Anti-fraud analytics must be about prevention, not detection

With machine learning increasingly improving analytics, model your investments on the business processes you’re trying to protect

Credit: ID 111827816 © Rikitikitao |

Fraud is hardly a new phenomenon online, but organisations’ ability to detect and fight it has increased as ever-richer machine learning models help helping experts apply analytic techniques to detect “once in a blue moon” events such as business email compromise (BEC) and high-value financial transfers.

Fully 74 percent of APAC banks in one recent FICO survey said they expect fraud in their country will increase this year, with more than half saying they block cards as soon as their protective mechanisms trigger a fraud alert.

This approach may rankle consumers that have to deal with blocked credit cards – but with fraud losses named as a leading performance indicator by 80 percent of regional banks, it’s a risk that many banks are willing to take. Just 6 percent leave cards open while trying to confirm a transaction’s authenticity with the consumer, for example by sending an SMS message to a registered mobile.

Banks’ increasing ability to flag and act on suspicious transactions in real time reflects their ongoing investment in anti-fraud analytics technologies –– and that investment is paying off by improving detection of a range of fraud and cybercrime activity, says Greg Henderson, government practice principal in the Fraud and Financial Crimes Global Practice of analytics giant SAS.

“A lot of organisations feel like [fraud] is an analytics problem,” Henderson told CSO Australia, “but I am often consulting with them that building the analytics model is only step 1 of a multi-step process.”

Prevention vs detection

The real challenge for businesses, he said, is not just building the biggest analytics platform possible – but embedding those analytics into operational processes, helping prevent fraud and cybercrime rather than detecting it after the fact.

It’s a big difference that can make all the difference for financial-services institutions that have been pummelled by data breaches and struggled to maintain consumer confidence in their fraud and data-privacy protections.

A recent Unisys survey found that Australians are by far the least trusting of their banks’ data protections – a perception that is hardly helped by incidents such as the recent exploitation of the Westpac PayID payment service.

Indeed, true to expectations, the increasing pace of financial-services transactions – for example, through Australia’s New Payments Platform (NPP), on which PayID was built – had had a flow-on effect in terms of the fraud it facilitates.

This trend towards real-time transactions, Henderson said, has ratcheted up the urgency for every company to understand the vulnerabilities in their payments processes and intelligently apply targeted machine learning-driven analytics to prevent fraud – not just detect it after the fact.

“At the end of the day it’s all the same capabilities and techniques,” Henderson said. “We’re just looking at it and producing scores that are ultimately addressing a specific kind of behaviour outcome that you’re trying to model against. Then we let the machine figure it out and build those specific models.”

Businesses that underinvest in fraud detection are suffering at the till, with recent research from Mastercard company Vocalink confirming that 49 percent of Australian business owners don’t have enough knowledge to protect their business from fraud.

Just 36 percent of businesses have tightened their processes to deal with payments fraud – leaving them open to fraud such as BEC attacks, in which cybercriminals manipulate privileged individuals into conducting fraudulent payments for them.

Yet businesses also needed to be careful not to overinvest in infrastructure that far exceeds their requirements – for example, by buying up masses of servers or cloud-computing capacity to provide real-time analytics on transactions that are being processed in batches overnight.

“The thing I always try to focus on is what are the latency requirements of the problem?” Henderson explained. “We don’t want to overengineer something for 30ms response times when they’re not going to make that payment for another day or week.”

“You have to absorb the cost of the infrastructure to do that, so if it’s not a real problem there are other ways that you can do that efficiently. These things are all interconnected – and the evolution of the technology is going to be how we tie all that stuff together to be able to see the bigger picture.”

Read more: The week in review: Cybersecurity breaches named the biggest risk to business… and healthcare… and sports… and…

Tags unisysanti-fraud

Show Comments