It's estimated [1] that online payment fraud amounted to around $20 billion globally in 2021, which represents a growth of 14% on the $17.5 billion that was recorded the year before.
What are the different types of payments fraud?
Glen: There are two main types of payment fraud, which can broadly be categorised as those that produce a direct victim and those that produce an indirect victim. For instance, payment frauds that fall into the former camp include things such as identity fraud and hacking, and attacks are commonly made via things such as supplier frauds, invoice frauds, and company director frauds.
Indirect fraud tends to focus more on "faceless" crimes, with the victims being banks, states, and/or systems. Money laundering is the most common form of this kind of payment fraud. There is sometimes a combination of these two types of fraud, with AC Scams prompting victims to be misled about how their accounts will be used to siphon money from them.
Who is most likely to be targeted by payments fraud?
Dimitri: Businesses are the most common target for payment fraud, with smaller businesses a particularly popular target for criminals. Fintechs and other financial innovators can also be targeted in so-called "multi-vector attacks" that target a range of financial actors, however.
Which stage of the payment process carries the most risk?
Dimitri: The attacks will often target processes like the onboarding of new customers, request-to-pay and invoicing, and initiation or execution of payment. If you think about it, there are commonly three steps customers will go through when making any kind of payment:
● Validation of the source when requesting the payment
● Validation of the payment requisition
● Validation of the transaction
Each of these steps in the process has vulnerabilities that criminals can exploit, although the greatest risk comes in the second and third steps of the payment process. For instance, fraud conducted at the invoicing stage often results in a so-called Authorised Push Payment (APP), as fraudulent invoicing can prompt the payer to initiate payments in good faith to criminals.
How can companies identify and prevent payment fraud?
Dimitri: Thankfully, there are numerous things companies can do to both identify payments fraud and then prevent it from happening. The first step is undoubtedly to focus on getting the right people in place. A strong fraud team should consist of a broad set of skills, including not just technical people but also customer service managers, product managers, and so on. The aim is to ensure the whole payment process from end to end is reflected.
Of course, smaller businesses may struggle to muster such a comprehensive team due to resource constraints, so external help could be drafted in to provide that additional layer of support. For instance, at Libeo we aim to provide that extra security support for clients to enable them to bolster their in-house fraud team.
It's also important that any solutions implemented are backed by actions and don't purely rely on technologies like data and machine learning. Teams should strive to ensure that all actions are recorded and mapped to mitigate future risks.
Teams should also strongly consider implementing anti-fraud mechanisms [2] and security solutions that allow them to use data to score transactions and flag potentially suspicious payments. It's usually when payments are at the process stage that such anti-fraud mechanisms step in and block or intercept the fraudulent request.
Can the same level of risk protection be enjoyed in a cloud environment?
Dimitri: Cloud-based providers can certainly provide a high degree of risk protection, and indeed can often provide a better level of security than on-premise solutions. For instance, the fact that the cloud is externalised and contains an embedded security layer can reduce the risk of data loss.
What's more, cloud-based services often provide companies with the ability to govern admin rights internally, which collectively ensures that things like customer bank details, credentials, and sensitive invoices can be safer on the cloud than on an internal server.
This is really important as any data breach will result in a loss of confidence among customers and reputation in the wider ecosystem, so it's important that companies recognise the reputational aspect of security breaches.
What would your advice be to a young company trading and making payments internationally for the first time?
Glen: The first step is to ensure that you're using data to make informed decisions about payment fraud. This should enable you to map out potentially fraudulent activity. This should be accompanied by a prioritisation of security throughout the payment process. This is a growing problem that has to be tackled head-on if it's to be properly addressed. Finally, teams should strive to produce a catalogue of actions that they will implement to combat payment risks. Payment fraud seems only likely to become a bigger risk as the payments landscape becomes more complex, so it's vital that it rises up your priority list so that you can ensure that customers, suppliers, and other stakeholders aren't compromised.
For more information visit Libeo [3]