Payment fraud happens when someone with ill intent steals another person’s private payment information – or dupes them into sharing it – then uses that information for a false or illegal transaction. Every time a new payment method or service gains popularity, the payment landscape changes. And so do the fraudsters. They adapt to each new trend by developing new and increasingly sophisticated payment fraud schemes.
Fraudsters rely on the weakest link in the chain of events leading up to payment fraud – people. Anyone who makes payments or uses payment services is a potential target. Unfortunately, it’s not hard for criminals to manipulate people as they work to achieve their nefarious aims.
Across the globe, fraudsters have rapidly adapted, migrated and scaled their fraud tactics by taking advantage of organizations and individuals who aren’t prepared. If present trends continue, Juniper Research says online payment fraud losses are likely to climb as high as $48 billion by 2023. And that’s just the tip of the iceberg.
What can organizations do to outsmart criminals and stay ahead of new payment fraud tactics? Before we consider the answer, let’s look at what’s new in the world of payments and see why new types of payment services have opened the door to new fraud threats.
Managing Fraud Risk in the Digital Age
Most customers crave convenience. But along with the popularity of faster, simpler transactions comes a higher degree of risk – some inherent to mobile and online payments. This paper describes key steps organizations can take to effectively counter the heightened fraud risk of digital payments.
New payment trends create new fraud challenges, threats
Today’s payment ecosystem has broadened well beyond traditional banks, with fintechs, challenger banks and payment service providers (PSPs) pushing a variety of new, innovative payment services. At the same time, we’ve seen huge growth in the number of instant (or “immediate”) payments. Such payments take seconds or less from initiation to settlement.
When the pandemic thrust the world into digitalization, payments became increasingly cashless and opened doors for new, faster payment types. But, with all the innovation comes new fraud threats – and they are emerging on different timelines in different parts of the world.
A new threat in one region gives organizations in other regions an opportunity to learn from those who have gone before – but it presents an equal opportunity for fraudsters. Fraud happens faster today because fraudsters export models that worked in one region to another region that's adopting similar technology. Organizations caught behind the curve pay a heavy price.
Consider the context around some of the more pressing challenges:
- Instant (immediate) payments mean immediate fraud. That’s because fraud attacks scale quickly – and losses grow exponentially. To respond rapidly, organizations must have appropriate fraud processes in place. Using a purely rules-based detection approach leaves organizations exposed because it takes days to implement changes.
- Evolving digital payments – such as mobile wallets, person-to-person (P2P) and overlay services – create new opportunities that fraudsters can exploit. Fraud and risk teams lack experience and historical data around these emerging payment options, making it nearly impossible to fight fraud with traditional rules-based fraud solutions. And, in the push to go live with new payment services like open banking, fraud controls sometimes get left behind.
- Money mules grow along with payment fraud. Money mule accounts are set up to receive and launder illicit funds (often uncovered via anti-money laundering efforts). Such accounts create issues for banks and PSPs in terms of managing their new account onboarding processes. The prevalence of such accounts also requires banks to have processes in place that identify, manage and close down accounts misused by money mules.
Banks and PSPs need to move to a 24x7 fraud response. Instead of taking days to investigate a suspicious payment alert, they need to manage alerts in real time. It’s imperative to make quick but accurate decisions as customers make instant payments. Today’s customers expect immediate resolution when payments are delayed or disrupted.
The role of regulators and open banking, standardization and interoperability
Regulators are heavily involved in and affected by changes in the payment landscape. Consider the regulatory challenges of open banking, for example.
The open banking model uses APIs to give third-party financial service providers open access to consumers’ financial data from banks and other transactions at different types of organizations. With open banking programs underway around the world, regulators must oversee many banking and payment services that have expanded to include new participants.
Another example is the EU’s payment services directive (PSD2), which has created disruptions in the payment ecosystem. Regulators around the world are pursuing similar options in their regions.
Standardization and interoperability are also relevant to the success of payment schemes and overlays crossing national and regional boundaries. Although these efforts are underway, the payments market remains fragmented along national and regional lines – much more so than card payments. No doubt we will continue to see movement in this space, such as:
- Changes like the ISO 20022 payment messaging standard.
- Schemes like P27 (pan-Nordic payment scheme) and SWIFT gpi, which will help move immediate payments beyond national to regional and global multicurrency services.
Amid the whirlwind of innovation lies many opportunities and challenges. How does this fast-paced environment affect the fraud space?
Learn about banking as a service and why it presents new opportunities
Banking as a service (BaaS) is a model that allows third parties to deliver financial services while banks retain the regulatory obligations. It's not a sexy role for banks, but it has the potential to drive new revenues, extend reach and create new markets at a low cost.
Major types of payment fraud
There are many different types of payment fraud. One way to understand it is by considering the two broadest categories – unauthorized versus authorized payment fraud. Let’s consider how each type works, and what can be done to stop it.
Unauthorized payment fraud (account takeover)
Unauthorized payment fraud, or account takeover, happens when a criminal compromises a customer’s credentials or has sneaked past customer authentication and gained access to a legitimate account. Typically, this is done via phishing or malware that collects customer information from online logins. Once the fraudster has accessed the customer’s account, they can set up and make payments without the customer’s knowledge.
How can you defend against unauthorized payment fraud?
In a world of immediate payments and increased payment fraud risks, banks and PSPs have almost universally adopted multifactor authentication and real-time fraud monitoring. This is being further entrenched across Europe with the PSD2 regulation that mandates the use of such controls. Other fraud profiling tools can be added to such techniques for additional protection. For example:
- Device identification helps banks assess the risk of the device used to access accounts or make payments.
- Behavioral biometrics tracks the user device interaction during an online session.
Layered together – and combined with sophisticated real-time fraud detection systems that use advanced analytics and machine learning – these tools and controls provide an effective defense against unauthorized account access and fraud. Even if banks and PSPs don’t stop all unauthorized fraud, they can stop a high enough proportion to make life hard for fraudsters. Frustration with their likely return on investment could be enough to thwart some fraudulent efforts.
Authorized payment fraud (payment scams)
Unfortunately, criminals have found a way to get around the need to rely on unauthorized payments. One of their tactics is to contact the customer and dupe them into authorizing the payment themselves. Authorized payment fraud bypasses several controls implemented by banks, PSPs and regulators. And since the customer is the one making the request from their own device, they pass multifactor authentication.
Authorized payment scams are not just harder to detect – they’re also more difficult to manage when they are detected. With authorized payment fraud, a fraud investigator would mainly have to figure out: Is this the customer? That series of investigations doesn’t apply in the case of authorized payment fraud. Here, the question needs to be: Is this customer being duped? This is a much harder question to answer.
Can we stop authorized payment scams?
With customer-authorized payment scams, tried and tested fraud detection methods do not work. This is the big fraud challenge for all payments organizations – regulators, banks, PSPs and vendors – as consumers and businesses around the world are increasingly exposed to this common type of fraud.
The way to address authorized payment fraud is through coordinated, industry-level mitigation initiatives, such as customer education. Using targeted, in-journey messages helps customers make the right decision in the moment. Other efforts involve:
- Sharing payee information.
- Targeting and acting on money mule accounts.
- Enhancing tactics to facilitate recovery of funds.
Application fraud, identity theft or fraud and payments fraud are closely related. Fraudsters use many methods to obtain credit and make fraudulent payments. Click through the box at the right to see how SAS helps prevent fraud across the entire customer journey.
Building the lie
Fraudsters build credible identities by applying for and opening multiple credit accounts – often using a synthetic or stolen identity. To begin, they establish a good credit record by making timely payments on multiple, small accounts. Eventually, they cash out – then walk away from the debt.
Applying for new credit
When onboarding a new customer or approving a current customer who is applying for a new product or line of credit, banks need near-real-time decisions about fraud and credit risk. They consider credit risk (a customer’s creditworthiness) based on credit score and history.
Verifying and authenticating identity
If an applicant meets basic credit requirements, the bank verifies identity. This involves matching the applicant’s details with historical records from credit bureaus and other sources and collecting hard-to-fake information. Digital identity authentication and device verification are other parts of this process. Third-party data providers also play a role.
Making and receiving payments
Once an account is opened, the transaction phase of the customer life cycle begins. Banks should use the intelligence gathered during the onboarding process to feed into their broader fraud strategies. Understanding how the customer was onboarded and what authentication methods were used help reduce customer friction while also decreasing fraud loss at the financial institution.
Reducing false positives, improving customer experience
If a customer tries to make a payment and a purchase is unnecessarily declined, they will pull out the next card in their wallet to pay. At this point, the bank loses revenue, customers are unhappy and the bank must spend time addressing customer escalations. SAS® helps correctly identify fraud, reducing the fraud loss dollar amount. The results: More profit. Protected reputation. Peace of mind.
Stay aware, stay nimble – Key tips for banks and PSPs
Just as criminals have adapted their methods, banks and PSPs need to adapt their responses so they can target anomalous customer behavior more effectively. For example:
- Incorporate adaptive real-time fraud detection systems for both outbound and inbound payments.
- Take a more holistic view of payer and payee accounts to more effectively target money mule accounts.
- Use adaptive machine learning techniques and behavioral profiling to identify and spot anomalies in customer behavior. This makes it faster and easier to recognize genuine customers.
The payment landscape is ever-changing, and the evolution presents promising opportunities for the financial industry. But awareness of potential new fraud threats must be considered with equal importance as new innovations are adopted. Banks and PSPs need to evolve by using advanced analytics that can quickly adapt and learn to spot anomalies from behavioral indicators.
Fight back against payment fraud
Payment fraud has increased dramatically. Estimated losses due to payment fraud are expected to surpass $48 billion by 2023.
With integrated data management, artificial intelligence and machine learning, SAS Fraud Management helps organizations around the world defend against rapidly changing threats in the world of payment fraud.
About Diana Rothfuss
Diana Rothfuss is a Principal Global Marketing Manager for the Fraud and Security Intelligence Practice at SAS. She drives the strategy and messaging for the banking industry suite of products and solutions under the Fraud, AML and Security Intelligence Division. Prior to SAS, she spent more than eight years in marketing, communications and sales enablement roles in business banking at M&T Bank. Rothfuss participates in organizations, such as WIN and American Marketing Association, and has been chosen to be a part of the ATHENA Emerging Leaders program for 2021-2022.
- Are you covering who you think you’re covering? Payers often don't focus enough on healthcare beneficiary fraud in public and private healthcare plans. Before paying a claim, payers need to ensure beneficiaries are eligible. Advanced analytics applied to a broad range of data can help them accurately detect and prevent beneficiary fraud.
- Contact tracing investigations for public health: Technology enhances epidemic investigationWhat was once a cumbersome process that relied on an individual’s often incomplete or inaccurate memory, contact tracing investigations for public health has entered the digital era thanks to advanced analytics and data visualization.
- Marketers and privacyCompanies that break new privacy laws get fined heavily, but there may be an even greater cost: A damaged reputation.