What’s one thing all financial criminals have in common? They don’t discriminate. They don’t care how big your organization is, the industry you’re in, or even how they attack you. What’s important to them is to exploit every opportunity to get at you. And never were the opportunities to exploit more evident than over the past year. Side-swiped by socio-economic upheaval, businesses around the world focused first on maintaining operations, keeping the lights on and managing workforces pushed to levels of virtual and altered engagement like never before.
Those realities, however, exposed new and existing vulnerabilities in how businesses approach protection, in many cases inadvertently setting themselves up for exploitation. After all, the very advancements in technology that have helped us keep the world going virtually are the same ones used by financial criminals to wield syndicated assaults, at scale, indiscriminately.
The rise in bad acting crosses all forms of fraud. One of the biggest concerns is the uptick in authorized push payments (APP). APP fraud occurs when victims (usually an employee with access to financial transactions and customer payment data) are manipulated into making payments that divert funds into accounts owned by the criminal orchestrating the attack. The fraudster often impersonates an executive or customer requesting a payment to be made or directed. The unwitting employee approves the request, authorizing funds transfer into the fraudulent account. APP is particularly damaging because the transaction is seen as authorized by the business, so in many instances banks issuing payments are not held liable for the dupe.
Playing into the rise here is the reality that many businesses are not as focused on fraud that starts inside, either “accidentally” as with APP, or criminally in the form of an employee as bad actor. Typically, businesses invest more in identifying and protecting against classic external threats. But APP is no longer an emerging threat; it’s a very real one. And, as banks come under more customer and regulatory pressure to prevent APP and the fraudulent diversion of funds, it will continue as one.
Further complicating funds diversion is an adjacent and growing trend. Bad actors increasingly break up diverted funds into smaller disbursements directed to multiple destinations along rails that often can’t or don’t communicate with each other. The multi-layered, fragmented attacks and payouts are in response to the increased controls organizations are putting in place. They’re also perfect evidence of just how much fraudsters find ways to keep pace with innovations in fraud detection.
The persistence of these exploits, the emergence of new ones, and the ability of fraudulent actors to stay on top of efforts to stop them are all reasons to think whole-picture. It’s never been more critical to think of and protect payments across their full journeys, from the first to last mile, and to ensure layers of protection against all 3 main categories of fraud:
- 1st party – where the customer is the fraudster
- 3rd party – where the customer is the victim, and
- Insider – where the employee is the fraudster
If an organization doesn’t prepare for all 3 types, it remains unnecessarily vulnerable.
Still, many organizations don’t follow an integrated approach to fraud prevention. There’s no hub to intersect multiple points of data, and no application of smart query technology or intelligent behavioral monitoring to track payments across data points and provide full visibility into transaction status. The key is to gain an in-depth knowledge of your customer, so the right questions can be asked even if the payment appears to be authorized. That’s where the fusion and collaboration of cyber fraud, data and AML teams (a hub) is critical. Mobilizing these teams to provide an upstream and downstream, holistic view of customer activity is the path to a best-in-class fraud prevention strategy.
Hub collaboration lets teams map out payment junctions to understand the multiple touchpoints and install protection ‘shields’ on all junctions, across the entire payment flow, while making it a seamless experience for customers. After all, providing secure transactions is of utmost concern, but the more seamless it is for the customer (e.g. fewer authentication actions), the wider the adoption becomes. It’s up to financial institutions to help customers be the guardians of their security by arming them with the right tools and education.
Omri Kletter is the Global VP, CFRM at Bottomline. Previously, Omri led fraud and authentication solutions in the EMEA region for NICE Actimize. He began his career in Israel’s elite technological intelligence army unit, where he served as the Head of the Global Counter-Terrorism section.