Fraud: The collusion between internal and external bad actors

The Payments Podcast by Bottomline

Episode Transcript

When it comes to fraud, commercial banks historically play mostly defense against external attackers. Banks are also aware of the inside fraud threat, but it's not always treated with the same intensity, not until lately, anyway.

A recent study by digital financial crime platform, Themis, finds that collusion between internal and external actors is, quote, a growing concern, unquote, with 46% of respondents calling this collusion a primary threat. Bad guys working together. This is not good. To get actionable intel on the situation, we're very glad to welcome Eliza Thompson, Financial Crime Researcher at Themis. Eliza has a lot of experience detecting the dark elements of financial crime, and we're lucky she could join us.

Eliza Thompson, Financial Crime Researcher at Themis. Welcome to The Payments Podcast.

Eliza Thompson: Great. Thank you so much for having me.

Owen McDonald: So glad you could be here. To begin, Eliza, Themis found that 66% of banks are unprepared for emerging fraud threats. That's a lot of unprepared banks. How are fraudsters exploiting the interplay between insider access and external attack vectors with corporate payment fraud, Eliza? What is changing in the way these scams operate?

Eliza Thompson: Yeah. I think that's a really interesting and important question. A key area, as you mentioned, that we looked at was the interplay between insider and external fraud. Employees, insiders, often have access to really sensitive information such as customer data, bank account details. This information can be really valuable to criminals. So, that was really a key thing we wanted to look at is how is that being exploited. 

And then employees also have access often to systems directly. So, that's another area that criminals might look to target as well. So, we did find that this was one of the most significant threats that our survey respondents identified. This was really a top concern.

The thing that they identified within that is most concerning to them was privileged access, so potential misuse of privileged access by employees. So, one risk is employees intentionally sharing privileged information with external actors. So, that might be in exchange for money or other incentives. So, in today's age of remote working, I think this is a really key concern. So, it's harder today to have oversight of maybe what employees are doing when they're working remote.

So, potentially, less oversight, less monitoring of what employees are accessing is really a key risk. And then there's also the risk around remote access in terms of more of a security angle. So, even if an employee might not intentionally be doing any damage, if they're accessing information on, like, an unsecured network, for instance, then that's another really key risk as well. 

Another thing we saw that's really interesting is kind of the rise of dark web marketplaces. So, there might be more opportunities today for employees to be selling information in a way that they feel they might not be potentially caught or traced back to them. So, there might be more of this opportunity, which I think is interesting, this kind of balance between opportunity and risk, and how people may view it differently today. 

And then we also saw that there's potential for inadvertent acts. So, criminals might be targeting employees through social engineering tactics, especially with Generative AI today. Social engineering can be much more sophisticated. So, I think that's a key thing in terms of even employees that have awareness and have a good level of knowledge, in terms of risks, might be more easily targeted today. And then it could be used to either gain access to sensitive information or to systems themselves. And then that could be used to carry out authorized payment fraud, for instance, or kind of more of that, how do we manipulate victims into doing certain things. So, I think that was another key thing. 

And that really shows, I think, the importance of training as well. So, it's really crucial that you make sure that day-to-day practices are in place where employees understand the risks of them potentially being targeted by fraudsters and criminals, either in terms of potentially trying to get them to do something, purposefully or inadvertently.

Owen McDonald: It's a strange new world of exotic tech threats. Open banking, I know you looked into that. Now open banking was a shiny new thing for a while. Now it's big business, Eliza. But is the rapid adoption of open banking creating new vulnerabilities in B2B payments? What are you seeing there specifically?

Eliza Thompson: Yeah. Yeah. I think that's a great way to frame it as you did. I think there are a lot of really great opportunities and positive aspects of open banking in terms of efficiencies, improved transparency, but at the same time, it does introduce a lot of fraud related risks.

So, 59% of our survey respondents did also identify that as a key concern in terms of their fraud risk exposure. So, just the rise of open banking and incorporating open banking into their practices. So, I think a key one that stood out was data breaches. So, open banking really relies on data sharing between various parties. Criminals can potentially target APIs or third-party service providers to gain access to sensitive information.

And then this could be then used to carry out identity theft, other financial fraud. So, stolen information could be used to target victims directly as well. So, again, going back to the social engineering aspect of it, the more information criminals have to target individuals, then the more effective often their crimes are in that sense. So, I think, really, that kind of data piece is really important. 

Another thing is around third-party risks directly. So, certain third-party providers around the open banking ecosystem might actually have weaker anti-fraud measures or weaker understanding of fraud risks, red flags, crime. So, in that sense, some of these potential API data sharing platforms, third-party providers might kind of have a vulnerability in that sense that they are more new to the game in terms of dealing with these really, sensitive financial information. So, that's another key thing. 

And then also regulation, I think, is a really key aspect. So, with anything that's more new, you're going to have a lot of regulators and private sector trying to really understand what are the risks, how do we regulate this, how do we ensure there's proper oversight. So, if you have differences between countries and between regions and even between private sector actors, then I think that really can create inconsistencies, and that can leave room around security and compliance risks as well. 

So, I think, this is a really key example of how payment services and banks, as they continue to integrate new technology, it's really important to understand how criminals might be looking to exploit those advancements. And so that's really where research and industry knowledge, such as surveys or industry focus groups and stuff, that's where that really comes in in terms of how can we collectively understand the latest threats and really stay ahead of them.

Owen McDonald: I'm going to come back to jurisdictional issues in a moment, but we're going to go from something very high-tech to something very low-tech. It's hard to believe we're still talking about this, but paper check fraud remains a $24,000,000,000 a year opportunity for fraudsters. Hard to believe, but there it is. What strategies can businesses employ to protect the B2B transactions that are still conducted with paper checks, Eliza?

Eliza Thompson: Yeah. I think this is, again, a really important topic and something I thought was really interesting in our research was how traditional fraud type really still is important to look at. Traditional payment types and fraud targeting them still persist. So, actually, fraud, or check fraud in the U.S. has increased over the last few years, for instance. So, I think, it really is important to keep that in mind. It's not just about what are the kind of keywords that we're hearing out there in terms of digital threats. 

So, I think one, just quickly in terms of some of the key things we saw around check fraud, one was messaging platforms. So, we found that messaging platforms such as Telegram, there's an ecosystem of selling and purchasing stolen checks. So, this creates an environment where it might be harder to trace back the original source of stolen checks. And so, criminals might feel more of a sense of security to actually continue carrying out these crimes because maybe there's more of this ecosystem and network now, where they can be selling these checks.

Another really key thing is counterfeit checks. So, with advanced technology such as printing techniques or Generative AI it's easier now to make checks that really look and feel like real checks. And then also with things such as Generative AI, fake ID, tools. Now criminals can actually also create fake IDs that then match the stolen or fake checks. So, you really can kind of create this whole elaborate scheme in that sense to support the checks.

And so, yeah, I think in terms of the strategies, so what can businesses actually be doing, to protect and make sure that they're looking at check fraud and what can be done around that? I think one thing is really making sure that you establish clear protocols. So, businesses should have really clear, structured processes for authorizing payments, including multiple levels of approval for larger transactions, clear audit trails. I think another really key thing is around the training and awareness. So, making sure employees really understand the risks that are at play, especially those involving things like account payable, the signing of checks, best practices around verification, things like that as well.

And then, I think finally, just really making sure that you pay attention to unusual or suspicious activity. So, things like duplicate payments, changes to the vendor payment instructions, unexpected withdrawals. So, just really making sure that you treat it in terms of looking holistically at all the possible threats, and warning signs that come along with it.

Owen McDonald: It's incredible they're using high-tech means to pull off low-tech crimes. There's every possible permutation. You were talking before about regulatory gaps, and I'm curious about regulatory gaps in different jurisdictions affecting the ability of multinational corporations to implement consistent fraud prevention measures. How is this problem being addressed, Eliza?

Eliza Thompson: Yeah. So, I think as we see more increased regulatory scrutiny and stronger enforcement, we're also seeing kind of inconsistencies across countries and regulatory frameworks. I think that leaves companies really exposed to fraud risks and how to navigate compliance challenges. So, I think some countries, for instance, have stricter penalties for noncompliance, whereas others might have more sporadic, or even insufficient enforcement. So, I think this really creates kind of a compliance gap, in terms of what can be exploited by criminals. So, that's a key thing. 

And then businesses also have to adapt to different standards, in terms of what due diligence requirements they have, what they have in terms of system requirements. So, I think if you have to deploy anti-fraud solutions based on local standards, then it's really hard to achieve consistency there. So, I think in terms of what companies can be doing and banks and payment providers, I think really just making sure that you are staying on top of all the compliance trends. So, you really want to be proactive. You want to be looking at what are the local standards and compliance requirements and where you operate. And then also, what are the very latest technologies and resources that can be used? 

So, I think this is where technology is just so paramount today because I think it can help really navigate complex and changing compliance needs. And then it can also help in terms of making sure we're allocating resources effectively to deal with any gaps that there are.

Owen McDonald: Including and especially between jurisdictions in this case.

Eliza Thompson: Yeah. Exactly. Yeah. So, you want to make sure that you really understand what are the different requirements across jurisdictions, and potentially, what are the gaps there.

Owen McDonald: Last question, Eliza. Discuss the emerging fraud trends that are causing 48% of your survey respondents to flag Generative AI as a major concern. What did you find?

Eliza Thompson: So, I think it's already come up in some of what we've been talking about, which shows just how pervasive it is, and just how much of a risk it really is. So, as you mentioned, our survey respondents highlighted Generative AI as a key concern. And I think we've all seen Generative AI in the news, and we've all seen a lot of headlines around it. So, it's not necessarily anything new that this would be a concern. But I think what was interesting was seeing what are the key areas of concern within Generative AI.

So, the two things that really stood out, one was deepfakes, and then the other was synthetic identity fraud. So last year, in terms of deepfakes, the U.S., for instance, noted an uptick in fraud using deepfakes and Generative AI. So, I think it really shows that this isn't just some headline news thing, but it actually is already in real time, we are seeing this increase. So, one key thing is around the use of Generative AI videos or identity documentation, images to potentially try and circumvent identity verification mechanisms.

So, today with the amount of digital services there are, that is a really key thing where there's less face-to-face. So, if you have the ability to bypass the security protocols in place, through a lot of these fake ID, fake video, then that's a really key thing. Another thing in terms of going back to more of the insider risk, the U.S. also highlighted the rise of CEO fraud and other frauds targeting employees. So, that's another key thing in terms of there might be more sophisticated deep fakes that can then target employees that actually have a high knowledge of fraud and what to look for, but then they could still be duped into carrying out financial transactions, whether it's sending money to that criminal, wiring money under the guise of that criminal saying that they are the CFO or something. So, I think that's a really key thing that we've already seen. And I think it really is a real concern that we saw across our survey respondents. 

And then the other component of that is synthetic identity fraud. So, that is, unlike traditional identity fraud, synthetic identity fraud combines real and fake information to create new identities. So, it's using both, realistic synthetic data combined with potentially stolen information. And then you create these identities that can potentially bypass more advanced authentication systems.

So, again, that goes back to that component of if we have these protocols in place, but they're no longer adequate in terms of identifying, fake users, fake customers, fake businesses, fake vendors. So, that's a really key thing as well. And I think that's, again, where Generative AI comes in because you can really create highly realistic synthetic data today. So, that's a key issue. And, also, just as our economy does become even more digital and remote businesses and services, then I think that, again, is a really key risk in terms of how do you make sure that you're able to catch a lot of these fake identities that are out there.

So, I think it's a really interesting kind of area that I think is being paid attention to, and I think rightfully so. So, I think you really can't just look at one threat in a silo. You really have to understand the whole fraud landscape today. And I think how technology plays a part in all types of fraud is really important. And I think Generative AI is a really key technology in that.

Owen McDonald: And we haven't even started talking about quantum computing yet, but there it is. Fraudsters inside your organization colluding with fraudsters outside of your organization. If that doesn't alarm you, rewind and listen to it again. We also suggest reading the Themis White Paper 2025 Fraud Trend. It's a valuable resource in the fight against financial crime.

Our thanks to Eliza Thompson, Financial Crime Researcher at Themis. To our terrific audience, thanks for listening. Hit subscribe. Catch us again on your favorite podcast platforms, including Apple and Spotify. Bye for now.
 

Owen McDonald: The Payments Podcast from Bottomline.