Payment processing is much more seamless now than it was even a few years ago. The pandemic accelerated the pace of digitizing payments, and peer-to-peer payment networks continue to grow in popularity. But this has also meant that consumers and banks have faced a growing number of innovative payments scams.
In a recent PaymentsJournal podcast, Sudhir Jha, Executive Vice President and Head of Brighterion, a Mastercard company, and Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research, discussed how generative AI is changing the payments fraud landscape and what we should expect in the year ahead
Leaving Information on the Table
Social media has changed many things about payments, starting with the fact that they can now be facilitated directly from an app like Facebook. That has opened up new avenues that institutions need to keep a careful eye on. On top of this, consumers have become more comfortable with leaving information in the open on various social apps. Many financial institutions have been facing more challenges when it comes to intervening or detecting fraudulent or suspicious activity through these channels.
Social media adds several new wrinkles to fighting fraud. “If you go to a restaurant and post your food before you eat, that gives a fraudster a ton of information about you to make their fraud attempts much more believable and effective,” Jha said. “The potential criminal not only knows the location, then they know which business you interacted with, and even what you ate.”
With all this information, a fraudster can easily create a believable approach to the customer: “You ate at my restaurant yesterday and you paid X dollars, but that was incorrect. To get your refund, click on this link.” That link can be part of a phishing attempt. By collecting all that personal information, the criminal can even become friendly with the target and create a bond that sets up a later scam.
While scams have always been around, AI makes such approaches more scalable. It used to be much harder for bad actors to collect enough information to personalize attacks. Now all of that can be automated using AI. To counter these attempts, businesses need to embrace sophisticated solutions. Checking a few touchpoints and asking a couple of questions will not be enough to fight the scams of today.
“We’ve talked a lot about regulation and halting advancements in AI, which sounds wonderful in theory,” Kitten said. “But in practicality it’s not really a logical step because regardless of what we do as an industry, cybercriminals aren’t going to halt. They’re going to continue to use AI to advance their techniques and their tactics.”
Leveraging Consumer Privacy
Consumers in many markets have become more lenient about privacy in recent years, because they trust the government to protect their data. “We find year over year that consumers are willing to share more personal data about themselves, specifically in the U.S., if they think it will fight fraud,” Jha said. Businesses can use technology to better understand their customers’ shopping habits, biometrics information, and even personal details as a way to enhance cybersecurity.
It all goes back to the fact that fraudsters have been able to amass a wealth of consumer data they can collect from the internet. To combat this, AI has become an important tool for institutions faced with fighting payments fraud. “AI technology can help you piece together a story and create a persona of the consumer,” Jha said. “And you can be a lot more prepared for what the customer’s next step is.”
Generative AI has the promise of allowing institutions to know enough about their customers that they can predict that next step. The challenge for banks is to secure the transaction without adding so much friction that the customer doesn’t enjoy the experience.
According to Jha, the key is layered security. Behavioral biometrics can indicate the typing cadence of the consumer logging into the account through an online banking transaction or the cadence they use on the keypad when they’re logging in on a mobile device. Those behaviors are difficult for a cybercriminal to mimic. Banks can use some of those back-end behavioral biometrics in tandem with device identification and the amount of the transaction to detect fraud.
Great Progress
Twenty years ago, when e-commerce was just coming into its own, most institutions were resigned to losing 1% to 2% to fraud. Now if institutions don’t get below 0.1% in fraud losses, they think that they’re not doing the right thing. As an industry, ecommerce is more well-versed in fraud than ever before. But evolving fraud threats require innovative approaches and collaboration across the industry.
“In almost any payment transaction, there are at least five or six parties involved, and they have their own view of the transaction,” Jha said. “For a credit card transaction, you have a bank that issues the credit card, a merchant where you’re transacting. There are acquirers who basically collect all these merchant signals into one place. Payment processors and card networks come into the picture as well. Each of these entities has a limited picture of the transaction and the cardholder profile. None of them have all the information. For example, a merchant doesn’t know what a given cardholder has done in other merchants’ operations.” Close collaboration across all parties of the payment transaction is key to securing it.
Collaboration and communication within organizations is vital as well. Silos have to be broken down to foster the sharing of tools and information, as long as the proper privacy concerns are accounted for.
“We have seen a lot of fragmentation within the organization because of the rapid advancement of the different payment technologies, as well as the different fraud vectors,” Jha said. “When I talk to different banks, I hear that they have all these different channels: a card payment type, ATM withdrawals, account transfers. These have evolved at different times, and therefore they have different solutions, different stacks, even different vendors. Now you add different fraud types to that and the solution landscape quickly becomes unmanageable.”
“We’ll take another step forward in 2024 towards making our payment ecosystem safer and better,” Jha said. “It is going to require a cultural change within financial institutions as well as retailers from the top down. The C-suite has to understand that this is a customer service issue—unless you take steps to protect them, you’re going to lose customers.”