Authorized fraud is rising because fraudsters exploit the trust loop between the customer and financial institution. Yogesh Patel, Chief Technology Officer & Chief Data Scientist for Outseer and ProSight’s Isio Nelson, Managing Director, Research, Fraud & Thought Leadership, discuss how adding defense layers can help intercept authorized fraud at the point of manipulation, before trust is broken.
TRANSCRIPT:
Isio Nelson, ProSight Financial Association:
Today, I have the pleasure of being joined by an expert to talk about why fraud is everyone’s fight, Yogesh Patel. Yogesh has more than two decades of experience in fraud prevention, financial crime, and advanced data science and is currently with Outseer. Prior to that, Yogesh was CTO and Chief Data Scientist at Callsign where he provided technical leadership and security machine learning. Previously he served as security and fraud, enterprise and architect at HSBC, creating the bank’s global security and fraud technology strategy, and as fraud and financial crime domain architect at Lloyds Banking Group where he designed and delivered market-leading fraud and financial crime programs in the UK. Yogesh holds a PhD in cross-channel fraud detection using recurrent neural networks in computer science and has a master’s degree in electronics engineering. His career has been shaped by witnessing the devastating personal and financial toll of fraud, inspiring his belief that fraud prevention is not just about algorithms, but about understanding behavior, context and intent. Yogesh, it’s a mouthful, but I’m so glad to be sitting with a true industry expert to dive deep into some of the challenges the industry is facing in mitigating fraud without foregoing customer experience. Welcome, Yogesh.
Yogesh Patel, Outseer:
Thank you. It’s nice to meet you. Our mission here is to make sure that we are protecting our customers and their customers’ customers, making sure that the frauds stay at bay using innovative technologies and advanced machine learning algorithms.
Isio:
Great. Well, I’m so excited to talk to you guys. So I’m going to dive right into it on a specific kind of fraud that we’ve been discussing. It’s authorized fraud. So maybe you can start with defining what is authorized fraud and how does it differ from other types of fraud and is it different than scams?
Yogesh:
It’s an interesting question to start off with because scam is definitely blurring the lines between all the different types of fraud that exist. But if I just focus specifically on unauthorized fraud and how is it different? So unauthorized fraud is when you have a victim themselves being tricked into authorizing a specific payment to a fraudster and they use the sophisticated social engineering techniques and they really go after that psyche that’s in your brain that’s trying to convince you that what you’re doing, it’s quite legitimate in a sense. In contrast, you have unauthorized fraud. This is where someone steals your card or does an account takeover through credential sniffing and makes a payment without your permission. So in a nutshell, authorized fraud, the payment looks legitimate because the victim has personally approved it. So all the defenses that we put in place for the banks around authentication and fraud detection lose legitimate authorized fraud is also known as authorized push payment fraud. The term given by UK, as you’ve seen, UK gets treated as a playpen for most fraudsters and authorized push payments and authorized fraud. The pillar started at the UK Green.
Isio:
We’re going to talk a little bit more about that because I think one of the things in general in banking we see is Europe is usually, I would call it five years ahead at least usually when we see things in banking. So you’re seeing some things that we’re probably going to start seeing here, but let’s start with a couple of other things. Now we’re grounded on what authorized fraud is. Tell me a little bit about where you’re observing this kind of fraud, whether that’s in the UK or the US or other places.
Yogesh:
So what we’ve seen is that when you think about, and as I described earlier, the change in tactics from an account takeover to now you’re getting social engineered into transferring money, this shift isn’t necessarily limited to the core system. Banks spend a significant amount of time over the last two decades in hardening those systems to deal with what we call account takeover fraud that is described earlier. What we are seeing now is that the cracks are starting to appear at what I call the trust boundaries. And this trust boundary is between the bank and their customer. To give you an example, I couldn’t sit here and confidently say that the next phone call I’m going to get claiming to be from my bank that I’m certain that someone from the bank is really calling me and we’ve spent decades building. And the way to kind of think about it is that the way we spend decades building the walls around the bank, and what we are finding now is that fraudsters are just walking around them straight into the front door of the bank, pretending to be the friend of a customer or just a customer.
Instead, what we build over time from the sort of account takeover perspective is what we call an anomaly detection, but we spend less amount thinking about what happens if that anomaly detection and that transaction layer fraud M.O. is completely disrupted by an anomaly at a trust layer, and that’s the real blind spots that the customers are exploiting. They’re not really hacking into the systems, they’re hacking into people exploiting their emotional surface. Things like fear, urgency, shame, and these are some of the triggers that turn even the most savvy, cautious customer into an obedient victim. And the truth is that what we are finding is that fraud has completely gone mainstream and is cheap. Some of the software and solutions that we provide, when we look at this fraud as a domain, what we are seeing is that things like voice cloning kits are costing less than a Netflix monthly subscription. These days we have synthetic ID that’s just gliding past any of the weak onboarding controls that you have. And a major shift that we’re starting to see is that fraud is now a true SaaS. You can now get a fraud as a service offering from the criminals. So criminals are in agile sprints, pretty much shipping fraud features weekly, and this is where I think the big gaps are at the moment.
Isio:
If only they could use their skills for good. So actually hit on that a little bit because AI, we don’t have a webinar or article about AI, we are not doing our job. But do you think AI is actually playing a role in making that scalable for the bad guys? I mean it’s actually going to continue to make it easier for them or is there something else to think about there?
Yogesh:
So another good question. Right now there is a lot of buzz around one domain in particular in AI called agentic AI, and it almost feels like it gets treated as something on a tray that gets built out like a tea every meeting, whether it helps or not. And I personally, whether we call it agentic AI or something else, your question around does AI add value? Absolutely. Think of AI as self-healing defenses. And this is where some of the concepts of agentic AI can also be useful here because when we zoom into authorized fraud, authorized fraud, money moves in minutes, not in quarters. So when you think about your traditional rule system, fraud systems, which may have rules, those rules take weeks and quarters to get updated so they’re dead on arrival. And this is where I think the power of AI is really helping because every case, every outcome, when we think about it, it becomes a labeled data point. It can get fed back into an AI system and we can quite quickly rewire the fraud playbooks and push the change straight into production. There is a term that we use quite often in statistics and it’s called the concept drift management. And this is about how quickly can your model adapt to the new fraud or new patterns that you can see. And I think that’s the real value of an AI here. You combine that with extension to authentication called adaptive intervention, and you now have a true set of instruments to fight against authorized fraud.
Isio:
So we’ve got AI for the bad guys, they’re using it to scale. They’re using agents for themselves to go out and try to find the areas. One of the things you talked about was it’s not necessarily just towards the banks, they’re going back to the consumer that is they’re trying to manipulate to come into the bank on their behalf and be able to do what they want them to do. Then you’ve got defenses with AI that the banks are using. How do you think about the defenses that they’re able to maybe, I don’t know if it’s passive or specific towards a consumer being able to make sure that there’s ways that they can defend themselves against these bad guys. Does that make sense? How is the bank looking at it? And then how does the bank enable the consumer to be protected?
Yogesh:
In the fraud world, there is this concept of what we call layered defense, which means that there is no one silver bullet that’s going to help you solve all your problems. In fact, you’re going to have to layer your controls so that one of the controls might be able to help with the fraud M.O. that might be taking place right now. And if I just give you one example of that, I would think of as a behavior biometrics solution. So think of behavior biometrics is like a silent layer of defense and it’s really measuring how you’re going about interacting with your device, your browsers and other human computer interface that you may have. And we can start to capture things like the cadence of typing, the rhythm of swipes, the pauses, the hesitations. And under social engineering, what we find is that there is generally a lot of pressure and the pressure is reflected by victim just hesitating to carry on that particular transactions and then relate that to how a fraudster would work. Now, fraudsters, what all they want to do is swift money out pretty quickly out of your account. So they may look like robotic. Now neither matches the customer’s natural muscle memory at a human computer interface level. And this is where behavior biometrics could play a decent defense when it comes to some of those fraud attacks. But I would say that it’s behavior biometrics in itself is not a silver bullet, but it is a required bullet not in defense in that situation.
Isio:
And Yogesh, we have numerous round tables on the operation side, fraud round tables, and the one thing we’re hearing is the binary one-time pass code is no longer effective by itself. It’s essentially you give a code, you get a code, and there’s a lot of fraudsters in the middle, we’d be able to impersonate you. But what you’re talking about if you layer in things like biometrics is what’s that code given in duress? Can I see an anomaly from the way that they performed things before? And that helps to be able to at least put that to the side to be investigated or step up the authentication process. Is that what I’m getting?
Yogesh:
Correct. Yeah. And it’s invisible to the user so you don’t see the genuine friction that you might see otherwise.
Isio:
So let me ask about this because the other big thing we’re talking about in the industry right now when it comes to fraud is collaboration. So do you think this is just a bank observation of the biometric pattern and they can rely just on that or more data is better to be able to better understand that consumer’s experience with other institutions? Or maybe it’s not just with the biometric but other ways to collaborate in the industry. What are your thoughts on that out?
Yogesh:
Totally. So I don’t think that the authorized fraud’s going to get banished anytime soon. In fact, I can only see it speeding up and I can only see it evolving. And I do genuinely believe that the frontier, it’s the ecosystem level intelligence sharing. So no bank really has the full picture, but when you start to combine different data points across the bank, you’d start to see a picture emerging at an industry level. So by pulling signals, things like account devices, mule rings, a scam can be cut off much faster than what we’ve been doing up until now. About, I would say, a decade ago I would’ve been worried about the notion of sharing data in isolation without any security measures. But I do think that these days the privacy-preserving algorithms have come much further than what they used to be, the advancements we made with things like multi-party computation, hashing, even federated learning, which means that you can now have your signal that’s been shared across multiple banks without really ever exposing the raw data underneath that. And I think that would continue to evolve and we will see traction around the world if the banks don’t get the grasp of these situations. I know that certain regions like India, like Malaysia, where they’re now mandating the banks to share information through their own networking protocol, and that’s the regulators stepping into saying you got to start sharing data.
Isio:
And I want to hit on one thing you talked about, but I think it’s maybe not just the banking collaboration cross-industry collaboration, too, to better understand the behaviors of a consumer ultimately trying to protect them from being exploited. But you mentioned India when I opened up, I talked about your time at HSBC and I talked about kind of Europe being five years ahead. So some of the things you’ve talked about, this isn’t like brand new, we should think about it. You’re seeing this already play out in other areas of the world and it’s just a matter of time before we start to be able to catch up here in the US. Am I getting that right? Correct. So how has that helped some of the banks in the UK or in India or other places, have you seen them able to have better customer experience and less fraud losses? I mean, describe to me some of the things you’re starting to see as these are being implemented worldwide.
Yogesh:
And that pretty much boils down to the three fundamental pillars on how we think about the fraud KPIs. And then we said what the success looks like when we think about defending against the fraudsters, and it generally revolves around your customer experience. It revolves around your operational needs and operational efficiencies. And it revolves around how your models within your fraud detection systems that use AI are performing. And it’s trying to find the balance between these three pillars and where we’re seeing the network and the use of effective network in terms of data sharing is obviously going to be in the machine learning space, but also in the authentication space as well as the case management space. So when you have a fraud that’s been detected by the bank, by one bank and let’s say bank acts and you’re working, bank B is working through a case around whether to unblock an account or to release a payment, they could do a quick check in the network world to say, has anything about the beneficiary or the pay being marked that’s suspicious that we should be worried about. So I can see it helping across all three pillars.
Isio:
Completely agree. And we’re working on building out a collaborative type of community front of fraud alert network that helps them for the use cases, best practices, known fraud that they’ve seen that they can go ahead and proactively poke holes. Two, I think it really comes down, you said it five years ago, collaboration was maybe not as high of a level, but as fraud continues to not just eat away at the known losses, but then the false positives and the customer experience, it’s going to be a collaborative effort to be able to be good for the consumer and bad for the fraudsters.
Yogesh:
This notion of collaboration, that’s the only thing. Other point I wanted to add is that this notion of collaboration existed prior to any of these previous concerns and everything else, but it was pretty much at bank A, I’m the head of fraud, you are at bank B, you are my friend, my mate. We are going to start to say, get together unofficially and say, look, let’s do something about this because there is a big problem between your bank and my bank. And it used to work at that level. And I’ve seen a gradual moved into this network sharing becoming much more at a consortium level driven by the vendors like ourselves where we hold that entity data at a global scale. And then what we now see is an emergence of regulatory plate here to say, let’s standardize this, let’s make it available for everyone. I’m see that becoming mentioned
Isio:
And I think that agnostic intermediary is needed regardless. And so the informal networks that were there were not scalable and fraud is going from the smallest banks to the largest banks. And in between those and then the fintechs to the banks, which we’re seeing some different sizes of controls, some more. Again, the industry can come together and kind of protect the consumer, protect their own interests, protect the industry. Hopefully we’re able to take this what is constant every single day we’re seeing new types of fraud and new branches towards fraud too. So Yogesh, with the segment focus on fraud being everyone’s responsibility, let’s discuss the balance needed between the customer experience and the fraud prevention protection. Do you think they’re mutually exclusive? Do you have to be able to have the best fraud protection and give up customer experience or good customer experience and then expose your fraud protection? Where do you think that this being everybody’s responsibility comes into play?
Yogesh:
Yeah, and that is what I’ve found in my experience is so much bank specific. So there’s no universal answer to the question you raised, right? Because it depends from bank to bank. I’ve seen much weaker controls of the bank in a notion of getting more customers through. So they have zero tolerance for impacting their customers. They’re happy to absorb fraud losses. I’m also seeing that some banks have super strict controls, they don’t want to lose fraud at any cost and don’t mind introducing a little bit of friction between the customers and the money movement that takes place. Generally the right balance is introduce friction where you need to use AI to kind of determine the level of friction you want to introduce, stop the bad guys at all costs and then let the good guys continue on that journey. If that means they do it frictionless and they do it frictionless.
I do think that this notion around all the controls we put in place, just how we pivoted from an unauthorized account takeover fraud or to an authorized account takeover or authorized fraud, we are probably going to see in the next five years another shift take place when we’re starting to see an introduction of agents acting on your behalf and that brings a whole new dimension into the level of fraud controls you’re going to require to deal with agents talking on the both sides. So what happens when the consumer or customer has an agent and the bank has an agent and the communications between those two guys? What do we do in those cases? So I do see another pivot in a not so distant future when the agent payments become like a mainstream payment method.
Isio:
Great. Well, we talked a lot of different things today. I learned some new terms. We talked about anomaly detection, we’ve talked about concept drift management, we’ve talked about federated learning, a lot of interesting things about where we’re going, where AI can be helpful and where it might be a headwind for us too as industry. So where do you see our industry in trying to keep pace with authorized fraud? And for the audience here who’s struggling to figure out what they do to next and keep up, what do you suggest that they start with to be able to take that first step?
Yogesh:
Yeah, so have a look at, so in authorized and unauthorized fraud, both of the two pillars of the fraud M.O.s, they’re not going away. They’re going to continue to evolve. Best suggestion that I can provide is to have a look at your fraud ecosystems or your payments ecosystems, your rails, your channels, find out where the gaps are. Once you identify those gaps, have a look at your platform strategy, but have a look at it with the layers and defense in that story that I was telling you earlier. So have a look at which compensating controls can help address the gaps that you have emerging. And that’s going to have to be a continuously evolving journey that you go on. So it’s not like you do one time and let’s say you’re finished, you’re going to have to continuously evolve as the fraud tactics evolve. Fraud is a, you can buy fraud as a service today.
So we know that that’s not going away either. Having some compensating controls in that space would be a good start. The other bit that we didn’t talk about is just educating both internal users and your consumers. I cannot stress enough the impact of educations. Our education would have to at least slowing down the pace at which the fraud is evolving. So I think those education and having a better defense in that control and a platform story to overall having that levers that you can pull based upon the fraud you’ve seen would be a good start.
Isio:
That’s a great point and actually a great way to wrap it up because we’ve said this is everyone’s responsibility and that starts with education and making sure people understand some things that they think are inconceivable that would ever happen and better be able to look out for it and be able to find ways that, am I being manipulated? Is this the right thing to be able to do? Both on the internal side and then the consumer side just like we did with phishing emails internally a long time ago. And the repetition of continuing to be able to educate people to look for things that look suspicious. So Yogesh, I know you and your team have done a lot of great work. I think we’re going to put up a link here that’s going to allow people to go and see some of the work that you guys have done around authorized and mule fraud and things like that. Really appreciate your time, great and insightful information and together, I think we all can go ahead if we work just a little bit at a time together. I do think we can help at least contain this. We might not eliminate it, but at least contain it. Thanks again for your time.
Yogesh:
Thank you.