Financial institutions are making substantial headway blunting account takeover and other types of fraud, but scams pose a unique challenge.
Authorized push payment (APP) scams are more complex. They are perpetrated through highly sophisticated social engineering techniques, which encourage the customer themselves, rather than an outside party, to initiate a transaction. That makes this scam typology, which includes romance and impersonation scams, particularly difficult to identify and even more difficult to prevent. Scams are a growing concern for organizations around the world.
Banks are bolstering their technology stack around fraud and identity risk management by investing in tools like device recognition, malware detection, behavioral biometrics and other capabilities, significantly strengthening their defense against account takeovers.
Fortified defenses are forcing fraudsters to reinvent their tactics, giving rise to APP scams, which target the weakest part of the chain – the customer. The growth of digital channels and transactions means there are more customers online and more opportunity for scams.
It’s hard to detect a scam when the customer is going through their regular journey and is willing to make a payment, or when they are being tricked into performing this action. That is because the digital data points you would normally base a risk decision on are less effective: the transaction is coming from the usual device, location and customer.
Traditional fraud measures struggle to prevent scams relative to other fraud typologies.
Solving for scams requires financial institutions to find and understand the deeper motivation of the customer and their behavior, which involves more effort and a more complex, creative fraud detection strategy.
Payment monitoring is a key part of capturing that understanding. It can help banks identify if the payment amount is in line with the user’s normal pattern of behavior, if the transfer is being paid by multiple customers in a short period of time and if the amount is discrepant when compared to past transactions. Together, these checks represent a holistic approach to fraud detection.
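The following added example (not part of the original article or any vendor product) sketches two of the checks described above over a constructed ledger: whether an amount fits the payer's own history, and how many distinct customers have paid the same beneficiary within a short window. It reads the multiple-customers signal as payments converging on one beneficiary; the names, thresholds and sample data are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2024, 1, 10, 9, 0)
# Constructed sample ledger: (timestamp, payer, beneficiary, amount)
LEDGER = [
    (T0 - timedelta(days=30), "alice", "landlord", 40.0),
    (T0 - timedelta(days=21), "alice", "utility", 55.0),
    (T0 - timedelta(days=14), "alice", "landlord", 60.0),
    (T0 - timedelta(days=7), "alice", "utility", 45.0),
    (T0 - timedelta(hours=5), "bob", "acct-X", 900.0),
    (T0 - timedelta(hours=2), "carol", "acct-X", 1200.0),
]

def amount_out_of_pattern(ledger, payer, ts, amount, z_cut=3.5, min_history=3):
    """Robust z-score of the amount against the payer's own earlier payments."""
    past = [a for t, p, _, a in ledger if p == payer and t < ts]
    if len(past) < min_history:
        return False  # too little history to call anything abnormal
    med = median(past)
    mad = median(abs(a - med) for a in past)  # median absolute deviation
    if mad == 0:  # identical past amounts: fall back to a simple ratio
        return amount > 3 * med
    return (amount - med) / (1.4826 * mad) > z_cut

def beneficiary_fan_in(ledger, payer, beneficiary, ts, window=timedelta(hours=24)):
    """Distinct customers paying this beneficiary inside the window, incl. this payer."""
    payers = {p for t, p, b, _ in ledger if b == beneficiary and ts - window <= t < ts}
    return len(payers | {payer})

def score_payment(ledger, payment, min_payers=3):
    """Return the list of monitoring signals raised by a pending payment."""
    ts, payer, beneficiary, amount = payment
    reasons = []
    if amount_out_of_pattern(ledger, payer, ts, amount):
        reasons.append("amount_out_of_pattern")
    if beneficiary_fan_in(ledger, payer, beneficiary, ts) >= min_payers:
        reasons.append("beneficiary_fan_in")
    return reasons

if __name__ == "__main__":
    print(score_payment(LEDGER, (T0, "alice", "acct-X", 4800.0)))
    print(score_payment(LEDGER, (T0, "alice", "landlord", 50.0)))
```

Neither signal relies on device or location data, which is why such checks remain usable when the payment comes from the genuine customer on their usual device.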
Authentication poses yet another challenge. From a banking perspective, telling a customer that they can’t send their own money out of their own account is a very difficult conversation to have.
Those authentication scenarios result in what is often referred to as ‘catch and release fraud.’ It’s where the bank’s fraud systems do a good job of identifying a high-risk transaction, but then the user either self-serves and authenticates anyway, or the call center conversation with the user isn’t precise enough to ask the right questions to intercept the transaction.
Biometrics and other technologies can help. These strategies are critical to understanding the customer’s pattern of behavior and any abnormalities that can indicate the customer could be under duress.
Faster payments and the rise of scams
Fraudsters want to monetize quickly, minimize risks and move on. And the speed with which money transfers happen nowadays is influencing the fast growth in scams.
What is often seen in a scam scenario is the customer completing a payment while they have the fraudster on the phone. After they reflect on their actions, they begin to question whether the transaction was genuine, which prompts a query to their bank.
Instant payments contribute to scams because they allow fraudsters to avoid delays between the point of payment and getting access to the funds. Payments are occurring in near real time, and by the time a customer has realized the scam, the money has already traveled to many different accounts and is hard to trace.
Regulatory changes: strong customer authentication and confirmation of payee
Confirmation of Payee in the U.K. provides some assurance that the beneficiary is the intended recipient, warning payers to think twice before sending a payment. After that, banks can choose to allow or block the payment. Confirmation of Payee adds an extra layer of education and awareness.
Detection strategies: risks and opportunities
Online banking has been the focus of scams in the past and there is a risk that these scams will expand to other banking and payments channels. Institutions need to rip out silos and think about how to build a cross-channel focus to improve detection and authentication.
Reimbursements are also a risk. A customer-centric bank should reimburse its customers, but from a fraud perspective, there could be a negative consequence. If a bank refunds the customer for a scam, there is less concern about the long-term impact it could have on a customer, so it might encourage scammers to do more.
Another risk is the rise of targeted social engineering, a complex scam where the fraudster uses details about the victim in order to convince the victim that the fraudster is an authoritative body – a bank for example. Targeted social engineering strategies often start with data attacks and breaches. Fraudsters collect data and credential-test the data against media companies or non-finance organizations by deploying automated bots that can quickly validate usernames and passwords. When the victim is contacted by the fraudster, the story is much more convincing because the fraudster is able to validate personal information.
A holistic approach
Fighting fraud requires a holistic solution, with multiple layers of defense. An effective scam detection strategy can be broadly categorized into three different areas:
- Technology – The right technology solutions can provide a top-down view of the payment ecosystem with transparency to see beneficiaries. Behavioral biometrics can provide helpful indicators, such as signs of duress when a customer is entering an account number, or if they are hesitating before submitting the payment because they suspect something is wrong. These are part of the next generation of solutions when it comes to scams.
- Process and data – The ability to better categorize fraud data enables companies to build efficient rules and models to catch fraudulent transactions and avoid false positives.
- Education and awareness – This area includes stronger cross-country and cross-industry insights on scam attempts, so there’s a better chance to catch scams as they happen. Dynamic customer education and awareness are also key, so customers only see a message when there is a serious risk associated with the transaction or event.
Fraud and identity management solutions from LexisNexis® Risk Solutions provide real time, on-demand consumer identity analytics, authentication and investigative insight to effectively combat fraud. Our solutions leverage industry-contributed information about suspect beneficiaries or accounts to provide early warning of potential risks. We help our customers prevent fraud while keeping trusted transactions in efficient motion.