Real-Time Payments Sparking Fraud Worries Among FIs

Real-time payments may be booming, but they may also be growing targets for fraud — and credit unions and other financial institutions are getting worried, an industry pro warned this week.

The payment method, which allows financial institutions and members to pay bills and make payments almost instantaneously, can also enable criminals to avoid evade manual reviews, security measures that identify out-of-pattern activity and ACH service blocks, said Mike Lynch, who is chief strategy officer at San Francisco-based risk-profiling company Deep Labs. Growing account takeover activity, poor consumer password hygiene and social engineering vulnerabilities, among other things, may be helping criminals exploit real-time payments, he said.

“We have the perfect storm of many different factors at a high level, and now we’re moving money in real-time and we need to have a lot more security layers behind the scenes,” he said. “We can’t just have a rules-based approach. We need to correlate a lot of signals. So here is where you use device intelligence and behavioral analytics, et cetera.”

Real-time payment platforms aren’t necessarily the vehicles through which criminals are stealing data; they’re often the vehicles through which criminals can quickly exploit stolen data.

“It’s the tricking through social engineering or spoof calls for phishing,” he said. “That’s growing to be a pretty common technique and customers may be tricked into transferring funds to someone and never receiving the goods. So it looks like the money’s appeared in the seller’s account, but then a few days later [the platform] reverses the transaction.”

Credit unions and other financial institutions involved with real-time payment platforms should make sure they’re following best practices in terms of P2P security.

“Have some type of real-time risk analysis platform, embrace biometric features, use device intelligence,” he said.

Device intelligence helps credit unions and other financial services providers associate a specific device with a specific member, he explained.

“If the same device comes in across 20 different people’s credentials, you may have either a fraudster doing that manually or it could be a bot,” Lynch added. Being able to detect the location of a member’s device or IP address can also help credit unions flag out-of-the-norm behavior.

But one of the most effective things credit unions can do to keep real-time payments platforms from becoming vehicles for member fraud involves reaching out to payment platform vendors, according to Lynch.

“You need to approach them and say, ‘What are my fraud-prevention measures on your platform? What is it, or do I need to supplement those?’ I think that’s where you would start,” he said.

Credit unions should also invest in raising member awareness about how fraud happens, Lynch added. “A lot of people have been duped more on the social engineering fronts,” he said.