No matter where you look, fraud attacks on banks and merchants are on the rise. The fraudsters are getting more creative in their schemes, leveraging the great digital shift to make the unwitting customers themselves the gateways to fraud.
Social engineering, coerced payment and push payments fraud are among the novel approaches of the day — and are proving successful at draining accounts.
But as a trio of fraud experts told PYMNTS recently, some of the most effective lines of defense lie in arming the consumers themselves with education and technology — in effect, “hardening the target.”
The panel included Yinglian Xie, CEO and co-founder at DataVisor; Jamie Burud, senior vice president of fraud at Texas Capital Bank; and Kevin Thompson, senior vice president of fraud services at Webster Bank.
The fact that so much payment activity has gone online creates a bit of a paradox, Xie said.
“The innovations that make it easier for the users to transfer funds instantly also made it easier for the attackers to successfully conduct their fraud attempts,” she said.
And the common thread that links those schemes is the fact that the bad actors pose as someone else and can use the web to cloak who they really are.
The Perfect Crime
In the case of synthetic IDs, fraudsters cobble together various pieces of information from the web to present themselves as legitimate consumers to FIs and merchants. Coerced payments, of course, involve threats from the shadows. And push payments fraud occurs when victims are incentivized by attackers who present a seemingly legitimate reason for individuals or businesses to send payment: They pose as the IRS, for example, or the bank, or the boss of one’s firm.
Among the anecdotes offered up by the panelists: A fraudster impersonating a tech support desk might call a target and claim there’s a “fix” that needs to be installed — and fool that target into granting online access to their devices or computers. Or a consumer-facing third-party website with deals that seem too good to pass up asks for an inordinate amount of PII.
And: Since we live in an age of hyper-connectivity, said Thompson, “social media platforms connect people, in real time — and push payments make money movement that much quicker.”
The financial institutions and the merchants, he noted, are increasingly using social media channels to get consumers to open accounts, in a quick and streamlined digital manner. Criminals know this, of course, and so what we’re seeing is what Burud termed “first-party fraud,” where an individual account holder is effectively recruited to facilitate the very transactions that are so harmful. It winds up being easier for the fraudster to “game” the consumer into sending the money their way than trying to take over the account itself.
It’s a perfect crime to get someone to, for lack of a better term, steal from themselves.
None of this is lost on the enterprises themselves, which have been busy introducing stepped-up authentication protocols in a bid to stop the criminals in their collective tracks. There’s a catch-22 in the mix, though. As PYMNTS data has shown, 6 out of 10 social media consumers have said that their last experience of trying to make a payment — particularly at the point of checkout — was a painful one.
As Thompson noted, there’s a fine line between speed and seamlessness and making sure that security is always up to date.
“We want to create less friction for our legitimate clients so that they have a nice, smooth, seamless experience, but at the same time, the fraudsters are taking advantage of that because they know it’s so smooth.”
It can pay dividends to “harden” the target — to make sure that individuals are given the tools they need, in terms of knowledge, to steel themselves against the criminals.
“We need to get the information out there, in a more repetitive manner so that defenses become second nature,” Burud said. Along those lines, Xie noted: Individuals need to know that any text that seeks to solicit money in any formal way can, potentially, be tied to a fraud scheme.
For the providers themselves, a data-driven approach can help FIs identify certain “trends” in fraud attacks and either issue alerts to consumers or step up risk controls, where senders are prompted more than once to confirm their intent to send money.
Looking ahead, some burgeoning avenues of fraud merit special monitoring: The metaverse is still largely an unknown quantity, said Xie, and Thompson and Burud said that business email compromise is on the rise. As new channels emerge for fraud to take shape, said the panelists, partnerships and platforms, linking providers and banks, can forge new lines of defense. And at the center of it all will be the individual, of course — ideally, newly armed with more information.
As Burud said, the overarching principle can be boiled down to a simple, critical strategy:
“Trust, but verify,” he said. “You have to be suspicious of everything, because we are all targets.”