In case anyone needed a reminder of how aggressive and creative fraudsters can be, last week provided a stark reminder of both. T-Mobile was covered as the victim this time, as it reported that SIM-swap fraud was at least partially behind a huge breach of consumer data. More than 47 million hacked customers later, the telco is retracing the incidents to find out more, but regardless of what it finds, fraudsters will find new schemes to match new technology.
SIM-swap fraud was just one of the topics discussed at the NACHA Smarter, Faster Payments event on Monday as Bottomline’s Risk and Fraud Prevention Officer Chris Gerda and VP Product Management and Strategic Banking Solutions Jessica Cheney detailed the schemes and defenses available to financial institutions. “Gaining a Holistic View of Security and Risk Across the Payment and Cash Lifecycle,” urged attendees to be proactive instead of reactive where fraud is concerned.
“Banks need to authenticate the legitimacy of businesses before they interact with them,” Gerda said. “It allows for communication security to really bring it together holistically. It doesn’t matter whether we’re talking about emails, chats, real-time payments or sending and receiving invoices, secure networks that have multi-factor authentication can flip the script on a fraudster. It's bringing these digital processes into your fold of policies and people. It's kind of like night vision, and the fraudsters are trying to hide in the dark.”
Gerda broke down several fraud schemes from documents to devices to biometrics and the aforementioned SIM card swap. He specifically focused on business email compromise (BEC) fraud, because it is so prevalent and potentially harmful. According to the FBI, the bureau’s IC3 complaint division received 19,369 BEC complaints accounting for losses of over $1.8 billion. In just one week in April, as the pandemic set in, Google blocked more than 18 million malware and phishing emails.
Gerda used the BEC example to show how companies could use digital tools to be more proactive about stopping them. For example, before a phishing email against a specific target can be sent, an email threat intelligence solution should be deployed. Before a fraudster reviews an email for potential funds transfer activity and jumps in to misdirect payment, companies should add simple security info to their emails such as “my business will never attempt to change payment information via email.”
The importance of communication both internally and externally to fight fraud plays into the strength of one of the event’s core topics: real-time payments. Cheney encouraged the attendees to look at payments from the perspective of relationships. And because real-time payments carry such an intense volume of information via the ISO 20022 platform, she sees the technology as enabling “conversational payments.” For example, The Clearing House RTP scheme has created within its message set the ability to receive a payment, request a payment, to ask a question of the sender of the payment, or communicate with the sender of the request for payment.
“This provides a mechanism for two-way communication in a secure channel,” Cheney said. “In this case it's the actual, same rails that real-time payments flow through that can be used to validate the relationship between the parties in a uniquely enhanced way. These communications are recorded for historical use, they're audited and are available to either party in the chain. If there are any issues that arise at a later time the communications can be reviewed.”
Cheney also pointed out that because real-time payments carry so much information they are compatible with watchlist screening initiatives. They will also be increasingly integrated with tokenization technology, in which random numbers accompany the payment to foil fraudsters.
“And it has the advantage of keeping the most important communications out of the email channel,” she said. “The communications happen in the transaction.”