Executives on the front lines of the financial fraud and cybercrime wars know they’re not exactly winning. Yet. Many are hoping more industry collaboration will take the fight to the fraudsters and make real progress against a pernicious multi-billion-dollar problem. 

That mindset was on display at the recent 2024 UK Fraud Leaders’ Summit in London. Expo-style glitz was toned down for the July gathering, replaced by preset meetings between solution providers, corporates, banks, and FIs seeking partners in anti-crime. 

Framing the issues that dominated discussions, Ruud Grotens, CFCS, Head of Fraud and Financial Crime Solution Consulting at Bottomline, said the unity message resonating through this event (and others) is a smart way to slow the roll of financial fraud.

“Collaboration among industries, regulators, and law enforcement was emphasized as essential for effective fraud prevention,” Grotens said. “This includes sharing information and aligning policies to combat fraud collectively.” 

However, getting competitors to lower their guard and work together is another story. 

Strategies discussed at the event include collaboration, technology upgrades, and policy adjustments. “However, barriers to data sharing—like regulations, vendor interests, and competition—hinder effective information exchange,” Grotens said, describing the difficulties.

“Some argue that regulations such as GDPR slow [industry] progress. But innovations in technology, especially in anonymizing data, are crucial,” he added. “Despite these efforts, evolving fraud tactics and regulatory challenges indicate that the battle against fraud in business payments is ongoing,” with fraudsters still outmaneuvering mitigation efforts. 

As with other forms of crime, financial fraud is often underreported or unreported to law enforcement or government agencies. That’s another obstacle. For example, Grotens pointed to the substantial number of non-financial institutions attending the summit, saying fraud loss in some verticals “is often viewed as a cost of doing business, and treated as a P&L matter rather than a financial crime.”

But ignoring the problem and writing off fraud losses as a cost of doing business is a mistake that harms revenues and emboldens bad actors over time. 

“It's imperative to respond to it,” he said. “Reporting fraud to law enforcement or regulators is crucial both ethically and financially, and often mandated by legal obligations.”

 

Deepfakes and the AI Threat 

Efforts to combat business payments fraud face increasing challenges such as identity theft, cross-border fraud, and the use of advanced technologies like deepfakes and AI by fraudsters. Fraudsters mimic legitimate entities using tactics like phishing and voice/video deepfakes to deceive victims. Adoption of technologies such as Gen-AI by legitimate companies is seen as lagging behind that of fraud rings, which use its powerful capabilities to commit cyber theft.

“AI and machine learning are dual-use technologies,” Grotens said. “Businesses employ them for fraud detection, while fraudsters exploit them to automate attacks and evade security measures, creating an ongoing challenge.” 

Insider threats are compounding these risks, with Grotens pointing to “malicious insiders” who exploit access to sensitive information or systems to facilitate fraud and may also collaborate with external fraud rings. Despite efforts to counter these threats, it remains a constant game of cat and mouse, worsened by the cross-border nature of online payments and regulatory disparities across jurisdictions. 

Grotens clarified a striking reality: “Fraud is a predicate offense. It's usually part of a much larger crime. So, if fraud is taking place, the next step is money laundering or terrorist financing. That's why I'm saying there’s almost an ethical obligation to report it.” 

 

Defeating ATO and CATO Attacks 

Account Takeover (ATO) and Corporate Account Takeover (CATO) attacks are particularly perilous, with one keynoter, Experian Senior Financial Consultant Grant MacDonald, saying that 36% of UK consumers are concerned about online activities due to the rise in identity theft. This is impacting the trust that grounds relationships.

Grotens was a guest panelist on the talk track "Under Siege: Defending Against Account Takeovers." Regarding account takeovers, he said effective countermeasures include: 

  • Multi-factor authentication (a.k.a. Strong Customer Authentication) 
  • Behavioral analytics and anomaly detection to identify unusual activity
  • Comprehensive employee training on phishing and social engineering 
  • Real-time transaction monitoring with alerts and interdiction capabilities 
  • Collaborative information sharing among institutions and law enforcement 

Authorized push payment (APP) fraud and business email compromise (BEC) often lead to ATO or CATO incidents. Given the escalating costs of payment fraud in countries like the UK and US, financial institutions are adopting new defense strategies such as Confirmation of Payee, Grotens said. Additionally, the UK government plans to introduce legislation granting banks an additional 72 hours to investigate suspected fraudulent payments, underscoring the urgency in combating these threats. 

 

Cutting Fraud Budgets Invites Risk 

Among the many facets of fraud addressed at the summit, the topic of underinvestment was a recurring theme, exposing how vulnerabilities are created by short-sightedness.   

“Some non-bank financial institutions and corporates have underinvested in cyber defenses, relying on outdated legacy technology and home-built solutions that lag behind current trends,” Grotens said, adding that it's crucial to quickly modernize defenses.  

The concern is that fraudsters, operating with advanced technologies and organizational sophistication, innovate faster than the industry's fraud mitigation efforts. There is also a heightened risk of internal threats and collaboration between malicious insiders and external fraud rings. Organizations that have underinvested must upgrade their fraud defenses to effectively counter these evolving threats. Criminals always exploit vulnerabilities.

“Data breaches expose employee and customer information to risks like identity theft. Insider threats, including data theft and collusion with external fraud rings, also require attention,” Grotens said. “While cyber security training is widespread, there's increasing recognition of the need for comprehensive fraud training as threats continue to evolve.”