Experts Discuss Challenges, New Solutions for Detecting Authorized Payment Scams
Scammers are duping victims in many ways: tricking customers into believing they need to reverse a Zelle payment, promising big earnings from cryptocurrency investments or convincing online lovers to send money. A myriad of schemes is resulting in a sharp rise in authorized payment scams, which according to Aite-Novarica Group now account for two of the top five categories of fraud volumes and losses for financial institutions.
In the United Kingdom, for example, nearly half of the 609.8-pound million in fraudulent transactions in the first half of 2022 was due to authorized push payment scams. The growth in this type of scam, in which victims transfer the money and are held liable for the losses, has gotten the attention of banking regulators as well as the U.S. Congress, which argues that banks should reimburse their customers as they do in other types of fraudulent transactions.
In response, seven banks in the United States last month drafted a proposed framework for reimbursing customers for specific types of authorized payment scams. Peer-to-peer money transfer firm Zelle said it is preparing for a major rule change early this year that will require the network’s member banks to compensate customers who fall victim to certain kinds of scams.
This sea change from the banking and payments community will likely result in a shift in the technology market to solutions aimed at reducing scams such as advanced risk modeling platforms, consortium and network-based signal detection providers, and new peripheral controls employing AI and machine-learning technologies.
Information Security Media Group spoke to bankers and fraud experts to understand the tools banks can leverage to reduce authorized payment scams, and some say it’s a difficult challenge to overcome.
Challenges in Detection
The major challenge in detecting authorized payment scams is that the actual customer has logged in and authorized or executed the payment request. These real customers are often coached by fraudsters on how to answer questions from fraud analysts and call center agents if the bank tries to review or stop authorized payments.
“Generally speaking, traditional ATO controls will stop a payment from occurring until the true/good customer logs into their account, passes multifactor authentication and then follows whatever process the respective bank employs to reestablish confidence in the payment request,” says Bradley Haacke, vice president and financial crimes director at Fifth Third Bank. ”How do you establish confidence in a payment request when nothing about the customer’s device or the login event is raising a red flag?”
In short, the biggest issue that banks face when trying to prevent scams is that they lack full context behind consumer transactions. In other words, banks and financial institutions often do not have an accurate picture of consumer behavioral patterns that can help them predict what activities are genuine and, in turn, what activities carry fraud risks.
This lack of understanding or contextual knowledge leaves financial institutions in the dark when trying to identify vulnerabilities or security flaws in their fraud protection strategies.
Karen Boyer, senior vice president of financial crimes and fraud intelligence at M&T Bank, says bankers want people to have control over their money and that is what makes it tough to determine authorized scams. “When they don’t identify what they are sending is to a fraudster, the banks are kind of limited in some capacities,” she says.
“In addition to that, oftentimes fraudsters are coaching and manipulating victims into saying whatever the banker might want them to say,” Boyer says. “So you might have an instance where you’ve got a banker who finds it a little bit odd that somebody’s withdrawing $5,000. So they’ll ask them, ‘Why are you withdrawing the money?’ And the scammer has coached that victim to say, ‘I am getting my home repaired. I’m buying that.'”
“You can’t ask too many questions, and it’s just really hard to figure out if they’re being coached,” she adds.
While some anti-scam vendor solutions have been introduced, the market is not very mature. Ian Mitchell, managing partner of Omega FinCrime and founder of The Knoble, a network of fraud, cybersecurity, fintech and financial crime professionals, rues the fact that service providers have not really taken the time to think about how their legacy solutions can solve scams.
“So many of the vendors I meet with, their solution may actually work to fight first-party and scams, but they’re still having conversations around account takeover fraud and identity fraud,” Mitchell says. “And really, when it comes to account takeover fraud or identity fraud, the ones that are suffering are the ones that didn’t make the right investments over the last decade and are behind. But everyone that has is now dealing with the first-party fraud and scams.”
“So to help these financial solutions solve this problem, we need solution providers and service providers to really start thinking about how they can retrofit their solutions to really help with this fight,” Mitchell says.
Seth Ruden, director of global advisory for the Americas at BioCatch, says most fraud solutions are “fairly limited” in data they collect about authorized payments and how to apply their detection, scoring models or rules.
New Solutions on the Horizon
The good news is that the vendor market targeting scams is growing, and there are a few tools and mechanisms out there that banks can deploy.
“Ken Palla, former director of MUFG Bank, in a recent paper, “Top 10 Controls Banks Can Deploy to Protect Consumers,” lists some innovative ways banks can reduce authorized scams until the vendor market develops further.
He suggested banks use transaction nudges to control this type of fraud. A transaction nudge, which first began in the U.K., is a message to the customer at the time of a transaction when the bank sees something anomalous about the transaction. The nudge message is crafted specifically to this transaction and the anomaly. The purpose is to get the customer to stop and think about what they are doing.
Delaying the execution of payments for new payees is another way banks can control this kind of fraud, Palla tells ISMG.
“I think there could be a delay of up to four hours on certain high-dollar, high-risk transactions,” Palla says. “Payment platforms like Zelle say they don’t want friction, but the problem is if you look at how the scams work, you really have to rethink this.”
For example, for most high-dollar transactions, more often than not, the need for the transfer is not immediate and can wait for a few hours, Palla says. “I take this mindset: A four-hour delay is recommended as that allows enough time for a scammer to disengage with a customer, the spell to be broken, and the customer can call the bank to say they were scammed. This delay tactic has proven to be very successful in the Netherlands.”
Zelle did not respond to ISMG’s request for an interview.
Carolyn Homberger, president of the Americas at Featurespace, says tools such as AI and machine learning not only provide a more predictive outlook on consumer behavior but also provide more holistic insights into individual consumers’ spending habits and profiles.
“In order to accurately predict what would amount to fraudulent behavior, financial institutions must gain a full understanding of what behavior is authentic to each individual consumer. This can be done by creating a model of continuous learning, where AI and machine-learning technology can use past behavior to build accurate, reliable analytics to predict future behaviors.”
Trace Fooshee, strategic adviser at Aite-Novarica Group, says banks must employ three tools – advanced risk modeling platforms, network-based signal detection providers and peripheral controls – for better control over scams. “Things work best when they work together. For instance, advanced risk modeling platforms have proved useful in reducing false positives in areas like screening for first-party fraud,” Fooshee says.
One of the banks in the U.K. has leveraged this platform to create a new model with a vendor that has yielded triple-digit improvements in their detection rates for authorized push payment scams, Fooshee says.
Ruden of BioCatch says companies also must leverage behavior biometrics to be able to distinguish between legitimate customer action and coerced or coached behavior. “Trying to find and identify those cues and trying to associate elements that are high-risk with modeling techniques that we have internally is one of those mechanisms on how we’ll be able to take some of these cues and convert them into actionable alerts and prevention strategies.”
New Vendor Technologies
The vendor market dealing specifically with authorized payment scams is small, for now. A few companies including NICE Actimize, BioCatch, Feedzai and Featurespace are specifically concentrating on this particular scam.
“We do expect growth in this space although it is too early to quantify. I can share we are presently exploring interest in both scam and money mule prevention controls,” says Jake Emry, SME of fraud prevention at NICE Actimize. The vendor market, particularly for mobile device-oriented analytics and behavioral biometrics, seems to be getting a lot of industry attention in the U.K., particularly given the impending liability shift to banks and payment services providers there for APP fraud, he adds.
Homberger from Featurespace expects this space to rise massively in the coming years.
“Financial institutions are looking to improve their fraud prevention and anti-money laundering capabilities,” Homberger says. “Implementing more advanced, predictive technologies will enable financial institutions to become more agile and proactive in their fraud prevention efforts, and we anticipate that the financial sector will lean into further technology adoption in the coming years.”
Mitchell of Omega FinCrime adds that technology alone will not solve the problem and says banks also need to invest in fraud experts to intervene and spend time on the telephone with victims to explain the scams and prevent the transfer.
“As fraud fighters, we have an opportunity to do what our job says – fight fraud – and scams are the biggest fraud problem we have on the globe right now. We have the ability to do the right thing even before liability shifts to protect our customers to build programs that are robust enough to solve this fraud problem,” Mitchell says.