Payment fraud is growing. How can you protect yourself?
Overview
Not too long ago, people had just a handful of options for making payments: Think cash, checks, and wire transfers. But the number of payment options available to the average person has exploded since the rise of smartphones – and so have AI scams, deepfake scams, and overall fraud risk.
Fed payments fraud expert Mike Timoney discusses why these crimes are becoming more popular, the impacts of rapidly evolving technology in payments, and how people can better protect themselves from fraud and scams.
Timoney is a vice president of secure payments at the Boston Fed. Visit BostonFed.org to read a related article on payment fraud and learn more about how the Federal Reserve is tracking an increase in synthetic identity fraud.
Transcript
Amanda Blanco
Not too long ago, people had just a handful of options for making payments: Think cash, checks, wire transfers. But just as the popularity of smartphones has exploded over the past 20 years, so has the number of payment options available to the average person: digital wallets, apps like Venmo and PayPal, and more. But what does having so many options mean when it comes to fraud risks for everyday users?
That's what we're talking about on this episode of Six Hundred Atlantic. I'm your host, Amanda Blanco, and I'm joined by Fed payments fraud expert, Mike Timoney. Great to have you here again, Mike.
Mike Timoney
Thanks, Amanda. Happy to be here, looking forward to the conversation.
Amanda Blanco
So Mike, a recent brief by the Fed's payments improvement group discusses how the growth of different options has fragmented the payments industry. Does this make the industry tougher to protect from fraudsters?
Mike Timoney
So, I would say yes. The expansion of these options has brought us great benefits. But at the same time, it's created a more fragmented environment and one with more risk. With each new rail that we see, platform or channel, each of these introduces its own rules, user experience, and different risk controls that are available. And that diversity makes it so much harder to have consistent protection from a fraud perspective. Financial institutions must now have visibility across multiple different platforms. And also, we used to think about financial institutions, but now there's lots of different players in the industry – which then makes it even harder, because now we're talking about fintechs, we're talking about banks, we're talking about payment processors.
And so, when you start to think about that, it makes it much harder to have a consistent perspective. And fraudsters will exploit those. They look for the seams in the system, and that's what they're looking to exploit. Wherever processes differ or controls are uneven, they find the opportunity in that. So fragmentation in itself isn't the problem. It's really more the inconsistency when it comes to fraud defense across this fragmented landscape.
Amanda Blanco
And when payment options increase like this, do opportunities for payments fraud also increase?
Mike Timoney
I would say generally that is true. More options, if you think about it, create more entry points, and fraudsters don't need to take advantage of all of the entry points. They just need to take advantage of the weaker ones. So we see this with scams. Scams are a growing trend right now. There's a lot of fraudsters who are taking advantage of individuals. Why? Because the individual tends to be the access point into the system, and we tend to be part of the weaker link. If you think about things like check fraud and account takeover, even synthetic identity fraud, these are all things that are happening today. Who would have thought a while ago that check fraud is one of the biggest frauds we're dealing with today in a very digital environment? But the fraudsters, they shift to whatever channel will give them the least resistance and the greatest opportunity
If you think about the new payment networks that are coming about, and as platforms expand even, we also get into monitoring challenges, right? So, if all of a sudden I'm really good at monitoring certain types of transactions, and now I have three new channels I have to look at as well, I may not have the same kind of tools available. The other thing that we see today is that data is a big deal. Data lives and breathes in what we do. Every transaction has data associated with it, but it lives in multiple different places.
And so what financial institutions or even players in the ecosystem have to do, is they have to take this data, pull it together, and look, and make decisions. And not only do they have to make decisions, they have to make decisions very quickly. And so since there's so much data out there, it's not easy to pull it all together. So again, I would say that the different payment options, again, aren't really the challenge. It's how do we ultimately have control and fraud defense across multiple channels?
Amanda Blanco
And do thieves take advantage of the fact that payment networks cross various borders, countries, and jurisdictions?
Mike Timoney
So cross-border transactions really are much, much more difficult to investigate. You're trying to recover funds that maybe move out of the country; that's much harder. And the accountability is much less clear, because now you're dealing, as you mentioned, with multiple jurisdictions. So there's different jurisdictions, different countries, different rules, policies, laws, et cetera. And so the fraudsters typically understand these gaps that exist. And like I said before, they look for opportunity. And so where there's gaps, they realize that the difference in regulation, the response expectations, or even the data-sharing rules that happen, allow them the opportunity to obscure what they're actually doing with the funds.
The challenge today is criminals think globally, we need to think globally. They take advantage of the industry's ability to do transactions internationally and to make things easier for our customers. But at the same time, we are often constrained by boundaries that they are not. And so we're at a disadvantage when it comes to that. So absolutely, they take advantage of the international perspective of this.
Amanda Blanco
So obviously having these global networks must be a top consideration for the people that are supposed to be in charge of securing these payment firms and payment networks. What are some of the other top concerns that they have right now, the people that are securing these networks?
Mike Timoney
So people defending any system today have to think beyond the transaction. There used to be a time when we would look at specific transactions and say, "Does this transaction look suspect? Do we need to stop it? Do we need to do anything about it?" But some of the most important priorities today are really things like understanding identity. Is it Amanda actually making the transaction, right? Or is it Mike doing the transaction? How do we tell that they are real people? First of all, one, are they real people? Or two, is it somebody that's stolen your identity? So we need to think about that.
I mentioned scams earlier. Scam-driven fraud is a huge deal because banks have done a great job, and the payment system, I should say, has done a great job in developing controls, and ways to monitor transactions and to look at, is something fraudulent? But if Amanda is actually the one making the payment, but she's been manipulated into doing it, the bank's going to see that it's Amanda. She logged in with her username and password, and the same phone she always uses. So everything looks the same, except the intent was the fraudster got you to do something. So that's very difficult.
The other thing that I'll touch on is just the speed of payments. If you write a check, it takes a long time to clear, but if I pay you something today, it's in your account today. That is a change for the people that are trying to defend as well. When you have to make instantaneous decisions about, “Do I stop this transaction, or do I let it go?” can be a challenge.
And the last thing I'll touch on is that the role of data and information sharing to detect patterns is super important now. So it's not just looking at the transaction anymore. I now have to look at, is it Amanda? Is she using the same device? Is this a normal transaction? Does it make sense? Is it going internationally? Because those could fire off some red flags. And so I would say it's much harder today, just because there's so much more happening. Payments are growing, but fraud's growing just as fast.
Amanda Blanco
Now, Mike, we know you've also written and spoken about how criminals are using tools like AI and other technology to scam people. How else are these fraudsters adapting their tactics as the payments industry tries to keep them contained?
Mike Timoney
Technology really is one of the components that fraudsters are using to adapt, and they do it quickly. Most organizations out there, it takes time to implement technology changes. Fraudsters don't have to do that. They move – they are often the early adopters of technology. And so they're using it for the bad obviously, but they often move faster than the institutions, and they can adjust on the fly.
So, what we see is they are now becoming more convincing when it comes to their scams, because AI generated-messages are much better. They can also create deep fakes so they can mimic our voices. But the other thing is they can do now things in scale. Now they've got bots that literally send out thousands and thousands of messages. You know, I wouldn't be surprised if in the last week you haven't gotten a text message from a scammer in some form or fashion, or an email, that's asking you to do something. And that's a challenge for us in the business that are fighting it.
And then lastly, I'd say when you get into things like account takeover, when someone takes over your bank account, or any account for that matter, they're getting better at it. They can do that much faster and much easier because of things like GenAI.
Amanda Blanco
Yeah, I think just last week I got a scam message telling me about a new job that I should apply for on Indeed, but I don't remember ever making an account. So, Mike, with all these different things going on, how should the payments industry be proactive in protecting users and these systems?
Mike Timoney
So I think proactive defense really requires that they have strong controls, first of all. Secondly, I use the term coordinated intelligence. There's a lot of information out there that needs to be brought together in some coordinated fashion. And then lastly, I would say we need to still educate people and create consumer awareness when it comes to fraud. We can educate, educate, educate, and we're not going to educate ourselves out of the problem. But still, awareness is key, and it's important to make sure people are aware of that.
I wanted to touch though on the coordinated intelligence piece a little bit, because if you think about the more information that I can have as someone that's trying to fight fraud, the clearer the picture can be for me. So when I'm saying, "I have milliseconds to make a decision, should I stop a payment or let it go?" Well, the more information I have to look at, the better chance I am going to have, better success. And so, when it comes to those kind of things, organizations really need to think about how they use their data better and create stronger controls because of that data. We need to think about how to better strengthen identity and identity proofing, which means really just validating the identity. Today, we're inconsistent in our industry about that. You know, sometimes I'm asked for a one-time passcode to do something, other times I'm not.
And so if we could think of how to improve that, it would be better. I'm actually still surprised today that we're still so dependent on passwords. When we're so digitally advanced, why are we still using that kind of technology? A lot of people use the same passwords across multiple platforms, or they use not very strong passwords. And so again, GenAI and technology allows fraudsters to be able to figure those out.
And so we as an industry need to change that. We're trying to help our customers from a convenience perspective, but we also have to think about how to protect them. So, the industry's got to evolve as quickly as the bad guys are. And I think we oftentimes think about how to make things convenient, and don't take that step of actually not making it so easy at times.
Amanda Blanco
Do you ever see a future where we don't use passwords?
Mike Timoney
I would love to see that day. I think the opportunity is there, but I think we move slowly. I mentioned checks earlier. We still have a lot of check volume in this country, so we're still writing checks, and we're still using passwords. So, I would love to see us move away from that because I do think it's a vulnerability, but I think it will take us time.
Amanda Blanco
So Mike, just going off what you said about user convenience versus safety: I know about a week ago I was paying a friend back for a flight ticket on a trip we took recently, and as I was trying to transfer the money instantly from my bank account to his bank account, the bank asked me about five different times of whether I knew this person in real life, why I was sending this money, what kind of relationship we had. And I was wondering if you think that's something we're going to see more in the future, especially given how quickly payments can happen?
Mike Timoney
I think the answer today would be yes, but I'm hoping over time it's not quite yes all the time. I think your bank looking at the transaction was trying to evaluate, does this look like something Amanda does on a regular basis? And it obviously stood out, and so they wanted to make sure. So what they did was they prompted you to validate, to make sure that you weren't being scammed was probably part of it: "Do you know this person? Is this the right amount? Is this out of your spending pattern?" that kind of thing. And so, I think today that has to happen. What I'm hoping though is over time, with the use of the technologies that we were talking about earlier, that it's going to do a lot of that for us.
We're going to rely more on some of the GenAI to look at all this data that we have that says, "Okay, it came from your phone. It looked like you just made a trip, and it looks like that's about the amount that the trip was for."
I don't know if you've experienced it at all, but I actually was traveling recently, and I got a message that says, “Hey, we see you're in this city, and we know that you're there for this period of time, so we won't be declining transactions.” That's again, the use of the technology to kind of understand Mike and his spending pattern, so I'm not getting those friction points where they're asking me questions.
Amanda Blanco
I've absolutely seen that from both my credit card company and my bank, asking me whether I'm traveling and if everything's okay. And as we're kind of wrapping up here, are there any steps that consumers should be aware of, or can take to protect themselves as both scams and payments continue to evolve?
Mike Timoney
Yes. One thing that is super important is to understand what's happening. So, the more informed you are, the better protection it is. But probably the biggest thing in today's environment today is just to slow down. What fraudsters try to take advantage of is urgency, and concern, and fear, those kinds of emotions that we have. And so they're trying to manipulate us into acting quickly. And if we can just take a second, and look at it and say, “Is this real? Did I intend to pay this person? Did I really apply for a job?” You mentioned earlier, did I really do that? Do I need to give them this information? By slowing down, we take some of the advantage away from the fraudster. So that's key.
The other thing I would say is, there was a time for us older folks that we used to balance our checkbooks, and look at our accounts and things of that nature. We need to, today, even in a digital environment, understand our spending, what's happening with our accounts. Whether it's our social media accounts, or email accounts, banking accounts, we need to understand what's happening in those environments and know what's going on. Because if something abnormal happens, you need to be able to identify that.
I teach my kids about those kinds of things. Anyone I talk to, I do the same. The last thing I would say is that, don't expect that all your information is secure. A lot of our data gets taken in data breaches, and I personally am one to believe that all of my data is probably out there somewhere. In the United States last year, there were over 3,400 data breaches, which is a lot.
So just assume that the bad guys have that. And so, if you already understand that component, then you can protect the rest. We often think that there's a certain demographic that might be victimized, but the statistics show that it happens across the board. The difference is that the elderly population tend to have more money than the younger populations, but the younger populations are manipulated and deceived as much as anybody else. So don't think that it's going to happen to somebody else. Slow down and protect your information.
Amanda Blanco
Well, thank you for your time, Mike. We know that new payment options are coming, and we know you'll be tracking these fraud risks and trends that come with them. So thank you for speaking with us.
Mike Timoney
Thanks for having me. As always, I enjoyed talking about the topic.
Amanda Blanco
You can find more information on everything we discuss today on our website. Check out bostonfed.org/six-hundred-atlantic, where you can listen to interviews as well as our podcast seasons. You can also subscribe to our email list to stay up to date on new episodes. And don't forget to rate, review, share, and subscribe to Six Hundred Atlantic on your favorite podcast app. I'm Amanda Blanco, signing off on another episode of Six Hundred Atlantic. Thanks for listening.
Acknowledgments
This episode was hosted by Amanda Blanco and produced by Steve Osemwenkhae and Peter Davis. Executive producers were Lucy Warsh and Heidi Furse. Recording was done by Peter Davis. Engineering was done by Steve Osemwenkhae. Project managers were Allison Ross, Nick Brancaleone, and Peter Davis. The episode was edited by Jay Lindsay, Nick Brancaleone, and Allison Ross. Graphics were done by Steve Osemwenkhae, and website design was done by Michael Sorokach. Photos were taken by Michael Konstansky.
Site Topics
Keywords
- payment fraud ,
- AI scams ,
- fraud trends ,
- fraud risk ,
- deepfake scams


