From: The Latest Innovations in Payments and Treasury


Payments Unbound: Tackling fraud in a digital world

[Music]

Mike Frost: It's an exciting time for payments, with emerging technologies providing more diverse payment options. However, these innovations also bring fresh challenges for businesses in the fight against fraud. How can businesses ensure security for themselves and their customers, and what steps can they take to stay protected?

Vince Meluzio: It's really difficult for fraudsters to get through a web of multimodal indicators. That's things like the validation of counterparty identities and account information. It's screening your outbound payments. If you're able to do these types of things in near real time, you can really cut down on the type of fraud you're going to see.

Mike Frost: Welcome to Making Sense. Today, we're taking a closer look at fraud prevention and security around payments. I'm Mike Frost, product solutions director with trust and safety here at J.P. Morgan. I'm joined by my colleague Vince Meluzio. Vince?

Vince Meluzio: Hey, everyone. I'm Vince Meluzio, product solutions director here at trust and safety.

Mike Frost: So good to have you here with us, Vince. So today, we're going to be discussing a couple of different next gen approaches to payments, privacy and security. But really, we're going to focus it on the basis of the kinds of things that you and I typically see when we're out there talking with clients, the kinds of things that we're helping clients deal with and the things that we're seeing, and giving people a sense of what's out there. So why don't you take us through some of the common questions that we get, and we'll kind of tag team on responding to them?

Vince Meluzio: So I think one of the first questions that we hear from clients, or we're hearing a lot is just kind of understanding what the current state of fraud is in payments. So, Mike, maybe I'll ask you first. From your perspective, what is the current state of fraud in payments?

Mike Frost: Well, the current state of fraud in payments is that it is basically ubiquitous. It's everywhere. It is everyone's issue. And it used to be something that people would have to, at least in the treasury team, would say, “Oh, that's an IT issue. We don't deal with that.” There's fraud, operations, et cetera. And now, more and more, I'm hearing folks come in, and when they're trying to secure their businesses, they're thinking about payments as a pretty big area that they need to concern themselves with and protect. And unfortunately for them, many of them didn't get into the business of being in finance to fight fraud, but that is really what they're finding the issue is turning into. And you know, everybody seems to have a story with being victimized. I'll tell one example and, you know, then they'll come back and be like, oh, yeah, that happened to me. Maybe let's get into some of the challenges that clients are facing and what are the things that they're dealing with. What are some of the things that you're hearing there around challenges, Vince?

Vince Meluzio: Yeah, one of the biggest things that I hear almost every day is about business email compromise, and this is when you have, let's say, a vendor or a supplier in place, potentially even cross-border, and you're getting maybe a change of instructions from them. Except the problem is, is that that counterparty that you're facing off to was hacked. Their email system was hacked. And oftentimes, this doesn't surface until a few payments have been made. And then finally, that vendor kind of calls up asking for their funds. And our clients will say, well, we've been paying you this whole time. And then that's when they kind of realize, oh, no, that vendor got hacked, and all this money is gone, and I still owe my vendor, and I'm out this money. You know, making sure you're putting in place the right controls, performing callbacks, and having good validation services in place makes a lot of sense. How about you? What are you seeing?

Mike Frost: On the last topic that you mentioned, the validating, you know, payment information, businesses are really struggling to keep up. I mean, in many cases, they probably have good processes and procedures for validating payments, payment information, and supplier information. But they're doing it manually. They're doing it with humans, and you can't hire your way out of that problem. And that workload, unfortunately, does not decrease as time goes on. So they're struggling to keep up with the amount of work with their manual processes. They're also struggling with some of the increasing number and complexity of their treasury account structures, right? I mean, no longer are you really-- unless you're a small business working with like a single account. You usually have multiple accounts, and then maybe it's spread out over multiple business entities, maybe in different jurisdictions, and you have different functions. The problem, of course, that this generates is not really knowing exactly what sort of protections you may have on a given account that could help reduce the type of fraud that we're seeing and hearing from our different clients.

Vince Meluzio: Yeah, and one other one to add to this that just came to mind that I hear all the time, which is this balance between having a really good either consumer or vendor or employee experience, right, having a good counterparty experience, and putting in place good fraud mitigation processes. And you know, that concept and that conversation is something that we see all the time and, you know, striking the right balance between good friction and knowing when you can kind of straight through process because you've kind of done checks on the back end that satisfy kind of that control.

Mike Frost: That's a really good one. I'm glad you called that out. I've just seen and heard all kinds of scenarios where, you know, the process and things were all in place, and organizations were doing the right things. But hackers took advantage of basically the psychology of the people that are at the clients, which is just horrifying and, unfortunately, one of these, you know, ghost stories I think will be telling around the trust and safety campfire well into the future.

Vince Meluzio: Yeah, to that point, I think it's so important for organizations to have a consistent culture with controls, right? And you really want to-- you want to make sure that culture that's there is perpetuated up and down and, like, there can't be, you know, the exception made for the senior executive that says, I want this done now and just do it, right? If that's the culture that you have in your organization, you're putting yourself at risk for a fraudster impersonating you. I think that might be a good segue to this next question that I was thinking, which is, in what ways are you seeing technology change the fraud landscape?

Mike Frost: Oh, man. Technology is-- it's interesting, right? I mean, it offers opportunity for the organizations and clients that we serve, but it also supercharges the attacks that we see take place on clients. So the big thing, of course, you know, we're going to hit now, if you're playing AI buzzword bingo, here we are, generative AI. This one definitely is something that is of concern for clients justifiably because it makes people that, for example, may not speak the native language of the person that they're targeting speak that language perfectly, be able to write and compose a very perfect email and send that stuff off without any spelling errors, without any sort of tip offs that it might not be coming from the source you think it's coming from. So that piece has just made the attacks that fraudsters have always done more effective because it eliminates a lot of the errors that they were having before.

Vince Meluzio: Yeah.

Mike Frost: What about you? What sort of technology things are you seeing and hearing about?

Vince Meluzio: You know, it's rarer, although I think that may change. But one of the things that I think is very scary is deepfakes. Deepfakes are when effectively, fraudsters utilize technology to impersonate the voice or the image of whoever it is that they're trying to impersonate, in order to kind of trick you into doing something. And one of the most unfortunate cases that I heard of this was out of a firm in Hong Kong that recently, there was somebody who was called on to a Zoom call. They were called on to a Zoom call. They saw their CFO there. They saw senior leaders there. And so they assumed that everything was legitimate and fine. And they said, we're closing an M&A deal, and we need to wire some money out, and we have to get it out before the end of the day. And they're reading off account numbers. And this payables person is, you know, trying to do the right thing and get the money out, hit the deadlines before the close. And they hung up the phone. And when all was said and done, millions of dollars of that company's funds were sent out and gone. And the entire thing was orchestrated by computers. The entire thing was AI. And so when technology is getting to a point where you can start faking that sort of stuff, that's where that culture really becomes important in your organization to say, I know you're the boss, but you've told me to follow a process, and I'm going to follow the process that we all agreed to because those checks are important. So that, to me, is one of the biggest ones.

Mike Frost: So with that in mind, like, you know, the culture piece is a great lead in to this next question. How are you advising clients who seek advice on how to prevent or reduce fraud? You know, here at the bank, we just kind of have a comprehensive way of approaching things that we advise our clients to take as well. In other words, don't try and think of this as fighting it on one front. You really need to think holistically. So we kind of sum it up across five dimensions. The first dimension is prevention. You can prevent 100% of the fraud that could be perpetrated upon you if you spot fraudsters when you first encounter them. If you can, from an identity perspective, identify who they are, that's the best possible time to stop their fraud. So prevention is all about making sure the attackers don't gain a foothold to begin with. The second area is around detection, and this is, as it sounds, you're going to have to basically screen activity and look for risk or anomalies. There could be known patterns of risk. In other words, we know if these conditions are hit. This is probably going to be a fraudulent payment. But there's also maybe unknown ones, that you start looking for unusual behavior. And that's where some anomaly detection helps. After you're screening things, you're going to have some things that you're not so sure about. They look suspicious. That's where investigate, the third element of this, comes in. This is where a lot of companies have trouble scaling, of course, because from the investigation perspective, you tend to think, OK, well, I just need to hire more investigators to give more time for them to investigate, et cetera. You want thorough investigations, and you want the investigations to be conducted with a broad breadth of information, and you want those investigations to be well-informed from data. Now, some of the things that are going to be discovered in the course of an investigation is probably a new pattern. And that's where remediation, our fourth element that we talk about, is. When you spot a new attack pattern or you learn of a new thing that you need to stop, you need to implement it into your controls, your processes, your detection to essentially improve your ability over time. You want to make sure that your system improves. You don't want it to remain static because unfortunately, fraudsters have a nasty habit of continuing to shift and change their attack patterns. And then the last one is around containment, and this just refers to the idea, like, look. We can't prevent 100% of fraud. I mean, the only way I tell people you can do that is to simply not move any money, which, of course, is unrealistic. So containment basically is like, what procedures do you put in place to ensure that even if something is successful, that it does not have an impact of the millions of dollars example that, Vince, you mentioned earlier, that the firm in Hong Kong that was victimized by the deepfake experience. So instead, maybe you're out thousands of dollars, that you're containing the risk there. What about you? How are you advising clients to reduce or prevent fraud?

Vince Meluzio: Yeah, I'm a big proponent of leveraging as much data as is available and really looking at an extensive range of different types of validation instruments that create a mosaic of signals that help to slowly put together and bring clarity to decisions about fraud. And so it gives you a clearer picture. And then you combine that with that human process. We were talking a little bit about the culture of your organization. You combine that with that human process and some intelligent exception handling. And I think that's so key because it's really difficult for fraudsters to get through a web of multi-modal indicators. That's things like the validation of counterparty identities and account information. It's screening your outbound payments. If you're able to do these types of things in near real time, you can really help to cut down on the type of fraud you're going to see. So as we look ahead, what new developments are you seeing that are related to fraud payments?

Mike Frost: Well, at least on my side, things that I see more AIML that's going to be brought to bear by organizations to do two things. So if we think about the detection element that I mentioned earlier, AIML allows for much more sophisticated pattern detection, identification and to be able to say, hey, instead of if these explicit conditions are reached, we know it's fraud. That's business rules, and there's always going to be a role for business rules to spot fraud. It's going to allow the probabilistic element, and it is allowing the probabilistic element of saying, hey, this is close to conditions that we know to be fraudulent, a known fraudulent pattern. And this allows for scaling and being able to look for those patterns much quicker in that near real time scenario that you mentioned, Vince. The other thing that it'll do is it really starts to be able to allow clients to start looking for payment anomalies and not just anomalies sort of globally, meaning across all payment activity, but really get down and be pretty specific, say, just for that client. Is this anomalous payment activity for me? And more importantly, is it anomalous payment activity for this specific account, right? Because you could have multiple accounts that have different types of behavior, and you want to be able to not only stop known patterns but also just say, hm, maybe I want to take a second look at this thing that is unusual, say, if it's a payment that's made outside of business hours, that's typical for that account, or it's made above a certain threshold, that's historically been the case for that account. Or maybe it's to a new beneficiary. And there may be a harmless reason for all of this, but we want to hold it and maybe give it a second look before we allow money to go out, hit the payment rails, and then we have challenges clawing back. What about you? What are some new developments you're seeing coming on the horizon?

Vince Meluzio: For me, I think the big one is for all those who are processing ACH payments, not just new rules change, right? And you've got to really take some time to kind of look at what these rules are, and make sure you're putting in place a controls framework that really demonstrates that you're being compliant with these. And so I think there'll be a lot more to come, but it's an important thing to kind of stay-- keep a focus on and start thinking about what are the tools that you're going to put in place and what are your policies going to be to demonstrate that you're in compliance with this, especially if you're processing, you know, at volume and especially if you have a lot of counterparties.

Mike Frost: Great. All right, so we talked about a bunch of different things here. What are the takeaways we want our audience to have? What are the key things that they should maybe think about as they think about their own organizations and what they can do to address or arm themselves against payment fraud?

Vince Meluzio: Yeah, I think one of the most important things is to stay informed, stay aware, and it can't just be siloed to you. It has to be across your organization. You have to bring-- you have to bring a lot of people to the table. You need to have awareness about fraud because the attack vector from a fraudster is going to come from anywhere. It's not going to necessarily just be one or two people. It's not just a control person. It's going to be the path of least resistance. And so you need to make sure your whole organization is aware of fraud, they're up to date on kind of what are the different attacks that are coming, and at least have it top of mind and in the conversations of as much-- anything related to your funds movement, certainly, but just in general throughout your organization.

Mike Frost: Vince, that's great. Thank you so much for providing your insight. Thank you to our listeners for tuning in to another episode of Making Sense. If you want to dive deeper into the future of payments, check out the latest issue of Payments Unbound by visiting jpmorgan.com/payments-unbound. You can also find the link on our episode page or directly in the description on your favorite podcast platform.

Voiceover: Want to dive deeper into the future of payments? Check out the latest issue of Payments Unbound by visiting jpmorgan.com/payments-unbound. You can also find the link on our episode page, or directly in the description of your favorite podcast platform. The views and opinions expressed herein are those of the author and do not necessarily reflect the views of JPMorgan, its affiliates, or its employees. The information set forth herein has been obtained or derived from sources believed to be reliable. Neither the author nor JPMorgan makes any representations or warranties as to the information's accuracy or completeness. The information contained herein has been provided solely for informational purposes and does not constitute an offer, solicitation, advice, or recommendations to make any investment decisions or purchase any financial instruments and may not be construed as such. Copyright 2024. JPMorgan Chase and Co., all rights reserved. Visit jpmorgan.com/paymentsdisclosure for further disclosures and disclaimers related to this content.

[End of episode]

In this episode, we delve into the complexities of fraud prevention and security in the evolving world of payments. Join Mike Frost, product solutions director with Trust and Safety at J.P. Morgan, and his colleague Vince Meluzio, product solutions director, as they explore innovative strategies to combat fraud. Discover the challenges businesses face in maintaining security while providing seamless payment experiences and learn about the latest technological advancements, including AI and deepfakes, that are reshaping the fraud landscape.

This episode was recorded on October 7, 2024.
