Real-time payments need real-time fraud detection
Summary
The rapid emergence of new instant payment services built on real-time payment rails represents the future of money movement. While these rails have many benefits, there has also been a significant increase in fraud — specifically, social engineering attacks.
Traditional fraud prevention is no longer effective in this real-time environment; real-time fraud detection technology can protect consumers.
The financial services industry needs to improve collaboration amongst all players, including financial institutions, fintechs, and crypto companies, to address systemic risk stemming from the growth of instant payments and corresponding fraud.
The rise of real-time payments
How we move money is quickly changing. Neither consumers nor businesses want to wait 3–5 days for the funds to settle in their accounts or pay bills.
Internationally, countries like the United Kingdom, Australia, Singapore, India, and Sweden already offer their population access to real-time payments across multiple use cases, including account-to-account payments, requests to pay, instant payouts, etc.
While in the United States, the growing use of peer-to-peer (P2P) payment apps such as Zelle, Cash App, and Venmo is the first instance of innovations built on real-time payment rails. According to Insider Intelligence, US P2P services will reach almost $1 trillion in payment transactions in 2022.
Some of the U.S. P2P volume is already on a real-time payment rail. In February 2021, Early Warning Services — the company behind Zelle — and The Clearing House (TCH) announced that Zelle transactions would be conducted via TCH’s RTP network, which covers over 60% of U.S. deposit accounts.
In addition to TCH, the Federal Reserve is piloting its real-time payment rail, FedNow, with over 200 financial institutions and plans to launch the service in 2023. Alloy Labs Alliance — a consortium of community banks and credit unions — is soon launching its real-time payment rail, CHUCK.
Social engineering attacks & authorized push payment fraud
While payment experts promote the benefits of instant money movement, one growing problem is the increasing amount of fraud on these P2P payment apps. Unlike traditional cybercrime, including account takeover or credential-stuffing attacks, fraudsters use social engineering attacks, such as phone number spoofing, robocalls, and personalized text messages, to initiate payments through these apps.
The elderly are particularly vulnerable to social engineering attacks. According to the Federal Bureau of Investigation’s internet crime report, fraudsters are twice as likely to target this segment. The Federal Trade Commission reports that consumers over 70 typically lose $1,500 each.
Fraudsters often present themselves as a representative of their bank or broker and request that the victim sends money to a specific account using a P2P payment app. Fraudsters will use remote desktop software (Zoom, TeamViewer, etc.) to help “guide” them into completing the payment.
This is Authorized Push Payment (APP) fraud. It can be challenging to prevent since the victim is providing their account information and using their device.
Yet, there are things we can do to overcome this challenge:
1. Real-time APP fraud detection and prevention
It’s no longer sufficient to rely on past transactions to identify emerging fraud patterns. Fraud detection must happen in real-time to catch social engineering attacks.
Like P2P app-based social engineering attacks, one common form of APP fraud in crypto is “investment advisor” scams. In this scenario, a fraudster pretends to be an advisor and convinces a user to create an investment account. While using remote desktop software, the fraudster guides the victim through the account opening process, where the victim uses their own identity for KYC verification. The fraudster then has access to the account and steals the transferred funds.
This type of fraud can be blocked by effectively flagging suspicious devices, emulators, or scripts, as well as sessions conducted via proxies, VPNs, screen shares, or remote desktops in real-time at the onset of a transaction. Banks, fintechs, and crypto companies can collect device and network data on their login pages to prevent these attacks.
Another way to detect fraudsters is through their distinctive behavior on the device. Regular users will auto-fill an onboarding form and show varied mouse and scrolling patterns. A fraudster will likely copy and paste and have more repetitive movements due to practice. Other behavioral signals, such as shortcut usage and page or window switches, can play a crucial role in helping businesses catch fraud.
At Sardine, we’ve successfully used device intelligence and behavioral data with fintech and crypto businesses to prevent fraud. Using real-time data to detect and flag social engineering and can stop a fraudulent transaction before money moves.
2. Industry collaboration to solve fraud data gaps
To successfully prevent APP fraud for real-time payments, there also needs to be coordination between all constituents within financial services to collaborate and share data. Today’s data-sharing consortium models don’t include fintech and crypto companies, community banks, and credit unions. This allows known fraud rings and bad actors to continue to prey on consumers and merchants moving from one institution to another.
Sardine is developing an industry-wide consortium to tackle these topics. The working group will include all constituents, from financial institutions, fintech, and crypto companies, regulators, and consumer-advocacy organizations.
3. Adopt global best practices
Countries with long-standing real-time payment rails have also seen key initiatives driven by regulation, including:
- Requiring two-factor or token-based authentication for real-time payments — For example, the Strong Customer Authentication regulation in Europe requires banks, fintech companies, and merchants to support two-factor authentication for push payments and high-risk transactions.
- Confirming the payee — In the United Kingdom, the industry body Pay.Uk launched a service to ensure the intended recipient’s name matches the name on a bank account. If you’re trying to pay Coinbase, the account name should match a known Coinbase account in the database. Users are presented with warnings and checks before they complete payment.
- Setting aside a fund to repair losses — Nine of the largest UK banks have signed up to a voluntary code created by the UK Payment Systems Regulator (PSR) to reimburse victims of APP scams on the UK real-time payments network. Additionally, the PSR has proposed introducing mandatory reimbursement.
No single actor or nation can solve fraud independently, particularly as cross-border payments become more convenient. We’re paying close attention to the implementation and enforcement of these regulations and how the private sector can play a role in helping achieve their intended outcomes. We want to continue the conversation with financial institutions keen to reduce APP fraud.
The time is now to address fraud in real-time payments
The Federal Reserve recently wrote that “the irrevocable, real-time nature of instant payments can pose a challenge to the industry in detecting and preventing fraud.” And regulators are paying attention.
The Federal Trade Commission recently sued Walmart for allowing fraudsters to abuse its money transfer service. The Consumer Financial Protection Bureau is considering re-classifying APP fraud as “unauthorized,” meaning banks would need to refund victims of social engineering attacks under Regulation E.
Rather than wait for regulators to propose a solution, take control of your fraud risk and prevent social engineering attacks and APP fraud today. Real-time fraud detection is possible and critical for real-time payments.