As the speed of payments increases around the world, the potential scope of fraud shifts to targets beyond cards. Criminals are taking advantage of the global spread of real-time digital transactions to con chief financial officers, invoice managers and the like, hoping to steal massive sums before anyone knows they’ve been ripped off.
That is among the themes of a recent discussion that Karen Webster had with two fraud experts from Vocalink, the Mastercard-owned payment company that powers real-time payments schemes in markets around the world: Gary Kearns, executive vice president and David Divitt, director of product. The discussion took place as countries around the world turn their attention to upgrading their legacy payments infrastructure to better meet the demands of modern banking and commerce customers: faster payments and freedom from fraud.
Therein, Kearns said, lies the rub.
“Faster payments does not necessarily mean more fraud,” Kearns said. “It does mean that fraudsters know that they can move faster to more quickly launder money — a few minutes or hours now, instead of a day or two.”
Kearns said that banks are doing a great job keeping up with the “faster fraud” opportunities that cybercrooks are leveraging for their own nefarious gains. But the challenge, he said, is that it’s hard for banks to see outside of their own four walls to know which otherwise normal-looking, account-to-account transfers are actually bad guys moving bad money across the network.
“Fraudsters try to take the money and move it away from victims’ banks as soon as possible,” Divitt said, “with payments then being sent between accounts that fraudsters own or control.”
To a bank that is not the victim of fraud, and is instead one of the many accounts that the money is passing through, such fraudulent transactions can appear as mundane as any instance of funds moving between different accounts. An effective defense essentially requires a bigger (digital) eye that can look beyond real-time threats, Kearns and Divitt said.
That means a “network-level view” of transactional activity, along with machine learning and artificial intelligence — or, as Kearns put it, something along the lines of “hundreds of attributes being checked in 20 milliseconds.” Such a view enables an organization to spot idiosyncrasies that other types of fraud prevention technologies might miss.
“It’s more than just a rules engine,” Divitt said about adopting the network-level, anti-fraud defenses designed to stop fraud related to real-time payments. “It’s more than just a single type of analysis.”
Among the signs of fraud that Big Data and pattern-finding algorithms can help spot are what Divitt and Kearns called “mule accounts” — that is, accounts opened in order for criminals to launder money, and to do so quickly.
“They want to move money quickly across the network and hide it, to make it look like a normal transaction,” Kearns said. “They also have burner accounts.”
One of the typical tasks for Vocalink Analytics is to identify those suspicious accounts and give their information to financial institutions (FIs), which must then investigate further to determine whether they are part of criminal operations. Kearns said, “We would never make the final determination – that is for the FI to discuss directly with their customers.”
The wider those digital eyes can see, the more silos it can peer into, the better warning FIs can gain about potential and real attempts at real-time payment fraud.
“By doing the tracing at a network level, you can pick up on [fraud signals] weeks or months earlier than a traditional system can,” Divitt said. “You are not necessarily looking at behavior, but at the connections and relationships in a Big Data set.”
The stakes for fraud that relies on fast payments are substantial, typically higher than seen in thefts that involve consumer cards. A consumer who is a victim of such fraud will likely take a significant financial hit. For many businesses, though – especially small operations or the mom-and-pops (SMBs) – the aftermath of thefts that reach into the six figures or higher can be much more severe.
“It can lead to [the victim] going out of business, or layoffs,” Kearns said. “There is a real social effect on this type of fraud on smaller companies.”
Vocalink is already reporting that its fraud-prevention technology — Corporate Fraud Insights (CFI) — has led to approximately $9.5 million in savings for U.K-based NatWest, which uses the technology to thwart B2B invoice fraud.
In most circumstances, the fraudster’s methods are so advanced that the customer believes the transaction, usually a large payment to a familiar vendor, is completely legitimate and ends up approving the transaction. It is only now, with the CFI solution in place, that a bank can alert its customer that the transaction is potentially fraudulent, and the payment can be stopped before it’s in the hands of the fraudster. In some instances, the fraudsters have been so professional that the banks have to convince the customer that it isn’t a legitimate payment, noted Divitt.
Realizing those savings — in fact, simply preparing an FI for the full risk that comes with real-time payments, not just the full reward — requires an increased level of awareness.
“Education is absolutely key,” Divitt said. Proper education on how fraud is migrating to the faster payments environment, and how such crimes are carried out, results in “people double-thinking when those situations arise,” he said. “It goes a long way toward stopping those fraudsters.”
As real-time payment systems spread to countries around the world, Divitt and Kearns view this anti-fraud technology as not only a differentiator for banks, but an insurance policy. “Even if it’s not an issue today, tomorrow it might be,” said Kearns.