A Guide to Anti-Money Laundering for Crypto Firms

There are various definitions of payment fraud, but simply put, it describes an illegal transaction that diverts money or creates false/unauthorized payments from a victim. This is often achieved by stealing their personal payment information or duping them into sharing it.

The 2022 AFP® Payments Fraud and Control Survey reports that 71% of organizations were victims of payment fraud attacks/attempts in 2021, costing businesses billions of dollars globally.

Customers must trust that their money is in safe hands. But one of the most challenging aspects of recognizing and tackling payment fraud is the complexity of the interconnected networks that underpin it. 

How Do You Recognize Payment Fraud?

With potential attacks coming from all directions, taking a proactive, coordinated approach to tackling payment and transaction fraud is vital, particularly with an increased risk of cybercrime. In our annual State of Financial Crime survey, cybersecurity has been cited as compliance teams’ top pain point for the last two years. 

But how do you recognize when it is happening? How do you detect the unusual behavior that could indicate fraud, and how confident are you that you know your customers’ identities?

Types of Payment Fraud

There are many types of payment fraud/transaction fraud, including:

  • Phishing – emails or websites that induce individuals to reveal personal information such as passwords and credit card numbers
  • Identity theft
  • Payment card fraud – card-not-present (usually online purchases) and card-present
  • Money mule-related fraud – often unwitting recruits used to launder proceeds of online scams and fraud (usually used in APP – see below)

In the UK, authorized push payment (APP) fraud rose by 71% during the first half of 2021 – with the amount taken exceeding card fraud losses for the first time. With APP fraud, a customer is tricked into authorizing a payment to an account controlled by a criminal or handing over personal details and passwords through tactics such as scam phone calls, text messages and emails, fake websites, and social media posts. 

Online Payment Fraud Risks

One of the most lucrative types of payment fraud is the Advanced Persistent Threat (APT), which uses sophisticated hacking techniques to gain unauthorized access to computer networks and steal data.

APTs are often state-sponsored and, according to the European Payments Council (EPC), “must be considered as a potential high risk not only for payment infrastructures, but also for all network related payment ecosystems.” 

(Distributed) denial of service ((D)DoS) is a form of online payment fraud in which criminals aim to make machines or networks unavailable to users to disrupt services, often through botnets (hijacked computer networks controlled by a hacker). The number of (D)DoS attacks remains high, and the EPC warns of systematic targeting of the financial sector.

Payment Fraud Red Flags 

A significant challenge in payment fraud is understanding the differences between good and bad transactions and deciding how to calibrate automated fraud detection solutions to capture relevant information. 

While some deviations from a typical customer profile should be simple to spot – shipping addresses too far from an IP address, information mismatches, etc. – fraudsters are becoming more sophisticated and are increasingly cautious about covering any gaps. That means that firms must be vigilant and conduct due diligence in checking for discrepancies.

Payment fraud risks to be wary of include:

  • Phishing – urgent or threatening language, requests for sensitive information, information mismatches, suspicious attachments, unprofessional design, URLs/email addresses that don’t match, a sender who doesn’t address the victim by name
  • Identity theft – unexplained charges or withdrawals, documents provided for ID that appear altered or forged, suspicious or inconsistent information provided, exceeding credit limits
  • Malware – software suddenly demands that information be updated, an alert warns that a device is full of viruses, offers to scan systems suddenly appear on-screen
  • Card payment fraud – substantial orders, or orders for multiple quantities of the same item, unusual cross-border transactions, large amounts of cash advances or luxury goods purchases, spikes in activity
  • APT – targeted spear-phishing emails, strange logins, information moved, widespread backdoor trojans, data collated ready for export
  • (D)DoS attacks – slow access to files, an excessive amount of spam emails, problems accessing websites, internet disconnection

How to Mitigate Online Payment Fraud Risks

A risk-based approach built around customer profiles, security, and payment flows is key to a robust payment fraud risk-mitigation program – alongside employee and customer awareness of red flags.

Proactive KYC and customer due diligence can help firms better understand their customers, but payment fraud risks need to be managed at every stage of the customer journey and throughout firms’ functions, from back-end to customer-facing.

Online payment fraud, in particular, is dynamic and will keep changing as criminals access new technology and techniques to circumvent controls – and firms need to be able to detect changing tactics.

Alongside encryption of transactions, regular changing of login credentials, and the use of up-to-date software, there are other measures that firms should consider: 

  1. Integrate biometrics and advanced identity verification (IDV) solutions during onboarding. Face, voice, fingerprints, or even veins in the hand or eyes, can enable strong authentication. However, consider if the technology is user-friendly, cost-efficient, and can be integrated into the broader KYC process.
  2. Dynamic transaction monitoring solutions can monitor risks in real-time, with practical case management that helps analysts prioritize the highest-risk alerts.
  3. While firms have adopted machine learning to automate processes, many are not optimizing its ability to help detect and tackle payment fraud. Benefits can include reducing operational costs and false positives and processing large datasets at speed to help detect fraud sooner. 
  4. Share fraud intelligence and information on incidents amongst firms and regulators. 
  5. Identify and complete regular training programs. Europol, for example, has organized courses on the forensics of payment card fraud. Topics include examining skimming devices, ATM logical attacks, and malware attacks.

Payment Fraud Success Story: RealPage

Property management firm RealPage processes up to 100 million transactions annually across a portfolio of more than 19 million properties worldwide. As a payments provider, it has a regulatory obligation to monitor transactions through its payment product, to ensure property management companies and their residents are effectively protected from illicit activity such as payment fraud. 

RealPage needed a transaction monitoring solution that could screen for evolving fraud typologies in near real-time. The ability to do this using custom scenarios not used by traditional financial institutions was key. Effective case management was also critical to enable analysts to manage and triage alerts effectively. 


Originally published July 26, 2022, updated July 26, 2022

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).