Fighting to stay ahead of payments fraud

Despite what Hollywood movies like “Catch Me If You Can” would have you believe, the business of tackling payments fraudsters seldom involves high-octane globetrotting adventures. Rather than frantic chases across airport terminals, it is a methodical business of detecting illicit activity, correcting weaknesses, and the decidedly unglamorous work of remaining ever vigilant to thwart the next attempted attack. 

Fraud prevention is a largely thankless but nonetheless immensely important task. The cost of payments fraud in 2023 in the retail sector alone was $429 billion, according to research from the Centre for Economics and Business Research.  When the overall global institutional payments ecosystem is taken into account, the annual cost of payments fraud likely stretches into the trillions of dollars.

In the realm of payments, the prevalence of fraudulent transactions and the net value of those illicit remittances continues to climb each year. A 2024 payments fraud survey by the Association for Financial Professionals (AFP) found fraudulent activity soared in 2023 relative to the previous year, with 80% of organizations reporting that they were victims of attempted or actual fraud in 2023 — an uptick of 15% from 2022. 

Despite heightened awareness around fraud — November 17, 2024, marks the beginning of “International Fraud Awareness Week” — and rapidly improving detection and prevention tools, fraudsters are responding by deploying increasingly sophisticated techniques to find new and inventive entry points to exploit. 

OLDEST TRICK IN THE BOOK

The rise in transaction fraud across financial services has often been linked to the development and rollout of real-time payments systems, with the misleading phrase “faster payments mean faster fraud” becoming commonplace. Focusing the discussion on the speed with which payments are completed risks missing the larger point, however. 

“The focus on fraud prevention is more critical than ever, and especially in the dawn of faster payments, it’s more prevalent today than we’ve seen before in the industry. From ACH payments to checks, there is a tremendous amount of fraud and we as an industry can — and should — do more,” says Carl Slabicki, executive platform owner, Treasury Services at BNY.

The point is demonstrated in the AFP report, which reveals that of all U.S. payment methods, checks are the most susceptible to fraud, followed by ACH debits. In fact, real-time payment networks and faster payments were found to be the second-least likely forms of transaction to be targeted by fraudsters (see Figure 1). 

THE CHECK BOUNCED

Payment methods subject to attempted/actual payments fraud

_{*Not asked in the 2023 AFP Payments Fraud & Control Survey    
Source: Association for Financial Professionals, 2024 AFP Payments Fraud and Control Survey Report}        

That fraudulent checks remain the most prevalent form of payments fraud in the U.S. is not surprising. Slabicki explains that while we might imagine fraudsters to be using sophisticated technology to initiate attacks, they will resort to any means necessary, exploiting any weakness or vulnerability, no matter how basic. “Everything old is new again — stealing checks out of a mailbox seems like an old-fashioned technique, but it’s a real and ongoing threat,” said Slabicki. 

In fact, check fraud related to mail theft remains sufficiently rampant that in February 2023 the Financial Crimes Enforcement Network (FinCen) alerted financial institutions of fraud schemes targeting the United States Postal Service, which prompted the rollout of 12,000 new high security collection boxes and 14,000 electronic locks. 

The volume of checks processed by the Federal Reserve declined 8.3% each year between 2018 and 2021, building on the existing 6.8% decline witnessed each year between 2000 and 2018, according to an April 2023 working paper from the Federal Reserve Bank of Atlanta. However, the customers and organizations who remain doggedly loyal to writing checks are increasingly vulnerable to being victims of fraud. FinCen statistics reveal that the number of suspicious activity reports (SARs) the agency receives pertaining to checks is increasing, in spite of declining check volume overall.  

Despite rising fraud — and the rest of the world having largely phased out checks — over 70% of organizations in the U.S. do not have plans to discontinue check use, according to AFP. While support for checks remains high, Eric Woodward, senior advisor at the identity verification and fraud prevention company Socure, compares the inevitable obsolescence of checks with the demise of DVD rentals. “When Netflix phased out DVD rentals in favor of streaming, people were up in arms, but now we can barely remember what a DVD is. As banks begin to end checks, I think we will see a similar phenomenon,” he says. 

DIGITAL FORTRESS?

Those that make the leap from the checkbook to digital payments are by no means free from the risk of fraud, however. A March 2024 Interpol assessment on global financial fraud highlighted how the increased adoption of technology is enabling organized crime groups to better target victims around the world. 

In particular, the report noted that artificial intelligence (AI), large language models and cryptocurrencies are being combined with phishing and ransomware-as-a-service business models to create more sophisticated and professional fraud campaigns at relatively little cost and without the need for criminals to develop advanced technical skills.

“Today, our lives and our devices are increasingly interconnected — and that includes in the payments space. It means there are many more access points for fraudsters to exploit. This is what motivates us to innovate faster and smarter to protect our customers from emerging fraud threats with the latest AI technology,” explains Rohit Chauhan, executive vice-president, AI fraud solutions at Mastercard.

Through these access points, fraudsters target customers to send payments, typically when they are distracted at work, or by using social engineering techniques to prey on emotions. The most prevalent form of attack is the business email compromise (BEC), where a criminal accesses a work email account to trick someone into transferring money. The U.S. Federal Bureau of Investigation received 21,832 BEC complaints in 2022, and in 2023 AFP reported 63% of organizations experienced BEC scams (see Figure 2). 

YOU'VE GOT MAIL

Percent of organizations that experienced business email compromise, 2014-2023

_{Source: Association for Financial Professionals, 2024, AFP Payments Fraud and Control Survey Report}  

AI and large-language models are creating new ways to defraud people, businesses and even governments. While AFP reports that only 1% of fraud attempts in 2023 were related to “deepfake” technology, this increased more than tenfold between 2022 and 2023, with North America and Asia-Pacific most affected. 

AI is also reducing the barriers of entry for criminals. “Fraud-as-a-service” platforms like Fraud GPT — a criminal version of Chat GPT — are now available on the dark web. “This allows people without any fraud or technology experience to produce convincing phishing emails,” explains Yuval Marco, general manager for enterprise fraud management at NICE Actimize. “But it also gets much worse: They can generate malware that can be deployed on different devices, and they can also easily create synthetic identities.” 

BUILDING A SOLID FRAUD DEFENSE

How are financial institutions responding to the plethora of methods criminals are using to perpetrate fraudulent transactions? For sender banks there are a number of steps that can help ensure a payment is legitimate. The first is for a bank to confirm that the payment instruction is a genuine request from a customer. Banks typically require customers to authenticate the request, by entering a one-time verification code, providing biometric verification, or answering a security question.

Second, banks check if a transaction falls within a customer’s set parameters. For retail customers, this could be as simple as a daily transaction limit. 

If the payment instruction passes the initial set of filters, the bank must validate that the beneficiary is legitimate by using proprietary tools or network analytics. “We process the equivalent of the world’s GDP every three days in our network, and we can use this transactional data to identify anomalies — and those anomalies could be fraudulent, or they could be operational errors,” says Stephen Grainger, global head of data and services at Swift.

After these tests have been satisfied the payment could still be fraudulent — no validation service has 100% market reach so there are always gaps. The beneficiary account might be correct, but that doesn’t tell the bank that that person isn’t a scammer. This has become the payments industry’s main pain point — and as fraud gets increasingly sophisticated, the harder this final verification step becomes. 

Some progress is being made here. Nice Actimize has been using AI and machine learning to optimize transaction accuracy and has developed typology-based risk models that provide greater fraud detection than a transactional model. 

“All participants in the payment chain have a role to play, starting with the initiation of the transaction,” explains Devon Marsh, managing director of ACH network rules & risk management at ACH governing body Nacha. “But the institution on the receipt side might have the best opportunity of all to spot when it’s a fraudulent transaction.” 

This is because most of the liability — and hence, the controls and protections on fraudulent payments — is with the sending bank. But the rise in induced payments fraud — also known as authorized payment fraud — has created a challenging situation for the sending bank. For example, a scammer sells fake tickets to 500 people and each buyer approves their payment via their bank’s authentication controls because they believe it to be a legitimate transaction. The challenge is then when they turn to their bank to report the fraudulent activity, because, from the bank’s perspective, each of the payments is correct and authorized.

However, at the receiving bank, the scammer’s account will be receiving 500 payments for similar amounts with similar reference words. Many believe there is an opportunity here to mitigate fraud and pressure is mounting on receiving banks to do more — but how can the industry hold the bad actors accountable?

Nacha is one of the first movers in this space and is introducing new rules that require receiving institutions to address fraud monitoring inbound payments. Effective March 2026, these rules will impose new requirements on receiving institutions, mandating them to put monitoring in place on all incoming credit transactions.

INFORMATION SHARING

The Federal Reserve is working to make information sharing easier and has established a working group to examine the mechanisms on how we share information.

CONCLUSION

Across the globe, organizations are making significant investments in payments trying to keep up with the ever-evolving threat of fraud. Those who haven’t already made investments are grappling with old threats, while the rest are combatting the latest criminal tactics. Soon, all participants in the payments value chain will be contending with the next generation of fraud attacks, with all the potential threats that AI and quantum computing may present looming large on the horizon.

No matter the speed of these technological changes, the financial services industry will continue to defend both the physical and digital payments ecosystems and ensure they are trusted, safe and reliable for all who use them. “Fraudsters may be ahead of the curve, but we will be chasing closely behind in this never-ending game of cat and mouse,” concludes Woodward. 

Sadhbh Cloonan is a freelance writer based in London.

¹Research from the Centre for Economics and Business Research.

²Association for Financial Professionals, 2024 AFP Payments Fraud and Control Survey Report.

³Ibid. 

⁴CNN World. 

Questions or comments?

Write to treasury@bny.com, or reach out to your relationship manager.