“Verify your details,” reads the subject line of the email as it exhorts you to upload your driver licence, passport, Medicare card, or birth certificate “to better protect your account [and] enter your identity details exactly as they appear on each ID document.”
The email looks legit, but in an era of AI-enabled scams even the most malicious emails are well crafted and cleanly written – and you provided 100-point identification when you opened the account, so is it actually from your bank?
Or – with personal details at risk, stolen passwords exploited, banks under constant cyberattack, the National Anti-Scams Centre taking down 20 scam websites every day and 47 per cent of all Australians victims of cybercrime last year – is it just another drop in the flood of scam emails?
“What we’re seeing is an ecosystem where attackers are using AI and automation to create more convincing scams that are harder to detect,” NordVPN chief technology officer Marijus Briedis said, warning that too many Australians “still fail to pause and ask ‘Is this legitimate?’” before clicking.
Echoing general best practice guidance around scams, Briedis advises anyone who receives such an email to stop, check, and protect – and to “never provide money or personal information if you feel uncertain.”
“Build that instinct to pause and verify,” he said. “Scammers rely on creating urgency and pressure to make you act without thinking… our best defence is always that human judgement, trusting your gut when something doesn’t feel right, and taking the time to double-check before you act.”
It’s a scam – except when it’s not
The thing is: sometimes, as in the case of the above banking email, the request for information actually is legitimate.
Even when you’ve been a customer of a bank for many years, banks may well contact you to reverify your identity as part of ongoing regulatory requirements known as ‘know your customer’ (KYC), anti-money laundering (AML), and/or counter terrorism funding (CTF).
Those rules – which are enforced by government regulator AUSTRAC under the AML/CTF Act – are designed to ensure that funds can be traced to their owners as they move around the financial system.

All financial institutions are required to re-verify your details every five years. Source: Shutterstock
Compliance is mandatory and AUSTRAC isn’t shy about pursuing offenders – with the agency in July alone launching civil action against pokies firm Mounties and Western Union Financial Services even as it finalised enforceable undertakings with prior offenders NAB, PayPal, and Perth Mint.
KYC checks are a core obligation on banks and other financial firms, which must verify customer identities before any financial transactions and, whether due to changes in customer behaviour or ongoing customer due diligence (OCDD) obligations, may have to re-verify customer identities.
This means they must collect and verify the authenticity of customer identification documents – yet, in a nod to the security risks of accumulating large volumes of customer ID information, they are not required to keep copies of those documents once the verification is complete.
Major banks were reluctant to go on the record with Information Age to discuss specifics of their policies, although one said KYC details are refreshed every five years or more frequently in certain cases – and that they do hold onto customer information in keeping with regulatory requirements.
All advised customers to be vigilant in assessing incoming emails for signs of fraud – including the use of links in the email, which banks have generally stopped using; inaccuracies in the information or inconsistencies in senders’ email domains; or creation of a sense of urgency.
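The three warning signs the banks list (links in the message, inconsistent sender domains, manufactured urgency) can be checked mechanically as a first-pass triage. The sketch below is an added example, not code from the article or any bank; the sample message, the `bank.example` and `bank-example-support.test` domains and the urgency word list are constructed assumptions, and a clean result does not prove a message is genuine, since visible sender addresses can be spoofed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; both domains are placeholders, not real senders.
SAMPLE = """\
From: "Example Bank" <security@bank.example>
Reply-To: verify@bank-example-support.test
Subject: Verify your details
Content-Type: text/plain

Your account will be suspended within 24 hours. Act now:
https://bank-example-support.test/upload-id
"""

# Assumed urgency phrases; tune to the mail you actually see.
URGENCY = re.compile(r"\b(act now|immediately|within \d+ hours?|suspended|final notice)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def under(host, trusted):
    """True if host is the trusted domain or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

def triage(raw, trusted_domain):
    """Return the list of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    # Concatenate leaf parts as-is (transfer encodings are not decoded here).
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    flags = []
    links = [urlparse(u).hostname or "" for u in URL.findall(body)]
    if links:
        flags.append("contains-links")
    if any(not under(h, trusted_domain) for h in links):
        flags.append("link-domain-mismatch")
    senders = {domain_of(msg[h]) for h in ("From", "Reply-To", "Return-Path") if msg[h]}
    if any(not under(d, trusted_domain) for d in senders):
        flags.append("sender-domain-mismatch")
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        flags.append("urgency-language")
    return flags
```

Any flag is a reason to contact the bank through its own app or published phone number rather than a verdict that the message is fraudulent.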

Your bank may need to verify certain details. Source: Supplied
Contact the bank or other organisation directly by phone, or through their secure website or app – which is, at the very least, an environment that’s under the bank’s control; never send money to anyone you can’t identify; and don’t be afraid to ask for advice before trusting anybody online.
Your body is the new identification
With banks facing what OpenAI’s Sam Altman called an “imminent fraud crisis” from increasingly criminal-friendly AI, Australian banks are changing the way they verify customers – with NAB recently following ANZ and CBA by allowing customers to verify themselves using phone selfies.
New customers will be asked to provide a selfie when taking on a new product or account, NAB confirmed, in a move that NAB executive for group investigations Chris Sheehan called “stopping fraud at the front door.”
A recent TELUS Digital survey found 60 per cent of Australian businesses will increase KYC spend this year, with 34 per cent citing regulatory pressures and 28 per cent blaming the increase on data breaches – and 73 per cent saying that ID verification had become a higher priority in the past year.
“Relying solely on document uploads may soon not be enough,” warned Troy Nyi Nyi, APAC senior vice president and general manager at anti-fraud firm SEON, noting that “fraudsters are becoming increasingly sophisticated… institutions need to think beyond static checks to stay ahead.”
Customers “dislike lengthy onboarding steps they cannot resonate with,” he said, adding that “the solution lies in layered verification strategies that go beyond basic compliance” – an approach Australian fintech Moneyme is taking after recently engaging SEON for KYC and fraud prevention.
That platform draws on 900 different variables, such as email, phone, IP, and device data, to build what Nyi Nyi called “a more holistic customer profile in real time”.
“While passports and IDs will always be a cornerstone of KYC processes,” he said, “the future of verification belongs to organisations that embrace a flexible and intelligent system.”