barclays, the Supreme Court ruled:
When a bank receives a valid payment order that is clear… about what is required in order to carry out the order, it is its duty to execute the order by making the requisite payment.
That resonates strongly with my take on this subject.
I wish there was a more pleasant way of putting it but the payor is the only person left holding the can for a cybercrime.
However, the UK Payments Systems Regulator has enforced Drunk Under Lamp Post regulation and told banks to reimburse victims of FPS APP scam (see update at the end of the post).
As soon as I heard about this, I predicted that banks would retaliate by delaying payments.
Banks will thank regulators for providing the chance to delay payments and earn float income under the pretense that they’re “carrying out extra due diligence on the authenticity of the payment”.#APP #Scam #A2ARTP https://t.co/QqjN9cDPdA via @theregister
— Ketharaman Swaminathan (@s_ketharaman) September 21, 2023
That’s exactly what happened.
UK payments could be delayed up to three days to prevent fraud. The UK Treasury will give banks new powers to delay payments by up to 72 hours to investigate suspected fraud or scams. – Finextra.
Not sure what’s the role of law enforcement under this reimbursement regime. End of the day, the victim has been defrauded by the scammer and not bank, and deserves redress from the police towards nailing the scammer.
India
Banking regulation in India has traditionally veered towards throwing the baby out with the bathwater. From My Two Cents On PayTM Kerfuffle:
RBI has promulgated many regulations … like Reg Emandate, Reg CofT, and Reg Positive Pay. They target entire industries or sub-industries aka throw the baby out with the bathwater.
However, in the case of UPI / payment scams, we’re seeing a very nuanced response from the regulator Reserve Bank of India (RBI) and the UPI scheme operator National Payments Corporation of India (NPCI). I’m glad that India has not taken the populist approach of penalizing banks for such scams.
But, at the same time, it’s not ignoring these scams either. I’ve seen tons of concerted action from all stakeholders to thwart cybercrime.
- RBI, NPCI and many banks are running high visibility print, TV and social media campaigns to warn consumers of cybercrime.
- NPCI has made it crystal clear that UPI payments are irreversible aka irrevocable.
- State Bank of India, India’s largest bank, has issued a warning about AI Deepfake investment scams.
- Law enforcement is fully engaged in the fight against online scams. The cybercrime department of police has been active in trying to reverse as many scam payments as possible, especially the ones reported in the so-called “golden hours”.
- Police has set up a so-called Cybercrime 14C Portal in which scammers’ bank account details are logged as soon as scam victims log a complaint. Finance Ministry has asked banks to integrate their systems with 14C. Once done, this will enable banks to know if the intended payee is a scammer before the fact and block the payment before it happens.
- The government has recognized that mule accounts and fake KYC documents are two main reasons why it has been difficult for law enforcement and banks to recover proceeds of scams even though the monies are received in bank accounts. Accordingly, per Economic Times, the ministry of finance is stepping up vigil on digital banking channels, which are reportedly the go-to channels for originating these so-called “Farzi KYC” accounts, in order to weed out mule accounts. (Fingers crossed that there aren’t too many false positives ending up flagging genuine accounts as fraudulent!).
Hope the above collaborative efforts from multiple parties work to curb cybercrime.
“Victims Of Frauds Are Promising Targets For Subsequent Frauds. Nobody Ever Learns Anything From Experience” ~ @matt_levine .
+1.
Not only is a sucker born every minute but s/he stays a sucker forever. Like the guy who entered an OTP 6 times to make a payment – to a scammer. pic.twitter.com/BRfW8NC4KW— GTM360 (@GTM360) April 6, 2023
United States of America
There was no significant action from regulators for a year and a half.
Then, in early 2024, Senator Elizabeth Warren urged Consumer Financial Protection Bureau to write tighter regulations to root out scams on Zelle, the Account-to-Account Real Time Payment of USA (Source: CNBC). This entailed changing the law to treat falsely-induced authorized payments as unauthorized payments and giving them the same protection that fraudulent payments currently have.
This went up a notch when, in late 2024, CFPB sued three major banks and Early Warning Services LLC alleging that they rushed to bring Zelle to market without first ensuring users would be protected against widespread fraud (Source: CBS News). For the uninitiated, EWS is the consortium of top American banks that runs Zelle.
Notwithstanding the above political and regulatory bluster, neither banks nor Zelle is obligated to reimburse victims of APP scams as of now. I wonder if the bluster will survive the current Trump Administration (see update at the end of the post).
While no country has implemented my Three Strike Rule To Eliminate Cybercrime, LinkedIn user William Friend has an interesting suggestion:
Instead of outing victims from digital payments after the third strike, banks should force them to star in ads for free, advising how others can avoid being scammed.
In many jurisdictions, there are strong suspicions that scammers are converting the proceeds of their fraud into bitcoin. On the face of it, this might seem bad for nailing the criminals. But, as Matt Levine points out, Bitcoin is no longer a great way to do crime.
2012: Bitcoin was a good way to do crime in 2012.
2023: Bitcoin is a bad way to do crime in 2023.
Also 2023: Bitcoin is retrospectively a bad way to have done crime in 2012. Exhibit A: USA v. James Zhong.
H/T @matt_levine— GTM360 (@GTM360) May 4, 2023
This is because there are advanced tools now available that can trace blockchain transactions. For the uninitiated, all crypto transactions are in the public domain, only the conductors of the transactions are anonymous. These modern tools are able to pierce the confidentiality and expose the identify of the bad actors.
“There’s a weird mix of opacity & transparency in crypto: Everyone can see trades and balances on blockchain, so it’s easy to start rumors and snipe at risky positions, but nobody publishes audited balance sheets, so it’s hard to inspire market confidence.”
— @s_ketharaman November 11, 2022
Readers might have noticed my consistent use of the term “scam” rather than “fraud” to denote romance scam, courier scam, pig-butchering scam, investment scam, online job scam, and other forms of cybercrime.
This is intentional. As described in the exhibit on the right, there’s a fundamental difference between scam and fraud: Scam is authorized payment; fraud is unauthorized payment.
By definition, APP means “Authorized Push Payment”. How can an authorized payment be an unauthorized payment? In my oft-expressed opinion, the term APP Fraud used commonly by the media is an oxymoron.
While the victims may have been deceptively induced to authorize scam payments, the sad fact is that they have authorized them. Ergo the resulting dispute is between them and the perpetrators. While they can seek legal recourse to get their money back, their payments are authorized – ergo not fraud – as far as banks, social networks, mobile network operators, and the other parties involved in the transaction are concerned.
UPDATE DATED 7 MARCH 2025:
- The new UK government might abolish UK Payments System Regulator itself! More at UK Government mulls abolishment of Payment Systems Regulator via Finextra.
YaaY, I’d predicted that the UK government would abolish PSR’s populist drunk under lamp post regulation re. APP Scam Reimbursement soon after the elections. I never dreamt that it would mull abolishment of PSR itself. Great move, hope it materializes sooner rather than later.
- The new Trump administration in USA has dismissed CFPB’s case against Zelle and top three banks. In addition, it has almost dismantled CFPB itself. More at CFPB drops lawsuit against Bank of America, JPMorgan Chase and Wells Fargo over Zelle fraud via AP News.
