Source: Finance Derivative

Ed Kay, Head of Analytic Products, Featurespace

Beyond the APP fraud epidemic – what’s next?

There’s been a lot of media attention paid to Authorised Push Payment (APP) fraud in recent weeks and months, with the Payment Systems Regulator (PSR) tightening up regulations around how quickly victims of these scams should be compensated – and who foots the bill.

APP fraud involves scammers tricking a victim into sending money to a specified account in the belief that they will receive some kind of goods or services in return. The promise is never made good, leaving the victim out of pocket. Some £485 million was lost to APP fraud in 2022 in the UK, with many of these scams originating online.

But now that banks and the PSR are taking more action against APP fraud, scammers are looking for other ways to target consumers and businesses. Cross-channel scams – where criminals utilise multiple spending channels to fraudulently get money out – are set to become increasingly common and financial institutions need to take appropriate action or risk letting down their customers and damaging their reputation.

Getting wise to cross-channel scam tactics

The volume of suspected digital fraud attempts increased by a massive 80% globally between 2019 and 2022, according to figures from TransUnion. Among the fraud types identified in the report were cross-channel scams including account takeover, credit card cloning, and synthetic identity fraud. All of these scams involve criminals stealing information from a variety of touchpoints in order to respectively take control of a victim’s bank account; clone a payment card in a customer’s name; or steal someone’s identity in order to set up a bank account or take out a loan.

Many of these scams originate online, using compelling bait to draw in the potential mark. For example, the cost of living crisis means that people are looking for cheaper deals; often scammers will fake offers that seem almost too good to be true to attract potential victims and begin the process of gathering information. Romance scams are also used to target people at their most vulnerable – such cases have even inspired a recent BBC drama series The Following Events Are Based on a Pack of Lies.

It’s vital that banks adopt the right mindset when it comes to tackling these types of scams. While they may have been taking measures to address APP fraud recently due to the tightening of regulations in this area, they can’t assume that criminals will just give up. They won’t – they’ll instead adjust their tactics and focus more on exploiting customers through other channels and other attack vectors. Layers of protection and prevention only shift the problem elsewhere, and financial institutions need to think holistically about how they can put controls in place to guard themselves and their customers against any new strategies that the fraudsters deploy. Ultimately, protecting only against APP fraud for online payments could cause the epidemic to move to card-based transactions.

The use of machine learning to protect against fraud

Fortunately, fraudulent transactions only account for a very small percentage of the overall volume of payments that banks handle. Unfortunately, this makes the fraudulent transactions very difficult to spot – it’s like the proverbial needle in a haystack. What’s more, if banks put in lengthy processes to manually check each payment to assess whether or not it is legitimate, they risk disrupting the lives of honest customers. Machine learning can be utilised by banks to really narrow down on the riskiest transactions in order to mitigate this problem.

For example, an individual customer may receive into and pay out a consistent amount of money from their account each month. Simply looking at the top-line data for this customer, there would be no reason to suspect anything was amiss. However, looking deeper into the data could reveal that rather than the usual direct debits and grocery shopping transactions, the most recent payments were being sent to new payees. There could be multiple applications for loans being made in the customer’s name in a short period of time. All of which could be considered suspicious activity, and would be instantly picked up by machine learning algorithms and flagged to the bank so they could carry out checks.

Taking steps to tackle the cross-channel scam threat

While banks should be familiar with the new PSR requirements surrounding APP fraud already, adhering to regulations shouldn’t be the primary motivation for them to make sure they are ready for the threat posed by cross-channel scams. The reputational damage that will be caused by high levels of fraudulent activity within a single institution could have a significant impact on customer confidence. With that in mind, here are steps that banks should be taking in order to protect themselves  – and their customers – from fraud.

1. Join up various systems within the bank. If the bank’s loan application system isn’t connected to the payments system or credit card system, then they will struggle to get a full picture of customer activity. The clearer the picture they have of an individual customer, the easier it will be to spot any suspicious activity. What’s required is a single view of the customer across all of the bank’s touchpoints. Any data silos within the bank need to be eliminated – the key is to get all back office systems talking to each other.

2. Make sure the immediate problem has been dealt with. APP fraud is still the most prevalent threat at the moment, so if the bank isn’t able to counteract APP fraud then they’ll have no chance against more sophisticated cross-channel scams. Banks must make sure they have back office systems in place to catch APP scams accurately – or else they will be in trouble with regulators and face a large compensation bill. Any bank that falls behind its competitors on this front will soon find itself becoming a bigger and bigger target for scammers, as they will be seen as the weakest link in the chain.

3. Think one – or even better, two – steps ahead. Once banks have a single view of their customer and adequate APP fraud controls in place, banks then need to anticipate what the scammers’ next moves might be. Using customer data and data relating to fraudulent activity, banks can use machine learning to spot any new patterns that emerge. Scammers might move on to targeting ATMs or cards-based transactions perhaps, but if the bank can see new attack vectors emerging quickly then they can shut them down quickly too.

With the financial fraud landscape changing so quickly due to the ever-evolving tactics used by criminals, banks must make fighting fraud a priority. As well as eliminating data silos and joining up back office systems, new technologies must be adopted to help financial institutions spot patterns of fraudulent activity quickly.

While these steps may come at a cost, the value of preserving reputation is priceless. Banks that get ahead of the curve will find that not only are they able to catch fraudulent activity more effectively, but also that fraudsters will target them less – as they focus their attacks on financial institutions with the weakest fraud controls in place.