Fighting a (losing) battle against fraud
Despite efforts to control payments fraud, it appears financial institutions and businesses in the US are fighting a losing battle. The recently released 2018 Payments Fraud and Control Survey Report from the Association of Financial Professionals (AFP) revealed that fraud levels reached a record high in 2017, with 78% of the organisations surveyed affected by fraud.
Cheques were the instrument of choice for fraudsters, with 75% of finance professionals reporting that their organisation’s cheque payments had been exposed to fraud. Business emails were also attacked, with 77% of organisations reporting their employees – from chief executives through to treasury analysts – had been targeted by email-based payments fraud.
Jim Kaitz, president and chief executive of AFP, says treasury and finance professionals need to better anticipate scams and be prepared to deter them. He is alarmed that the rate of payments fraud has reached such a high despite repeated warnings.
The survey also found that 65% of payments fraud was committed by individuals outside an organisation and 67% of fraud was detected by treasury staff. Nearly all – 92% – said fraud attacks collectively cost 0.5% of the organisation’s annual revenue.
“The fraud survey serves as an important resource in understanding the potential risks within the payments industry,” says Bob St Jean, managing director and treasury services executive at JP Morgan, which sponsors the survey. “With more than three-quarters of companies experiencing fraud in 2017, it is important that businesses take preventive measures by educating their employees and implementing processes to prepare and protect their infrastructures from cyber fraud.”
A greater share of survey respondents from larger organisations and those with fewer payment accounts (those with annual revenue of at least $1 billion and with fewer than 26 payment accounts) report payments fraud activity than do respondents from other organisations. During the past three years, AFP says larger organisations have been more vulnerable to payment fraud attacks than other companies. At least 80% of the larger companies have been victims of payments fraud in each of the past three years.
The report outlines some of the attacks reported. For example, more than 100 cards in a commercial card programme fell victim to a credit master attack, where fraudsters used sophisticated algorithms to estimate what the account numbers and expiration dates were. In another instance fraud was perpetrated via cheque and ACH debits on an account that did not feature Positive Pay filters. Positive Pay is a fraud prevention system offered by most commercial banks to protect against altered, forged and counterfeit cheques. It checks the accuracy of a cheque’s account number, date, and amount when the cheque is presented for payment. The company in question reported that once the necessary filters were added, the problem was solved.
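The Positive Pay check described above can be sketched as follows. This is an added illustration, not code from the AFP report or from any bank; the field names, the use of the cheque serial number as the matching key, the duplicate-presentment check and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cheque:
    account: str  # account number
    serial: str   # cheque serial number (assumed matching key)
    dated: date   # date written on the cheque
    cents: int    # amount in minor units, avoids float rounding

class PositivePay:
    def __init__(self, enrolled_accounts, issued):
        self.enrolled = set(enrolled_accounts)  # accounts that have the filter
        self.issued = {(c.account, c.serial): c for c in issued}  # issue file
        self.paid = set()  # items already honoured

    def present(self, item):
        """Return 'PAY' or the exception reason for a presented cheque."""
        if item.account not in self.enrolled:
            return "PAY_UNFILTERED"        # no filter: nothing is verified
        key = (item.account, item.serial)
        record = self.issued.get(key)
        if record is None:
            return "EXCEPTION_NOT_ISSUED"  # counterfeit or forged item
        if key in self.paid:
            return "EXCEPTION_DUPLICATE"   # same cheque presented twice
        if item.cents != record.cents:
            return "EXCEPTION_AMOUNT"      # altered amount
        if item.dated != record.dated:
            return "EXCEPTION_DATE"        # altered date
        self.paid.add(key)
        return "PAY"

def run_demo():
    # Constructed issue file and presentments; account 5002 has no filter.
    pp = PositivePay({"4001"}, [
        Cheque("4001", "1001", date(2018, 3, 1), 125000),
        Cheque("4001", "1002", date(2018, 3, 2), 9800),
    ])
    presented = [
        Cheque("4001", "1001", date(2018, 3, 1), 125000),  # genuine
        Cheque("4001", "1002", date(2018, 3, 2), 98000),   # amount altered
        Cheque("4001", "1777", date(2018, 3, 3), 50000),   # never issued
        Cheque("4001", "1001", date(2018, 3, 1), 125000),  # presented again
        Cheque("5002", "0042", date(2018, 3, 3), 750000),  # unfiltered account
    ]
    return [pp.present(c) for c in presented]

if __name__ == "__main__":
    print(run_demo())
```

The last item shows the gap in the incident the report describes: on an account without the filter, a presented cheque is paid without any comparison against issued items.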
“What is concerning is that despite the actions companies are taking to guard against payments fraud, scammers continue to persist in their efforts to attack payment systems,” says the report. “Even when fraudsters face challenges when planning their attacks on a particular payment method, they likely shift their focus to alternative payment vehicles, as in the case with business email compromise. Business leaders need to be vigilant in their efforts to prevent future fraud attempts and to make it more difficult for criminals to hack into payment systems.”
In Europe, payments fraud is also a concern. The European Payments Council (EPC) issues a yearly report on trends in security threats that could affect payments. Its most recent report, from December 2017, identified the main payments threats:
- an increasing professionalism and sophistication of cyber attacks;
- increasing numbers of distributed denial of service attacks, frequently targeting the financial sector;
- a shift from malware to social engineering attacks, or combinations of the two;
- a focus on mobile and internet of things devices.
The EPC believes the adoption of cloud services and big data analytics, while presenting new opportunities for organisations, may also present new risks. The idea that data is stored “everywhere” may be a concern.
Alongside the threats, EPC says there is a competitive market drive for user-friendliness and simplicity in payments solutions. This has led to increased pressure on security resources and to trade-offs by payment service providers (PSPs). “The challenge will be to find the right balance between the user-friendliness and the security measures needed,” says the EPC. As security becomes more regulated through the revised Payment Services Directive (PSD2), General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive, there are challenges because on the one hand payments are being opened to new PSPs, but security barriers with respect to fraud have been raised…
By Heather McKenzie, freelance journalist and editor, FinTech Eye
This is an excerpt. The full article is available in the May 2018 issue of the Banking Technology magazine.