Advancing cyber-criminal protection strategy

A NEW APPROACH TO FIGHTING FRAUD WHILE ENHANCING CUSTOMER EXPERIENCE

INTRODUCTION

The speed of digitalization also brings greater vulnerability to fraud and crime. Organizations must simultaneously combat fraud and serve customers with a seamless digital experience. Digital adoption skyrocketed during the COVID-19 pandemic, advancing "a decade in days" and accelerating the trend toward digital and multichannel client service that began in the 2010s. The pandemic-propelled boost to e-commerce is estimated to have exceeded $200 billion in 2020 and 2021. Widespread digitalization has empowered new forms of criminal activity and increased the importance of competent online crime management for encouraging growth and fulfilling customers' increasing expectations for digital experiences. Although most companies have improved their digital user interface and experience, many have not effectively advanced fraud controls without impairing the client experience. Many organizations report being perplexed by the sheer volume of fraud attempts. In financial services, for example, many banks are so besieged by fraudsters that they cannot meet online origination targets; they are unable to verify identities and authenticate customers while combating fraud. At the same time, fraud threat vectors have become significantly more sophisticated. They include nation-state actors, organized criminals, cyber terrorists, and insiders, in addition to local fraud rings. Advances in technology present risks, as fraud attacks occur frequently and with speed and efficiency. The most-used methods include phishing, destructive malware, social engineering, deep fakes, and fraud-as-a-service exploit kits.
Faster movement of money usually increases the risk of fraud, and real-time disbursements are set to double in 2022 from 17 percent of disbursements in 2021. Cryptocurrency opens up new threat vectors that companies must learn to defend against; examples include crypto ATM scams, crypto support impersonators, crypto confidence scams, and the use of stolen credit cards to buy crypto. Risk escalates further when unsuspecting customers inadvertently share their authentication details with fraudsters targeting their devices and accounts.

The evolution of fraud threats has undermined the effectiveness of a reactive approach to combating fraud, which focuses on preventing schemes case by case through manual reviews. We therefore propose a new approach to fraud and the client experience that addresses the new reality. To apply this approach effectively, companies must reinforce core capabilities (the immune system) and advance their ability to continually detect and foil vulnerabilities arising from new fraud methods and patterns.

Immense value is at risk for companies and customers

The increased volume and greater sophistication of fraud have created two types of issues for companies: first, higher costs relating to fraud losses and operations to combat fraud, and second, significant customer experience challenges. This has created an opportunity for leaders to reduce costs and create standout client experiences by investing in tech-enabled client journeys and fraud processes. Fraud losses have increased dramatically. Data from the FTC and FBI paint a dangerous picture. In 2021, fraud losses in the US rose to $5.9 billion, and internet crime losses soared to $6.9 billion—increases of approximately 436 and 392 percent, respectively, compared with 2017. The US is not alone in this fight. Many global markets including Asia, Australia, the Middle East, South America, and Europe have experienced a similarly sharp increase in the magnitude or concentration of fraudulent activity. Companies have typically regarded investments in fraud defenses as simply a cost of doing business. However, they reported that threat levels for fraud and identity threats are now so intensified that CEOs and business leaders are paying full attention. Regulatory scrutiny of fraud management controls also demands robust fraud protection technology. Further, companies not only bear the direct cost of fraud but also lose sales when legitimate transactions are denied or when customer attrition occurs at the point of sale or point of interaction. This increases insecurity and dents customer trust. Up to two-thirds of declined sales transactions are false positives. More generally, fraud is also hurting customers’ trust and willingness to use services. For example, more than 10 percent of credit and debit card users experienced fraud over a 12-month period. In most cases, these events not only prevent customers from completing their transactions but also raise stress levels.
In a survey of banking customers who were fraud victims, 70 percent reported having felt anxious, stressed, displeased, or frustrated when they were warned about potential fraud.

The same post-fraud survey made clear that customers perceive true fraud events—situations where fraud is not just suspected but actually occurring—as moments of truth that, on average, actually tend to increase their satisfaction with their service provider. But the impact in individual cases depends on how companies handle the fraud issue, with customer satisfaction ratings ranging from very high (customer satisfaction score of 82 points) to very low (customer satisfaction score of ?58 points). In addition, among “Detractors”—customers who had a bad experience related to the company’s handling of fraud—37 percent of all detractors closed the account or significantly decreased their use of it.

The new tactic: Swift, Stable, and Cooperative

An important tension exists between controlling fraud and optimizing the customer experience because tighter fraud and customer protection controls often add friction to the customer experience. The new method joins a best-practice fraud model with customer experience thinking to strike a balance among several goals: loss prevention, customer protection, cost optimization, improved customer experience, and new business value. Organizations need to consider authentication, fraud management, and customer experience simultaneously—not individually, as they are often treated today. Poorly designed authentication experiences have an unreasonably negative impact on customer engagement, fraud mitigation, and operational efficiency. To foil threats and enhance customer experience, organizations need to redesign customer and internal operations and processes based on a continuous assessment of actual cases of fraud along key customer journeys.

Companies fail to do this today because they frequently do not understand the trade-offs in their current setup and have not seriously considered how they might redesign their processes and operating model to optimize these. Sales and marketing, customer experience, fraud management, and compliance groups often operate separately and rarely share information or collaborate on meeting integrated objectives and achieving the right balance. Additionally, companies often do not systematically track how the performance of their fraud controls involves trade-offs with customer satisfaction, customer engagement, and attrition. As a result, they are not able to evaluate rules, models, and controls to understand their true impact on fraud losses, profitability, and customer experience. To execute the new approach, companies require actions across the fraud value chain, from deterrence and prevention to detection and investigation, to handling any disputes that arise. All of these actions should be taken within the context of establishing an appropriate fraud strategy and paying careful attention to customer experience.

Fraud strategy

Companies need a comprehensive fraud strategy optimized across the full ecosystem. The fraud strategy should reflect a company’s client, channel, and product strategies; have a clear view of customer experience and identity controls; and balance fraud reduction, customer protection and experience, operating cost, and business value. It should be integrated with enterprise strategic priorities (for example, incorporating the risk appetite for fraud into target customer journeys) and directly linked to performance.

Prevention

Leading organizations cause so much buzz around their fraud capabilities that bad actors are deterred before they even attempt to commit fraud. For example, a Latin American auto loan company was so effective at marketing its tracking and monitoring capabilities as security for customers that fraudsters were deterred from stealing the cars in the first place. Further, card companies that lack a strong fraud management program are more appealing to purchasers of compromised data, while leading companies now market strong fraud protection to new potential clients.

Risk assessment

Leading organizations continuously pursue emerging threats (including fraud, cybercrime, and money laundering) and assess their potential impact. Monitoring of controls used to mitigate risk can reveal the effectiveness of the control or its usage strategy. The insights inform a fraud taxonomy used to assess vulnerabilities. The outcome is a heat map updated in real time that shows where controls need to be improved to prevent fraud or where excessive friction is causing legitimate customers to abandon transactions.

Controls and usage strategy

Having controls that are durable, flexible, and adaptive is crucial to any fraud management program. Further, having the right supporting analytics is fundamental to the control’s effectiveness. Detection platforms that incorporate broadly based and detailed information can identify existing and emerging fraud attacks, whether they occur in the new account acquisition stream (identity theft), are perpetrated against existing legitimate customers (account takeovers), or arise from the theft of services (such as reward program theft). Artificial intelligence and machine learning (AI/ML technologies) support these approaches.

Spreading widespread awareness and education

Top performers effectively promote consumer awareness and education relating to fraud and cyber threats. They use viral channels and social media to maximize reach. For example, in conjunction with Emirates NBD, local law enforcement adapted the lyrics of Jamaican singer Shaggy’s 2000 hit “It Wasn’t Me.” They created a compelling video that warned residents about the dangers of fraudsters. Some organizations offer customers prevention services at low cost or without charge, or they partner with antiphishing or antivirus software vendors to provide customers with tools to prevent phishing attacks on electronic devices. Device-based customer alerts related to online and/or overseas purchasing, spending velocity, or balance thresholds can notify customers of suspicious activity (at their choosing), allowing them to protect their accounts more actively. Last, some companies build awareness through transaction analysis and alerts that educate customers and empower them to monitor potential suspicious activity on their accounts. For example, Capital One’s Second Look flags certain transaction patterns, such as an unusually high restaurant tip or duplicate transactions, and alerts customers.

Authentication

Robust customer onboarding and validation are increasingly vital. It is critical to design the fraud technology stack to allow iterative, fast-paced testing (including test control) across numerous types of fraud checks. (Illustration: a new dynamic multilayered control stack for new digital applications.) This is a critical way to balance fraud control friction and customer experience, as customers do not value security and convenience equally and differ in their expectations for control, transparency, security, and convenience. Considering how different segments of customers react to a transaction denial, one bank introduced new ways of handling transactions flagged as potentially fraudulent. The bank sent customers in some segments a mobile alert that they could simply respond to in order to confirm the authenticity of a transaction. In other cases, the bank approved small transactions it would have previously denied and then sent the customer a follow-up email confirming the transaction. This solution not only reduced lost sales and cut the cost of fraud management but also increased overall customer satisfaction.

Detection and Identification of fraud attempts before success

Leading organizations use ML algorithms and attempt to utilize all available data to achieve a step change in the accuracy of fraud detection. They seek to reduce noise (false positives) and the risk that fraudulent transactions are missed (false negatives). For example, to thwart efforts by organized crime to steal equipment, a Brazilian telco uses powerful algorithms and a sophisticated escalation approach to verify and authenticate risky transactions. The score produced by an algorithm can be augmented by rules that improve fraud detection while removing “goods” (that is, transactions that are not fraudulent) from the suspect populations. Usage pattern profiles allow companies to detect previously unseen types of fraud attacks. Further, companies can use closure data in the detection queues to identify fraud attacks faster, well before the dispute is fully examined. This reduces “learning” time (the time it takes to detect fraud and false positives) and the costs of fraud. In addition, companies can use customer information and machine-learning models to ensure that models are not flagging false positives that affect customers’ experience and ability to complete transactions.

Investigation

Leading organizations support their investigation agents with sophisticated tools and artificial intelligence—for example, to determine the next-best action. In some countries, payment networks (such as Spain’s Iberpay) support collaboration on investigations, and this collaboration helps with future prevention strategies. Some banks are also forming cross-industry collaborations, such as with cable companies to detect and prevent fraud from SIM swap schemes.

Dispute handling

Self-service options make it easier for customers to file a dispute, raise a fraud claim, or check on the status of a dispute or fraud claim. Best-in-class institutions use a fully automated, straight-through approach to handle fraud claims in which automated decision engines apply calibrated red flags and white flags (for example, the first claim of a customer or value thresholds). Leading companies have an end-to-end automated dispute process, from customer interaction (for example, via website or app) to straight-through processing of up to 60 percent of fraud claims.

Client experience and delivery

Organizations need to deliver experiences across two critical customer journeys: false positives and true fraud. For false positives—transactions flagged for fraud that turn out to be legitimate—the goals are to avoid impeding a customer transaction and minimize the hassle and embarrassment of a decline online or at a point of sale. The easier the remediation path for a false-positive transaction, the more tolerance an organization will have for strict fraud controls. Beyond calibrating their detection platforms, companies can use multiple channels to interact with customers and enable them to act. They can rapidly and explicitly communicate about potential fraud via customers’ preferred channels (for example, alerts, texts, phone calls, and email), enable customers to identify fraudulent transactions or validate incorrectly suspected transactions themselves, and adjust the actions they take based on the risk, so as to minimize friction. For example, one bank flags certain transactions as potentially fraudulent but processes them and lets customers dispute the charge if the transaction is actually fraudulent. For true fraud, companies have a unique opportunity to deliver an experience in which customers feel swiftly taken care of and protected. A post-fraud survey identified security, speed, and transparency as the key drivers of customer satisfaction. Customers value the speed when organizations react to fraud events in seconds and protect their accounts against future fraud. They are also willing to take actions to better protect their accounts going forward, including, for instance, sharing data and using features such as geolocalization. About 39 percent of customers would even consider paying an additional fee to enhance protection. Last, customers want to understand how the fraud occurred, so they will feel reassured and trust their service provider in the future.
For both false positives and true fraud, communication is a powerful bridge between fraud prevention and customer experience. Good communication reassures customers and makes them much more amenable to taking an extra step by helping them understand why an action is required. To effectively apply this underused lever, companies need new processes and a customer-centric culture across the organization.

Shifting to a proactive, customer-centric approach

Fighting fraud must be a top priority for CEOs across all industries. The new scale and sophistication of attacks can cripple even the largest organizations and threaten customers’ trust. Smaller start-ups and fintech companies may stay beneath the radar for a while, but they will become credible targets as they scale. To fight the threat, organizations need to achieve a seismic shift: from reactive and siloed fraud mitigation to a proactive, customer-centric, integrated, and continuously evolving approach. An effective approach relies more on AI/ML; employs actionable analytics combining scores, rules, and red flags; and uses technology to deliver a growing share of customer experience and advanced authentication. Effort is still needed to enhance the capabilities that will equip organizations to assess and address risks and effectively limit fraud in a way that restores customer trust and loyalty. This comprises enhanced threat intelligence along client journeys, fast-cycle testing to stop threats as they emerge, advanced data, technology, and analytics capabilities, and the use of an integrated operating model to support the business in making trade-offs among fraud, client experience, volumes/revenue, and cost.

Four prime capabilities to bolster fraud management system

With new, sophisticated fraud methods emerging and fraud attempts surging, companies must continually identify and address vulnerabilities. Success will require core capabilities in four areas. Burgeoning levels of fraud, enabled by the accelerated adoption of digital commerce and the ever-increasing sophistication of fraudsters, have overwhelmed traditional controls in recent years. This surge has led to increased fraud losses and damaged customers’ experience and trust.

Across the banking, payments, insurance, e-commerce, and telecommunications industries, and in governments, leaders must find new ways to fight evolving fraud threats while still delivering world-class client experience and enabling new business. Beyond the risk and economic impact, each fraud event is also an opportunity for companies to support and stand by their customers to form relationships of trust and loyalty. Some organizations will fail to act, and if tested by fraud actors, they may have their weaknesses exploited at a scale they have not previously experienced. For large organizations beset by a large-scale attack, losses from fraud may exceed many hundreds of millions of dollars—a figure that excludes regulatory implications, damage to the brand, and customer attrition. These companies will also face challenges in achieving strategic growth objectives on digital channels. We proposed a new approach to addressing the new reality of escalating fraud threats. This approach includes ensuring the company has an end-to-end fraud strategy, creating a reputation that deters fraudsters, conducting constant risk and threat assessment, establishing a flexible, adaptive control strategy, and taking a proactive approach to consumer awareness and education.

Advanced threat intelligence along client journeys

Even as fraud threats have become more sophisticated, customers are demanding more streamlined and low-friction journeys. Addressing these challenges requires an enhanced strategy that has strong customer experience and fraud prevention components and bases its long-term success on prioritizing 360-degree intelligence: we must know our customers (via authentication, usage profiles, and preferences), know ourselves (business activities, risk-prone areas, and ability gaps), and know our adversary (competitors’ motivations and tactics). This additional threat intelligence equips organizations to design the appropriate controls and deliver them across their customer experiences seamlessly. However, analyzing the huge volume of intelligence data now available is a real challenge. The traditional manual approach driven by individual investigators will no longer suffice. Instead, companies need a new at-scale, technology-enabled solution and a multidisciplinary approach. A client intelligence and fraud prevention center can better source and integrate threat intelligence and analysis to serve antifraud decision-making. This involves the creation of trusted stakeholder networks—that is, a “team of teams”—both within the organization and among clients, partners, and government entities, to facilitate collaboration across silos and organizations. The cross-functional team includes business leaders, experience designers, marketing specialists, product development specialists, fraud specialists, investigators, operations specialists, data scientists, technologists, and cyber experts. The process by which organizations convert intelligence from multiple sources into actionable strategies, enhanced controls, and operational improvements.

Fast-cycle testing and feedback

To ensure that client journeys and controls provide the required protection against vulnerabilities and that the organization meets defined objectives (losses, volumes or revenue, customer experience, cost), companies normally perform two types of testing:

Retro-testing. This entails running anonymized data on an aged file to identify nonfraudulent and fraudulent behaviors and match them against actual outcomes, using historical data. At one organization, business leadership was surprised when a new fraud control caused the loss of a significant amount of business. This could have been largely averted by retro-testing the control against historical populations to gauge the outcome before implementation was underway. Spelling out all the key outcome drivers would have allowed the company to determine which variances, if any, were the root cause of the lost business and enabled it to devise a plan to address these variances.

Champion/challenger (A/B) testing. This entails identifying test parameters, related drivers, success measures, and a test population (the “challengers”) opposite the designated “champion” group, in a live business environment. Leaders in the payments industry rigorously use A/B testing to randomly present champion and challenger versions of the client journey and control setup in live tests. Determining which version performs better enables them to identify the impact on fraud rates and customer satisfaction. This is one of the most effective ways to quantify the trade-offs between customer experience and fraud losses. For example, a leading financial institution wanted to increase application completion rates without raising fraud levels. The institution used A/B testing that evaluated different thresholds for identity verification and device risk, thus determining the impact on fraud rates and customer satisfaction.

Learning from ongoing tests requires a mindset shift by business leaders and specialists in operations, technology, customer experience, and compliance and risk. Test results should be synthesized and reviewed in a rapid feedback loop (for example, in less than one week and increasingly in real-time). By adopting this rapid testing cycle, the organization can continuously adapt its fraud controls and prevention measures as fraud threats evolve.
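
A retro-test of the kind described above, as an added example that is not part of the original article: it replays a champion and a challenger control over a historical file with known outcomes and attributes the blocked legitimate sales to the rule clause that caused them. The transaction file, field names, thresholds and both controls are constructed for illustration.

```python
"""Retro-test two fraud controls against a constructed historical file."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    model_score: float  # assumed upstream risk score in [0, 1]
    new_device: bool    # first time this device is seen on the account
    is_fraud: bool      # actual outcome, known from closed disputes


# Constructed sample data (anonymized "aged file" with actual outcomes).
HISTORY = [
    Txn("t01", 40.0, 0.05, False, False), Txn("t02", 1200.0, 0.91, True, True),
    Txn("t03", 75.0, 0.62, False, False), Txn("t04", 640.0, 0.30, True, False),
    Txn("t05", 300.0, 0.72, True, True),  Txn("t06", 25.0, 0.10, False, False),
    Txn("t07", 900.0, 0.40, True, True),  Txn("t08", 55.0, 0.85, False, False),
    Txn("t09", 510.0, 0.20, True, False), Txn("t10", 130.0, 0.15, False, False),
    Txn("t11", 220.0, 0.55, True, True),  Txn("t12", 80.0, 0.66, False, False),
]

# A control is an ordered list of named clauses; any hit declines the txn.
Clause = Tuple[str, Callable[[Txn], bool]]
CHAMPION: List[Clause] = [("score>=0.80", lambda t: t.model_score >= 0.80)]
CHALLENGER: List[Clause] = [
    ("score>=0.60", lambda t: t.model_score >= 0.60),
    ("new_device&amount>=500", lambda t: t.new_device and t.amount >= 500),
]


def first_hit(control: List[Clause], t: Txn) -> Optional[str]:
    """Name of the first clause that declines the transaction, else None."""
    for name, predicate in control:
        if predicate(t):
            return name
    return None


def retro_test(control: List[Clause], history: List[Txn]) -> dict:
    """Replay a control over history and measure both sides of the trade-off."""
    m = {"declined": 0, "fraud_caught": 0, "false_positives": 0,
         "missed_fraud_amount": 0.0, "lost_sales": 0.0,
         "lost_sales_by_clause": {}}
    total_fraud = sum(1 for t in history if t.is_fraud)
    for t in history:
        clause = first_hit(control, t)
        if clause is None:
            if t.is_fraud:  # false negative: fraud that the control let through
                m["missed_fraud_amount"] += t.amount
            continue
        m["declined"] += 1
        if t.is_fraud:
            m["fraud_caught"] += 1
        else:  # false positive: a legitimate sale the control blocked
            m["false_positives"] += 1
            m["lost_sales"] += t.amount
            by_clause = m["lost_sales_by_clause"]
            by_clause[clause] = by_clause.get(clause, 0.0) + t.amount
    m["detection_rate"] = m["fraud_caught"] / total_fraud if total_fraud else 0.0
    m["false_positive_share"] = (
        m["false_positives"] / m["declined"] if m["declined"] else 0.0)
    return m


def compare(champion: List[Clause], challenger: List[Clause],
            history: List[Txn]) -> dict:
    """Fraud loss avoided by the challenger versus the extra sales it blocks."""
    a, b = retro_test(champion, history), retro_test(challenger, history)
    return {
        "fraud_loss_avoided": a["missed_fraud_amount"] - b["missed_fraud_amount"],
        "extra_lost_sales": b["lost_sales"] - a["lost_sales"],
    }


if __name__ == "__main__":
    for label, control in (("champion", CHAMPION), ("challenger", CHALLENGER)):
        print(label, retro_test(control, HISTORY))
    print("delta", compare(CHAMPION, CHALLENGER, HISTORY))
```

On this constructed file the challenger triples the detection rate, yet the legitimate sales it blocks exceed the fraud loss it avoids, and the per-clause breakdown shows the device rule is responsible for most of them.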

Advanced data, technology, and analytics

Companies need multilayer defenses with sophisticated data analytics that enable rapid decision-making for applications and nearly instant response rates for transaction monitoring. Technology needs to be flexible, adaptive, and quick enough to react to fast-paced fraud attacks. Equally important is the need for insightful and actionable analytics to identify fraud attacks quickly, enabling the company to modify controls and strategies and win the fight against fraud. Similarly, companies need to build the data and analytics that allow them to understand customer experiences and changes in behavior after a fraud incident and across journeys. They also need predictions and triggers to handle customers’ fraud experiences rapidly and proactively, such as communications about why fraud occurred and ways to protect the account in the future. This requires data models that incorporate both internal and external sources. Internal data, which should be combined across product silos, could be related to fraud, identification, transactions, account and customer profiles, and connected interactions across channels. External sources could include devices, biometrics, transaction, and social data. The model should also be updated to include new value-added data sources continually. Additionally, it requires an orchestration layer that integrates different systems and allows fraud management teams to think across the value chain, capture complex fraud patterns, and identify fraud earlier. It should also enable them to orchestrate the response and communication to customers so team members can handle the experience in a personalized and empathic way.

Leading organizations are already taking advantage of advanced analytics to create a step change in effectiveness and efficiency. That might involve several methods:

Alternative data sources. Companies could draw on alternative data sources, such as social media, phone usage data, purchasing history, digital communications, geospatial data, and satellite imagery.

Machine-learning models. System developers could build integrated machine-learning models for client targeting, pricing, proposition, experience, credit, and fraud to optimize for multiple constraints simultaneously. Models should be subject to rapid testing-and-learning cycles and self-calibrate within defined guardrails.

Advanced modeling. Analytics could include sophisticated modeling techniques such as deep learning and human-in-the-loop artificial intelligence.

Automation. Companies could introduce automation such as natural-language processing and cognitive-computing algorithms.

For example, to respond to the COVID-19 pandemic, a government agency needed to disburse a massive volume of funds within a very short time. Not coincidentally, the agency was targeted by sophisticated fraudsters. By combining new data sources and sophisticated analytics, the agency increased fraud detection by around 60 percent while simultaneously reducing false positives by around 50 percent. This led to a dramatic decline in fraud losses.

Transformation of the operating model

Finally, to support advanced fraud management, companies should consider enhancing their operating model across six key dimensions: operations and performance management, organization and governance, customer centricity, roles and responsibilities, ways of working, and vendor management.

Operations and performance management

A company’s process and approach to fraud management should be consistent across divisions and stakeholders, including marketing and operations. Each company should have a risk appetite framework and a threat control library (TCL), as well as streamlined information sharing and coordinated planning to improve response speed and effectiveness. The company also needs a single set of end-to-end metrics to drive performance across the enterprise. The approach should promote a rigorous focus on efficiency, effectiveness, and continuous improvement while having fraud loss, customer experience, and process optimization as its key performance indicators.

Organization and governance

An agile fraud unit should aim to provide best-in-class enterprise capabilities to support fraud prevention, detection, and investigation (recovery) across all segments, products, and channels, with clear lines of responsibility. The first line—the business units, call center, and operations—is responsible for managing risk and trading off objectives (for example, fraud losses, business volumes, and client experience). The second line—the risk function—sets policies and requirements and provides oversight to ensure the effectiveness of key control components, such as risk appetite and assessment.

Customer centricity

A company must have the required customer insights and operations and the right capabilities in customer experience design and communication to deliver fraud experiences that consider customers’ preferences and needs. These insights and capabilities must be able to prevent fraud as well as support customers when a fraudulent event happens. An institution should embed the objective to improve the customer experience throughout its processes for fraud prevention (such as authentication, onboarding, and fraud alerts) and fraud management.

Roles and responsibilities

It is important to have staff with the right fraud management skills, process knowledge, and analytic capabilities. Staff members also must be given responsibility for effective fraud management and customer experience. A company should link planning for fraud roles to business dynamics and skill profiles and implement adaptive training programs. It can enhance fraud intelligence by promoting collaboration and information sharing across related areas (such as business, data and analytics, and cybersecurity) and the broader ecosystem (such as industry bodies and forums).

Ways of working

Agile ways of working across the business, operations, call center, and fraud, data, and technology teams can help drive required innovations in rapid cycle times. The fraud management function must participate in the product development process to close fraud-related gaps, build controls in the process, or both. Otherwise, delays will occur, or products will be launched on time but with unacceptable risks.

Vendor management

Fraud and compliance leaders have developed advanced vendor approaches by creating a “fraud lab” for testing new technologies and data sources as fraud continues to evolve and for correlating fraud prevention technologies to optimize coverage. A company should have a continuous process to source, test, and integrate innovative solutions to improve fraud management.

Getting ahead of the challenges

To get ahead of the challenges, companies should take several steps immediately: Set up an enhanced threat intelligence unit that can absorb data from across the organization and deliver prevention across client experiences. Push fraud expertise into the businesses to embed defenses in the design of products and customer journeys. Increase the pace of the operating model through agile practices, bring new skills to invigorate the investigative process (for example, pair data scientists with fraud investigators and business leadership), and let engineers reinvent reporting processes to surface insights in real-time. Employ a test-and-learn approach, which is used by the world’s largest and most advanced payment and e-commerce companies. This approach continuously quantifies the impact of fraud rules to see which ones do or do not work and which fraudulent activities are slipping through the cracks. Leading organizations will adopt these practices to be more resilient, provide better customer experience, support growth, and offer lower risk and sustainable returns to shareholders.

CONCLUSION

Undoubtedly, the latest gadgets offer a multiplicity of functions for online payment and other financial transactions. Whether people want to or not, there is no option but to adopt them. Financial service providers have been making keen efforts and huge investments to prevent cybercrime. It cannot be fully eradicated from the system, because not all users have the same level of cyber awareness, and they remain prone to vulnerabilities.

Powerful Statement of Facts. All it takes is a handful of sincere individuals who have The Characteristics of The GOOD and LIFE-GIVING FRUIT. As we are aware, #FRUIT have seeds of their own kind. So, with this thought in mind, like-minded people who honestly care to change the situation will come together, brainstorming ideas in hand, collaborate, and implement The Plan of Action.
