Collaboration is the Key to Fighting Cyber Fraud in Italy

Fraud is changing, says Romano Stasi, Managing Director, ABI Labs. More and more, fraudsters don’t break into systems – they trick customers into giving the threat actor access to their data and accounts. Italian banks are responding with investments in customer education, cybersecurity, and AI tools – even funny commercials aimed at potential victims. Still, Stasi believes collaboration within banks and across the ecosystem is necessary to fight fraud.  

Transcription (edited for clarity)   

Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to the FS-ISAC podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC. The fraud landscape is shifting, with threat actors increasingly focused on customer manipulation as opposed to compromising systems. I spoke with Romano Stasi, Managing Director at ABI Labs, to discuss the challenges faced by banks in preventing fraud, the importance of customer awareness, and the future of fraud detection. 

Heathfield: Thank you so much for joining us. We're happy to have you. So let's start with talking about the current fraud landscape, especially in Italy and Europe. What is top of mind for your members and the Italian ecosystem? 

Romano Stasi, Managing Director, ABI Labs: So, according to our data, we see a significant change in the banking security landscape that cannot be ignored. The first points of entry are the citizens and the customers. So this is a change in the mindset that we have to manage as a security expert responsible for fraud management. It is increasingly the case that fraud is not committed by breaking into systems, but by convincing the customer to do it themselves. That is what we call the manipulation of customers. Phishing has become an act of persuasion. Instant payment has become the perfect weapon to move money between banks that are later referring to frauds. 

So Italian banks are reacting in two different measures. More investment, first of all. We are reaching half a billion euros per year as annual cost for cybersecurity, for prevention. And also they are investing more in people. Internal teams and internal experts in the Italian financial sector are becoming more and more dedicated to the specific issues we see in the banking sector. So it's a kind of specialization between the larger world of cybersecurity skills, and so more and more also the awareness and collaboration between bank experts and the customers, and between bank experts and different financial entities. So this is the main focus, we see more investment and more collaboration. 

Heathfield: What would you say are the main challenges in this new kind of paradigm? Because I would imagine that getting customers to pay attention is always a challenge, right? Everybody has busy lives, and they want to just be able to do their financial transactions as quickly as possible. 

Stasi: The fraud chain is more and more complicated, and the customer is involved by different players. So we need to work not only by collaborating in the banking sector, but also we need to involve other industries. This is what we see as the most complicated challenge we have to face, to reduce the scams and frauds that are involved with our customers.  

What we see as of primary importance is that all stakeholders are involved in addressing systemic vulnerabilities. Institutions are pushing more and more for an integration of the digital ecosystem. But at the same time, we don't see a clear distributional responsibility that is necessary to tackle vulnerability to attack in an integrated, collaborative manner. 

So just something simple. If we talk about channels, the bank cannot ensure the security of any mobile channel because the telecom operators are responsible for that. Everybody knows that the mobile channel is the primary remote information and operational device. Telecommunication operators can do a lot more to enhance the security on digital services, collaborating with the banking sector. So we see that 70% of the scams that we see in our banking customers have been started using remote channels using SMS and calls that are reaching the customers. So we need to be sure that the customer is not trusting this channel and requests coming from this way. So it's a complicated matter, but we need to work more with the telecommunications operators. They should be in charge of reducing spoofing SMS aliases that are used by fraudsters. 

Heathfield: One thing that has come up a lot in my discussions with various [FS-ISAC] members has also been that, internally within financial institutions, cyber teams and fraud teams are historically totally different and separate. Because fraud was, you know, more of a mitigation issue, determining whether or not something was fraud. It was after-the-fact, almost more like a law enforcement function versus cyber. So, integrating those as more and more fraud is happening through digital channels has been a challenge. Do you find that that is the case in the Italian ecosystem as well? 

Stasi: Of course. It's really important that we have a strong collaboration between different departments inside the bank. I can also add anti-money laundering. That is another department, another specialization, another kind of skill that we need to put together with the cyber expert and fraud experts. Because at the end, we see that fraudsters and hackers are looking for data. They need data, they need to have customer data, and they use this data to access our financial services. They use this data for impersonation. And sometimes they are able to collect this data from third parties, from fintechs, from other players that are outside the banking infrastructure. 

But then we have to put in place systems, monitoring systems, transaction monitoring tools, that are able to detect this kind of operation, this kind of transaction, collecting technical data together with data coming from the customer behavior. So the technical data may be referred to our cyber expert. The usage of channels is more referring to the sales department, marketing department, the fraud department. At the end, we need to intercept and block the activity in every single step. And this is something that we do only if we collaborate inside the bank and also with other banks. 

Heathfield: It seems like you mentioned, you know, instant payments and all of these non-financial channels where the fraud starts. What would you say is the weighting of fraud prevention – like that the investment needs to be in preventing fraud before it starts versus mitigating fraud after it happens? Because you also were talking about, you know, channels to reverse payments and things like that. I think that that's a challenge, it's a tall order. But would you say that the weighting of the investment that firms need to make in prevention versus mitigation is changing at all? 

 Stasi: Prevention, as far as I see, is more and more awareness. So if the problem starts with the customer that is involved with a fraudster, we cannot do anything from our side. We cannot invest more in tools and systems. We need to invest in making customers more aware and explaining the type of policy we have in place to ensure they can use financial services in a secure manner. 

So we have developed here in Italy a national banking campaign together with the Authority – the Bank of Italy – that is called Inavigati. And in this website we put many different videos describing it in a funny way, we hope, [of] different kinds of scams, different kinds of risks, that they can manage as customers. If they are really well-informed, they can skip the problem. So this is what we see as a very new trend that we need to invest more in, that awareness.  

Heathfield: Okay, great. Anything else that you wanted to say? 

Stasi: Yeah, I want to say that what our model in Italy is. The model that we are using here in Italy is to have a point of contact that is a way to aggregate information for the entire financial sector. This is what our financial CSIRT [Computer Security Incident Response Team] that we have developed together with the Authority and the banking association, that now is aggregating the 77 financial entities. And this initiative is very effective to also, according to the dollar regulation, to share information. 

And to do that, of course, we also need the help of other players, like, for example, FS-ISAC. So I think FS-ISAC is a very useful collaboration for us. So we aggregate and are supported by other players, we are able to share the value of knowing different models, operandi, and different attacks across the world. So my expectation is that more and more we will be able to create a network of networks collecting, connecting different sources across the world to be sure that all banks, the entire banking sector, is a line [of defense] against any new attack or any new kind of fraud that we have. So in this way, we are able to protect better our customers. 

Heathfield: Well, we are certainly more and more involved in fraud prevention and detection activities. It's just become such a major issue for our members around the world, and I expect that that will continue. So thank you so much for taking the time. 

Stasi: Thank you.