Images of a bank next to several money mules recruited to help fraudsters profit from instant payments fraud

With faster payment systems expanding globally, there’s a high probability that instant payments becomes instant payments fraud. The good news is that it doesn’t have to be this way. Here’s what banks around the world can learn from the UK’s pioneering experiment addressing instant payments and instant fraud losses.  

Preparing for an Instant Payments Fraud Surge

Following the launch of the UK’s Faster Payment Service, the financial services industry saw bad actors shift away from card fraud to instant internet payment fraud. This resulted in significant losses for banks who, in turn, responded by upgrading their defenses against account takeover attacks. 

That brings us to where we are today. Fraudsters realized the biggest vulnerability was no longer the bank itself – it was the customer. Hence, they moved to tricking legitimate customers using scams. Notable tactics include phishing, smishing, and vishing scams. Scammers typically pose as authority figures like a bank official or someone from law enforcement, or a technical support center offering to remove malware. Data from UK Finance found losses due to authorized push payment (APP) fraud reached £249.1 million in the first half of 2022. 

Instant Payments Open Money Mule Recruitment Doors

As the chart below indicates, we’re now at the fifth stage of the instant payments fraud journey. Fraudsters are now using a wide range of scams (including romance scams, investment scams, marketplace scams, and more) to trick customers. But scams aren’t the only tactic that fraudsters use following the launch of instant payment systems. They also need to recruit large volumes of money mules to monetize their efforts quickly.

The key benefit of instant payments is speed. Criminals will ramp up their money mule recruitment efforts prior to a scam campaign. Once fraudsters have received an instant transfer from their victim, they’ll use the same system to transfer funds to a different mule account, a tactic known as layering. They’ll repeat the process multiple times, to second- and third-generation mules, making it harder for banks to track where the payment ultimately wound up. A shaky economy gives criminals a strong opportunity to recruit more money mules into their schemes using enticing but ultimately shady job offers.

Image outlining 5 stages of Instant Payments Fraud Journey: Stage 1) Banks introduce instant internet banking payments; Stage 2) fraudsters shift attention from cards to internet banking; Stage 3) Banks see significant growth in losses and money mule account opening; Stage 4) Banks strengthen defenses with transactional analysis, device ID, and behavior biometrics; and Stage 5) Fraudsters shift efforts to APP scams and money mule recruitment as they priary method to defraud customers
Image outlining 5 stages of Instant Payments Fraud Journey: Stage 1) Banks introduce instant internet banking payments; Stage 2) fraudsters shift attention from cards to internet banking; Stage 3) Banks see significant growth in losses and money mule account opening; Stage 4) Banks strengthen defenses with transactional analysis, device ID, and behavior biometrics; and Stage 5) Fraudsters shift efforts to APP scams and money mule recruitment as they priary method to defraud customers

Challenger banks (aka neobanks) will be especially vulnerable to money mule recruitment. Rapid onboarding is one of the key selling points for these Fintechs. Unfortunately, this often means their onboarding controls are less thorough than a larger financial institution. 

UK Regulators Respond to Instant Fraud Losses

Regulators in the UK have already taken several steps to mitigate instant payment fraud losses. These steps include: 

  • Extending Confirmation of Payee: The UK Payment Services Authority extended Confirmation of Payee (CoP) last year. CoP is designed to stop funds from being misdirected by asking users to confirm the name and the sort code account number of their recipient. However, if a criminal’s scam is very convincing this only adds a small level of friction to a transfer.
  • Contingent Reimbursement Model: A significant share of UK banks have signed onto the Contingent Reimbursement Model (CRM) that agrees to reimburse some customers who face scam losses. 
  • Inbound Payment Monitoring: Using inbound payment monitoring, banks can monitor the recipients of a transfer. Receiving organizations may face a greater share of liability if it accepts funds from a fraudulent transaction. 

6 Things Banks Can Do to Stop Instant Payments Fraud

Inbound payment monitoring, CoP, And CRM are a good start, but they aren’t the final step to stopping instant payments fraud. Banks should take these additional steps to mitigate their fraud risk.

1. Educate customers on how instant payments work

Customers must clearly understand how instant payments are supposed to work. This knowledge is essential to ensuring they can use these systems responsibly. At the same time, banks should educate customers also customers on how these systems DON’T work. For example, teach customers that banks will never call them urging them to move their money to a different account. Banks should also insert educational opportunities into the customer journey such as giving customers a pop-up message before approving a transfer. This message can confirm that they intend to make the journey and ask if anyone is pressuring them to approve the transfer.

2. Focus on mobile registration

The registration of a mobile device remains the key control to prevent mobile fraud. Once registered it is either always the genuine customer or always the fraudster. Banks should also keep tabs on how devices are used across different accounts. If a single device is being used to reset multiple account passwords, that’s a red flag that someone is trying to commit account takeover fraud. 

3. Invest in technology and data to KYU

The most effective way to prevent fraud is to understand the habits of your customer base. Banks should invest in technology that maximizes the usage of data to help them know their users (KYU) and how they normally make payments. This knowledge is critical to understanding if a transaction has been approved by a legitimate customer or a fraudster.

4. Collaborate with other banks on money mules

Money mules are an industry-wide problem. Banks need to build collective intelligence to detect problematic accounts and close them. Inbound payments are not regulated at this time, but banks should consider implementing the process to mitigate scam losses.

5. Invest in real-time tools

In the age of instant payments, batch systems are far behind the times. These systems can only detect fraud after the event has transpired. For example, if an ATO attack occurred following a password reset, a batch system won’t detect it until too late. Banks need real-time tools to address the realities of real-time payments. 

6. Understand your customers across all channels

Bank customers can interact with their banks across multiple channels. This includes chats, call centers, websites, and mobile apps. Fraudsters frequently initiate password changes on one channel and commit instant transfer fraud on another. Banks need to have a holistic view of fraud to understand where the fraud is taking place. This may include unauthorized changes in credentials, an account takeover, or an unusual authorized transaction.

Payments are moving faster than ever. Today’s banks need technology and data solutions that keep pace with modern fraud.

Banner ad. Analyst Report. Quadrant Knowledge Solutions. Feedzai named a leader in the 2022 SPARK Matrix for Behavioral Biometrics. Spark Matrix 2022, Behavioral Biometrics, 2022 - includes competitive analysis and rankings of the leading vendors. Download now.