Separating frauds from legitimate transactions

When it comes to cyber hits on digital payments, stealth fraudsters are adaptable. They’ll try new forms of attack on banks with alarming frequency. This has long been the case but never moreso than now, with so many payment types in existence.

Not that prevention teams aren’t fighting back. Following the mass rollout of chip cards in recent years, as one example, credit-card related activity such as card counterfeiting is in decline and represents a win for fraud prevention teams.

“It’s been estimated that over the next five years, we’re going to see $4.5 billion in counterfeits work its way out of the ecosystem,” said payments expert Julie Conroy, research director at Aite Group.

Even so, organized crime members aren’t picking up honest day jobs, added Conroy.

“Instead, the action is shifting to other digital channels and includes application fraud and account takeovers,” said Conroy.

Fraud spreads its tentacles

The Aite analyst outlined unfun fraud facts in a presentation that led off a Guardian Analytics webinar on trends and use of machine learning to combat cybercrime, held in late June.

Application fraud is one hot area right now. Totaling $1.9 billion so far in 2017, it is estimated to increase to $2.2 billion next year. (As a reminder, it involves applying for checking accounts or new cards using forged documents.)

Also on the rise are more insidious schemes involving account takeover, which occur when hacking into databases or when social engineering activities yield identity information that ultimately support broader stealing sprees. It’s estimated, according to Aite, that account takeover has leveled off somewhat at about $800 million in 2017 but will hit a billion by 2020.

By way of comparison, the higher profile, much-discussed and feared card-not-present fraud may reach $5.9 billion in the same year.

Impersonating the CEO

Business email compromise is another area where criminals are making inroads, as harried employees receive marching orders fabricated by C-suite impersonators to issue payments quickly and by circumventing any of the usual procedural checkpoints. Conroy indicated that the FBI believes companies have experienced $5.3 billion in such losses since 2013.

The fraudster might have an actual email address or use information picked up through open-source-intelligence gathering to create reasonable-looking requests for a transaction. This results in payments being issued to phony vendors or funds wire transferred to crooks. Facebook and Google sustained $100 million in losses tied to a scam involving business email compromise (BEC). Although much of that money was subsequently returned, it was still an embarrassing exposure for the two tech giants.

Generally, these payments can start out relatively small, but if fraudulent, can suddenly balloon significantly. Alternatively, transaction volumes to a questionable account can increase.

Although these frauds hit companies directly, as opposed to banks, the banks tend to catch the blame, Conroy said.

“The attitude is, ‘Hey, why didn’t you detect this?’,” she explained.

Conversely, she pointed out, those banks equipped to stop a wire transfer or ACH payment from going out the door, had “a customer for life.”

As many banks deal with up to 40% of their transactions going to new beneficiaries as a regular fact of business, according to Guardian Analytics, it can become harder for cash managers and other department personnel to pick up on cues signaling deception, in the absence of the right tools.

Cold cash from online fridges?

While fraud continues its migration to the path of least resistance—and new opportunities—payments are also in flux. This is occurring simultaneously with tech-related changes tied to the “internet of things,” that is, embedded chips and other apps that pull non-traditional devices online. These devices can present avenues of attack for criminals.

“With new opportunities [payment types], data gets stored in new places, and new schemes follow,” Conroy said.

Systems that evaluate risk have also evolved over time from static, rules-based technologies to intelligent neural networks in the 1990s, and later, in the 2000s, the emergence of big-data-driven analytics that blended artificial intelligence capabilities of self learning with, as the name suggests, the ability to process large data volumes.

Mountain View, Calif.-based Guardian Analytics offers turnkey integration with payments systems from vendors that include Fiserv and Digital Insight and provide point solutions for online, mobile, wire, and ACH channels.

Webster Bank uses new technology

Kim Syrop, senior vice-president of fraud loss and management for Webster Bank, Waterbury, Conn., discussed the challenges faced by the $26 billion-assets institution.

“We relied on a system that was home-grown and rules-based and which only covered commercial accounts, so our branch customers were exposed,” Syrop recounted. “Meanwhile, our fraud analysts were making 80 customer calls a day and little of this activity turned up fraud attempts.”

Management saw the need to reduce false positives but keep on top of wire and ACH fraud attempts. On top of that need, corporate clients began succumbing to BEC scams.

The bank installed Guardian Analytics’ solutions for ACH and wire protection, and will be installing its online and mobile point solutions for retail and business operations in the months ahead.

Not who you say you are, but what you do

Machine learning has evolved in the decade or so it’s been on the market. Today, forms of this technology can not only scan text but “understand” context. They can also learn what’s normal and expected in a given system of transactions and what’s a deviation.

Given sufficient data to interpret trends, these systems can predict user behavior. As a result, crooks may be able to steal documents that can fabricate identity but they can’t fool the systems with their behavior, according to Prashanth Shetty, vice-president of marketing at Guardian Analytics.

Aite’s Conroy said that more traditional, rules-based systems cannot stem potential fraud coming from payment types such as same-day ACH. Early adopters of behavioral learning tools can offer riskier transactions and a “lower friction” customer service experience—that is, one with fewer warning calls and false positives.