Preventing payments fraud with data and AI

How fraudsters move money, and how new technologies can stop them in their tracks

Written by
Arshi Singh

Editor’s note

As fintech becomes more accessible and innovative, bad actors are finding more ways to infiltrate systems and take advantage of individuals and businesses. Knowing how fraud happens and the ways in which systems are susceptible, as well as enabling early warning systems, can help businesses close potential gaps and keep funds safe. In today’s environment AI and ML are proving to be critical enabling tools for businesses that move money in any market.

Share this article

Fraud is typically defined as the act of deception for personal gain – as intent to deceive, misrepresent or conceal truth. Fraud is committed when deception results in financial or personal gain for a criminal, commonly referred to as a ‘fraudster’. Victims of fraud vary depending on the category, situation, and legal jurisdiction, but in fintech and financial services, they often include card-issuing banks and businesses, acquiring banking institutions, payment processors, merchants and their customers, businesses and bank account or card holders. 

Payment fraud is expected to cost over $40 billion in losses globally by 2027. In the UK, fraud is the most commonly experienced crime, accounting for 41% of all crimes against individuals. In the US, money lost to fraud increased by $2.6 billion in 2021 for a total amount of nearly $8.8 billion. With the proliferation of technology ranging from instant messaging to new forms of payments, like P2P global remittances and real time payments, criminals have more avenues than ever before to defraud people of their money.  

As fraudsters become increasingly more sophisticated at using the latest technology to exploit new vulnerabilities, the current methods of spotting and dealing with fraud are failing institutions and businesses. As a result, regulators are increasingly requiring banks and other financial institutions to play a greater role in helping to identify and prevent fraud as part of their duty of care to their customers.

Challenges faced by banks and other financial institutions when it comes to fraud

Banks and other financial institutions are struggling to keep up with the forever-changing regulatory landscape and criminal behavior. Criminals are fast and creative, causing immense financial damage before an institution is able to detect and act. The increase in use of remote and fast payments—both as e-commerce CNP (card not present) purchases and real-time payments channels such as faster payments in UK, SEPA Instant across EU and the soon-to-be-released FedNow in US—means that there is even less time to determine the risk to customers before money is moved into criminal hands. All of these factors make the prevention of fraud incredibly difficult, more so with the increase in social engineering attacks where the victims are manipulated into making transfers of funds themselves, and they may not even realize that they’ve been defrauded for a while.

E-commerce businesses are constantly looking to remove friction and provide a seamless user experience to their customers. To support that, institutions need to strike the right balance between preventing fraudulent transactions and allowing legitimate customers to enjoy a frictionless experience. Too many checks or delays in the payments process, for example, will risk letting good customers down and result in issues like shopping cart abandonment. 

Traditional fraud detection tools used by fraud analysts at fintechs and financial institutions are resulting in a high number of false positives today, making it very expensive to beat fraudsters. When fraudsters succeed, their customers are hit with the loss. Institutions are increasingly on the hook to make their customers whole and bear the cost of fraud as an expense of doing business. However, these costs can quickly add up as a direct hit to the institution’s bottom line.  

In the UK, steps are being taken to protect customers and hold Financial Institutions accountable. Most banks, for example, have signed up to the Contingent Reimbursement Model (CRM) code, which is designed to protect consumers and pushes liability onto the payee”s bank to do all they can to protect consumers from fraud. An increasing number of UK Financial Institutions are also implementing Confirmation of Payee, which checks payee details entered by the payer against the actual account name associated with the entered account number and sort code, and alerts the payer if there is a mismatch. The Payments System Regulator (PSR) recently proposed sharing of liability between the payee and beneficiary banks closer to a 50:50 split. 

The cost of a bank’s or fintech’s image getting tarnished once its platform is associated with fraud can be hard to quantify.  Exacerbated by social media, the reputation risk of fraud incidents quickly blowing out of proportion can be devastating for any business, especially newer fintechs.

These institutions need new solutions that provide them information and insights that can help them detect and prevent financial crimes. Institutions need to know that the transactions they facilitate are legal. AI and machine learning technology can empower the institutions to beat fraudsters' creativity by quickly adapting to the changing fraud landscape.

Common payment fraud scenarios

Fraud can take many forms. However, the most prevalent are the payment fraud scenarios faced by banks and other financial institutions through the millions of transactions they process every day. Payment fraud covers a wide range of payment channels and use cases, from business-to-business payments, to fake invoices, to the variety of scams targeting average consumers.

Some common fraud scenarios that are payment type agnostic include:   

Account Takeover (ATO) Fraud

Account Takeover Fraud covers all fraud where criminals are able to gain access to a victim’s money by obtaining their credentials, passwords, one-time-passwords (OTPs) or memorable information. This typically happens through a combination of social engineering and phishing attacks. 

With digitisation of banking, investing and other financial services, it has become easier for cybercriminals to assume control of users’ accounts.  They can gain virtual access without ever having to visit a branch or financial institution. They can use Remote Access Trojans (RATs) to commit ATO fraud by installing malware to victims' devices.  These RATs are often downloaded accidentally alongside software from unreputable sources or through phishing emails. Fraudsters also target victims posing as banks or government authorities like the IRS, or police, convincing them to download a remote access tool in order to ‘help them’, only to transfer money from their accounts.

Phishing, smishing and vishing play a critical role in these types of fraud, where, by different means, fraudsters get access to sensitive personal information or install malware onto victims’ devices. Phishing traditionally happens via email, where fraudsters pose as a legitimate source and either convince the victim to click on a link and enter sensitive personal information, or unknowingly download malware from an attachment. Smishing is similar to phishing but is conducted via SMS or messaging apps (commonly Whatsapp, Facebook, Instagram). Vishing differs from phishing in that it is voice-based, with fraudsters calling victims, typically via automated/pre-recorded messages. However it can also be live. 

These types of fraud are difficult for the average consumer to detect, as criminals can make emails, SMS messages or calls appear to come from legitimate sources. This is called ‘spoofing’. The completely or partially automated nature of all three allow criminals to quickly replicate attacks and reach very large quantities of prospective victims. 

Recently, the increased popularity of AI chatbots has allowed criminals easy access to more complex and believable phishing style attacks. Spear Phishing, for example, is another type of fraud that refers to a phishing attempt which is a targeted attack at a specific individual or organisation. Such attacks are more personalised and therefore even harder to detect. 

Mobile and telephone banking channels are also not exempt from exploitation by criminals. This fraud has increased post-Covid, due to the overall increase in digital banking and e-commerce activity. ATO can sometimes be committed by family or friends of the victim, especially vulnerable or older victims subject to elderly financial abuse. Common indicators are new device IDs, IP addresses, phone numbers, emails or unusual logins or account activity.  Addition of new beneficiaries followed by high value transfers to those new beneficiaries are indicators of suspicious activity.

Authorised Push Payment (APP) Fraud

Authorised Push Payment (APP) fraud happens when the owner of an account themselves authorizes the transaction, having been manipulated to make a payment to a criminal.  Some common scenarios of APP:

Synthetic Identity Fraud

Synthetic Identity Fraud is where criminals create applications using compromised or fake credentials for the purposes of directly defrauding a Financial Institution – for example applying for credit with no intention of paying this back, or creating accounts to be used in further financial crime, such as money mule accounts. Synthetic Identity Fraud is where a blend of compromised ‘real’ PII (e.g. national tax or ID numbers) and fake PII (e.g. addresses, names) is used to create a high volume of identities for criminals to use. By using elements of genuine PII the likelihood of the application to be approved is generally increased. 

Fraudulent applications for credit (including loans, credit cards, buy now pay later (BNPL), mortgages, etc) can be either third-party or first-party.  Third-party application fraud is where the person applying is not the individual named on the credentials or personal information. Individuals can fall victim to fraudulent applications filled out in their name if details are compromised from intercepted mail or after moving home. This is easier to detect as the ‘victim’ will typically raise the alarm. First-party application fraud, also known as “friendly fraud”, is where the applicant is the individual named on the credentials. First-party fraud is typically linked with fraudulent card transactions (e.g. false claims for refunds/chargebacks denying receival of products or services), however the increasing popularity of BNPL, particularly in Europe, coupled with current financial difficulties/economic uncertainty for consumers may lead to an increase of BNPL applications with no intent to repay. This was evidenced by Swedish BNPL giant Klarna’s reported financial difficulties faced by its Australian entity in late 2022.

Card fraud

Card fraud involves credit, debit or prepaid cards and broadly fits into two categories: card present (CP) and card not present (CNP). Within both CP and CNP fraud, criminals can obtain card details in a number of different ways:

Card Present Fraud

Card Present (CP) Fraud is where the physical card is required at a POS (point of sale) machine, i.e. a ‘card reader’. The prevalence of CP fraud is dependent on the customer authentication requirements of the region, such as magstripe & signature, chip & PIN or contactless. The introduction of chip & PIN in Europe reduced the prevalence of CP fraud, although the recent widespread use of contactless payments has allowed criminals another avenue to CP fraud.

Card Not Present Fraud

Card Not Present (CNP) Fraud is where card transactions are completed remotely, without the physical card present at a POS machine / card reader. Almost all CNP fraud happens via e-commerce, but it can also include Mail Order or Telephone Order (MOTO) fraud. Given that 1. high volume and value remote transactions are the norm in modern life; 2. criminals can retain and use cards remotely for a long period before detection; and 3. remote methods can be scaled quicker than face-to-face, CNP fraud is significantly more popular with fraudsters than CP fraud.

Fighting crime using AI and Machine Learning 

Financial institutions need innovative solutions that help them detect and prevent fraud regardless of the channel or payment type used.  While traditional tools have relied on a static, rules-based approach, we know that they’re not enough.  AI and machine learning technology can empower the institutions to beat fraudsters' creativity by quickly adapting to the changing fraud landscape. It can help identify fraudulent transactions in a timely manner and minimize losses for the institutions and their customers. While initial versions of machine learning models were mostly black box, giving little transparency into their decision-making, the newer tools are far better at providing full explanations as to why transactions are flagged, helping financial institutions resolve the situation quickly and efficiently.

Techniques that can be used to streamline fraud detection by reducing false positives and identifying previously undetected scenarios include:

While there are many fraud detection solutions in the market, few are making use of Machine Learning effectively. ComplyAdvantage has developed a fraud detection AI-enabled solution that can detect over 50 payment-type-agnostic fraud scenarios. It can be implemented in a few weeks and be useful from day one if sufficient historical data is available.

About the author

Arshi Singh

Arshi heads ComplyAdvantage’s suite of products that enable financial institutions to fight financial crime, including transaction monitoring, transaction screening and fraud detection. Arshi has 20 years of experience in various roles in finance and technology across North America and Asia. Previously, she worked as Product Director at CurrencyCloud and as Vice President of Product at JP Morgan. Arshi has an MBA from Duke University and a bachelor’s in computer science from the National Institute of Technology in India.