Cybersecurity

How cybercriminals are targeting asset finance instant messaging

With cyber security concerns on the rise thanks to Covid-19, Miles Rogerson considers what this means for commercial brokers and providers of equipment financing

Closing IT loopholes exploited by cybercriminals who are targeting the asset finance broker and lending community should be at the top of executives’ agenda, particularly as cybercrime has spiked since the onset of the pandemic, according to Matthew Elliot, chief development officer and co-founder of Nivo, an identity verified messaging service provider.


“Everything has become much more digital in the last two years as a result of the pandemic alongside a shift in consumer expectations” and “this has led to more sensitive data flying around, more opportunities for cybercriminals and fraudsters to exploit,” he said.


In this climate, he said brokers and lenders need to understand exactly what is driving risk and how this is changing.

Cybercrime: risks

Elliot pointed to a 400% increase in cybercrime since the start of the pandemic, highlighting the need for lenders to pay attention to the technology systems and processes they use to ensure they aren’t leaving themselves open to an attack or putting customers’ data at risk.


Paul Spinks, co-founder of Alpha Asset Finance, a brokerage, recently announced a tie-up with Nivo, in a bid to reinforce the company’s application process.


Spinks said there had been a “significant increase in fraudulent activity in the asset finance sector during the pandemic,” and laid the blame at the feet of the restrictions that, while necessary, dulled the due diligence process.


For example, lenders and brokers were suddenly unable to visit a customer to certify their identity face-to-face, meaning that fraudsters manipulating customer data and cloning business websites could impersonate a customer in a much more convincing way.

In other cases, fraudsters were able to intercept customer invoices and direct the payment to themselves instead of the customer.

What are the solutions?

To help mitigate these risks, Elliot and Spinks identified five key areas that lenders should be vigilant about when conducting business.


These include:

  1. How do you prove that the person you’re talking to is who they claim to be?
  2. How can you be confident that the data they’re providing you is accurate?
  3. How do you collect and share personal information with intermediaries and partners?
  4. How do you store this information?
  5. How do you prevent malicious software from entering your organisation?


Elliot hailed “biometric identity verification and open banking” as examples of modern technology solutions that are “not only higher quality and lower risk than traditional checks, but also faster and more convenient for the customer too.


“When it comes to communication, sharing of data, and risk of viruses, email in particular is a major risk area,” he said. “It’s still used across the industry because it’s ubiquitous, but it is a horrible solution from a risk perspective, with a high chance that a fraudster can intercept personal information and it provides a doorway for bad actors to send malicious software through.”


For example, a hacker will monitor legitimate email exchanges between lenders, brokers and customers, then steal the bank account or identity information and use it to create a seemingly legitimate yet fraudulent profile. Alternatively, the hacker may step into the conversation, posing as one of the parties but changing a few lines in an invoice such that the funds are sent to the fraudster’s account.


In these cases, if the lender had used a secured communications network to transfer sensitive information to brokers and consumers instead of email, the fraud could have been avoided.


“It’s also crucial for brokers and lenders to maintain security after an approval has been received,” Spinks added. “Just because it has been approved, it doesn’t mean that information sharing is now less risky.”


“A number of conditions come with an approval and this process involves further sharing of confidential information. Maintain vigilance!” he warned.

Added benefits

Elliot was quick to highlight the silver lining, stating that the vast array of “new technologies which have been developed to mitigate these risks typically also speed deals up with a more streamlined user experience and as such have a time and cost business case alongside the risk benefits.”


Identity verified messaging, which mixes the speed and convenience of instant messaging services such as WhatsApp with bank standard security and FinTech features such as ID checks and e-signing, is an ideal way to shift away from the unsecure legacy channels such as email, paper and phone.


Earlier this year, Nivo and Alpha announced a partnership based around combatting the rising fraud in the asset finance sector. On 30 May, the pair launched a mobile app, integrated with Alpha’s ACE portal, featuring Nivo’s white-label technology that enables customers to complete biometric ID verification via their mobile device in minutes.


Speaking on the experience, Spinks said the new tech “gives the customer a seamless, secure experience. Information can be sent securely to the lender, so [Alpha] knows it’s not going to get interrupted, and from a customer perspective, they know they’re minimising their risk of future ID fraud when, historically, it would have been sent via email.”


Elliot added that in the interests of a safe, regulated industry, it’s “far from best practice” to ask customers to share sensitive personal information over email, because it is “putting that data and that individual at risk.”

What will the future bring?

Spinks highlighted the responsibility for all asset finance brokers to run a “tight application process”, as they are the first line of defence in identifying fraudulent activity.


“It’s part of the regulatory requirements, as laid out by the Financial Conduct Authority (FCA), as well as the relationship with the lender,” he said.


Elliot forecast an industry shift away from emails for risk and compliance reasons; GDPR puts an onus on service providers to keep customer information safe. “That’s impossible as soon as you put it out on email,” he said. “I am also anticipating wider industry adoption of trusted standards such as ID verification, e-signing and open banking which are harder to defraud.”


Another area that Elliot and Spinks highlighted for development in the coming years was the secure sharing of verified customer data.


“Under the traditional approach, the customer often shares their personal information multiple times with a broker, lender and solicitor,” which Elliot condemned as a waste of effort.


As such, Elliot said Nivo was strongly advocating for technology to allow the customer to provide this data once, and then consent for it to be instantly shared across multiple different organisations through the course of a loan application.


“The technology to do this exists,” Elliot said, “the challenge and opportunity rests with lenders and intermediaries collaborating to adopt it and realise the speed and security benefits at an industry level.”