Mitigating instant payments fraud in today’s rising threat landscape
Proactive vigilance and a broad view of your customer should drive an anti-fraud stance.
Amanda Crocker
As we rapidly move toward a real-time payments environment, instant payments fraud has become a growing concern for today’s community financial institutions (FIs). Facing a host of constantly evolving challenges, it is not always easy to know how to best respond in this increasingly complex landscape. How can bankers create the most effective strategies for detecting, responding to and even preventing these fraudulent activities while staying ahead of the bad actors?
Evolving tech and emerging threats
There is no shortage of fraud trends impacting today’s financial landscape. Threats such as stolen credentials, money laundering, card testing and velocity attacks (where multiple authorizations are generated over a short period of time to test and exploit the validity of card information) continue to create major problems for both institutions and consumers alike.
However, one of the most significant and fastest growing threats is the evolving problem of social engineering fraud, which is becoming much more sophisticated. This has led to a rise in account takeover (ATO) fraud, with fraudsters using social engineering to gain access to, or the ability to spoof, text messages or emails. The perpetrators then not only direct payments to the wrong party but also gain access to other accounts by obtaining two-factor authentication (2FA) codes or one-time passwords.
Fraudsters have honed their skills in taking over social media accounts and are now applying these techniques to financial institutions through methods like credential stuffing, where they buy username and password combinations and test them across various sites, including bank accounts. The use of AI has further exacerbated and accelerated these attacks, making access faster and at a larger scale. By leveraging modern generative AI models to learn which types of social engineering are working best (known as hyper-personalized mining or spear phishing), fraudsters can more effectively target their victims, as well as keep up on what rules are being put in place to detect these models, thus making the violators even smarter.
A key challenge for instant payments fraud
While instant payments offer many benefits for community FIs, this banking advancement also presents some specific challenges. One of the biggest is that instant payments are non-returnable. Once the transfer is approved, the funds are gone.
There is a request-for-return process, yet receiving FIs are under no obligation to reverse the transaction. If a customer does end up getting taken advantage of and the bank sends a request to the other financial institution stating that it suspects fraud, the second party is not required to return the money. Unlike card transactions or ACH, which have historical models of chargebacks and returns, instant payments to date remain non-revocable. In turn, as FIs continue to design and build these experiences, they must also ensure that safety is built into the process right from the start.
Best practices for securing payment transactions
To best help combat these threats and mitigate their impacts, it is critical for FIs to focus on a few key areas.
Creating an effective fraud prevention plan
FIs must take a broad view, examining their entire customer lifecycle (i.e., every type of engagement that a customer might have) to create the most effective strategies for mitigating fraud. When and how are they logging in? What safety and security protocols do they have in place? FIs should pay particular attention to their customers’ normal patterns of behavior, then leverage this data to define and create various rules (for both pre- and post-transactions).
As they continue to implement AI and automation, FIs should build out robust machine learning model rules engines to monitor this data, making sure to monitor the ongoing health of those engines in terms of: What are we catching? What are we not catching? What resources are available to constantly evolve these risk engines and transaction monitoring or account monitoring engines? Often, this means FIs must straddle a fine line between how many alerts are too few versus too many so they can better define their health threshold (or ideally, different health thresholds by different types of fraud or attack vectors).
For example, most FIs will have a different level of threshold for account takeover than for someone trying to brute force an account versus credential stuffing, or account testing versus actual velocity attacks on transactions. Having those different thresholds, and then continuously monitoring and evolving them as needed, allows FIs to continue to adapt as threats change.
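As an added illustration (not from the article or any vendor product), the sketch below keeps a separate sliding window and alert threshold for each attack vector, so brute force, credential stuffing and card velocity are each judged against their own rule. The event fields, identifiers, window lengths and thresholds are all assumed values chosen for the example.

```python
from collections import defaultdict, deque

# Assumed per-vector rules: (window in seconds, alert threshold).
# Illustrative values only, not recommendations from the article.
RULES = {
    "brute_force":         (300, 5),  # failed logins against one account
    "credential_stuffing": (300, 4),  # distinct accounts failing from one source
    "card_velocity":       (60, 3),   # authorizations on one card
}

def detect(events):
    """Return (timestamp, vector, key) alerts, at most one per vector/key."""
    windows = defaultdict(deque)      # (vector, key) -> recent (ts, value)
    alerted, alerts = set(), []

    def observe(vector, key, ts, value, distinct=False):
        span, limit = RULES[vector]
        win = windows[(vector, key)]
        win.append((ts, value))
        while win and ts - win[0][0] > span:   # expire entries outside the window
            win.popleft()
        count = len({v for _, v in win}) if distinct else len(win)
        if count >= limit and (vector, key) not in alerted:
            alerted.add((vector, key))
            alerts.append((ts, vector, key))

    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "login_failed":
            # Same event feeds two rules: per-account count, per-source spread.
            observe("brute_force", e["account"], e["ts"], e["ts"])
            observe("credential_stuffing", e["src"], e["ts"], e["account"], distinct=True)
        elif e["type"] == "card_auth":
            observe("card_velocity", e["card"], e["ts"], e["ts"])
    return alerts

# Constructed sample events (timestamps in seconds, placeholder identifiers).
SAMPLE = (
    [{"ts": t, "type": "login_failed", "account": "acct-1", "src": "src-A"} for t in (0, 20, 40, 60, 80)]
    + [{"ts": 100 + i, "type": "login_failed", "account": f"acct-{i + 10}", "src": "src-B"} for i in range(4)]
    + [{"ts": t, "type": "card_auth", "card": "card-9"} for t in (200, 210, 220)]
    + [{"ts": t, "type": "card_auth", "card": "card-7"} for t in (0, 400, 800)]  # normal spacing
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Tuning one vector's entry in `RULES` changes its alert volume without touching the others, which is what makes per-vector health monitoring practical.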
Finally, FIs should continue to keep up with the latest technology being developed to help them combat fraud. The industry’s technology is constantly and rapidly evolving, leveraging more data than ever before. While most fraud and governance teams have always been data junkies, now there are even more powerful tools available for all bankers. No longer must they run down the data, find the trend, then go to their engineers to hard code rules. Today’s technology allows bankers to change the rules instantly with no coding and stop an attack immediately (which can be critical as most attacks rarely come in ones and twos).
Anti-fraud innovation and collaboration
The latest innovations in fraud detection involve continuous monitoring of account activity, not just transactions. This includes monitoring of suspicious logins, changes to account information and other activities that may indicate an account takeover. AI and machine learning models continue to play a crucial role in the industry’s evolving fraud detection and prevention strategies, allowing for real-time adjustments to rules and immediate responses to attacks.
Additionally, collaboration not only among tech partners but also among the financial institutions themselves is essential in the ongoing fight against fraud. Sharing information about bad actors and working together to refine technology and build robust fraud prevention systems is key to helping the industry as a whole stay ahead of fraudsters while protecting all account holders. Regulatory agencies also play a vital role in establishing the rules and guidelines necessary to match this evolving landscape and ensure the safety and security of instant payments as adoption grows.
As we continue to advance toward a truly ubiquitous real-time payments environment, it is imperative for community FIs to stay vigilant and proactive in their fraud prevention efforts. By educating customers, building strong security experiences, partnering with the right technology providers and collaborating with other institutions, we can create a safer and more secure payments ecosystem for everyone.
Amanda Crocker is CEO for SWIVEL, an SWBC Company.