Payments fraud climbs as banks reach for joint response
Attendees at Nacha’s Smarter Faster Payments conference last month were coasting through a late morning panel discussion on fraud just before lunch when one panelist’s comments stirred up the ballroom.
Consolidated Edison Director Frank D’Amadeo, who leads treasury operations at that utility, was asked by a moderator about “pain points” faced by companies amid rising payments fraud. With his response, D’Amadeo took on the banking and payments professionals packed in the room.
“There is a need in our country for fraud to be stopped before it even gets to us, and there’s a lot of data out there where, if the banking community shared information, they could prevent a good amount of fraud before it even occurred,” D’Amadeo said. “The banks need to do a lot more,” he said during an earlier panel, making the message clear for those attending the annual conference in Las Vegas.
His remarks sparked a mini-debate in the ballroom over whether banks are doing enough, jointly, to thwart criminals who shift from one bank to another, undeterred, in search of new victims.
JPMorgan Chase, the biggest bank in the U.S., didn’t respond to a request for an interview on the topic, but the moderator for one of D’Amadeo’s panels, JPMorgan Executive Director Steven Bernstein, opened with this: “Fraud is prevalent.”
Fraud has become a big problem for payments players, which include banks, processors, card networks and a host of intermediaries and fintechs. Now, the rise of faster digital payments, including the impending launch of the FedNow real-time system, and artificial intelligence innovations threaten to exacerbate the trouble.
Here’s how Thomas French, a senior fraud consultant at software company SAS Institute, described the current environment: “That's just a basket full of awful there, between scams, scams, scams and more scams. When you combine scams with faster payments, you get faster fraud.”
While there has always been fraud, it has worsened in the past year to 18 months, said French, who spent 27 years working for banks, including Bank of America and the former Wachovia and First Union. “It's the industrialization of fraud, where you’ve got different criminal rings doing different things,” he said in an interview this month. “I’ve never seen it so sophisticated, so fast, and so full of crooks in my 30-plus years.”
Bank customers have suffered alongside their financial institutions. The amount of money American consumers reported losing to fraud last year jumped 30% to $8.8 billion compared to 2021, the Federal Trade Commission said in February, and much of that fraud flowed through some part of the payment system. Those frauds took place in business, shopping, investment and online dating settings, among others.
Fraud in payments is rising with a surge at banks
The FTC was able to identify a payment method for 17% of consumer fraud reports last year. Of those methods documented, the biggest losses were in bank transfers and payments, with those losses more than doubling to nearly $1.6 billion last year, compared to $762 million in 2021. That payment channel constituted the single biggest area of fraud losses for the past three consecutive years, the FTC data showed.
While the most dollars were lost through bank payments last year, the highest number of fraud reports were regarding credit cards, according to the FTC.
Businesses looped into losses
With such large losses, it’s not just consumers being targeted for the frauds. It’s also companies of all sizes, including D’Amadeo’s power company servicing the New York City area. With respect to incoming customer payments, the utility receives 500 to 600 fraudulent receipts daily from valid debit accounts, but they are accounts for which a fraudster likely bought information on the dark web. In some cases, they even brazenly use Con Edison account numbers. That fraud is minimal, relative to the utility’s three million customers, he said.
But D’Amadeo worries more about outgoing payments. The company is “constantly” targeted by email scams in which con artists, purporting to be Con Edison executives or vendors, seek payments, putting hundreds of millions of dollars at risk. For instance, a firm to which Con Edison owes money may have been hacked, and the hacker sends the utility an invoice with accurate information, but an altered bank account directing money to the fraudster.
“The biggest concern we have is on the disbursement side where we’re being compromised and duped into changing payment instructions to a counterparty and, look, if you don’t catch it within the first 24 hours, you’re not getting that money back,” he said.
Smaller companies are targets too. Jefferson Grace, a Las Vegas detective who also spoke at the conference, described how one local business owner that had been in business for 30 years went belly up after he misdirected $1.1 million in payments to a crook impersonating a vendor. He explained how fraudsters take over or mimic email addresses and glean executive names from social media sites, like LinkedIn, to send persuasive emails.
Email schemes that trick corporate executives into sending payments to swindlers has become a major stumbling-block. “We’ve put so much trust into email that was never designed to be there,” Grace said. Multiple speakers at the conference stressed the importance of executives following explicit payment processing instructions to avoid fraud.
A big part of the problem is valid accounts being tapped by bad actors. In that “synthetic identity fraud” trend some pieces of authentic information are used to create the appearance of normalcy.
“Synthetic identity is a concerning and growing threat factor,” Visa’s head of U.S. risk, Dustin White, said at another April industry conference, the ETA's Transact conference in Atlanta. “It's fairly sophisticated, and it's very devastating because it's not a $500, $1,000, $2,000 fraud run that a financial institution has to deal with. These are like $80,000, $100,000, $150,000 bust-out schemes, per instance,” he said.
The Boston Federal Reserve Bank estimated that synthetic identities cost the U.S. $20 billion in 2021, White noted. “It's a very prevalent and growing threat vector,” he said.
The conundrum for payments and banking industry professionals alike is fixing the fraud without introducing too much “friction.” With the industry having made significant headway in making digital payments easy for consumers to use, banks and companies are reluctant to unwind features that have fostered more commerce, especially online.
Nacha pivots to fight fraud
Nonetheless, a consensus is emerging that something has to be done, and industry organizations capable of bringing the banks and payments communities together are mulling new approaches. One Citigroup executive at the Nacha conference caught up in the debate said: “It’s coming.”
A key player in any new effort would be Nacha, formerly known as the National Automated Clearing House Association. Indeed, it’s discreetly pressing for changes within its own community, including among its big bank operators, so that financial institutions take more responsibility to counter fraud.
Earlier this month, Nacha posted for public comment the outline of a new “risk management framework” it has under development in what it called a new era of fraud, where funds are mistakenly “pushed” by users into accounts where they shouldn’t be. The updated approach would address increasing fraud threats and attacks on ACH credits, wires, cards and other instant and digital payments, Nacha said.
“As a new risk management strategy, the Framework is intended to bring the ACH Network and the broader payments community together to address an emerging and important area of need, and to provide an overarching direction for new initiatives, guidance, rules and industry tools,” the May 2 Nacha executive summary said.
The aim of the new framework is to increase awareness of the illicit push schemes; reduce the success of those attempts at fraud; and improve the chances of recovering funds after the scams have occurred, Nacha said. A Nacha spokesperson, Dan Roth, didn’t respond to repeated requests for comment on the new framework.
Obstacles to cooperation
Part of the challenge in addressing the problem has been banks’ reluctance to share customer data with each other that might otherwise be helpful in fighting fraud, said Mark Dixon, who is vice president of education at the New England Automated Clearing House Association in Burlington, Massachusetts.
Banks have long been sensitive to sharing information in any way that might undercut their proprietary interests, but that attitude might be changing now, at least slightly.
“The industry is looking at how can we be more proactive with our communication,” Dixon said, pointing to Nacha’s new framework concept and a Nacha contact registry designed to help institutions talk to one another. “A challenge is going to be making sure all the institutions get on board with that.”
Increasing the difficulty is the fact that there are nearly ten thousand U.S. banks, creating a daunting task in allowing them to communicate with each other.
As part of the effort, Nacha developed the contact registry in 2020 and had taken on the arduous task of asking bank personnel to sign in. So far, the registry has 45,000 contacts.
Nacha’s operating rules require financial institutions to provide the contacts so professionals from other institutions can reach them if need be, and all of them are supposed to be willing to share information as a part of the reciprocity of receiving it.
“The intent of the registry is to provide consistent and accurate information for a financial institution that may need to reach another financial institution regarding fraud scenarios like business email compromise and vendor impersonation,” Jeanette Fox, Nacha’s senior director for risk investigation and ACH network risk management, said in an emailed statement.
Early Warning Services, the bank-owned operator of the payment tool Ze also operates a national shared database to which the largest U.S. banks contribute account information, but professionals note it has a significant gap in coverage because smaller banks have more than a quarter of accounts.
Banks launch another initiative
Other banking organizations also are brainstorming new ways of combating fraud. The American Bankers Association is working on a new anti-fraud prevention project with Early Warning Services, according to one well-placed industry source who asked not to be identified.
That effort is starting out with just a handful of banks participating and is about to kick off a pilot phase, the source said, declining to provide further details.
Sarah Grano, an ABA spokesperson, declined to comment, as did Meghan Fintland, a spokesperson for Early Warning Services.
Professionals from those organizations meet regularly to discuss fraud and risks, but French still has concerns that banks aren’t capturing and sharing as much information as they might. He notes that bankers are steeped in policies that keep them from sharing information with third-parties. Also, some professionals say they lean away from broadcasting new techniques for fear of tipping off fraudsters. “There is some sharing, but I think there’s a need and a desire for more sharing of different information,” said French, whose firm sells fraud analytics software.
Still, plenty of companies have been stepping up public campaigns to sell new fighting-fraud tools in recent months, including SAS Institute, card network company Mastercard, credit bureau Experian and a parade of fintechs introducing new services and products.
Europeans explore a new approach
Across the Atlantic in Europe, there has been more movement in terms of a collective industry response. A new concept of “authorized push payments” has taken root, with a sense of shared liability among banks for wayward payments, said Donna Turner, a former chief operations officer at Early Warning Services who is now a consultant for the auditing firm Ernst & Young.
European financial institutions on the sending side are now taking as much responsibility for fraud as those on the receiving end, Turner said. Increased data sharing among banks in Europe has unfurled with the open banking trend following a 2016 adoption of the European Union’s Second Payment Services Directive, known as PSD2.
Bank and payment actors on either side of a transaction have an increased incentives to change their behavior to fight fraud, Turner said in an interview this month. “It’s about protecting the ecosystem,” she added.
Participants in the U.S. payments ecosystem may be starting to embrace the same approach as they seek to build stronger industry defenses against fraud.
Caitlin Mullen contributed to this story.