Global adoption of real-time payments systems has soared in recent years, enabling consumers to transfer money between accounts instantly, but also irrevocably. In November 2017 the Eurozone launched its cross-border, real-time payments system, while in the same month The Clearing House launched its Faster Payments scheme in the US. February 2018 saw Australia launch a New Payments Platform for consumers too, and Canada plans to implement one in 2019.
For consumers, the appeal from a convenience perspective is obvious. However, fraudsters are constantly looking for new ways to attack, and real-time payments present new avenues for criminal activity – writes Sarah Rutherford, Solutions Marketing Manager at FICO.
One example is invoice fraud, which involves a criminal sending an invoice that claims to come from a legitimate supplier, but instead contains their own bank account details. This is not a completely new form of fraud, but when the victim makes a real-time payment to the fraudster there is little opportunity to realise what’s happening and cancel the transaction before it’s too late.
In the UK, where we’ve had real-time payments since 2008 thanks to the Faster Payments Service, there’s been an increase in invoice fraud, particularly against individuals. An invoice may look like it comes from your plumber, for example, only for it later to be discovered that a fraudster is the real sender. As a real-time payment can total up to £250,000, this can be life-changing for victims.
Some might blame the victim by arguing that they failed to make adequate checks. But in many cases that would be misguided. The reality is, banks have given customers the power to make irreversible payments in real-time without the ability to carry out checks in the same way that a bank can. How could a customer perform a behavioural risk analysis on their own transactions?
This issue has not gone unnoticed. Following a complaint by consumer group Which? calling on banks to protect customers from this form of fraud, both the Payment Systems Regulator (PSR) and the Financial Conduct Authority (FCA) have started working to solve the growing problem. They are now looking to implement a model by September 2018 which defines when and from whom victims of APP (authorised push payment) scams should get their money back, meaning banks may soon be paying out much more.
Using Real-Time Payments to Evade the Law
Real-time payments don’t just facilitate invoice fraud, however. The ability to move money quickly is incredibly valuable to criminals, who can now transfer funds rapidly across different accounts, making it much harder for police to trace the proceeds of crime. Several new fraud tactics have developed to take advantage of this:
- Account takeover fraud:A criminal can take over an account and transfer money through it, making it more difficult for the authorities to track the money. In some instances, the account holder may not even realise it’s happening, particularly if the fraudster takes over an account that they don’t use regularly.
- ‘Money mules’:Money mules are accounts used by criminals to mask stolen money without necessarily needing to control them directly. In some cases, people allow their accounts to be used as mules because they’ve been conned into thinking they are helping someone in need, but in other instances the mule account holder receives a payment in exchange for facilitating the fraud.
- Application fraud: Another method is for a criminal to open accounts using stolen or synthetic identities. With such accounts the criminal can not only move money but extract it as well. In the case of authorised push payment fraud, the payee’s bank may not be held liable for losses from the fraud. However, in cases where the fraudulent payment has been sent to an account opened using a stolen or synthetic identity, receiving banks have been pushed to pay compensation to the victims for having opened an account for a fraudster.
How banks should respond
It’s clear then that real-time payments are a catalyst for fraud at points across the eco-system – not just at the point of transaction. Figure 1 illustrates the widespread use of real-time payments by fraudsters that banks must consider if they are to protect customers, their reputations, and their bottom lines in a shifting threat landscape.
At present many banks look at application fraud, payment fraud and account takeover fraud in silos, employing separate, one-dimensional strategies to tackle each problem. By taking a holistic approach, banks can be better prepared to stop fraud at all stages.