Preventing fraud in the era of instant payments

Instant payments have been a boon for businesses, their suppliers, and their customers. They reduce administration costs, support questions from suppliers looking for their payments, while also increasing speed (obviously), transparency, the ability to control cash flow, and help produce smooth supplier relationships.

They can also give criminals the opportunity for a quick getaway.

It’s important then for businesses to put procedures and technology in place to protect themselves, their vendors and their customers from fraud.

How does instant payments change the tactics behind payment fraud?

We’ve previously gone into depth about general types of payment fraud, and the tactics that criminals use, but how do instant payments change how criminals target businesses?

In the main, they don’t.

Instant payments are the equivalent of having a Ferrari versus a Morris Minor as the getaway car when robbing a bank. The way the bank is robbed doesn’t change much, but catching the criminals requires both early warning systems so the police can arrive on the scene as quickly as possible, and fast enough cars to catch the criminals if they getaway.

Of course, digital technologies have changed how criminals conduct payments fraud enormously, but instant payments themselves don’t change their fundamental tactics.

If you can identify (or even prevent) a fraud early, the chances of recovering the money increases dramatically.

For businesses then, they still have to look out for APP (authorized push payment) fraud, billing schemes, ACH (automated clearing house) fraud, check payment frauds, expense reimbursement fraud, kickback schemes, payroll fraud, and the like, but what they really need to consider when it comes to instant payments is prevention, response time and actions.

If you can identify (or even prevent) a fraud early, the chances of recovering the money increases dramatically. But, if a payment is instant, how can businesses realistically protect themselves? What’s more, how they retain the level of convenience customers now expect while still being a safe and secure entity to transact with?

Protecting your business against instant payment fraud

*With instant payments, response time and methods are all important*

According to the CIA, once 72 hours has elapsed from a fraud occurring and it hasn’t been detected and acted against, the chance of recovering the funds drops to 9%. Bottom-line, you need to prevent fraud whenever possible, detect fraud early (if not instantly) and take immediate actions. This requires a trifecta of elements – people, process, and technology – working together in harmony.

People

The most vulnerable part of any system is generally the people running it. There are always the chances that the digital architecture has holes in it, allowing criminals ways in, but usually it’s by exploiting people’s vulnerabilities that criminals create vulnerabilities within a system.

The most vulnerable part of any system is generally the people running it.

Training

‘Training’ is an obvious solution to make your people less susceptible to fraudulent tactics, but what form should this training take?

Firstly, you need to focus on where your business is vulnerable. Will criminals use your product or service to target you, your customers, your suppliers, or all the above? What are the tactics they are most likely to use? This emphasis on likely tactics will stop training being too general, and thereby less memorable for people.

Secondly, do you have instances in the past you can use as examples? Are there people – even the victims of the fraud – willing to talk about their experience? This personalization of the fraud will again make it stick out much more in the employees’ mind.

Thirdly, insider fraud should be a core part of any anti-fraud training. It’s not a nice conversation to have, but by having it openly you both tell your employees that you’re aware of the possibility of insider fraud, and you have systems in place to identify it when it happens.

Finally, training must be both regular and supported by top management. This doesn’t mean you have to do sessions every week, but a few times a year would be appropriate. Top management need to support this by communicating the importance of the session themselves and also attending regularly as well.

Due diligence and behavior monitoring

Beyond training, doing proper due diligence on new hires (difficult, of course, and any background checks usually legally requires all information gathered to be directly for job related purposes) is an important step.

As well as this, monitoring behavior of employees is an important way to prevent fraudulent schemes getting out of hand. This has to be done within reason, and the balance between monitoring discreetly and invading people’s privacy and destroying their trust can be a tough line to walk.

Technology

Instant payments are a result of technological advances and preventing instant payment fraud requires advanced technology too. Automated systems, which use embedded fraud detection algorithms and machine-learning tools, are at the front-line of preventing instant payment fraud.

Predictive risk assessments and automated fraud detection

One of the first steps in preventing instant payment fraud is to predict it before it happens. There are many red flags that anti-fraud professionals know to look for in a payment, and by embedding these red flags into a payment system, they can often prevent a fraudulent payment being made in the first place.

The system then needs to be capable of sorting out the ‘good’ payments that may have red flags and those genuinely fraudulent ones. A simple example is someone making a payment for a ‘bomber jacket’. The system may be looking for keywords such as ‘bomb’ and therefore prevent the payment going through but needs to be clever enough to know that this payment is for an item of clothing, and not linked to terrorist activities.

Without this ability to discern businesses may find multiple payments are being held up, causing an impact on revenue.

Robust data security

Any payment system must have strong data security. Regular penetration testing and external audits, prompt patch management (to keep the system up-to-date), deletion of out-of-date data, secure data processing activities in-line with top industry standards, data encryption, and certified host providers to house the data securely are just some of the elements world-class payment systems will have in place as standard.

Without these protections, data can become vulnerable to direct hacking or phishing attempts which criminals can then leverage to make fraudulent payments.

Real-time response mechanisms

Once the system’s detection methods raise the level of potential fraud to a defined level, the system will generally pause the payment and notify a human operator to make the decision.

The technology needs to be smart enough to detect potential fraud, while allowing good payments to go through

In the instant payment’s era, this makes the ability to do this in real-time an essential part of any anti-fraud response. And this is where the technology meets the human element.

The technology needs to be smart enough to detect potential fraud, while allowing good payments to go through, while the human side needs to be quick enough to deal with potential fraudulent payments.

Process

Process is rarely the shiny object in organizations that people want to build and follow. It’s bureaucratic, prone to manipulation, and rarely bullet-proof. It’s also essential.

What then are the processes businesses can put in place to prevent instant payments fraud?

Have a fraud response plan

What’s not written down, doesn’t exist. If you don’t have a defined plan, then any trigger events will lead to confusion and an inadequate, piecemeal response. Defining in advance who is notified, including the police, and what actions the organization should take immediately after a fraud is identified, will help align the team in the right direction.

A fraud response plan should also have a proactive element. This would include a whistleblowing process, allowing employees to report (confidentially if necessary) potential frauds occurring within the organization.

Double-blind monitoring

Payments, particularly initial payments to new external parties, should be double-checked by a human being. What’s more, the payment process in general should be the responsibility of more than one person.

Regular audits

Regular audits will help detect and prevent fraud. While auditors are not generally responsible for detecting fraud, a good auditor will monitor your incomings and outgoings with fraud in mind. Regular internal checks and audits will also help detect potential fraud and prevent internal fraud because the risk of being caught is greater.