designsoliman - Fotolia

Why the current fraud model is broken, and how to fix it

Scammers and fraudsters are catching up with the good guys; a new technological approach is needed to fight skyrocketing volumes of digital fraud, says Darwinium founder Alisdair Faulkner

Digital fraud and risk teams seem to be locked in a perpetual game of catch-up. Every five to 10 years, new technology comes along which gives us an advantage, until the hackers and fraudsters evolve themselves – and so the cycle repeats.

Now they stand at another crossroads. Half (46%) of global organisations say they’ve experienced fraud over the past two years. And in the UK, losses on cards topped £272m in the first half of 2022 alone.

A new approach is needed to replace inefficient, high-friction tools that rely on data from “point-in-time” interactions, with continuous digital risk orchestration. The key to successfully managing risk in this new landscape will be the ability to scrutinise entire user journeys rather than siloed events.

The first decade of the modern era of fraud prevention began around the year 2000. Systems back then were on-premise and hardware-based, had long update cycles and were reliant on IP address and web server logs. Use of AI was limited, and fraud and risk data was rarely shared – perpetuating a disconnected view of the customer.

Roll on to 2010, and software as a service (SaaS) and application programming interface-centric services began appearing at leveraged shared intelligence across global networks. Device identification helped teams better understand users’ digital behaviour, while the emergence of authentication and bot detection suppliers further bolstered efforts to reduce risk.

Fraud and security offerings moved beyond simple rules-only decisions to more dynamic model updates and self-learning models for specific fraud typologies. The direction of travel was towards a better understanding and modelling of good customer behaviours – although systems were still unable to accurately spot first-party fraud, money mules and scam victims.

Today, we stand at the start of a new age of enlightenment, with the potential to deliver on the promise of unifying fraud and security teams via a single, centralised decision engine that can see across the complete customer journey and join the dots together between every online interaction. Systems must feature a high degree of configurability, rapid and frequent feature updates, and real-time, dynamic risk decisioning based on a better understanding of user behaviour and intent.

Why ‘point-in-time’ is failing

However, the reality for most risk teams is very different from this vision of the next decade. In fact, most are working with first or second-generation tools which do nothing to eliminate info-sharing barriers across teams. While security teams tend to have visibility across all traffic, they lack the context of fraud services that see what is going on at specific moments in time. Deep insight and context across complete customer journeys is the holy grail that is often evaded by legacy “point-in-time” offerings.

What’s more, these systems are currently too easy for fraudsters to circumvent, armed with tools to impersonate users with growing accuracy, and automated software that can rapidly scale up attacks and the testing of identities. Above all, they have a huge volume of stolen data on which to draw to hijack accounts, open new credit lines and make fraudulent payments. They’re also past masters at tricking users into handing over their personal information, or even to unwittingly making fraudulent payments.

The result: fraud losses and volumes are surging. Over £1.3bn was stolen by scammers last year in the UK, according to the trade association UK Finance. Worryingly, over £583m of that was down to authorised push payment (APP) fraud, which surged 39%. In these cases, the victim is tricked into making a payment to the fraudster, who typically impersonates a legitimate payee.

Most legacy tooling struggle to disrupt this type of fraud that is typically facilitated by complex social engineering over weeks or months or offer tailored solutions that can disrupt a customer’s payment journey.

Focusing on the journey

The surge in APP fraud perfectly illustrates why we need a more holistic approach to fraud prevention, focused on the entire context of a transaction across a complete digital journey. And although this starts with the person making the payment, it should also encompass intelligence around the beneficiary, and combine this intelligence into a scam model that can run in real time during payment journeys.

What does this look like in practice? Well, banks could look at whether there were any unusual interactions or hesitations during the payment journey. Behavioural biometrics could spot potential signs of coercion. Was the victim on the phone while making the payment? Are the journey pattern and payee details typical for that victim? Is the journey similar to previous scam journeys?

The bank could then assess the payee account. How long has it been opened for? Is it a risky account type (i.e. cryptocurrency)? Has it received a large number of high-risk payments in the recent past? All of this can be done in milliseconds in the background, with zero impact on user friction. Suspect transactions could be blocked outright, or tailored messages could be dynamically inserted during the payment journey.

Other examples include account takeover or payment fraud attempts. Imagine how much easier they would be to spot if the organisation was able to cross-check with a previous bot attack which tested the victim’s credentials? It’s all about profiling and collecting data from users’ online journeys, then risk assessing against information on devices, behaviour, identity, session and content.

Better behaviour all round

More high-quality data of this sort ultimately means better decision-making and reduced friction for the customer. In this way, good user behaviour can be baselined from historic journeys, so that even if a customer made an “unusual” purchase, perhaps for a high-value item, it would not be held up if the IP, device, location and behavioural indicators all suggested low risk.

Trusted behavioural patterns could also be cohort-modelled so that, even if a customer is new to a business, the chances of them being stepped-up for unusual behaviour is reduced.

Interventions, when they are necessary, can and should be made in real time, on a per-user basis and at potentially any point in the customer journey. That’s the way to protect reputation and customer loyalty while minimising fraud losses.

Alisdair Faulkner is CEO and founder of Darwinium, a supplier of next-gen customer protection platform services. Prior to this, he co-founded and scaled digital identity specialist ThreatMetrix prior to its multi-million dollar acquisition by LexisNexis Risk Solutions in 2018. He lives and works in Sydney.

Read more on IT risk management