Securing the borderline between product design and product usage: Kyle, Lead Trust & Safety
Security is at the core of everything we do at N26. Kyle from our Trust & Safety team shares insights on why we constantly research potential threats and issues that might compromise your money.
Kyle and his team scan the web for potential security threats every day. Their specialty: collecting, analyzing and providing information on scams and attacks on banks, fintechs and other digital services to multiple teams within N26 in order to make our products even more secure.
Kyle, your team’s name combines two fundamental requirements for a bank: trust and safety. What exactly is it that you and your team do on a daily basis?
At N26, we do everything we can in order to keep the bank accounts of our customers and our systems safe. Product security plays a fundamental role in that. But there’s also a human component in the area where product design and product usage overlap. That’s where N26’s Trust & Safety team comes in.
In a nutshell, our responsibility is to protect N26 customers from fraud schemes, which usually present themselves as bad actors trying to enter accounts or scam people out of their money. The stories you may hear on the internet about people who get a call from someone who claims to represent their bank and they end up losing thousands of Euros – that’s an example of what we’re trying to address.
In order to do so, we constantly monitor the internet for phishing and infringement against N26 – basically anything that looks like N26 but isn’t, and is targeting our customers. This may, for example, happen via text messages fraudsters send to customers claiming to be from N26 and urging them to click on a link, call a phone number, or reply with their PIN or login details, in order for the fraudsters to obtain the customers’ personal data and gain access to their accounts.
We also do broader research on new types of phishing attacks, scams and fraud schemes. Constant monitoring is necessary because malicious actors are, unfortunately, quite innovative and their methods change frequently.
What happens with all of the information you gather?
You can look at Trust & Safety as an intelligence provider. For example, information on potential cyber attacks is fed to product development teams and used to make the N26 app even more secure; we strive to ensure any new product offerings anticipate emerging threats before they are released to customers. Beyond that, information on the latest fraud trends and scams helps our teams to detect suspicious activities on customer accounts even quicker.
Additionally, we also help inform N26 customers directly about online banking security: N26 has a blog, newsletters and social media channels where we share tips on how to stay safe when banking online and scams to watch out for.
Malicious actors will usually try to keep their methods to themselves. How do you find out about fraud schemes and scams?
You’d be surprised how many fraudsters actually brag about their methods and "accomplishments" online! But we get information from several different sources: To understand what kind of scams N26 customers are reporting, we conduct social media research, Deep and Dark Web investigations, and are in constant exchange with customer service. Also, we are well-connected with colleagues from other companies internationally in order to exchange intelligence.
Staying constantly aware of all kinds of scams that may or may not affect N26 sounds like quite the challenge, but also rewarding. What do you enjoy the most about your job?
Fraud is constantly changing and, with growing dependency on digitization, online crime has increased significantly over the past years. We'll often see bad actors both react and try to get around any walls we build to protect users. It is fascinating to investigate who these people are, what makes them tick and watch their reactions to any potential mitigation measures we apply. At the same time, it can also be challenging due to the nature and speed of change.
From your perspective, what difference does N26 make in improving banking security?
One thing that really sets N26 apart is that we put our customers’ security at the centre of everything we do and every product or feature we develop. This allows us to prevent potential fraud issues from even being possible because we take the right measures proactively.
Are you noticing any new trends with regard to scams or fraud patterns? How much has the face of it changed over the past years?
There’s constant change in fraud. Consumers are getting better educated on fraud topics and as an unfortunate result, the bad actors are also getting more sophisticated and innovative in their schemes. There are several schemes we hear about regularly, such as fake shopping websites or Vishing, where fraudsters contact consumers via phone calls or voice messages in order to obtain personal information and ultimately, money. However, the biggest trend I'd like to highlight is Authorized Push Payment Fraud.
Like other schemes, this one revolves around malicious actors deceiving consumers into willingly making a payment to an account that is controlled by the fraudsters. This can happen in many different ways. The crux of Authorized Push Payment Fraud is the focus on real-time payments. Since these payments are instant and irrevocable, victims are unable to reverse the payment when they find out that they’ve been scammed. That’s why at N26, we recommend that customers generally only make real-time payments to people they know and trust.
What’s the one thing customers should know about online security?
It’s important to understand that online security is just as important as security in the physical world. So, the biggest kind of advice that I would give to users is to be skeptical about everything. I know how this sounds but let me assure you that I don’t want consumers to be paranoid. But if you’re approached by anyone with a request, especially online – be it a person claiming to represent a product or service you use, a potential employer, or someone on a dating app – take a step back and look at what you’re being asked to do. While scammers can be very good at convincing their targets to act irrationally using social engineering techniques, their requests usually don’t make a lot of sense at second glance. A healthy dose of skepticism often does the trick.
There are a few more pieces of general advice I would like to add:
- If you receive an email or text message from your bank, payment provider or any other company that urges you to take immediate action, be careful. In some cases, there may actually be malicious actors behind the message. N26, for example, will only communicate content that includes personal data via the inbox in your N26 app and users are only prompted to respond in the app – not via email, text or phone. You can also always reach out to customer service via chat if you want to confirm whether someone reaching out to you truly represents N26.
- If you get phished and a malicious actor has your email and password for a particular service, that’s obviously bad in that they can gain access to your account with that exact service. But more often than not, that bad actor is going to take that information and try it on any other website they think of. So don’t use the same credentials for multiple services!
If you ever suspect that you may have fallen victim to a scam or fraud scheme, file a report with law enforcement. Companies aren’t authorized to do it on your behalf because they are not the victim in legal terms. Cybercrime cases may still be harder for law enforcement to process but the number of reported cases of a particular type makes a difference: it helps identify patterns and may also allow law enforcement to assign more resources to an investigation.