More data means fewer places to hide for scammers

As ACI publishes original research into the state of APP scams in India, the UK and the U.S., Tanya Kopytina, Senior Fraud Consultant, ACI Worldwide, describes how more – and better – data is needed to fightback against the criminals.

The future of payments cannot be discussed without also considering the future of fraud prevention.

As new payment methods and spending habits evolve, they are always accompanied by an evolution in criminals’ tactics. Customers’ expectations to be monitored and adequately protected against those threats are also rising.

The world is still adjusting to the accelerated digitization brought about by the COVID-19 pandemic, and the implementation and adoption of new ways to live and pay digitally continues to grow, in new and mature markets alike. This has also coincided with longer-standing trends around enhanced digital security for bank accounts and cards, which has driven fraudsters to target the weakest remaining link: consumers. Meanwhile, the availability of real-time transactions, social media platforms and mobile messaging apps also leaves these consumers more vulnerable to attack and recruitment to mule networks.

It is increasingly difficult to distinguish genuine customer behavior from potential social engineering attacks, even for digital natives. As payments and digital experiences get faster, there is now only a tiny window for banks to prevent fraudulent transactions and scams.

Breaking scams down

The most common digital payments scams today fit broadly into two categories. The smaller category is merchant misrepresentation scams, in which phony merchants take payment for a service or product they never intend to provide. The other category is account holder manipulation scams. Commonly known as Authorized Push Payment (APP) scams, they are the subject of a new report from ACI Worldwide, Scamscope, examining APP fraud trends in three markets around the world — the UK, the U.S. and India — and featuring original data from global analysts GlobalData.

APP scams can take many forms, but the most common techniques are:

• Social engineering: These scams involve criminals posing as trusted institutions or individuals to gain the trust of account holders. The criminals’ goal is to either convince the account holder to share the information they need to access their account and make payments that appear to be authorized, or persuade the account holder to make a push payment themselves.
• Account takeovers: In these scams, criminals acquire partial or complete payer information, use that information to gain access to the payer’s account, and make push payments out to accounts under their control.

Detecting APP scams is a complex challenge, and the value of losses is generally much higher than other types of scams.

How to battle back on scams? Data, data, data… and more data

A merchant misrepresenting themselves can be easily identified with rules-based engines and blocked from receiving future transactions.

Payments that look genuine at first glance, as the customer has been tricked into facilitating the scam themselves, can only be detected if banks bring more and better data into their systems and then use that information to drive smarter, faster and more accurate decision making. This decision making then needs to be continuously updated to keep up with new trends.

This is among the Scamscope report’s key recommendations. Only with more data can banks increase their knowledge of what genuine behavior looks like versus either that of a criminal or a genuine customer grappling with extreme uncertainty, under emotional duress or subject to a high-pressure situation. Authorization transactional data alone is no longer enough.

As covered in the report, the emerging field of behavioral biometrics, seen in solutions such as those offered by ACI partner BioCatch, profile user behaviors, including mouse movements, typing cadence, swiping patterns and device orientation to distinguish between genuine user activity and criminal actions. This intelligence can form a passive authentication layer unseen by the user, comparing historically “trusted” behavior with “suspicious or unseen” behavior to spot signs that either the user is unauthorized or that the user is genuine but acting unusually, perhaps under the duress or direction of a scammer.

These kinds of insights, combined with banks’ authorization data and merchants’ authentication data, including billing address, shipping address, location, browser information and device ID,  are all vital to stopping scams. If tracked by both the initiating and receiving bank, there is no place to hide.

No time to waste

The challenge and opportunity for banks regarding APP scams is to get better at sourcing data and integrating it into enterprise-level fraud prevention systems – and there is no time to waste.

Across the markets covered in Scamscope, the value of total losses to APP scams is already high and is expected to grow at an average compound annual growth rate of 21%. By 2026, the value of annual losses to APP scams will double in every single one of our featured markets, running to $0.6 billion in India, $1.6 billion in the UK and $3 billion in the U.S.

Banks that can perfect scam prevention will be more able to make real-time payments a positive part of their customer experience while protecting their customers from risks associated with those payments. This in turn can become a truly differentiating factor for banks’ products and their services.

Get your copy of Scamscope: APP fraud trends in the U.S., UK and India from ACI Worldwide to learn more about the present and future of APP fraud and how the industry can battle back better against the scammers.