Alert Banner Text Goes Here Alert Banner Text Goes Here Alert Banner Text Goes Here Alert Banner Text Goes Here
What We Do
Since 1989, Bottomline has been modernizing global business payments with connected solutions for more than 800,000 financial institutions and businesses in 92 countries.
AP Automation AP Automation For Real Estate Payments Hub
Payouts Automation Payments Processing Receivables Automation Payments Hub
Paymode Pay Vendors Receive Payments Partner With Us
Connectivity Services Message Transformation & Enrichment Message Vault Risk Solutions
Connectivity Services Message Transformation & Enrichment Message Vault Payments Verification Payments Verification for Businesses
Global Cash Management Hub Digital Banking
Global Cash Management Hub
Who We Serve
Our Company
By Hagai Schaffer, Product Director, Bottomline
Payment fraud is growing and becoming a major concern for banks and other financial institutions. There is a variety of payment fraud schemes and methods as criminals are getting more and more sophisticated. Account Takeover (ATO) and Business Email Compromise (BEC) are just two examples of payment fraud schemes.
“The 2024 AFP Payment Fraud Control Survey found that 80% of organizations were victims of payment fraud attempts in 2023. This is a 15%-point increase over the previous year,” said Hagai Schaffer, Senior VP, Innovation & Technology of Cyber Fraud and Risk Management at Bottomline. “Many financial organizations are overlooking the risk from within when it comes to payment fraud,” he added, as it's arguably the hardest to detect.
Techniques for detecting payment fraud include the profiling of customers' behavior, and machine learning. These techniques can be effective to some extent and detect or block some fraud attempts, but typically attempts continue. One of the reasons is that when a payment fraud attempt is detected, it becomes evident that a certain customer account has been compromised, but the root cause of how this account became compromised – how the criminals got the information that enabled them to compromise the account in the first place – remains unknown in many cases.
Sensitive information on customers and accounts can be acquired by criminals from several sources. One source is the Darknet. Another is insiders within banks that may use their access rights to sensitive customer data for leaking this information to crime rings.
It’s a serious situation. A single bad actor with data access can do a lot of damage by leaving a digital back door open to exploit data later. A $25 thumb drive can cost a company big money by copying data from an unprotected laptop or server.
Stolen bank data can be up for sale on the Darknet the same day it was purloined.
Even when companies are actively pursuing the insiders behind disastrous data leaks, Schaffer said there’s a tendency to look for “unintentional data leaks” that are dangerous, but accidental. Someone innocently clicks on the wrong email, and it leads to cybertheft.
Unintentional data leakage is certainly a precursor to ATOs, payment card fraud, and other types of cybertheft that cause severe damage. But it’s only part of the problem.
It will come as no surprise that “intentional data leaks” are harder to detect and mitigate. The word “intentional” is the giveaway, as fraudsters know where the valuable data is and how to access it. Your payment partners ought to help combat this threat.
“There are still ways to protect against that kind of fraud,” Schaffer said.
“One of the ways is to profile what employees do. Not only when they make transactions or change something, but also when they just browse through sensitive customer information,” he added. “Just by monitoring this aspect, you may detect that this employee, and especially when they're able to work from home, nobody is watching and they have access, can leverage that access and pull thousands or millions of records.”
Interdiction is challenging, as Schaffer noted that log files are a prime source of information to detect theft, be it money or data, but insiders are getting too tricky to leave a trail.
More insiders are now patiently inspecting data for weeks or months, looking for ways to get what they’re after while avoiding detection. For example, insiders may browse data, then instead of exporting it in a detectable way, they simply take screenshots on their smartphones. It’s a devious form of cybertheft that’s hard to detect, but not impossible.
Banks and corporates can profile what a user does, using controls and alerts to reveal when browsing is out of the norm or excessive. Such indicators can be very effective, but it’s not ideal in these cases. There are better ways to find the sneakiest inside fraudster.
“Another way [to detect insider fraud] is having central monitoring of both external risks or access to customer data or accounts or making payments in online portals or in other payment channels, then to correlate this information with the monitoring that you do inside. That's something that most organizations don’t do,” Schaffer said.
In this way, suspects are more quickly narrowed down, and investigators can focus on a smaller group of individuals whose data access is suspicious and fits the fraudster profile. It doesn’t end the game of cat and mouse, but it’s a good tool for thwarting insider fraud.
In many countries it’s not mandatory to report insider fraud incidents, and that allows the problem to move from one bank and one country to another, evading discovery. However, banks and corporates are wising up to the insider fraud threat and taking steps to stop it.
While some privacy questions are unanswered regarding work from home setups, Schaffer said “This remains a major issue. Many organizations continue to work in hybrid mode, and when employees work part of the time at home, they have many more opportunities [for insider fraud]. Many surveys show that during COVID [lockdowns], insider risk increased.”