Multi-layered Fraud Strategies are Crucial to Win the Battle against Authorized Push Payment Fraud
This blog was co-authored by ACI’s Jay Floyd and Iain Swaine, head of Cyber Strategy for BioCatch in the EMEA region
Have you ever received a text from your bank asking you to confirm a transaction by replying Yes or No? You then realise you don’t recognize the transaction, reply No, and receive another text instructing you to call a telephone number to discuss this unknown payment further. Suddenly you’re hit with the fear that someone has hacked into your bank account. But, do you ever consider that the text you received was, in fact, a scam?
Authorized Push Payment Fraud is rising at alarming rates
Fraudsters no longer use just one tactic to trick their victims in order to access personal details and money. They have built up an arsenal of different approaches to scam people, loosely summarized under the umbrella term ‘social engineering.’ One type of fraud that has seen an alarming 50 percent year-on-year rise in the UK, along with significant increases in other parts of Europe and beyond, is the so-called Authorized Push Payment (APP) fraud, where cybercriminals trick consumers or businesses to send them money from their account. According to the March 2019 UK Finance Report, fraudsters stole £1.2bn last year, £354m of this total was through APP fraud.
Fraudsters will often use complex and convincing scams to lure their victims into transferring money. One tactic APP fraud scammers are favoring at the moment is SMSishing: the scam involves sending a text message to their target, pretending to be from a bank, and asking them to either call urgently regarding a security issue or update their personal details. Another tactic employed by fraudsters is ‘spoofing,’ which makes the SMS appear as part of an existing thread of genuine messages from the bank to make them look more convincing.
This year we’ve seen a number of European banks become victims of Vishing and SMSishing attacks, with customers losing up to tens of thousands of pounds. The problem with APP fraud is that once the victim has been tricked into transferring money to a fraudster, it will almost be impossible to get the money back because the transaction is instant and the cybercriminal can move on to the next target without being caught.
Detecting the fraudster and protecting the customer
With APP fraud on the rise and scammers using more sophisticated tactics to lure their targets, businesses must evolve their fraud strategies to combat security threats. Utilizing specific APP detection technology combined with layers of behavioral biometrics capabilities can help detect APP fraud much quicker.
Behavioral biometrics technology can identify a wide range of cyberthreats in real-time, by analyzing more than 2,000 behavioral parameters of online banking users in real-time, for example the way users interact with online applications and devices. It will also use subtle tests known as “invisible challenges” into online banking sessions. Users subconsciously respond to these challenges, without sensing any change in their experience. The responses provide additional behavioral data that can be used to distinguish a real user from an imposter, whether human or robotic.
These profiles identify a user based on their unique behavior. How a consumer interacts within a session differentiates them from any other potential user, including hackers and automated attacks. The technology can also recognize a range of human and non-human, malware, remote access trojans (RATs) and robotic activity in order to flag and catch fraudulent behavior in real-time.
In order to effectively detect and prevent APP scams, the latest behavioral biometrics analysis extracts powerful insights that suggest a genuine customer is under pressure to complete a payment which the fraudster is directing them to do on the telephone.
Positively profiling the customer
Armed with behavioral analytics to detect fraud, businesses should use positive profiling – a combination of consortium intelligence and big data analytics. Positive profiling allows businesses to separate legitimate customers from the fraudsters. It means building comprehensive customer profiles based on detailed behavioral data from multiple businesses and externally confirmed fraud intelligence, so organizations can screen the customer rather than just the transaction.
By producing more accurate results, positive profiling will enable businesses to tailor the customer experience, improve conversion rates and maximize revenue and, most importantly, block fraud.
Prevent future scams
While it’s critical to implement the right fraud prevention solutions, there is no doubt that fraud tactics will continue to evolve. But, so is the banking industry’s capability of stopping a threat. The advent of open APIs means financial institutions will be able to use overlay services such as ‘Confirmation of Payee’ to pre-empt and prevent fraud before a transaction happens.
Industry efforts to solve these issues are underway in the UK, for example, by creating a facility to cross-check the account name with the account details and give the payer certainty. There is recognition in the industry that real-time fraud monitoring needs to be an essential part of the payments processing solutions that a bank employs.
Banks are also working with telecom organizations to block text messages that spoof their identities and block numbers that have been linked to fraud. Ultimately, it’s vital that organizations take a multi-layered approached to prevent fraud – implementing one solution without other defenses will simply prove ineffective. Effective APP fraud strategies should combine both intelligence-driven tools and systems that provide greater assurance that a customer is transferring money to a legitimate recipient, while also addressing standards and guidance provided by institutions.
This article first appeared in SC Magazine.
Want to improve customer service and reduce fraud? Download our guide: The Six-Step Guide to Leveraging Machine Learning for Payments Intelligence
Related Blog Posts
Defense in Depth: Fighting Fraud in India with a Multi-Layered Approach
There’s a quip, albeit ironic, making the rounds as forwarded emails and messages – “Who’s driving digital transformation among enterprises: CEO or CIO? The correct answer is COVID-19.” Going beyond impacting global well-being, COVID-19 is pushing the corporate world to rapidly introduce new measures for business continuity. Diametrically opposite to continuity, the black swan event of the novel coronavirus is creating disruption in terms of exploitation and fraud perpetration – especially in the banking and financial sector.
Introducing Incremental Learning: An Industry-First Boost for Fraud Prevention
In our previous blog on machine learning, we sought to clarify its role in fraud prevention for merchants. To summarize, it can be an extremely effective way to identify patterns of fraud in a manner and at a speed that humans cannot. It is a critical tool in the fight against fraud, especially when used as part of a multi-layered fraud solution.
Machine Learning: Separating Fact from Fraud Fiction for Merchants
Machine learning is a broad discipline about which many claims, sometimes extravagant, are made. In recent years, it has often been hailed as the most effective answer to stopping payments fraud.
At ACI, we’ve been working with machine learning models to prevent fraud for over two decades – and we know they can play a critical role in improving fraud detection accuracy. Here we bring together a few insights on how models can be used most effectively.
For Financial Institutions, Community Is Critical to Fighting Fraud with Machine Learning
In November 2019, our experts predicted that democratized machine learning and shared intelligence would be among the most important fraud prevention trends for financial institutions (FIs) in 2020.
Fraud Prevention Is the Frontline of Customer Experience
Digital transformation has done more than disrupt business models. In almost every consumer-focused market – and most business-to-business ones, too – it has fundamentally re-oriented the competitive landscape around customer experience as a core differentiator.
SCA: How PSPs Can Help Merchants Stay One Step Ahead
The main objective of PSD2’s Strong Customer Authentication (SCA) is to protect customers and reduce fraud by introducing new measures that ensure that customer-initiated transactions are being made by the genuine cardholder.
The EMV Deadline Has Been Extended for U.S. Fuel Merchants – Now What?
U.S. fuel stations were originally supposed to be EMV-compliant by October 2017, but due to complications and costs at the time, the deadline for EMV at the pump was extended for three years – and it has now been pushed out further to April 2021 due to the COVID-19 pandemic.
Merchant Fraud in the Age of COVID-19: We Need to Prepare Ourselves for a “Tidal Wave” of Attacks
With millions of consumers around the world self-quarantining at home, online shopping for goods, services and entertainment has become the new normal for many. A recent analysis of our own data has shown that average transaction volumes in the retail sector in March rose 74 percent compared to the same period last year.
Predicciones de fraude para el 2020: Qué esperar con la rápida evolución del panorama de pagos en América Latina
La industria de pagos en América Latina está experimentando diversos cambios en varios segmentos a medida que la población de la región está cada vez más bancarizada y comienza a usar pagos electrónicos. Aunque el efectivo sigue siendo la forma de pago dominante, los gobiernos han impulsado los pagos electrónicos a través de la regulación. Esto ha asegurado que la aceptación y el crecimiento del pago con tarjeta hayan aumentado constantemente, han aparecido bancos digitales en diferentes países y el comercio electrónico ha aumentado significativamente.
Previsões para fraudes em 2020: O que esperar com o cenário de pagamentos em rápida evolução na América Latina
As violações de dados que envolvem dados de pagamento dobraram no ano passado por várias razões - falta de inovação em segurança, prioridades corporativas equivocadas e fraquezas nos portais de desenvolvedores, para citar alguns.