The frequency and magnitude of payment fraud is increasing year on year – alongside rising average losses for the victims.¹ Attacks are also becoming more professional, making the detection of fraudulent transactions increasingly difficult for anti-fraud teams. As the European Payments Council (EPC) recently pointed out, in its 2021 Payment Threats and Fraud Trends Report ², companies are faced with with several different versions of attacks.

To discuss the various patterns within fraud that have emerged over the past few years, and how these are being addressed by banks, corporates and technology providers, EuroFinance hosted a webinar titled Treasury: a holistic approach to identifying and preventing payments fraud on 16 December 2021. In the webinar, a panel of five anti-fraud experts examined the latest trends in fraud, the importance of collaboration among all stakeholders, and the technologies being used to address the dangers.

The world of fraud is as diverse as it is complex – and it continues to evolve. “11 years ago when I started out in anti-fraud, the work was relatively easy,” explained Leon Brown, Payments Anti-Fraud Lead, Richemont. “Fraudsters might intercept a card in the post or steal one out of a wallet – and they would then use the stolen card information to place transactions online,” added Brown.

Almost a decade on, fraud has become much more sophisticated – as have the fraudsters themselves. In part, this is the result of the e-commerce fraud boom, with a recent Juniper research report estimating that upwards of US$20bn would be lost to fraudulent activities in 2021 – up 18% on 2020.³

According to Brown, the movement from the physical to online world has helped create a safe space in which fraud can thrive. “We now have the dark web, where fraudsters can purchase card information in bulk and can test these cards in the comfort of their own home, with the protection of a proxy IP address. And due to new purchasing habits, it is often very difficult for us as anti-fraud experts to identify what transactions are fraudulent,” he explained.

“Instant payments allow transactions to settle within 10 seconds – meaning that banks only have a limited window in which to detect and prevent fraudulent payments”
Stefan Fruschki, Cash Management – Head of Transaction Surveillance, Deutsche Bank AG

Following the shift towards digital sales, fraud has become a lot easier – because companies and financial service providers have put tools in place which facilitate a seamless e-commerce experience. Yet, the speed of payments, for all its advantages, does also cause several challenges when it comes to fraud.

“Prior to PSD1⁴, payments in Europe took between six and seven days to reach the receiver. This gave banks a long time to redeem funds if a transaction was found to be fraudulent. Today, instant payments allow transactions to settle within 10 seconds – meaning that banks only have a limited window in which to detect and prevent fraudulent payments,” explained Stefan Fruschki, Cash Management – Head of Transaction Surveillance, Deutsche Bank AG.

The unusual circumstances surrounding Covid-19, including the dramatic increase in home delivery, have also led to a significant uptick in “friendly” fraud cases for merchants. This is a type of fraud in which a legitimate customer will request a chargeback on a purchase despite having already received the goods or services. As Brown reflected, “We have seen clients with no fraud experience taking advantage of the Covid-19 policies adopted by couriers, such as no longer requiring a signature for deliveries. In fact, false claims have increased drastically, to the point where friendly fraud – or first-party fraud – is now the most common type of fraud that we see, superseding third-party fraud”.

This is a trend that is being seen across the entire industry. The 2021 Chargebacks911 Field Report found that nearly 80% of merchants surveyed admitted to experiencing an increase in friendly fraud attacks over the past three years, with 68% stating that the pandemic had caused a growth in their chargeback rate.⁵

This is just one example of how fraud continues to evolve: once a company has a handle on one trend within fraud, a new one is always around the corner. And it has become a challenge in itself to keep up with these changing developments. As Brown noted, “it has become a battle of minds, with merchants creating the risk logic to stop fraud and fraudsters battling against this logic to continue their activities. This is not something that is going away and so merchants can no longer get away with a weak anti-fraud strategy.”

With fraud evolving so rapidly, a poll was shared with the audience – asking whether they had previously dealt with payment fraud and, if so, how this occurred. As many as 75% of audience members admitted that they had been a victim of fraud (see Figure 1). A surprise? “Yes and no,” said Royston Da Costa, Assistant Group Treasurer, Ferguson Plc. “I am pleased to see that people are willing to admit they have been a victim, but the reports I have read suggest that everyone has been subject to some kind of hacking. So, my message would be that we cannot be complacent. If you have not recognised an attack, that does not mean it has not happened – and it certainly could happen at some point and we all need to be ready.”

Erol Bozak, CPO & Co-Founder, Treasury Intelligence Solutions GmbH, added that the good news is that the industry is talking about the issue and is aware of what needs to be done. “It is no longer a question of identifying the problem, but one of ensuring we can put the necessary industry collaboration in place to solve it in a holistic way.”

Dealing with and avoiding fraud in payments is a challenging issue for the entire value chain – one that continues to keep corporates, technology providers and the banking industry very busy. In particular, treasury departments are under pressure to deal with these threats.

“It started with the CEO scam email which really brought the vulnerability of treasury to light,” noted Da Costa. With treasury teams being quite small, the fraudsters could easily identify and target the individual who had the complete ability to enter and approve payments.” According to him, companies are now able to use “the technologies at their disposal” to manage fraud risk.

And corporates are not in this game on their own. Banks also support their clients to stay safe, Deutsche Bank’s Fruschki points out, but corporates should not rely entirely on banks when it comes to detecting fraud. “When it is a one-sided effort, challenges arise,” he observed.  According to him, banks need to become experts in finding outliers and striking a delicate balance between stopping too many payments and stopping too few. With this in mind, “banks need to work hand-in-hand with their clients to determine what exactly their threat models are and what they want to be alerted to. Cohesive collaboration is essential,” he concluded.

“In order to detect fraud successfully and consistently, you need to have the insights and data from the entire chain”
Erol Bozak, CPO & Co-Founder, Treasury Intelligence Solutions GmbH

Bozak agreed that collaboration is a critical component of any successful anti-fraud programme, adding that internal, as well as external, collaboration will be essential. “Companies tend to be well organised in their production flows but not well organised in the enabling functions – and to detect fraud successfully and consistently, you need to have the insights and data from the entire chain. Companies need to look at their own processes and ensure this internal collaboration is forthcoming,” he explained. 

It is this very collaboration that Brown believes the industry is still lacking. “There has certainly been an evolution of the management of fraud but, collectively as an industry, we are so far behind in terms of collaboration”, he added. “From our perspective, we are still working in silos which gives fraudsters the upper hand”.

Collaboration is important but can only get the industry so far. So, what else is being done to ensure the response to fraud remains robust? At the most fundamental level, Da Costa explained that it is important to be educated from an individual perspective. “A review of processes,” he noted, “should not be seen as a one-off. It is a continual process and one that will ensure you are keeping pace with the fraudsters.”

Fortunately, technologies are making these efforts easier. To help mitigate the increasing risk of fraud, banks, industry bodies and FinTechs are developing a host of technologies. For example, companies are adopting vendor validation services, such as the SWIFT Beneficiary Account Validation service⁶, and utilising machine learning to automate the detection of outliers, to name just a few.

Technology is also helping to solve the problem of limited data, which often impedes a bank’s ability to detect outliers. “We have payment data available, but it is, by its nature, restrictive,” explained Fruschki. “This is because corporate clients are diverse. Even clients in same industry have different partners, and larger and smaller corporates usually have more than one banking provider. This means that we only see part of the payments – so even if you had two identical corporates in terms of payments, because it is split across multiple banks, the picture would still look different.”

This is why Deutsche Bank and TIS joined forces in March 2021 to build an innovative payment fraud prevention solution.⁷ The software service will extend beyond the payment data of individual customers, leveraging the knowledge of all corporates using the service, while the shared data remains anonymised. The new solution was among the reasons why Deutsche Bank has been awarded “Global Bank of the Year for Innovation” in the TMI awards for Innovation & Excellence in Treasury in 2021.⁸

But, as Brown concluded it is important to not put all your eggs into one basket. “There are no one-size-fits-all methods and clients should look to use more than one tool,” he said. “Going forward, it will be important that the industry remains abreast of these developments and utilises them in the right way.”

Sources

¹ See https://bit.ly/3u3NO7f at merchantsavvy.co.uk
² See https://bit.ly/3nZSc35 at europeanpaymentscouncil.eu
³ See https://bit.ly/3fW9RnZ at juniperresearch.com
⁴ The Payment Services Directive (PSD 1) entered into force in 2009. Amongst others, it established maximum processing times for payments in euro and other EU currencies.
⁵ See https://bwnews.pr/344v3FC at businesswire.com
⁶ See A new era for payment validation at flow.db.com
⁷ See https://bit.ly/32ue3bl at db.com
⁸ See Deutsche Bank named “Global Bank of the Year for Innovation” for its corporate treasury offering at corporates.db.com