The rapid emergence of new instant payment services based on real-time payment rails represents the financial industry's future. While these rails have many advantages, there has also been an increase in fraud, particularly social engineering attacks.
In this real-time setting, traditional fraud prevention is no longer as effective; instead, consumers can be safeguarded by real-time fraud detection technology.
To address systemic risk caused by the growth of instant payments and corresponding fraud, the financial services industry must improve collaboration among all financial institution players, including banks, fintechs, and crypto companies.
What are real-time payments?
Real-time payments (RTP) are payments that are initiated and completed almost instantly. The digital infrastructure that enables real-time payments is known as a "real-time payment rail." Real-time payment networks can ideally give 24x7x365 access, which implies they are always available to conduct transfers, including weekends and holidays.
The rise of real-time payments
Money transfer methods are rapidly evolving. Consumers and businesses alike do not want to wait 3-5 days for funds to settle in their accounts or pay bills.
Internationally, countries such as the United Kingdom, Australia, Singapore, India, and Sweden already provide their citizens with access to real-time payments for a variety of use cases, such as account-to-account payments, requests to pay, instant payouts, and so on.
While in the United States, the growing use of peer-to-peer (P2P) payment apps such as Zelle, Cash App, and Venmo is the first example of real-time payment rail-based innovation. According to Insider Intelligence, payment transactions in the United States will exceed $1 trillion in 2022.
Some of the P2P volumes in the United States are already on a real-time payment rail. Early Warning Services, the company behind Zelle, and The Clearing House (TCH) announced in February 2021 that Zelle transactions would be conducted through TCH's RTP network, which covers more than 60% of U.S. deposit accounts.
The Clearing House's RTP network, FedNow, is the most prominent example of a real-time payments network in the United States. The Federal Reserve's planned real-time solution will also be classified as a real-time network. FedNow is scheduled to start in 2023, according to the Federal Reserve.
Attacks involving social engineering and authorized push payment fraud
While payment experts tout the advantages of instant money transfer, one growing issue is the growing number of fraudsters on these P2P payment apps. Unlike traditional cybercrime, such as account takeovers or credential-stuffing attacks, fraudsters use social engineering attacks to initiate payments through these apps, such as phone number spoofing, robocalls, and personalized text messages.
Social engineering attacks target the elderly in particular. According to the Federal Bureau of Investigation's internet crime report, fraudsters are twice as likely to target this segment. According to the Federal Trade Commission, consumers over the age of 70 typically lose $1,500.
Fraudsters frequently pose as a bank or broker representatives and request that the victim send money to a specific account via a P2P payment app. Fraudsters will use remote desktop software (Zoom, TeamViewer, etc.) to "guide" them through the payment process.
This is an example of Authorized Push Payment (APP) fraud. It can be difficult to prevent because the victim is providing account information and using their device.
However, there are steps that can be taken to overcome this obstacle:
1. Detection and prevention of APP fraud in real-time
Using past transactions to identify emerging fraud patterns is no longer sufficient. To detect social engineering attacks, fraud detection must occur in real-time.
One common type of APP fraud in crypto is "investment advisor" scams, which are similar to P2P app-based social engineering attacks. In this scenario, a fraudster poses as an advisor and persuades a user to open an investment account. The fraudster guides the victim through the account opening process using remote desktop software, and the victim uses their own identity for KYC verification. The fraudster then gains access to the account and steals the funds that have been transferred.
This type of fraud can be prevented by effectively flagging suspicious devices, emulators, or scripts, as well as sessions conducted in real-time via proxies, VPNs, screen shares, or remote desktops. To prevent these attacks, banks, fintechs, and cryptocurrency companies can collect device and network data on their login pages.
Another method for detecting fraudsters is through their distinct device behavior. Regular users will fill out an onboarding form automatically and exhibit a variety of mouse and scrolling patterns. Because of practice, a fraudster will most likely copy and paste and have more repetitive movements. Other behavioral signals, such as shortcut usage and page or window switching, can be extremely useful in assisting businesses in detecting fraud.
At Flagright, we’re successfully using device intelligence and actionable behavioral data to prevent fraud in fintechs, neobanks, and crypto businesses. Using real-time data to detect and flag social engineering, it is possible to stop a fraudulent transaction before the money is transferred.
2. Industry collaboration to close data gaps in fraud
To successfully prevent APP fraud for real-time payments, all stakeholders in financial services should try to work together to collaborate and share data. Fintech and crypto companies, community banks, and credit unions are not included in today's data-sharing consortium models. This enables known fraud rings and bad actors to continue preying on consumers and merchants as they move from one institution to another.
3. Implement global best practices
Countries with long-standing real-time payment rails have also seen key regulatory initiatives, such as:
- Real-time payments require two-factor or token-based authentication: for example, the Strong Customer Authentication regulation in Europe requires banks, fintech companies, and merchants to support two-factor authentication for push payments and high-risk transactions.
- Verifying the payee — pay.uk, an industry body in the United Kingdom, launched a service to ensure that the intended recipient's name matches the name on a bank account. For example, if you're attempting to pay Coinbase, the account name should match one in the database. Before completing payment, users are presented with warnings and checks.
- Creating a fund to compensate for losses — The UK Payment Systems Regulator (PSR) has signed up nine of the largest UK banks to a voluntary code designed to reimburse victims of APP scams on the UK real-time payments network. Furthermore, the PSR has proposed mandatory reimbursement.
No single financial institution or country can solve fraud on its own, especially as cross-border payments become more popular and convenient. We're keeping a close eye on how these regulations are implemented and enforced, as well as how the private sector can help them achieve their goals. At Flagright, we want to continue the conversation with financial institutions that are interested in reducing and preventing payment fraud.
Real-time payment fraud should always be addressed
The Federal Reserve recently wrote that "The irrevocable, real-time nature of instant payments can pose a challenge to the industry in detecting and preventing fraud." And regulators are watching.
The Federal Trade Commission recently filed a lawsuit against Walmart for allowing fraudsters to take advantage of its money transfer service. The Consumer Financial Protection Bureau is considering reclassifying APP fraud as "unauthorized," which would require banks to compensate victims of social engineering attacks under Regulation E.
Evolve with security and speed
Given the increasingly sophisticated and ever-changing nature of the threats affecting financial services providers, predicting the patterns and types of fraud that can influence real-time payments is difficult. Financial institutions, on the other hand, should prepare for whatever comes their way by implementing solutions that provide protection against current threats while also allowing them to adapt as the threat landscape changes.
Having the most advanced dynamic risk assessment and real-time transaction monitoring capabilities in place, as well as KYC/KYB orchestration, crypto and sanctions screening, and a bad-actor database; all of which Flagright provides, can help financial institutions gain a competitive advantage as they balance customer expectations for speed, ease, and convenience with the need for secure transactions.
To get started, contact us here to schedule a free demo.