In the previous instalment of this two-part article, we looked at rapid evolution of the payment landscape and how, alongside this transformation, payment fraud is adjusting too. One of the biggest challenges to banks and Payment Service Providers (PSPs) is from customer authorized payment scams – where tried and tested fraud detection methods do not work.
In this chapter we take a closer look at the main fraud threat types and how organizations defend against these.
Unauthorized payment fraud (a.k.a. account takeover)
Unauthorized payment fraud happens when a criminal has compromised a customer’s credentials or been able to pass customer authentication and gain access to the account. Typical examples of this are via phishing or malware collecting online login information. Once the fraudster has accessed the customer’s account, they are able to set-up and make payments without the customer’s knowledge.
Let’s start with the good news: it is safe to say that banks and PSPs are better equipped and have more effective tools at their disposal for tackling unauthorized payment fraud.
In a world of immediate payments and as a result the increased payment fraud risk, banks and PSPs have pretty much universally adopted multi-factor authentication and real-time fraud monitoring. This is being further entrenched within Europe with the PSD2 regulation which mandates these controls.
Added to this are other fraud profiling tools like device identification, which enables device risk assessment, and behavioral biometrics which tracks the user device interaction during an online session. These are tools and techniques that, when combined with sophisticated real-time fraud detection systems which use advanced analytics and machine learning, will be very effective.
Layered together these tools and controls can provide an effective defense against unauthorized account access and fraud. And even if banks and PSPs don’t stop all unauthorized fraud, they can stop a high enough proportion to make it hard work for fraudsters – and reduce the likely return on investment they could achieve.
And now for the downside. In response to improved controls and customer protection against unauthorized payment fraud, criminals have been forced to look for easier options with higher financial return. One tactic used is to contact the customer and dupe them, also known as social engineering, to authorize the payments themselves. This effectively bypasses several controls that banks and PSPs – and even regulators, via PSD2 – have worked so hard to implement. It means the customer passes the multi-factor authentication on their own device. Detecting authorized payment fraud is much harder and it is leaving consumers and businesses around the world increasingly exposed to this type of fraud.
Authorized payment fraud (a.k.a. payment scams)
There are many different types of payment fraud scams. An example could be where the criminal dupes their victim into paying for non-existent goods or investing in bogus investment schemes. Businesses are equally susceptible to these scams through invoice manipulation or false instructions to an accounts department employee from a member of the company’s executive team.
The United Kingdom is one of the hardest hit countries in terms of scams – £450m in 2019. While in the United States the Federal Bureau of Investigations (FBI) reported business scams costing victim organizations $1.8bn in 2019. And these are reported cases – the tip of the iceberg.
Customer authorized payment scams also evolve quickly. Criminals need a story that preys on a victim’s anxiety using the fear that they will lose money or on people’s greed by dangling an easy money-making opportunity. Covid-19 is unfortunately a good example of how criminals can adapt a story to prey on victims’ fears and dupe them into making a payment. We’ve all seen or heard of the scams involving the purchase of Personal Protective Equipment (PPE), track-and-trace scams, and scams offering access to Government relief funding.
So, fraud has moved on, with fraudsters recognizing that the customer is the weakest link in the chain. And this creates a big challenge for the banks and PSPs. Authorized payment scams are not just harder to detect but also more difficult to manage when you can detect it. With authorized payment fraud, a fraud investigator would have to figure out “Is this the customer?”. But that series of investigations doesn’t apply in this scenario; instead the question needs to be “Is this customer being duped?”. This is a much harder question to answer, particularly as the duped victim will have been primed with a viable cover story.
How do we stop authorized payment scams?
That is the big fraud challenge that will occupy all payments organizations: regulators, banks, PSPs, vendors, for the next few years.
A key part of the answer is through coordinated industry-level mitigation initiatives such as customer education, payee information sharing, efforts to target and act on money mule accounts, right up to facilitating the recovery of funds. Using targeted, in-journey messages helps with customer education and awareness. The effectiveness of these messages means customers can make the right decision ‘in the moment’.
In addition, the Contingent Reimbursement Model is an example of how the UK has made some progress by taking measures to increase ownership and accountability for losses onto banks and PSPs in a bid to reduce the impact on victims.
But what can banks and PSPs do to protect themselves and their customers?
The answer: Adaptive real-time fraud detection systems for both outbound and inbound payments. Taking a more holistic view of the payer and payee accounts to target money mule accounts more effectively should be a key part of this approach.
And using adaptive machine learning techniques and behavioral profiling can help to identify and spot anomalies in customer behavior. Making it quicker and easier to recognize the genuine customer, but crucially, that the customer is not behaving like they normally do.
As the criminals have adapted their methods, banks and PSPs need to also adapt their approach in response to target anomalous customer behavior more effectively.
Watch the recording from my recent talk on this topic and learn more about the ARIC™ Risk Hub.