Fraud methods come in and out of fashion. At the moment, we are well and truly in scam and social engineering season, otherwise known as authorised push payment fraud. The success of technical solutions like ThreatMetrix®, which have made it so hard and risky for a fraudster to infiltrate an account directly, has caused a shift in behavior to the new weakest link: the customer themselves. There is now a duty for banks and the vendors who supply them to offer protection to their customers against those who will lie, cheat and persuade vulnerable customers into willingly transferring money.

While the scams and social engineering techniques change, one thing can’t change: the ‘beneficiary bottleneck’. A fraudster always needs to orchestrate the transfer of money from the victim’s control to their own. And that is where the banks can apply a pressure squeeze in detection to stem the bleeding of authorized push payment fraud.

What does a solution need to put pressure on detecting scams at the ‘beneficiary bottleneck’?


Real Time: With mule herders increasing the sophistication of their operations, mules can be recruited, used and disposed of quickly. Fraud controls need to keep pace with the fraudsters trying to tear them apart; they aren’t waiting around for a weekly batch ‘job’ so nor should fraud teams.


Shared across banks: Fraud is not a zero-sum game. There can be an overall reduction of fraud across all banks if they collaborate. Data sharing between competitors is regarded with caution and suspicion, but that caution makes no sense in the fraud industry. In Vegas, casinos that are competitors still share data on cheaters and hustlers because the benefit is mutual. Fraud in banking should be no different.


Combine Mule and Fraud detection: There needs to be a mindset and tool shift in the perception and treatment of mules. The responsibility of mule detection has for too long been a subset of Anti-Money Laundering (AML). It is time that it is instead treated as a fraud problem and for the frauds and mules to sit in one system. The most mature banks have recognized this and have already seen huge benefits in repurposing solutions such as ThreatMetrix to set up dedicated branches of their fraud teams to address the health of their own books.


Link up both parties: Finally, any payment has two parties, the sender account and the beneficiary. Preventing the payment from the sender is the ‘fraud’ problem. But every successful fraud has a mule account facilitating it. The beneficiary details and the digital activity of that account need to be linked to flag and block the mule at source.

The Two-Party Payment setup

LexisNexis® Risk Solutions has now upped our pressure on the ‘beneficiary bottleneck’ with the Two-Party Payment setup:

  • Both parties’ details, beneficiary and sender, can now be fed into the risk assessment
  • Both parties’ details can be queried for previous history across the Digital Identity Network®
  • The beneficiary details on the payment at one organization will be consistent with the sender details at the organization where the beneficiary is held.
  • Integrated as part of the ThreatMetrix API call, which allows querying and updating of history in near real-time.

The structure allows a bank to identify scam risks by querying previous transactions, both at their own organization and at all other organizations on the Two-Party Payment setup. Was there a previous scam to this beneficiary? How long ago? How many pounds was it? Has there been an increase in payments to this beneficiary compared to normal? Have more customers been paying this beneficiary, likely for the first time?

The consistency also improves mule prevention. Has the account we have on book received funds from a scam payment? Has the account been added to a blocklist based on the outcome of previous payments to it?

The sender and beneficiary details are available to use in highly customizable rules and variables, meaning these are just a small number of the questions that can be asked.

How can the Two-Party Payment setup detect scams at the ‘beneficiary bottleneck’?


Real Time: This approach for providing sender and beneficiary details on the payment flow incorporates real-time decisioning as a core and necessary principle. A scam beneficiary at one bank is added to the anonymized history, which any other bank that later sees the same beneficiary can then check. The benefit of real time can’t be overstated; we’ve seen instances of flagging a scam payment in the morning at bank A, the bank confirming and marking it as a scam at lunch time and a scam attempt at bank B being blocked based on the global scam trigger. That’s an unprecedented level of immediacy for an industry still trying to shake itself away from the plague of batch processes.


Shared across banks: Scams in financial services are networked and connected. The fraudulent funds flow through a network of multiple banks to disperse them, improving the chance of the fraudster being able to keep the money. We’ve seen instances of multiple ‘bounces’ of scam funds flowing from and to multiple accounts that sit on the ThreatMetrix Two-Party Payment network structure. Sharing intelligence related to these scams is key to unravelling the structure of these mule networks and needs the infrastructure to deliver consistent sender and beneficiary details across all banks.


Combine Mule and Fraud detection: Having the ability to combine mule and fraud detection in one system is indispensable. Network investigation of the mule entities and the deployment of mule detection models have all been productionized using ThreatMetrix. The Two-Party Payment setup naturally plays into both fraud and mule areas; the beneficiary details are the fraud problem and sender details are the mule problem.


Link up both parties: The main principle for the Two-Party Payment setup is the consistency in value between the same account in the context of it being a sender or beneficiary. This forms the crucial link between a beneficiary being the recipient of a scam and then flagging this fact when it becomes the sender to move the funds on.
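The linkage described above, sketched as an added example; it is not LexisNexis Risk Solutions or ThreatMetrix code and does not use their API. The keyed-hash token, the `SharedHistory` class and all account and payment values are assumptions constructed for illustration: the same account maps to the same anonymized token as sender or beneficiary, so a scam marked against a beneficiary also flags that account when it later sends funds on.

```python
import hashlib
import hmac
from collections import defaultdict

NETWORK_KEY = b"constructed-demo-key"  # assumption: secret held by the network operator
FRAUD_RATE_THRESHOLD = 0.10            # the "10% fraud rate or higher" mark in the text

def account_token(sort_code, account_number):
    """Keyed hash of the normalized account: the same account gives the same
    anonymized token whether it appears as sender or as beneficiary."""
    normalized = sort_code.replace("-", "").strip() + ":" + account_number.strip()
    return hmac.new(NETWORK_KEY, normalized.encode(), hashlib.sha256).hexdigest()

class SharedHistory:
    """In-memory stand-in for the cross-bank payment history (hypothetical)."""
    def __init__(self):
        self.received = defaultdict(dict)  # beneficiary token -> {payment_id: is_scam}

    def record(self, payment_id, beneficiary_token):
        self.received[beneficiary_token][payment_id] = False

    def mark_scam(self, payment_id):
        for payments in self.received.values():
            if payment_id in payments:
                payments[payment_id] = True

    def fraud_rate(self, token):
        payments = self.received.get(token, {})
        return sum(payments.values()) / len(payments) if payments else 0.0

    def assess(self, sender_token, beneficiary_token):
        """Reasons to hold a new payment for review, checked before it is sent."""
        reasons = []
        if self.fraud_rate(beneficiary_token) >= FRAUD_RATE_THRESHOLD:
            reasons.append("beneficiary_fraud_rate")
        if any(self.received.get(sender_token, {}).values()):
            reasons.append("sender_received_scam_funds")
        return reasons

def demo():
    # Constructed accounts and payments; `mule` receives p1..p4.
    history = SharedHistory()
    mule, victim = account_token("12-34-56", "00000001"), account_token("65-43-21", "00000002")
    for pid in ("p1", "p2", "p3", "p4"):
        history.record(pid, mule)
    before = history.assess(victim, mule)       # no scam confirmed yet
    history.mark_scam("p1")                     # bank A confirms p1 as a scam
    inbound = history.assess(victim, mule)      # bank B customer paying the mule
    outbound = history.assess(mule, account_token("112233", "00000003"))  # mule moves funds on
    return before, inbound, outbound
```

Normalizing the account details before hashing is what keeps the token consistent across banks that format sort codes differently; without it the sender-side and beneficiary-side records would never join.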

So what next?

The Summer of 2021 will see a big increase in the adoption of the Two-Party Payment setup across banks on their existing deployments with ThreatMetrix. We’ll be working hard to use it to provide uplift to the detection and prevention of scams.

We’ve already seen over £700k of payments in a month being sent to beneficiaries marked with 10% fraud rate or higher across the banking network, and productionized the flagging of such cases. The next development will be reducing false positives and creating the rules and variables that can check for behavior changes of beneficiaries and senders to flag scams at the point of first exposure, without the reliance on scam marking.

Detecting scams will take a real-time, shared and industry-wide step change. The Two-Party Payment setup applies another layer of pressure at the beneficiary bottleneck to contribute to that improvement in detection.
