Payments fraud is a big problem…for everyone. It doesn’t matter who you are, where you live, or who you know–everyone gets hit by payments fraud attempts. And as more and more business is conducted remotely, and consumers and businesses use mobile and digital payments, we are seeing an increase in new and more sophisticated fraud practices.
You may not know it, but payments fraud is a huge problem for your financial institution (FI). In fact, 75% of all FIs with revenue greater than $1B were victims of payments fraud in 2022. Banks and credit unions spend millions of dollars (likely tens of millions) trying to protect you and their company from a growing number of immoral fraudsters around the globe looking to steal money from within one of the many payments channels.
Let’s start by outlining some of the most common payments channels and how they are commonly attacked:
- P2P Payments – most consumers use multiple P2P services on their mobile device (e.g., PayPal, Apple Pay, Venmo). If a fraudster or “bot-farm” compromises the device (Account Takeover, or “ATO”), they gain access to several payment outlets from which to initiate fraudulent payments (for example, stolen credit card data used to make purchases via Apple Pay)
- Credit/Debit Card – Bot-farms or fraudsters capture your account data, create counterfeit cards and initiate payments
- Direct Transfers – consumers get scammed into transferring funds electronically for fraudulent products/services/investments/etc.
- ACH – ACH debits for retail consumers (e.g., bill pay) or for businesses using ACH in lieu of checks – fraudsters use social engineering (the criminal accesses a retail customer’s credentials and sets himself up as an automatic bill pay recipient)
- Wire Transfers – generally larger dollar transactions – fraudsters use ATO and business email compromise (BEC) methods to initiate or redirect funds being transferred (according to FBI statistics, CEO fraud is now a $26 billion scam¹)
- Checks – issuing fraudulent checks or manipulating your Remote Deposit Capture (RDC) processes and illicitly moving funds (e.g., duplicate presentment). Small online businesses get targeted by fraudsters working an “overpayment scam”.
Now that we have a broader sense of how we are all being attacked, what should be done?
It is critical to instill a multi-layered approach to fighting against fraud for both consumers and businesses:
- Layer 1 – Awareness – Be aware of how fraudsters are attacking. Stay current on trends that FIs, regulators, or law enforcement agencies are regularly reporting on – this information is always available and regularly updated from several online sources.
- Layer 2 – Due Diligence – it is critical to “know” and trust the other party to a payment transaction. Be diligent in managing payment events: know which payment method you’re using and its associated “red flags”. Verify the other party requesting/receiving the funds, and know how to verify the authenticity of the transaction before you initiate any movement of funds.
- Layer 3 – Protect Yourself/Your Company – here are a few best practices to consider:
  - Ensure the security software on your device(s) is current
  - Use your FI’s tools (e.g., Positive Pay) for all payments services
  - Regularly monitor account transactions to validate authenticity
  - Do not share any confidential information unless you have verified the requestor AND the need to share such information
  - Do not leave company information in accessible folders (e.g., Shared drive) on your computer, online, etc.
  - Regularly change passwords
  - Use dual authorization/segregation of duties for all business account payments authorizations
Here it is also critical to have a multilayered approach.
- Embed a comprehensive fraud management framework by deploying fraud alert solutions that cover the entire digital lifecycle (e.g., account opening through settlement of a payment event):
  - Identity Proofing
  - Device ID
  - Behavioral Biometrics
  - Transaction & Event Monitoring
- Equip your employees with real-time information on:
  - Existing and new fraudster scams/methods
  - The ability to interpret and handle fraud alerts (in the queue or real-time)
  - Where/how to escalate if a particular fraud event is too complicated/risky
- Fully resolve the fraud alert as quickly as possible:
  - Aggregate, prioritize, and work the alerts based on risk, complexity, and urgency
  - Identify false positives and reroute them back into the process to serve the customer and retain the revenue
  - Protect the client/FI – immediately trigger actions based on the alert type while research and decisioning are in flight
  - Resolve the alert – make the victim whole, charge-off settlement, corresponding FI settlement, SAR reporting, Op Risk requirements, etc.
Rulesware LLC is empowering Financial Institutions by providing them with the ability to digitize, automate and guide the entire fraud alert lifecycle – from alerts received through customer settlement and GL/FinCEN reporting – via our unique solution Rulesware Risk Resolve™. Our solution allows clients to:
- Reduce the time FIs spend manually aggregating alerts, prioritizing the queue, assigning alerts, conducting research on lower priority or false positives, creating the SAR or other regulatory reporting, creating paper-tickets/GL entries for charge-offs, etc.
- Resolve false positives and retain the revenue associated with a payments request
- Potential Loss vs. Actual Loss – the ability to take immediate action (workflow automation to freeze an account can reduce the fraudsters’ ability to transact against the breached account)
- Reduction of time and resources required to work the alerts
- Reduction of the time resources spend creating Op Risk reporting, Regulatory Reporting, and GL Settlement
- Reduction of IT time/resources used to create and maintain hybrid solutions for the Fraud & Risk Teams
- Automating specific activities (e.g., blocking an account, freezing a debit card, etc.) while the alert is being researched protects the FI and the customer
- “Fraudsters” or “bad guys” generally hit one payments stream at a time (e.g., Wires, ACH, Check, RDC, Debit card, etc.) to determine where your weaknesses are. If they sense the FI has controls in place, they move on to the next payments stream or to another FI. Having automated actions, prioritization, and faster response times on high-risk alerts results in significantly higher loss prevention