With the advances in information technology, most payment transactions have moved to electronic channels such as Internet / Mobile Banking and payment cards. Fraudsters have followed customers into this space. However, the response to frauds in these areas needs further improvement, so that the entire onus is not placed on the customer. There is also a lack of clarity amongst organizations on whether and how these instances are to be reported as frauds.
A need is therefore felt to have an industry wide framework on fraud governance with particular emphasis on tackling electronic channel-based frauds. This note endeavors to bring out the challenges and suggests a framework which can be implemented across organizations to effectively tackle the electronic fraud menace.
It would be useful to recall the definition of fraud at this stage. ‘A deliberate act of omission or commission by any person, carried out in the course of a banking transaction or in the books of accounts maintained manually or under computer system in the regulated entities, resulting into wrongful gain to any person for a temporary period or otherwise, with or without any monetary loss to the bank’.
This definition was recommended in para 9.1 of the Report of the Study Group on Large Value Bank Frauds set up by the Reserve Bank of India in 1997. It follows that, like other bank frauds, the various IT-related frauds need to be captured through the fraud reporting system, and organizations should take adequate steps to mitigate such risks.
The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be owned and carried out by the Audit Committee of the Board (ACB) of Cashlesso specifically including the CEO.
Irregular financial transactions may be classified into 3 distinct categories as follows:
The most common types of online fraud occur via phishing or spoofing, data theft, and chargeback or friendly fraud. These are explained in detail below.
Online Phishing or Spoofing
Phishing is the process of accessing one’s personal information through fraudulent e-mails or websites that claim to be legitimate. The information gathered this way can include usernames, passwords, credit card numbers, or bank account numbers.
The most widely used method for phishing is to redirect an online user (from an e-mail or SMS) to an “official” website where they are asked to update their personal information. The user is thereby tricked into revealing personal information that they would ideally not reveal to anyone else.
Phishing can also occur via other electronic means such as SMS, instant messaging and e-mail. The user can be redirected to make a payment on a website that looks legitimate but has been created to capture the user’s card details so that they can be used later.
Data Theft
Sometimes, dishonest employees or partners can steal credit card data from businesses and use this for committing fraud. Most payment gateways, payment aggregators and online websites take stringent measures to ensure that such privacy breaches do not occur.
Cashlesso does not store any card details and is working to implement tokenization systems with regulated service providers such as Visa and Mastercard. Furthermore, Cashlesso is a certified PCI-DSS compliant organization, which means we undergo stringent audits of our data privacy processes.
Account information theft: Malware can capture the keystrokes of your login information. Malware can also potentially monitor and capture other data you use to authenticate your identity (such as special images or words).
Hacking
Hacking involves the compromise of weak login credentials in the infrastructure which manages live user data; such credentials are relatively easy for a criminal to compromise. The systems and applications are subjected to dictionary or brute-force attacks until the right password or credentials are obtained, after which an organization’s database and customer records are leaked. To counter this, Cashlesso regularly conducts system audits and penetration testing, enforces multi-factor authentication for login, has implemented a web application firewall (WAF), etc.
Man-in-the-Middle Attack
Fake website substitution: Malware can generate web pages that appear to be legitimate but are not. They replace an organization’s legitimate website with a page that can look identical, except that the web address will vary in some way. Such a “man-in-the-middle attack” site enables an attacker to intercept user information. The attacker adds additional fields to the copy of the web page opened in the browser. When an individual submits the information, it is sent to both the organization and the malicious attacker without his/her knowledge. To prevent this, Cashlesso ensures that every request/data packet is verified by a unique checksum and that the data is always transmitted over encrypted channels.
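The following is an added illustration of the request-integrity check described above; it is example code written for this note, not Cashlesso’s own implementation. It assumes the “unique checksum” is a keyed HMAC-SHA256 over a canonical serialization of the request, shared between merchant and gateway (the scheme, the secret and the field names are all constructed for the example). It shows that a request whose fields have been altered or extended in the browser no longer verifies, which is the integrity half of the control; confidentiality against an interceptor is the job of the encrypted channel, which the checksum alone does not provide.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the example only. A real deployment provisions a
# per-merchant secret out of band and never embeds it in application code.
SHARED_SECRET = b"example-merchant-secret-not-real"


def canonical_bytes(payload: dict) -> bytes:
    """Serialise the request deterministically so both sides MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_checksum(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical payload (assumed scheme, not Cashlesso's actual one)."""
    return hmac.new(secret, canonical_bytes(payload), hashlib.sha256).hexdigest()


def verify_request(payload: dict, checksum: str, secret: bytes = SHARED_SECRET) -> bool:
    """Recompute the MAC on the receiving side and compare in constant time."""
    expected = compute_checksum(payload, secret)
    return hmac.compare_digest(expected, checksum)


def tampered_copy(payload: dict) -> dict:
    """Model the scenario in the text: an injected page alters and extends the submitted form."""
    copy = dict(payload)
    copy["amount"] = "1.00"                      # altered field
    copy["extra_field"] = "injected-by-fake-page"  # constructed extra field
    return copy


def demo() -> dict:
    """Run the genuine, tampered and wrong-key cases and report which ones verify."""
    original = {"order_id": "ORD-1001", "amount": "499.00",
                "currency": "INR", "merchant_id": "M-42"}  # constructed sample request
    mac = compute_checksum(original)
    return {
        "genuine_verifies": verify_request(original, mac),
        "tampered_verifies": verify_request(tampered_copy(original), mac),
        "wrong_secret_verifies": verify_request(original, mac, b"other-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the serialization sorts keys, the MAC does not depend on the order in which the merchant’s form fields arrive, and `hmac.compare_digest` avoids leaking information about the expected value through comparison timing.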
Chargeback Fraud or Friendly Fraud
For instance, a customer makes an online purchase. Later, they claim that the purchase was made fraudulently and ask for a chargeback – even though they made the purchase themselves!
This is known as chargeback fraud or friendly fraud: a business processes a transaction because it seems legitimate, only to be issued with a chargeback later on.
Fraudsters may first place orders for expensive items on online shopping websites using fake credentials. Later, when the shipment is delivered, they may remove the items from the boxes, replace them with duplicate items, and accuse the sellers of sending sub-standard goods.
Chargeback frauds cause losses to the merchant and are a hassle for any business, including Cashlesso. To mitigate this, Cashlesso has an exhaustive and robust Chargeback and Refund Policy that assists the merchant in understanding why chargebacks happen and in taking steps against fraudulent charges.
With the growing number of e-commerce users and transactions, it is important that organizations are aware of the mandatory security protocols for e-commerce websites; so that they can avoid fraudulent situations. We at Cashlesso follow:
Data security on an online payment system begins the moment a user lands on the site. The TLS Certificate tells users that the data transmitted between the web server and their browser is safe.
Cashlesso uses the highest-assurance SSL certificate on its website, the EV SSL (Extended Validation SSL) certificate.
Without TLS Encryption in place, all data sent over the Internet is unencrypted and is visible to anyone with the means and intent to intercept it.
The PCI Security Standards Council is a global organization that maintains and promotes compliance rules for managing cardholder data for all e-commerce websites and online payment systems.
The Payment Card Industry Data Security Standards (PCI-DSS) is in effect a set of policies that govern how sensitive cardholder information should be handled.
In order to be PCI-DSS compliant, Cashlesso follows certain directives:
Restrict information access: An important part of securing online payments on e-commerce websites is restricting access to confidential information so that only authorized personnel will have access to cardholder data. Cardholder data must be protected at all times – both electronically and physically.
Financial crimes have assumed a complex character. Cashlesso understands well how fraud, compliance and cybersecurity are interlinked and takes a holistic approach to mitigating these risks by employing data analytics, artificial intelligence and machine learning technology to:
Know Your Customer (KYC) procedures
A strong KYC process is the backbone of any fraud prevention activity. Such a process enables Cashlesso to prevent unscrupulous elements from gaining entry into the organization’s environment, where they would have an opportunity to carry out their fraudulent intentions. Similarly, appropriate due diligence before the recruitment of employees is essential to prevent known fraudsters, or people with fraudulent motives, from gaining access to the organization’s channels. Cashlesso has strong procedures for carrying out due diligence on potential merchants and employees before they are enrolled.
Merchant fraud occurs when someone creates a fake or bogus company with no intention of selling any product to the customer. The business appears legitimate; but since it offers no actual goods or services, all users who make an online purchase only end up losing their money.
Cashlesso has strict processes in place to vet every company that uses its gateway for processing payments, such as:
KYC & Background checks: Adhering to strict KYC norms even before Cashlesso onboards a business is an integral part of the fraud mitigation practice followed. Cashlesso shall have in place an in-house ‘Risk’ team that runs background checks on new businesses and vets them before they go ‘live’ on Cashlesso’s platform.
Physical security: Cashlesso shall put in place a dedicated team to take care of the security of the physical infrastructure. This team shall conduct regular security audits of the offices to check for deviations/lapses. It shall be the responsibility of this team to ensure that physical assets and copied data do not leave the offices of the organization without authorization.
Creation of fraud awareness amongst staff and customers: Awareness on how to prevent and detect frauds is the basis of fraud management. Cashlesso adopts various measures to create awareness amongst staff and customers as detailed below in this policy.
Detection of fraud
In certain cases, despite strong prevention controls aimed at fraud deterrence, fraudsters do manage to perpetrate frauds. In such cases, the sooner the fraud is detected, the better the chance of recovering the losses and bringing the culprits to justice. System triggers that throw up exceptional transactions, open channels that take note of customer/employee alerts and disputes, seeding/mystery shopping exercises, and encouraging employees, customers and well-wishers to report suspicious transactions or behaviours are some of the techniques used for the detection of frauds at Cashlesso. The exceptional/suspicious transactions or activities reported through these mechanisms are investigated in detail by the Risk & Operations Team once reported.
Transaction monitoring
Within the Operations Team, a transaction monitoring unit is responsible for monitoring various types of transactions, especially potential fraud areas, so that early alarms can be triggered. This unit has the expertise to analyze transactions to detect fraud trends and has the authority to immediately trigger alarms and suspend the account. It works in conjunction with the technical team within the organization on data extraction, filtering and sanitization for transaction analysis to determine fraud trends. Cashlesso has put in place automated systems for the detection of frauds based on advanced statistical algorithms and fraud detection techniques.
Alert generation and redressal mechanisms
Cashlesso has established appropriate mechanisms to take note of the disputes / exceptions or suspicions highlighted by various stakeholders including the transaction monitoring team to investigate them thoroughly. Furthermore, Cashlesso also incorporates a strong whistle blowing mechanism as a policy.
Contact for reporting suspected frauds
At Cashlesso, customers can report any fraudulent activity that they may notice on:
A dedicated staff shall reply to customer queries and concerns regarding frauds through the above email ID.
Importance of early detection of frauds
An organization’s fraud management function is effective if it is able to minimize frauds and, when a fraud occurs, is able to detect it so that the loss is minimized.
Cashlesso documents and implements the configuration aspects for identifying suspicious transactional behaviour: the rules, the preventive and detective types of controls, the mechanism to alert customers in case of failed authentication, the time frame for the same, etc.
Systems for detecting ‘Merchant Fraud’
Cashlesso takes this check one level higher by monitoring all suspicious and potentially fraudulent businesses, and the transactions that originate from them:
A sudden spike in transaction velocity (number of transactions per minute/hour/day), volume (amount transacted) or pattern (for example, international orders for a local brand) is an indicator of fraud, and Cashlesso’s systems immediately flag such transactions for further investigation.
‘Risk’ logic also entails business rules for monitoring the thousands of transactions on the Cashlesso platform on a daily basis. This logic should be designed according to the merchant, and the logic pathway should easily differentiate between standard day-to-day transactions and those that carry a high probability of risk.
The means of deception that fraudsters and criminals use these days range from forging identification documents, creating fake business profiles/storefronts, forging invoices/receipts and restructuring transactions to fall below reportable thresholds, to other techniques. In order to monitor fraud effectively, Cashlesso maintains a holistic approach involving the merchant’s entire portfolio and appropriate technological support.
Cashlesso takes into account the updated applicable regulatory mandates, comprising pre-on-boarding Know-Your-Customer (KYC) and screening, and post-on-boarding monitoring of merchant behaviour and transactions. These do, however, permit risk-based flexibility with actionable customised solutions. Furthermore, internal risk profiling, periodic updates and fraud reporting where applicable (to the Financial Intelligence Unit of the Government (FIU-IND), the Central Bureau of Investigation/Police, the Reserve Bank of India’s (RBI) Department of Banking Supervision, and others) shall also be undertaken. Even where there are no mandates, Cashlesso carries out these measures via self-imposed checks to detect transactional anomalies and possible frauds.
Cashlesso’s different checks allow recognizing different fraud indicators, and in the process also encounter specific challenges:
In-house Fraud Prevention System
An in-house custom Fraud Prevention System allows Cashlesso to block transactions based on certain risk rules in order to minimize fraud. The rules can deal with IP addresses, geolocation, user details, velocity checks, etc. The following are the features provided by our Fraud Prevention System:
Cashlesso also endeavours to continuously improve the business rules such that:
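The following added example illustrates the kind of rule logic described in the two passages above (the velocity/volume/pattern indicators for merchant fraud and the IP, geolocation and velocity rules of the Fraud Prevention System). It is written for this note and is not Cashlesso’s system; the rule names, the per-merchant profile fields, the thresholds, the sliding-window length and the sample transactions are all constructed for the illustration. It evaluates each transaction against the merchant’s own profile, as the text recommends, and also tracks how many distinct cards a single IP address presents within the window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: str
    merchant_id: str
    ts: int          # epoch seconds (constructed)
    amount: float
    country: str     # ISO country code of the order
    ip: str
    card_token: str  # opaque token, never the PAN


@dataclass
class MerchantProfile:
    """Per-merchant baseline the rules are measured against (assumed fields)."""
    home_country: str
    max_txn_per_window: int
    typical_amount: float
    amount_multiplier: float = 5.0


class RiskEngine:
    def __init__(self, profiles: dict, window: int = 60, ip_card_limit: int = 3):
        self.profiles = profiles
        self.window = window                  # sliding window in seconds
        self.ip_card_limit = ip_card_limit    # distinct cards one IP may present per window
        self._merchant_hits = defaultdict(deque)   # merchant_id -> timestamps in window
        self._ip_cards = defaultdict(dict)         # ip -> {card_token: last_seen_ts}

    def _prune(self, timestamps: deque, now: int) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()

    def evaluate(self, t: Txn) -> list:
        """Return the names of every rule the transaction trips (empty list if clean)."""
        reasons = []
        profile = self.profiles[t.merchant_id]

        # Velocity: too many transactions for this merchant inside the window.
        hits = self._merchant_hits[t.merchant_id]
        self._prune(hits, t.ts)
        hits.append(t.ts)
        if len(hits) > profile.max_txn_per_window:
            reasons.append("velocity")

        # Volume: a single amount far above what this merchant typically sees.
        if t.amount > profile.amount_multiplier * profile.typical_amount:
            reasons.append("volume")

        # Pattern: international order for a merchant that normally sells locally.
        if t.country != profile.home_country:
            reasons.append("geo")

        # IP rule: one address cycling through many distinct cards within the window.
        cards = self._ip_cards[t.ip]
        cards[t.card_token] = t.ts
        for stale in [tok for tok, seen in cards.items() if seen <= t.ts - self.window]:
            del cards[stale]
        if len(cards) > self.ip_card_limit:
            reasons.append("ip_card_velocity")

        return reasons


def run_demo() -> dict:
    """Feed constructed transactions through the engine; return only the flagged ones."""
    profiles = {
        "M-LOCAL": MerchantProfile(home_country="IN", max_txn_per_window=3, typical_amount=500.0),
        "M-BIG": MerchantProfile(home_country="IN", max_txn_per_window=50, typical_amount=100.0),
    }
    sample = [  # constructed sample traffic
        Txn("t1", "M-LOCAL", 0, 450.0, "IN", "10.0.0.1", "c1"),
        Txn("t2", "M-LOCAL", 10, 3000.0, "IN", "10.0.0.2", "c2"),   # 6x typical amount
        Txn("t3", "M-LOCAL", 20, 480.0, "US", "10.0.0.3", "c3"),    # foreign order
        Txn("t4", "M-LOCAL", 25, 500.0, "IN", "10.0.0.4", "c4"),    # 4th txn in 60 s
        Txn("t5", "M-BIG", 200, 100.0, "IN", "203.0.113.9", "c5"),
        Txn("t6", "M-BIG", 201, 100.0, "IN", "203.0.113.9", "c6"),
        Txn("t7", "M-BIG", 202, 100.0, "IN", "203.0.113.9", "c7"),
        Txn("t8", "M-BIG", 203, 100.0, "IN", "203.0.113.9", "c8"),  # 4th card from one IP
    ]
    engine = RiskEngine(profiles)
    flagged = {}
    for t in sample:
        reasons = engine.evaluate(t)
        if reasons:
            flagged[t.txn_id] = reasons
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in run_demo().items():
        print(txn_id, reasons)
```

In practice the flagged transactions would be queued for the transaction monitoring unit rather than blocked outright by every rule, and the thresholds would be tuned per merchant from their observed history so that the logic separates ordinary daily traffic from genuinely risky transactions.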
At Cashlesso, a detailed and thorough fraud analysis shall be conducted to identify the reason for fraud occurrence and establish customized mechanism to prevent such frauds.
The entire staff, and especially the fraud control function, shall be educated about frauds and trained in the following skills and areas of expertise:
Furthermore, Cashlesso shall maintain updated contact details of service providers, intermediaries, external agencies and other stakeholders (including other organizations) for coordination in incident response. Cashlesso shall put in place a mechanism with the stakeholders to update and verify such contact details, and shall also formulate specific SOPs to handle incidents related to the payment ecosystem so as to mitigate the loss to either the customer or the organization.
The examination of a suspected fraud, an exceptional transaction or a customer dispute/alert in the organization is to be undertaken by:
Fraud Investigation function
It is widely accepted that fraud investigation is a specialized function. Thus, the fraud risk management group at Cashlesso shall undergo continuous training to enhance its skills and competencies. The first step in the investigation process will be gathering the entire transaction details, documents and complete details of the customer/employee or vendor. To investigate into suspected cases, the group would adopt various advanced techniques including computer forensics, forensic accounting and tools to analyze large volumes of data as required.
The investigation team will further conduct oral interviews of customers or employees to understand the background and details of the case. Where an interview of the person accused of fraud is required, the investigation group shall follow a prescribed procedure and record statements appropriately. The investigation activities shall be carried out discreetly and within a specified timeline. The investigating team shall take into account all the relationships of the involved parties (with the organization, if required) while investigating, and shall submit an investigation report. The investigation report will help the respective business groups take a decision on the case and, as the case may be, on all the relationships of the customer with the organization. The investigation report should conclude whether a suspected case is a fraud; thereafter the report forms the basis for further actions such as regulatory reporting as mandated.
In case of employee involvement in the fraud, the investigation report forms the basis of staff accountability and HR actions. It is stated explicitly that, during the course of investigations, Cashlesso adopts only means permitted by law, by regulations and by the code of conduct of the organization, and that any inconvenience to customers or the general public shall be reasonably avoided. Cashlesso understands that certain investigations are best carried out by law enforcement authorities, and shall refer critical/complicated cases to such authorities at the appropriate time to enable them to carry out their responsibilities efficiently. Where required, the investigating team shall also seek the support of other specialized groups within the organization, such as the audit group, to carry out investigations efficiently.
Recovery of fraud losses
The concerned group at Cashlesso shall make all reasonably possible efforts to recover the amount lost. It may use specialized groups such as legal (internal or external) or government agencies for this purpose. The investigating team may also recover some amounts during the course of its investigation, and the Police may recover some amount during theirs. If a court case has been filed, these recoveries shall be cited as received pending final adjudication or a settlement being reached.
Creation of customer awareness on frauds
Customer awareness is one of the pillars of fraud prevention. It has been seen that alert customers have enabled the prevention of several frauds and, in the case of frauds which could not be avoided, have helped bring the culprit to book by raising timely alerts. Cashlesso thus aims at continuously educating its customers and soliciting their participation in various preventive/detective measures. It is the duty of all groups in the organization to create fraud risk awareness amongst their respective customers. The fraud risk management group should share its understanding of frauds with each group, identify areas where customer awareness is lacking and, if required, guide the groups on programs to be run for the creation of awareness amongst customers. The groups should ensure that each of their interactions with customers carries at least one message making the customer aware of fraud risk.
The following are some of the measures that may be followed in time to create awareness amongst customers:
It may be ensured that the communication to the customer is simple, aimed at making them aware of fraud risks and at seeking their involvement in taking proper precautions to prevent frauds. Such communication should be reviewed periodically by the fraud risk management group to judge its effectiveness.
Creation of employee awareness
Employee awareness is crucial to fraud prevention. Training on fraud prevention practices shall be provided by the fraud risk management group at various forums. Cashlesso may use the following methods in time to create employee awareness:
Rewarding employees on fraud prevention
A positive way of creating employee awareness is to reward employees who have gone beyond their call of duty, and prevented frauds. Awards may be given to employees who have done exemplary work in preventing frauds. Details of employees receiving such awards may be published in the internal fraud newsletters by Cashlesso.
Monthly certificate in respect of submission of fraud cases
Name of the bank: ____________________    Date: ____________
Certificate for the month: ____________________
It is certified that soft copy of the following fraud cases, which were to be reported to RBI during the month ————————, have been sent to RBI by mail
Sl.No. | Fraud Number | Name of the Party | Amount Involved (Rs Lakh) | Date Sent |