Everything can seem right. But that’s only because the criminals are good.
A person calls to inform a consumer that his or her account has been frozen because of what was supposedly a “fraudulent transfer” or some other problem. The caller sounds professional, and might even send a text with details meant to provide confirmation and assurance. The request? Transfer funds into a new account for safety.
But that new account will be controlled by fraudsters, who will quickly steal the money – funds that might be unrecoverable by a bank or law enforcement. Such a scenario stands as a terrifying example of not only the sophistication of criminals, but also the threat of fraud in a real-time payments environment.
That threat – and how to defend against it – served as the foundation of a recent PYMNTS discussion that featured Karen Webster and two fraud prevention specialists from KPMG in the U.S. – Ron Plesco, principal of Cyber Security, and Bob Ruark, principal of Banking and Financial Services Strategy and KPMG’s FinTech leader in the U.S.
As Plesco pointed out, criminals have managed to steal credit bureau data, giving fraudsters an in when it comes to such theft. “All that info has been mined by organized crime groups and other actors,” he said. And those criminals are experts at social engineering, enabling them to con people who might be on high alert for fraud attempts. “They can convince you that they are the bank, and even the caller ID showing on your phone will say so.”
That doesn’t mean all is hopeless, of course. Education of banking customers — both commercial and consumer clients — is key to preventing such fraud and reducing the risk of further attempts, Plesco and Ruark told Webster.
The antidote? “You need layers of security,” he noted.
That might mean having banks move away from knowledge-based questions for identity validation — which criminals can figure out — to biometric authentication methods, including voice and facial recognition. In a real-time payments environment, that can also mean sending a message to the customer attempting the transaction, one that confirms the legitimacy of the other party and its payment request.
Another technology that can help banks prevent fraud and take a more proactive approach to suspicious transactions in real time is artificial intelligence (AI).
As Plesco explained, such a system will flag an out-of-the-ordinary transaction — a customer moving more money than is usually the case, for instance, or transacting with a new and unknown party. You can think of that as similar to the alerts credit card companies send when a consumer uses his or her card in an unusual way (or, of course, when a criminal tests that card via an unusual transaction). “You use artificial intelligence to say ‘wow, this is out of the norm,’” Plesco said. “All of our clients are moving toward that.”
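The out-of-the-norm check described above, sketched as an added illustration that is not from PYMNTS or KPMG: a simple statistical baseline (median and median absolute deviation) stands in for the AI scoring, combined with a new-payee check and the customer confirmation step mentioned earlier. The sample history, thresholds and decision names are assumptions.

```python
from statistics import median

# Constructed sample: one customer's past transfers as (payee, amount).
HISTORY = [("utility", 120.0), ("grocer", 80.0), ("grocer", 95.0),
           ("utility", 150.0), ("grocer", 110.0), ("sibling", 60.0),
           ("utility", 130.0), ("grocer", 100.0)]

MAD_SCALE = 1.4826   # scales MAD to a standard deviation for normal data
Z_THRESHOLD = 3.5    # assumed cut-off for "more money than usual"
MIN_HISTORY = 5      # assumed minimum history needed to form a baseline


def amount_score(amount, past_amounts):
    """Robust z-score: distance above the customer's median, in MAD units."""
    med = median(past_amounts)
    mad = median(abs(a - med) for a in past_amounts)
    if mad == 0:  # no spread in the history; any increase is a deviation
        return float("inf") if amount > med else 0.0
    return (amount - med) / (MAD_SCALE * mad)


def assess(history, payee, amount):
    """Return (decision, reasons) for a requested real-time transfer."""
    reasons = []
    amounts = [a for _, a in history]
    if len(amounts) < MIN_HISTORY:
        # Cold start: without a baseline, do not silently allow.
        reasons.append("insufficient_history")
    elif amount_score(amount, amounts) > Z_THRESHOLD:
        reasons.append("amount_above_norm")
    if payee not in {p for p, _ in history}:
        reasons.append("new_payee")
    # Assumed policy: one signal -> confirm with the customer out of band;
    # two signals -> hold the payment until that confirmation succeeds.
    decision = ("allow", "confirm", "hold")[min(len(reasons), 2)]
    return decision, reasons


if __name__ == "__main__":
    for payee, amount in [("grocer", 105.0), ("grocer", 900.0),
                          ("plumber", 90.0), ("safe-account", 5000.0)]:
        print(payee, amount, assess(HISTORY, payee, amount))
```

The last sample request matches the scam described at the top of the article: a large transfer to a payee the customer has never paid before trips both signals and is held rather than released in real time.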
Indeed, algorithms are taking on more of the data and security work for financial institutions, with technologies such as data mining and business rules management systems (BRMS) finding popularity among banks and credit unions, according to a new PYMNTS report titled “The AI Gap: Perception Versus Reality in Payments and Banking Services.” However, fewer institutions have made the move to true AI, with lack of funding and even misunderstanding of the technology serving as challenges to its wider acceptance.
But AI isn’t the only necessary defense when it comes to preventing fraud in an environment where consumers and corporations want faster, even real-time payments. Friction can also play a role.
That might seem counterproductive, given ongoing efforts to take friction out of payments (and commerce) so that consumers have quick and seamless transactions. Yet there is always a balance between security and convenience, and when it comes to fraud prevention in this global and digital era, a little more security — friction — can go a long way toward making sure thieves don’t make off with consumers’ savings.
A holistic approach to fraud prevention is also needed. The marketing department, for instance, accumulates loads of data that tells how consumers visit an organization’s website, and from what locations and machines, among other information. “That’s a gold mine of how your customers interact with you,” Plesco said.
That information can then be shared across the organization. In addition, the people responsible for ID and access security should work with the people responsible for fraud prevention, and vice versa. “Look at [fraud prevention] from an enterprise level, not just a business unit level,” Ruark advised.
Furthermore, fraud prevention might require what Plesco called a “hybrid” approach. That means banks figuring out which of their data sets can help them defend against fraud, and determining how to access and use that information efficiently. It also means using the best parts of their legacy technology and systems, and then deciding whether there is a need to combine that with new technology from vendors.
Criminals are only getting better and more sophisticated, but the right mindset can lead to better defenses — and, perhaps, fewer fraud stories about people losing their savings.