One of the predictable effects of the pandemic is that the overall volume of payments [1] has dropped. This won't come as a surprise -- people have been shopping less while retail is shut down, and have less disposable income due to the economic downturn. But this is mostly temporary -- retail will likely recover as the pandemic subsides and the economy recovers.
Another, more permanent effect has been the rise of digital payments, which now make up a higher proportion of the total volume of payments [2]. Digital commerce has spent two decades maturing, and the pandemic has acted as its grand opening. But along with digital commerce comes cyber fraud.
Cyber criminals are exploiting the conditions caused by the pandemic, creatively producing COVID-19 related lures to gain access to their victims' financial information or data. Some of these lures include information offers about virus treatments or medical equipment, disguised government portals to apply for financial assistance as a result of lockdown, bulk purchase offers of short-supply commodities, and malware posing as updates to in-demand services such as video conferencing solutions. All of these -- just to get people to part with money [3].
Even before the pandemic, fraud, financial crime and cyber-crime were becoming increasingly intertwined. But now more than ever, we see cyber-criminal activities becoming larger, more scalable and more profitable. We see a change in complexity in individual ransomware demands (growing in scale and payouts to criminals), in content providers and ecosystem content-related fraud, in larger CEO-targeted attacks and in cross-industry attacks [4].
When analyzing and managing incidents including content-related frauds, channel frauds, CEO-related fraud and more complex instances, the following questions are repeatedly asked:
Why were we not able to pick this up? Why are systems focusing on the reactive and post-event scenarios, which typically follow a much too late 24/72-hour window? Can we create proactive mechanisms and triggers as new channels, platforms and products get built? Do we understand how the attack unfolded and did we miss any signs in the early stages of the attack?
More specifically, from a cyber and fraud team's perspective, what triggers are we likely to see around potential digital channel fraud, e.g. attempted phishing and account takeover, leading to transactions outside normal behavior patterns? Do we know where to get this information and can we link it to our predictive platforms? And with new regulatory changes such as Strong Customer Authentication (SCA), how do we ensure newly adopted solutions are adequate and don't leave channels and customers exposed? How do you predict the impact of SCA on payment trends?
There is a need to look at developing cross-functional teams between fraud management, compliance (leveraging financial crime teams' insights), revenue assurance, product assurance and marketing, security and operations teams. These teams should develop common metrics of normal and abnormal behaviors across business processes and technologies while linking these to early warning signs, events and red flags across ecosystems. Moreover, this can be extended in an anonymized way through the industry ecosystem and created as a common knowledge base of events.
Also, through innovation and technology advancements, new predictive mechanisms can be created to simulate a potential exposure by new channels and product launches in advance of the actual events (via application of artificial intelligence / machine learning in particular).
If organizations choose to enhance those data sets and mechanisms with additional external information (such as potential supply chain information, extended threat intelligence and more), it's possible to predict what would happen next. For example, if we open a new venture (a new company, a new business unit within a specific jurisdiction), the likely exposure to cybercrime will be XYZ. Such metrics could potentially include more accurate and granular information per location, per particular partnership, even considering specific APIs.
Some of these visions of the future cyber and fraud management process may be idealistic, but perhaps a radical change of mindset and thinking is required if we are to stay ahead of the curve.
Throughout this article, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.