Enterprise Payment Fraud: Why banks need a smarter approach to AI

Executive summary

Enterprise Payment Fraud (EPF) is the fastest-growing area of banking fraud. It poses particular challenges for banks because it usually involves run-of-the-mill deceptions and confidence tricks. Fraudsters pose as bank staff, send fake bills or invoices, or take advantage of people seeking romance to persuade their victims to transfer money. They frequently harvest information about their victims from social media and other available online sources – social engineering – to make their approaches appear legitimate.

If the fraudsters’ attempts are successful, the resulting transactions often evade the bank’s fraud defenses because they have been directly authorized by the customer. Even when the customer realizes they might have been duped, today’s instant payment networks mean it is already too late – the funds have left their account and cannot be recalled. The duty to protect customers from fraud will only intensify with the introduction of the second EU Payment Services Directive (PSD2), which obliges banks to open their payment IT infrastructure to third-party organizations.

The standard rule-based anti-fraud systems deployed by banks today cannot detect or block EPFs because they are not flexible enough to deal with the huge variety of ways in which people now use digital banking channels. In response, newer software systems are attempting to use Artificial Intelligence (AI) to identify and block fraudulent payments in real time. However, this approach has drawbacks. An individual bank’s data sets are just not big enough to allow the effective training of AI algorithms. This leads to what is called “overfitting”, which occurs when AI is trained using only a limited number of fraud examples.

Overfitting results in AI systems that are able to detect only the limited range of frauds that they are familiar with, but are unable to spot other types of fraud that they have not encountered before. So far, banks have been reluctant to pool their data to reach the critical mass that could allow them to overcome the overfitting problem.

NetGuardians’ proprietary Managed Learning technique offers an answer to this situation. Managed Learning combines several supervised and unsupervised Machine Learning (ML) approaches within a consistent scoring model and employs two phases of analytics to detect fraudulent payments. The first phase searches for anomalous transactions by building a dynamic understanding of each customer’s typical behavior as it evolves through time, and flagging transactions that do not fit with this pattern. In the second phase, the system is trained to recognize which of these anomalies are fraudulent transactions (and to disregard the legitimate ones) by learning from the feedback it receives. One of the key strengths of Managed Learning is that it manages to accomplish this without unbalancing the scoring models in a way that would lead to overfitting.

The results achieved by this approach are compelling: the fraud detection rate using a Managed Learning system is more than double that of a rule-based system, and the number of false positives is reduced by more than 80 percent. As a result, the time spent by fraud teams investigating suspicious payments declines by more than 90 percent, delivering major operational gains as well as a better banking experience for customers.

Enterprise payment fraud: Easy money from low-tech scams

Enterprise payment fraud involves stealing money via domestic or cross-border payments that have been authorized by the account holder – both individuals and companies – under false pretenses. This type of fraud is typically low-tech and most of the time requires no hacking expertise or technical know-how on the part of the criminal. Instead, these frauds depend on a variety of straightforward methods including fake emails, bills or invoices, fake SMS messages, telephone-based confidence tricks, online dating scams and so on.

Common examples of EPF include:

Advance fee fraud: a caller posing as an official from a government department or the tax authorities tells the victim they face court unless they pay to settle an action against them.

Fraudsters target victims through online dating sites or social media and create a fake romantic relationship, winning the victim’s trust with online messages before asking them to send money.

Fraudsters email the victim a fake bill, such as for building work or school fees, closely resembling a genuine bill but including different account details.

A fraudster calls in person at the victim’s home, posing as an employee of a company that has carried out work for the victim and who has come to collect payment.

Fake invoices are emailed to a company, again resembling a genuine invoice but including different payment details. In smaller companies with few formal controls, relatively junior staff who have access to payment systems can be duped or pressured by a caller posing as a senior executive or a customer into making a payment or settling a fake invoice.

A telephone caller posing as a bank employee informs the account holder that their account has been compromised and requests personal login information to help protect their money. Alternatively, they ask the victim to transfer funds to a new “safe” account that has been set up for them.

These frauds frequently involve elements of social engineering. By harvesting information freely available on organizations’ websites and individuals’ social media accounts, the fraudsters can gather the information they need to make a bill or request for money appear genuine. Although some payment frauds are much more sophisticated operations, such as the attack in February 2016 on Bangladesh’s central bank using the international SWIFT messaging system, these remain a tiny minority compared to the most common types of EPF.

How a school fees fraud could be executed

Fraudsters identify families with children at a private school by using the school website and looking at Facebook, Instagram, Twitter and other social media sources. They find out when bills for school fees are due to be issued and just before that date, they email fake invoices bearing the account details victims should use. By circulating a large number of fake invoices, they stand a strong chance of fooling some parents and potentially collecting large sums of money.

“Social engineering, false bills or fake phone calls that give the victim new payment details for utility bills are the most popular and widespread types of payment fraud these days. Corporates are targeted for larger amounts, but individuals are equally under attack.”

– A. Braunstein, Lead, Pre-Sales, Innovation & Business Development, Financial Messaging & Services, Finastra

EPF is the fastest-growing area of fraud against individuals and a serious problem – especially for smaller businesses with less sophisticated systems and fewer internal controls. The Federal Bureau of Investigation in the US reports that in 2018 it received some 20,000 complaints relating to payment frauds resulting from compromised personal and corporate email accounts, often due to social engineering. Total losses in these cases were put at almost $1.3bn. A further $362.5m was lost through confidence tricks and romance frauds. Figures from UK Finance, the British financial-services trade body, show that in 2017 its members reported 43,875 incidents of authorized push payment fraud, which led to victims losing £236m ($287m). In 2018, it reported that such incidents virtually doubled.

Rapidly growing losses from EPF highlight both how straightforward these frauds can be, and how difficult it can be for banks and large companies to spot and block them. Not only do the payments involved closely resemble legitimate transactions, but they have been directly authorized by the victims themselves. As a result, customers are often held responsible for their losses because they have authorized the fraudulent payments and therefore receive no compensation. But pressure is mounting on banks to provide redress. In the UK one bank, TSB, announced in April 2019 that it will refund all losses that its customers suffer from this type of fraud. A national compensation scheme is expected to be launched in 2020.

Banks are under growing pressure to protect customers from EPF and to compensate them for their losses – rather than holding them responsible.

In 2018 there were 84,624 reported incidents of authorized push payment fraud, leading to losses for victims of $431.4m


The need for round-the-clock monitoring of instant payments

EPF does not depend on the availability of instant payments in order to work. However, by removing the time lag between initiation and settlement, instant payment makes these frauds all but impossible to block once the payment has been made. The cash will leave the victim’s account almost immediately and be available in the fraudster’s account mere seconds later.

In the UK, annual losses from online banking fraud almost tripled in the 18 months after the UK’s Faster Payments system went live at the end of May 2008. Fraud losses climbed from £22.6m ($27.5m) in 2007 to £52.5m ($63.9m) in 2008 and £59.7m ($72.6m) a year later, as banks struggled to strengthen their internal defenses. By 2018, the first year in which UK Finance published figures, losses from so-called authorized push payment fraud had reached £236m ($287m).

International payments also open up timing opportunities for fraudsters. For example, in the case of the theft from the Bangladesh Central Bank, using the SWIFT network, the gang executed the fraud on a Friday – the Muslim day of rest and prayer in Bangladesh – which was followed by the weekend in the US, where the funds were held at the New York Federal Reserve before their transfer to the Philippines, where the following Monday was a public holiday. As a result, more than three days elapsed before the authorities around the world were fully mobilized. To date, of $101m fraudulently transferred from the New York Federal Reserve, $81m remains unaccounted for.

Equally, a fraudulent international e-commerce payment made on a Friday evening will move from the e-banking system to the core banking platform and then be transferred a few hours later to the SWIFT system to complete the cross-border payment. By the following Monday, the funds have reached the fraudster’s account.

This highlights the dual nature of the challenge that EPF poses to banks in the era of instant payments. Detecting and blocking these fraudulent payments not only represents a major technology challenge for them, but it also exposes operational weaknesses in organizations that do not have teams in place to monitor and validate instant payments round the clock and through weekends.

Theft from the Bangladesh Central Bank

The impact of PSD2

The second EU Payment Services Directive (PSD2) obliges banks to open their payment infrastructure and allow third-party organizations to initiate online payments on behalf of their customers. The directive also – for the first time – requires banks to deploy anti-fraud software solutions.

What the third-party payment process looks like under PSD2:

1. Customer visits a merchant’s website to purchase goods or services online

2. On the merchant’s website, the customer clicks to allow a Third-Party Provider or TPP (i.e. not the customer’s own bank) to make the payment from the customer’s account to the merchant

3. The TPP authenticates the customer’s identity, then proceeds to initiate the payment

4. The customer’s bank receives the instruction to make the payment from the TPP, on behalf of the customer

What potential fraud problems does PSD2 create?

PSD2 will allow customers to grant access to their bank data to payment service providers and will offer new ways to pay for things and new services. However, it will also create more opportunities to commit payment fraud.

Under the payment processes set out in PSD2, customers do not have to use their own bank’s online banking channels to initiate payments from their account, but can instead use payment channels belonging to TPPs. Both banks and TPPs are obliged to use Strong Customer Authentication, requiring a minimum of two out of three possible factors.

However, as Francis Chlarie, Managing Director of the regulatory consultancy iXendar points out, banks that receive payment instructions from a regulated TPP can decide not to verify the customer’s identity separately for themselves. In order to achieve the directive’s goal of a near-instant, frictionless customer experience, the customer’s bank can accept the verification of that customer’s identity as carried out by the TPP.

In practice, some European banks are redirecting the customer from the TPP’s app to the bank’s app or online banking channel to reauthenticate their identity before the payment is authorized. Chlarie argues that this leaves banks open to sanctions under PSD2 for imposing barriers to competition.

He also believes this problem is likely to reappear as 5G services are launched. The 5G infrastructure will enable millions of devices to be connected into the so-called Internet of Things, many of which will need to be capable of initiating payments without human intervention.

Strong Customer Authentication Factors:

Knowledge – something only the user knows, such as a password

Possession – something only the user possesses, such as a card reader or token

Inherence – something unique to the user, such as biometric data

“PSD2 will allow customers to grant access to their bank data to payment service providers and will offer new ways to pay for things and new services.”

– Francis Chlarie, Managing Director of iXendar

The weaknesses of existing EPF solutions

1. Rule-based anti-fraud systems

Most banks today deploy rule-based anti-fraud systems that set a series of pre-defined conditions intended to identify a potentially fraudulent payment that will be blocked for verification. These might include payments made in an unusual location, such as a foreign country, payments made to a recipient for the first time, and so on. However, these rigid rules are ineffective in today’s payments environment.

As banking has digitalized, more of a bank’s internal payments systems have become accessible to the customer, allowing them to transact whenever and however suits them via online and mobile channels. This digitalization has two major security implications for banks.

First, it means that the “attack surface” of the bank – the channels through which frauds can be committed – has expanded massively.

Second, it means that customers now have so much flexibility and choice in how to transact that the payment behavior of each one is effectively unique. Customers’ preferred ways of banking can now vary so widely that a rule-based system will inevitably be too crude and inflexible to manage the sheer variety of customer behaviors.

Equally, rule-based systems cannot learn from changes in a customer’s banking behavior to distinguish suspicious transactions. This inability to adapt explains why cases of EPF and customer losses from such frauds are rising. Banks need to adopt a different approach.

2. Why mainstream AI-based approaches fail to deliver

Banks are focusing on AI as a potential solution to the problems they face with inflexible, rule-based anti-fraud solutions. AI appears to offer the potential to identify fraudulent transactions quickly and more accurately, and therefore to create fewer false positives – when legitimate transactions are blocked due to suspicions of fraud.

Mainstream approaches to using AI in anti-fraud solutions have critical weaknesses, however, due to the nature of the data sets they must analyze. Training Machine Learning algorithms requires data sets that are both large enough and balanced. For example, to become sufficiently accurate, an image-recognition algorithm must be shown huge numbers of images containing the target to be identified, and similar numbers of images that do not contain it.

Effective training therefore depends on the availability of enough data of the right kinds. Banking fraud data presents specific challenges to this approach to training algorithms because any transaction data set will contain very large volumes of negative data (legitimate transactions) and tiny volumes of positive data (fraudulent transactions).

This presents major challenges. These banking data sets are unbalanced: they contain too little positive data to train algorithms to spot the full range of EPFs. And because the ML algorithm can learn only from the very limited number of fraudulent transactions in each data set, it has too little information to analyze and build upon.

As a result, most anti-fraud solutions that incorporate ML suffer from overfitting that results from the very small number of frauds included in the data set. The ML algorithm therefore becomes highly proficient in spotting frauds that are identical to the examples it is familiar with, but is unable to spot new variations.
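As an added illustration of the overfitting described above (not code from the paper or any vendor), a nearest-neighbour classifier trained on constructed data containing only three frauds of a single pattern recognises a replica of that pattern but misses a variant of it; every value, name and probability here is an assumption.

```python
# Added example, not taken from the paper or any vendor: a supervised model
# trained on a bank's own few frauds memorises them. A nearest-neighbour
# classifier learns 500 constructed legitimate payments and 3 frauds of one
# pattern; it catches a replica of that pattern but misses a new variant.
import math
import random

def features(t):
    """Crude feature vector: scaled log-amount and four binary risk flags."""
    return (math.log10(t["amount"]) / 4.0, float(t["new_payee"]),
            float(t["foreign"]), float(t["night"]), float(t["new_device"]))

def training_set(seed=7):
    rng = random.Random(seed)
    legit = [{"amount": rng.uniform(20, 800), "new_payee": rng.random() < 0.1,
              "foreign": rng.random() < 0.05, "night": False, "new_device": False,
              "fraud": False} for _ in range(500)]
    # the only frauds on record: large night-time transfers to a new foreign payee
    frauds = [{"amount": a, "new_payee": True, "foreign": True, "night": True,
               "new_device": False, "fraud": True} for a in (9000, 9500, 8800)]
    return legit + frauds

def predict(train, t):
    """1-nearest-neighbour: the label of the closest training payment."""
    x = features(t)
    return min(train, key=lambda s: math.dist(features(s), x))["fraud"]

def run():
    train = training_set()
    replica = {"amount": 9200, "new_payee": True, "foreign": True,
               "night": True, "new_device": False}
    # same intent, different shape: a moderate domestic transfer to a new
    # payee, made from an unseen device during the day
    variant = {"amount": 1500, "new_payee": True, "foreign": False,
               "night": False, "new_device": True}
    return {"replica_detected": predict(train, replica),
            "variant_detected": predict(train, variant)}
```

The variant is missed because it differs from the recorded frauds in three of five features while many legitimate payments differ from it in only one, which is exactly the failure the paragraph above describes: the model has learned those frauds, not fraud.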

Why managed learning solutions are better than mainstream AI

Managed Learning represents an alternative way to use ML in anti-fraud solutions for banking, which recognizes the specific challenges that bank fraud data poses for ML algorithms. This strategy therefore avoids the risk of overfitting.

Managed Learning combines several supervised and unsupervised ML approaches to enhance the way the ML algorithm learns and enable it to detect types of anomaly that it has not encountered before.

This permits the creation of an anti-fraud system that works by building a dynamic behavioral profile based on each customer’s transaction history, and flagging transactions that differ from the customer’s existing profile. Anomalous transactions are flagged and those that exhibit features that push them above the required risk threshold are blocked pending verification. The system progressively learns to recognize which of these anomalies are fraudulent (and to disregard the legitimate ones) on the basis of the feedback it receives on flagged transactions.

This approach therefore recognizes that, based on the transaction data available to the bank, a legitimate transaction can appear identical to an EPF. There is no way to distinguish them without blocking and investigating both. For example, if a young person moves to a foreign city to attend university, the parents may pay money into a foreign bank account that the student opened on arrival. This transaction – though legitimate – will bear important similarities to an EPF, which can involve customers sending funds for the first time to foreign bank accounts that they have not had any previous connection with.

There is no certain way for the bank to determine whether this payment is legitimate or not, so the only means to ensure no fraud takes place is to block the transaction pending validation. This highlights the conceptual strengths of this approach to fraud detection: ML is not employed to identify transactions that are fraudulent, but to identify and flag those that are highly unusual or suspicious – a group that is sure to include the vast majority of frauds.

Aviv Braunstein of the software vendor Finastra says his company’s solution, which uses NetGuardians’ Managed Learning technology, combats all types of fraud by monitoring routines and focusing more broadly on client behavior to identify anomalies, rather than just trying to spot fraud. “The solution learns patterns for normal transactions based on message parameters and raises an alert whenever a transaction is out of the normal usage scope,” he says.


A better approach to real-time anti-fraud solutions, incorporating managed learning

There are significant practical difficulties in using ML to distinguish fraudulent payments from legitimate transactions. Instead, the most effective way to deploy ML is to train it to look for transactions that display the most important combinations of risk factors – even if they turn out on examination to be legitimate. This conceptual distinction lies at the heart of the Managed Learning approach to anti-fraud solutions.

The major features of the solutions developed by NetGuardians, which apply this approach, include:

1. The capacity to monitor all payments in real time and test each against the established user profile for the individual bank customer concerned (or the authorized user of the corporate account), based on that individual’s historic digital banking behavior.

2. Use of cutting-edge Big Data technologies to assimilate and process data in multiple formats from every step of the payments process – in real time – to maximize the range of information that can be incorporated into the system’s risk assessment.

3. Scoring of each transaction against the system’s risk model based on that user’s historic behavior. The risk model incorporates a wide range of contextual information, including the transaction size, type of account involved (individual or institutional, for example), the customer’s geolocation, the time of the day, week and month, the user’s device, web browser and type of webpage that is being viewed, the domestic or international destination of any payments, whether the payee is new or previously known, and so on. Payments are scored against the risk model and those the system judges sufficiently anomalous are flagged.

4. Deployment of a sophisticated combination of more than a dozen analytics techniques to refine the way in which high risk transactions are identified.

NetGuardians uses advanced algorithms and unsupervised machine learning techniques, including neural networks, statistical analysis, clustering and peer group analysis, to detect anomalies, and supervised machine learning techniques, including gradient descent optimization, random forests and neural networks, to lower the false positive rate.

This approach results in the identification of a subset of anomalous transactions for verification by the bank’s fraud team. This pool of risky transactions will include a very high percentage of EPFs and a limited number of legitimate but unusual payments.

Experience with users of NetGuardians’ software demonstrates that this approach will result in the system typically blocking up to 0.1 percent of total payment volumes, while in retail banking the upper limit can be as low as 0.05 percent of payments.

Operational efficiency gains

The approach described delivers a very significant operational advantage to the bank since it yields a narrow group of transactions that can be reviewed by a small specialist team, limiting the human resource required for verifications and greatly increasing efficiency. NetGuardians’ experience shows a rate of fraud detection 118 percent greater than a traditional anti-fraud system, and a reduction of 83 percent in the number of false positives. This results in 93 percent less time being spent by bank staff to investigate suspicious payments.

Improved customer experience

As well as delivering major gains in the bank’s operational efficiency, this approach to detecting EPF also improves the customer experience because the greatly reduced proportion of false positives results in far fewer legitimate transactions being blocked for verification. This means that customers can get on with their lives with fewer interruptions from the bank’s anti-fraud systems.

For example, if a customer makes a regular payment to the usual recipient but does so from a foreign location because they are travelling, the system’s incorporation into the risk-scoring model of geolocation data from the customer’s device will indicate that the customer has left their usual location or country. Provided other features of the transaction are consistent with that customer’s user profile, the system would allow the payment to be processed without checks. If other aspects of the transaction are anomalous, such as the device being used or the transaction size, the payment would be flagged for verification.
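The behavioural profiling, flagging and feedback loop described in the sections above, as an added Python example (not NetGuardians’ or Finastra’s code; the factor names, weights, threshold, bounds and sample payments are my assumptions): a travelling customer paying a usual payee is allowed, a student’s first foreign transfer is held until confirmed and then absorbed into the profile, and a confirmed fraud deny-lists the beneficiary for every customer.

```python
# Added example (not NetGuardians' or Finastra's code) of the two-phase idea
# above: phase 1 keeps a running profile per customer and scores how far a
# payment deviates from it; phase 2 nudges feature weights from analyst
# feedback within fixed bounds. Weights, threshold and data are constructed.
import math

SEEN = ("payee", "payee_country", "country", "device")   # categorical features

def new_profile():
    return {"n": 0, "mean": 0.0, "m2": 0.0, **{k: set() for k in SEEN}}

def learn(p, t):
    """Welford update of log10(amount) mean/variance plus the seen-value sets."""
    x = math.log10(t["amount"])
    p["n"] += 1
    d = x - p["mean"]
    p["mean"] += d / p["n"]
    p["m2"] += d * (x - p["mean"])
    for k in SEEN:
        p[k].add(t[k])

WEIGHTS = {"amount_outlier": 1.5, "new_payee": 1.5, "new_payee_country": 1.0,
           "new_device": 1.5, "new_country": 0.5, "off_hours": 0.5}   # assumed
BOUNDS, THRESHOLD = (0.25, 3.0), 2.5   # feedback moves a weight only within BOUNDS
DENY_LIST = set()                      # beneficiaries confirmed fraudulent, bank-wide

def risk_factors(p, t):
    """Features of t that deviate from this customer's established behaviour."""
    std = math.sqrt(p["m2"] / (p["n"] - 1)) if p["n"] > 1 else 0.0
    z = abs(math.log10(t["amount"]) - p["mean"]) / max(std, 0.2)   # 0.2: spread floor
    hits = [("new_" + k, t[k] not in p[k]) for k in SEEN]   # "new_country": geolocation
    hits += [("amount_outlier", p["n"] > 0 and z > 2.0),
             ("off_hours", not 7 <= t["hour"] <= 22)]
    return [name for name, hit in hits if hit]

def score(p, t):
    if t["payee"] in DENY_LIST:
        return 99.0, ["deny_listed_payee"]
    f = risk_factors(p, t)
    return round(sum(WEIGHTS[x] for x in f), 2), f

def process(p, t):
    if score(p, t)[0] >= THRESHOLD:
        return "hold"                  # verify before release; profile untouched
    learn(p, t)                        # allowed payments extend the profile
    return "allow"

def feedback(p, t, is_fraud):
    """Phase 2: an analyst verdict on a held payment."""
    for x in score(p, t)[1]:
        if x in WEIGHTS:
            w = WEIGHTS[x] + (0.1 if is_fraud else -0.1)
            WEIGHTS[x] = min(BOUNDS[1], max(BOUNDS[0], w))
    if is_fraud:
        DENY_LIST.add(t["payee"])
    else:
        learn(p, t)    # a verified-legitimate anomaly becomes part of "normal"

def tx(amount, payee, pc="CH", country="CH", device="phone-a", hour=12):
    return {"amount": amount, "payee": payee, "payee_country": pc,
            "country": country, "device": device, "hour": hour}

def build_history():
    p = new_profile()   # constructed year of modest domestic payments
    for i, amt in enumerate([45, 60, 52, 70, 48, 55, 63, 58, 49, 66, 51, 57]):
        learn(p, tx(amt, ["RENT", "POWER", "GYM"][i % 3], hour=9 + i % 10))
    return p

def demo():
    p, out = build_history(), {}
    # travelling: usual payee, device and amount, so location alone does not block
    out["abroad_usual"] = process(p, tx(58, "RENT", country="FR"))
    out["abroad_odd"] = process(p, tx(2400, "RENT", country="FR", device="laptop-x"))
    # student abroad: first transfer is held, confirmed genuine, second one passes
    first = tx(1800, "IBAN-DE-STUDENT", pc="DE")
    out["student_first"] = process(p, first)
    feedback(p, first, is_fraud=False)
    out["student_second"] = process(p, tx(1800, "IBAN-DE-STUDENT", pc="DE"))
    # a confirmed fraud deny-lists the beneficiary for every other customer too
    mule = tx(900, "IBAN-MULE", pc="LT", device="tablet-q", hour=3)
    out["fraud_first"] = process(p, mule)
    feedback(p, mule, is_fraud=True)
    out["fraud_repeat"] = process(build_history(), tx(30, "IBAN-MULE", pc="LT"))
    return out
```

Because feedback only moves a weight by 0.1 per verdict and never outside BOUNDS, the three or four confirmed frauds a bank typically holds cannot swing the scoring model, which is the "without unbalancing" property the paper attributes to Managed Learning.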

The opportunity for large companies to prevent payment frauds

This anti-fraud system is designed for use by banks, but it can also provide an additional line of defense for the treasury functions of large companies that process millions of payments each year. These companies can use anti-fraud software to check the payments routed through their enterprise resource planning system before they leave the company to detect transactions for unusual amounts or involving suspicious recipients. Major international companies deal with multiple banks in different countries, not all of which will be in a position to block suspicious payments using real-time anti-fraud systems of their own.

Conclusion

AI has a critical role to play in delivering effective solutions to EPF, but it is essential to understand the challenges that banking transaction data poses for those trying to use conventional ML approaches to detect banking fraud. The data sets are unbalanced, containing huge amounts of negative data and too little positive data to enable effective training of ML algorithms to identify frauds. Using conventional ML approaches in this context risks overfitting, resulting in algorithms that cannot identify a wide enough variety of frauds to be effective in real-world situations.

ML is not well suited to pinpointing payment frauds directly and therefore a different conceptual approach is required. Used in a smarter way, ML algorithms can make a major contribution to identifying suspicious payments and reducing the number of legitimate transactions that are captured in this group as false positives.

Success lies in achieving the optimum balance of AI and human input in detecting and preventing EPF. Using the Managed Learning approach set out in this paper, banks can achieve significantly higher rates of fraud detection, make much more efficient use of anti-fraud resource and deliver a customer experience that is less disruptive and more secure. In a situation where banks are coming under increasing pressure to refund all customer losses due to these types of customer-authorized fraud, the need to improve their defenses against EPF has never been greater.
