Senate Panel Hears Plea for Action on Bank Spoofing Scams

Top Lobbyist Says Regulators Should Do More to Combat Caller ID Spoofing

A top U.S. banking lobbyist told a Senate panel Thursday there are limits to what financial institutions can do to stop scammers from draining individual banking accounts and called on regulators such as the Federal Communications Commission to do more to combat caller ID spoofing.

A consumer advocate told the panel that Congress should strengthen consumer protection laws and ensure that banks – not individuals – are responsible when victims of phishing attacks lose money through wire transfers.

The Senate Committee on Banking held a hearing on scams and fraud just days after the New York attorney general sued Citibank, alleging that the third-largest bank in the United States had failed to protect consumers from scammers. Existing statute is sufficient, said Attorney General Letitia James, to ensure that banks must cap consumer losses to minimal amounts when fraudsters initiate a wire transfer by impersonating a legitimate account holder.

Citi said it is “not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived” (see: New York AG Sues Citibank for Poor Phishing Protections).

The Federal Trade Commission last June observed a nearly twentyfold increase in reports about texts impersonating banks in scams that have a median consumer loss of $3,000. Some victims highlighted in James’s lawsuit had retirement savings worth tens of thousands of dollars stolen from underneath them.

“Pretty much everyone has either been scammed, or knows someone who has been scammed, when trying to use a financial service,” said committee chair Sen. Sherrod Brown, an Ohio Democrat.

The FCC has mandated network standards known as STIR/SHAKEN that are meant to decrease spoofing by digitally signing calls at their source.

“Unfortunately, technical limitations of existing networks used, particularly non-IP networks, and calls originating from overseas communications providers have hampered the effectiveness of the framework,” said Paul Benda, an executive vice president with the American Bankers Association, in written testimony. The lobbying group said the FCC should block any caller ID from displaying unless the origin can be authenticated, even at the cost of dropping the caller ID from legitimate callers.

Benda also called on social media companies to root out more accounts pretending to be bank employees. “Banks clearly play a key role in fighting fraud, but unless every player in the ecosystem joins the fight, criminals will continue to steal at a scale we’ve never witnessed before,” he wrote.

But banks could do more, said Carla Sanchez-Adams, a senior attorney at the National Consumer Law Center. “We absolutely cannot push the entire burden of payment fraud onto consumers,” she said.

Most consumers lack the resources to fight a financial institution’s rejection of claims for restitution over a scammer’s wire transfer, she said, and she called for changes to federal law that would explicitly protect consumers from liability when they’re defrauded.

Government watchdogs have long called on the FCC to do a better job of managing spoofing and other fraud risks across sectors and programs. The FCC recently has taken steps to combat spoofing and other illegal robocalls, including launching a “robocall response team” that had a “significant impact” in disrupting illegal robocall traffic across multiple networks, the commission announced Tuesday.

The FCC said it has worked with the FTC and gateway providers such as CenturyLink, Tata Communications and Bandwidth to help put an end to international robocalling operations.