Scammers are duping victims in many ways: tricking customers into believing they need to reverse a Zelle payment, promising big earnings from cryptocurrency investments or convincing online lovers to send money. A myriad of schemes is resulting in a sharp rise in authorized payment scams, which according to Aite-Novarica Group now account for two of the top five categories of fraud volumes and losses for financial institutions.
In the United Kingdom, for example, nearly half of the 609.8-pound million in fraudulent transactions in the first half of 2022 was due to authorized push payment scams. The growth in this type of scam, in which victims transfer the money and are held liable for the losses, has gotten the attention of banking regulators as well as the U.S. Congress, which argues that banks should reimburse their customers as they do in other types of fraudulent transactions.
In response, seven banks in the United States last month drafted a proposed framework for reimbursing customers for specific types of authorized payment scams. Peer-to-peer money transfer firm Zelle said it is preparing for a major rule change early this year that will require the network's member banks to compensate customers who fall victim to certain kinds of scams.
Seven banks in the United States that own Zelle recently proposed a framework for reimbursing customers for specific types of authorized payment scams.
This sea change from the banking and payments community will likely result in a shift in the technology market to solutions aimed at reducing scams such as advanced risk modeling platforms, consortium and network-based signal detection providers, and new peripheral controls employing AI and machine-learning technologies.
Information Security Media Group spoke to bankers and fraud experts to understand the tools banks can leverage to reduce authorized payment scams, and some say it's a difficult challenge to overcome.
Challenges in Detection
The major challenge in detecting authorized payment scams is that the actual customer has logged in and authorized or executed the payment request. These real customers are often coached by fraudsters on how to answer questions from fraud analysts and call center agents if the bank tries to review or stop authorized payments.
"Generally speaking, traditional ATO controls will stop a payment from occurring until the true/good customer logs into their account, passes multifactor authentication and then follows whatever process the respective bank employs to reestablish confidence in the payment request," says Bradley Haacke, vice president and financial crimes director at Fifth Third Bank. ”How do you establish confidence in a payment request when nothing about the customer's device or the login event is raising a red flag?"
In short, the biggest issue that banks face when trying to prevent scams is that they lack full context behind consumer transactions. In other words, banks and financial institutions often do not have an accurate picture of consumer behavioral patterns that can help them predict what activities are genuine and, in turn, what activities carry fraud risks.
This lack of understanding or contextual knowledge leaves financial institutions in the dark when trying to identify vulnerabilities or security flaws in their fraud protection strategies.
Karen Boyer, senior vice president of financial crimes and fraud intelligence at M&T Bank, says bankers want people to have control over their money and that is what makes it tough to determine authorized scams. "When they don't identify what they are sending is to a fraudster, the banks are kind of limited in some capacities," she says.
"As a bank, for authorized scams, all signs point to it appearing that the customer is the one making the transaction. As we currently do not have transparency into what is occurring on the customers’ phone outside of the banking app, it limits us to determine possible scam involvement. In addition to this, the challenge lies when we ARE able to detect a possible fraudulent payment, and subsequently send an alert to the customer. The customer confirms the transaction but may then file a claim later that it was fraud. Naturally there is questions surrounding if we as a bank have any leg to stand on, that we detected fraud, alerted about it, and the customer confirmed the transaction. If the expectation is that we still must pay regardless, first party fraud will continue to proliferate beyond control."
"There are additionally many times we are able to detect a customer is being scammed, but the customer is adamant that the activity is legitimate. They often get frustrated and scold the banker that “it is their money, and we do not have the right to prevent them from spending it the way they want to”. This is often due to coaching from the fraudster themselves, especially in cases of elder abuse or romance scams," she adds.
While some anti-scam vendor solutions have been introduced, the market is not very mature. Ian Mitchell, managing partner of Omega FinCrime and founder of The Knoble, a network of fraud, cybersecurity, fintech and financial crime professionals, rues the fact that service providers have not really taken the time to think about how their legacy solutions can solve scams.
"So many of the vendors I meet with, their solution may actually work to fight first-party and scams, but they're still having conversations around account takeover fraud and identity fraud," Mitchell says. "And really, when it comes to account takeover fraud or identity fraud, the ones that are suffering are the ones that didn't make the right investments over the last decade and are behind. But everyone that has is now dealing with the first-party fraud and scams."
"So to help these financial solutions solve this problem, we need solution providers and service providers to really start thinking about how they can retrofit their solutions to really help with this fight," Mitchell says.
Seth Ruden, director of global advisory for the Americas at BioCatch, says most fraud solutions are "fairly limited" in data they collect about authorized payments and how to apply their detection, scoring models or rules.
New Solutions on the Horizon
The good news is that the vendor market targeting scams is growing, and there are a few tools and mechanisms out there that banks can deploy.
"Ken Palla, former director of MUFG Bank, in a recent paper, "Top 10 Controls Banks Can Deploy to Protect Consumers," lists some innovative ways banks can reduce authorized scams until the vendor market develops further.
He suggested banks use transaction nudges to control this type of fraud. A transaction nudge, which first began in the U.K., is a message to the customer at the time of a transaction when the bank sees something anomalous about the transaction. The nudge message is crafted specifically to this transaction and the anomaly. The purpose is to get the customer to stop and think about what they are doing.
Delaying the execution of payments for new payees is another way banks can control this kind of fraud, Palla tells ISMG.
"I think there could be a delay of up to four hours on certain high-dollar, high-risk transactions," Palla says. "Payment platforms like Zelle say they don’t want friction, but the problem is if you look at how the scams work, you really have to rethink this."
For example, for most high-dollar transactions, more often than not, the need for the transfer is not immediate and can wait for a few hours, Palla says. "I take this mindset: A four-hour delay is recommended as that allows enough time for a scammer to disengage with a customer, the spell to be broken, and the customer can call the bank to say they were scammed. This delay tactic has proven to be very successful in the Netherlands."
Zelle did not respond to ISMG's request for an interview.
Carolyn Homberger, president of the Americas at Featurespace, says tools such as AI and machine learning not only provide a more predictive outlook on consumer behavior but also provide more holistic insights into individual consumers' spending habits and profiles.
"In order to accurately predict what would amount to fraudulent behavior, financial institutions must gain a full understanding of what behavior is authentic to each individual consumer. This can be done by creating a model of continuous learning, where AI and machine-learning technology can use past behavior to build accurate, reliable analytics to predict future behaviors."
Trace Fooshee, strategic adviser at Aite-Novarica Group, says banks must employ three tools - advanced risk modeling platforms, network-based signal detection providers and peripheral controls - for better control over scams. "Things work best when they work together. For instance, advanced risk modeling platforms have proved useful in reducing false positives in areas like screening for first-party fraud," Fooshee says.
One of the banks in the U.K. has leveraged this platform to create a new model with a vendor that has yielded triple-digit improvements in their detection rates for authorized push payment scams, Fooshee says.
Ruden of BioCatch says companies also must leverage behavior biometrics to be able to distinguish between legitimate customer action and coerced or coached behavior. "Trying to find and identify those cues and trying to associate elements that are high-risk with modeling techniques that we have internally is one of those mechanisms on how we'll be able to take some of these cues and convert them into actionable alerts and prevention strategies."
New Vendor Technologies
The vendor market dealing specifically with authorized payment scams is small, for now. A few companies including NICE Actimize, BioCatch, Feedzai and Featurespace are specifically concentrating on this particular scam.
"We do expect growth in this space although it is too early to quantify. I can share we are presently exploring interest in both scam and money mule prevention controls," says Jake Emry, SME of fraud prevention at NICE Actimize. The vendor market, particularly for mobile device-oriented analytics and behavioral biometrics, seems to be getting a lot of industry attention in the U.K., particularly given the impending liability shift to banks and payment services providers there for APP fraud, he adds.
Homberger from Featurespace expects this space to rise massively in the coming years.
"Financial institutions are looking to improve their fraud prevention and anti-money laundering capabilities," Homberger says. "Implementing more advanced, predictive technologies will enable financial institutions to become more agile and proactive in their fraud prevention efforts, and we anticipate that the financial sector will lean into further technology adoption in the coming years."
Mitchell of Omega FinCrime adds that technology alone will not solve the problem and says banks also need to invest in fraud experts to intervene and spend time on the telephone with victims to explain the scams and prevent the transfer.
"As fraud fighters, we have an opportunity to do what our job says - fight fraud - and scams are the biggest fraud problem we have on the globe right now. We have the ability to do the right thing even before liability shifts to protect our customers to build programs that are robust enough to solve this fraud problem," Mitchell says.
Suparna Goswami: Hello there, I'm Suparna Goswami with Information Security Media Group. Authorized payment scams, especially Zelle scams, are rising at an alarming rate. Victims who fall prey to cryptocurrency scams, online romances and other schemes are losing billions of dollars. Meanwhile, banking regulators and lawmakers are putting pressure on financial institutions to do more to protect their customers. Information Security Media Group spoke to bankers and fraud experts about the challenges of detecting these types of scans and how technology can help solve the problem.
Ian Mitchell: I really just encourage both financial institutions and service and solution providers to think about this first-party fraud and scams problem and think about how your solution, your service can actually help financial institutions protect their customers from being duped. We owe that to our customers. They truly are the weakest link, not because they're for lack of a better word, they're not equipped there. These scams are targeting all ages, all socioeconomic demographics, the smartest in everything. They're attacking everyone.
Goswami: The big challenge of authorized payment fraud is that customers are signing owners themselves and transferring directly to the criminals. For the most part, banks and Zelle have not reimbursed customers for these types of scams, even though they do reimburse customers for other types of fraud. But that may be changing. In December, seven U.S. banks and Zelle indicated that they will change the policy for certain types of authorized payment fraud.
David Pollino: Financial institutions will figure it out. And they will manage it down to such a way that it's a minimal inconvenience to them on their bottom line, and customers will feel safe utilizing those mechanisms. Might take some time, might even take a name change, who knows if Zelle doesn't get a handle on it soon, Zelle might become synonymous with fraud. I hope we don't get to that point because it really is a cool product. It's good for customers, it's good for financial institutions, as far as a low cost mechanism to transact. We just need to make sure that we understand the operating rules and give customers the ability if they are a victim of a scam to to do something about it.
Goswami: With banks looking to take on more liability for authorized payment scams, fraud experts expect major growth in technology that can detect scams and prevent the transactions from happening. This and another platforms could have an immediate impact on scams by simply slowing down the transactions.
Ken Palla: That's all about Faster Payments. So if we look in the U.K., and they talk about the authorized push payments, well over 95% of those authorized push payments go through the past payment rails. In the United States, the big topic we've had has been Zelle and Zelle is immediate. So there's nothing faster. As soon as you do a Zelle transaction and click send, the money is at the receiving bank. So clearly, as we see the evolution of faster payments, that really brings it about. Now the other side of it, the fraudsters have gotten so much smarter about social engineering, and so they're able to do things that if five years ago, if someone said, this was what the scenarios would look like, I would have had trouble believing them. I think there could be a delay of up to four hours on certain high-dollar, high risk transactions. We have this thing about Zelle and it's faster payments, and it's immediate payments. And everybody says I don't want friction. But the problem is, when you look at how the transactions work, how the scams work, you really have to rethink this. And I'll give you an example. I've had to send money to my children every now and then. And they'll call me up in the morning and they'll go "dad, I need X dollars today." And I go, "okay," and back then, this was life was pre-Zelle, and pre-Venmo and things like that. So I'd have to go log on to my bank account and send a wire, and pay $25-$50 for a wire. But the important thing was they didn't need it immediately. They just needed it that day. And so I take that mindset when we look at Zelle and say, "hey, if I see a transaction, it's a high dollar amount transaction, it looks like it's high risk, is there a problem if I delay it for up to four hours?" It'll still get out today. And the benefit to that is when these scams occur, the scammer is on the call with the customer. They're pretending to be the bank, and they're walking the customer through doing the transaction, and in many cases, these customers have never done Zelle. But the whole thing is taking place where the scammer is in the customer's face - if you will - on the phone and getting them to do the transaction. So my thinking and I've seen this work in the Netherlands with the Dutch banks is what If you say "okay, well let the transaction occur, but we're going to hold it for four hours." And during that four hours, the scammer is going to get off the call with the customer. And the customer might reflect in a moment of peace and quiet. Oh, my goodness, what have I done, I better call the bank.
Goswami: Zelle did not respond to an interview request from ISMG, but a promotional video wants customers to be on the lookout for fraud.
(Transition ad: Keep in mind, Zelle can send money from your bank account to someone else's in minutes. So it's important, you know and trust the person you're sending it to.)
Goswami: Palla advises banks to look for signs of fraud, such as an active caller, during the fund transfer, and then give customers a real-time nudge to warn them before they complete the transaction.
Palla: A nudge is where you're doing the transaction online, but because of the anomaly detection that you see, you want to bring attention to the customer during that transaction that something seems strange. And you might have on the nudge, which is a little bit of a pop up, "hey, are you talking to someone on the phone? Are they telling you to do a transaction? Do you really know them?" Whatever it might be, that might be relevant to that transaction, nudge them right at that point, and see if you can - what I call - break the spell. So we've also seen that in the U.K., and we're seeing some of this in the United States. As a matter of fact, one of the major banks is starting to do one of my third things, which is education, real time. And so one of the major banks have started to do popups when you're going into Zelle before you even do the transaction. They're providing, if you will, education. To say, look, in essence, there are problems with Zelle, and be careful that you don't get caught up with a scammer. Someone calls you on the phone, we're not going to ask you to do a transaction, so on and so forth. So I think education being real time and more frequent, maybe every six months or every three months during the session. Do some education.
Goswami: While the market is still immature technology vendors are working on potential solutions using advanced risk modeling and signal detection capabilities.
Trace Fooshee: I think that there will be a pretty big shift in the market. And I think there are three segments of the market that are likely to benefit from this coming shift. The first is what I would call advanced risk modeling platforms. I also commonly call these things risk engine platforms. The second our consortium and network-based signal detection providers. And the third would be sort of a broad bucket of peripheral controls. These things work best when they work together in some form or another of orchestration, the first the advanced risk modeling platforms. So first of all, they're becoming more and more common today, largely because they're very helpful, and they prove very useful in reducing false positives in areas like check fraud, like screening for first-party fraud, and generally speaking for a lot of other use cases like account takeover. I think they will find utility in modeling for risk associated with scams as well. And in fact, there's been at least one bank in the U.K. that's piloted some innovative new models by one particular vendor that have yielded triple digit improvements in their detection rates for scams.
Goswami: Other experts point out that technology alone will not solve the problem, it will take a concerted effort by fraud investigators to shine a spotlight on this type of scams.
Mitchell: It starts with our fraud program. We need to include on our policies and programs the definition of scams, how it fits into our risk appetite, and how we define and are going to start classifying scam attacks in our case management system and our detection. So we just start with our program level, then we get into our prevention, we still talk about training, we can talk about really making sure we have active training and awareness. A side note on this is we can't train our way out of this. But that doesn't mean we shouldn't be training our customers. And so we really need to make sure we are robust and collaborative with all the institution training but then we get into really making sure that we're detecting this and we need to start looking at interdiction models. So we look at our anomaly detection, our machine learning, we need to start interdicting the transaction and not just sending a text message and say, did you do this transaction or verify that transaction, we actually need to now have a different conversation with the customer digitally and over the phone, where we actually start having a conversation that looks like patterns of scams where they may be being duped. We need to change the way we dialogue with the customers. We can't no longer go to the lowest cost provider that tries to automate this interaction with a customer. We need to now start thinking about this customer interaction as a meaningful interaction that's a chance to not only train but help this customer help us and help us help this customer through a very difficult life event. Our staff now needs to not be measured about doing 25 alerts an hour. If you think about these scams conversation, I see us getting to the point where a seasoned fraud detection analyst is going to get on the phone with a customer and be on the phone for 5-10-20 minutes having a conversation to let them know and unwind the way that they've been duped by these very sophisticated fraudsters. It's going to change the way we operationally measure.
Goswami: He adds that the industry as a whole needs to work together to solve the problem.
Mitchell: So once we identify the actual scam, how do we interact with the customer and start investigating? I do see there are countries that have liability shifts, I do think it's coming to North America. And I think we need to change our operational procedures to start not only interacting with the customer ask important questions, not on round liability, but to try to capture intelligence of how these fraudsters are actually committing the fraud and start classifying them in our case management systems. So we can have that feedback loop right to the front of the policy and the detection. I didn't describe anything that's not done for identity theft, not done for account takeover. The issue we have is is we're not doing it for scams for some reason. As a fraud fighter, we've never waited in our history, for regulation to change to fight fraud. As fraud fighters, I always used to say the most noble profession in banking is fighting fraud. I now say that for the noble, about human fighting human crime and financial crime. I will tell you as fraud fighters, we have an opportunity to do what our job says, fight fraud and scams is the biggest fraud problem we have in the globe right now. And so we have an opportunity to do the right thing, even before liability shifts to protect our customers to build programs that are robust enough to solve this fraud problem, the scams problem and to talk to our solution and service providers, our case management providers, our detection platform providers, our servicers and processors to talk to them about what can you do how can you help me fight and protect my customers and fight scams? We need to have those conversations.
Goswami: In the coming months, banks and regulators will work out liability questions surrounding scams and technology vendors will work on new innovations to fight this rising crime. At stake are company reputations, bottom lines and most of all, the financial health of millions of consumers. For ISMG, I'm Suparna Goswami. Thank you so much for watching.
Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.
From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.
Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:
Understand the current cyber threats to all public and private sector organizations;
Develop a multi-tiered risk management approach built upon governance, processes and
information systems;
Implement NIST's risk management framework, from defining risks to selecting, implementing
and monitoring information security controls.
Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.