“I wants to make yer flesh creep,” says a character straight out of Dickens. Though Halloween is less than a month away, what we talk about concerning payments crime is positively … creepy.
The data is enough to spook even the hardiest of payment professionals. In the latest Data Drivers, David Divitt, vice president of financial crime products at Vocalink, told PYMNTS’ Karen Webster that there’s some light at the end of the tunnel when it comes to battling the bad guys.
First, though, a trip through the tunnel of darkness. Consider the $1.45 trillion of losses that accrue to businesses, and the fact that 47 percent of firms were victims of financial crime last year. Cybercrime and financial crimes were the most common offenses, Webster stated.
“It seems like every time somebody does some research on this topic,” observed Divitt, “the numbers tend to grow.”
The bad guys and gals? Wily sorts, who go with the flow of innovation and see the sea changes inherent in payments. They look for the best returns on investment (ROIs), measuring risk and reward behind the malevolence — and for now, at least, that means targeting enterprises large and small. Squeezed out of tried-and-true methods of card fraud (thanks in no small part to EMV), the fraudsters are eyeing how to interfere with the money that firms legitimately send in the course of normal, daily business life.
When crime is successful, when the gains are ill-gotten, as many as 41 percent of firms do not report that they’ve been victimized. Call it a vicious cycle, perhaps. After all, when the bad apples know there’s unlikely to be a report, the temptation is there for the fraudster to keep plying their trade.
The underreporting, said Divitt, stems from a situation where, for large firms, reputation is key. However, as he noted, “even in the smaller and medium-sized businesses, I think they may just not know what to do when these things happen.” The nature of being scammed leads the victim to feel like they are solely responsible or that they have made mistakes.
“That ‘non-reporting figure’ probably happens across the board — not just with businesses, but with direct consumers who get scammed, too,” he told Webster.
Relationships Preyed Upon
Among the more prevalent criminal methods focused on business, according to Divitt: new relationship fraud. He described this as a “group of both business email compromise, BEC as it’s called, or CEO fraud.” Those acronyms are variants of the same theme, he noted.
The intent is to get the company to pay out a large payment — unwittingly, of course — to criminals, and it would be the first time they paid anything to the (supposedly legit) recipient. The CEO or CFO impersonation can come from a phone call or somewhat legitimate looking email, and typically applies the pressure of authority on those underlings to make the payment.
There’s also invoice redirection, said the Vocalink VP — a ploy and plot that crystalizes as a business and supplier have a relationship already in place. Here there may be regularity to invoices, and “what the fraudster does is infiltrate the receiver of these payments,” he said. They pretend to be the (legitimate) business and lure victims by directing them to their “new” bank account in between invoices, setting up the “next payment” to be funneled to the new bank account proffered. That communication seems innocuous enough, until the damage is done.
The tally of those types of crimes: $12.5 billion in losses across 78,000 incidents over the last half-decade alone.
Is yer flesh creeping yet?
Money Laundering And Technology ‘Enabler’
The conversation turned to money laundering, where such activities can account for as much as 3 percent of global GDP, stated Webster — or a staggering $1.6 trillion annually, as estimated by the U.K.’s National Crime Agency. One of the key drivers or enablers has been the speed of payments.
“You can inject a large amount of illicit cash into the system or right from your typical suitcase of cash [and] into a branch,” Divitt said, “but it can also come from one of those CEO, BEC or invoice redirection frauds.” The bad guys exploit the fast payment systems to split the money, share it and move it around into far-flung banks and, of course, far-flung bank accounts. It becomes difficult for any one institution to put the pieces back together.
Light At The Tunnel’s End?
Ah, but there may be light to burn away the darkness, light at the end of the tunnel through the advancements of technology.
Beyond technological lines of defense (we’ll get there in a minute), education is key. “It’s important for banks to talk to their customers, to explain the risks,” Divitt said. He also noted that Vocalink has been working with NatWest in the U.K. for a couple of years to develop a corporate fraud product, which has been gaining traction there.
Through such efforts, he added, though the criminals have made advances, so, too, have the good guys. The advantage lies in the rich data that is available, and where technology can help in real time — and it's well-known that artificial intelligence (AI) and Big Data are recent developments that can help effectively wage war against criminals.
To mitigate the crime, “you have to think about the areas and avenues that are the most attractive” he said. So, for Vocalink and others, it is the faster payments systems that should be prioritized. Elsewhere, FinTech and crypto, as they come to market, offer up new avenues of fraud, and scrutiny by the good guys.
A note of caution rings. “Because most corporate payments still go over the rather generally slower, older payments systems,” Divitt told Webster, “you still do have fraud in those systems and you cannot ignore them.” He pointed to the ability of stakeholders in commerce to do very complex checks, in real time at the point-of-sale (POS), as they try to pay for something — a method that can be applied to the faster payments systems.
“Being able to take these masses of different data points in real time and make calculations is very doable,” he told PYMNTS, “and that is how you are able to stay at the [same] speed of the real-time systems and ... the criminals.”
He noted that, in the U.K., Vocalink has been working with its banking and analytics team to deploy technologies and algorithms that will start from a fraud or scam and trace that money across a faster payments network, illuminating heretofore hidden networks of criminals.
“We can do that by approaching it collaboratively” with financial institutions (FIs), breaking down a siloed approach that may have existed on an FI-by-FI basis. Collaborative efforts are the most effective ones, Divitt added.
Optimizing The User Experience
In terms of effecting the user experience, he said, the trade-off is friction versus mitigating fraud.
“It’s a delicate balance,” he acknowledged. Too many controls, and friction abounds. Too few, and the system lets fraud into the mix, of course. Some of the older-time barricades against fraud, Divitt said, such as one-time passwords or key tokens with one-time passcodes (used in tandem with chip and PIN cards) … such technologies introduce friction that is no longer acceptable.
In effect, companies need to examine tech in a new way. Look beyond the behavior and look at the relationships — who has paid whom in the past. The movement is now toward technologies that may ferret out and stop fraud, even without the customers knowing.
He pointed to device biometrics, which can examine, monitor and answer some key questions: “How do you hold your phone when you are logging into a mobile banking app? What speed or pressure are you typing with on your screen? All of these data points are available and can be used to build up a picture of how you interact with those apps,” he told Webster. “That can happen all the time in the background, without you even realizing it. ... It is much more difficult for the criminals to mask relationships [between users and tech, and even between parties in a given transactional relationship] than it is for them to pretend to be ‘normal.’”
Faster payments, said Divitt, means “faster crime and money laundering, I’m afraid,” he said. “It tends to just be the way of these things.” In the end, with the twin weapons of education and technology, the battle can be joined a bit more fairly.