Cross-border payments fuel international cybercriminals

Cybercrime, particularly payments fraud, is highly attractive to criminals because it’s low risk and has the potential to be highly lucrative. (See “Cybercrime,” Australian Government’s Department of Foreign Affairs and Trade.) And cybercrime knows no boundaries. Cybercriminals can exploit individuals, businesses and governments from anywhere in the world.

While some intra-country payment fraud does occur, the real risk is in cross-border payments. Customers, financial institutions and law enforcement agencies find it difficult to pursue fraud across international jurisdictions. As far back as 2017, this has been a persistent and deep-rooted issue for stakeholders that use technology to engage in cross-border trade, as explored in an inquiry initiated in Australia by the Parliamentary Joint Committee on Law Enforcement. (See Chapter 5, “Operational challenges and vulnerabilities,” from “Impact of new and emerging information and communications technology,” April 4, 2019.)

Payments fraud is a substantial risk for big and smaller businesses that operate across e-commerce platforms, are reliant on international supply chains, or sell goods and services in multiple countries. While smaller businesses are attractive to cybercriminals because of a perceived lack of investment in cyber-protection, larger businesses potentially offer larger spoils, according to PwC’s Global Economic Crime and Fraud Survey.

INTERPOL, the International Criminal Police Organization, is so concerned by transnational financial crime that in January of this year it established the Financial Crime and Anti-Corruption Centre (IFCACC). INTERPOL said the center will focus on complex money-laundering schemes and the use of virtual assets to follow the financial trails of organized crime. (See “INTERPOL launches centre against financial crime and corruption,” March 15, 2022.)

INTERPOL says transnational financial crime has grown exponentially in recent years, undermining global financial systems, impeding economic growth, and causing huge losses to businesses and individuals worldwide.

The PwC 2022 report, which included nearly 1,300 responses from 53 countries, found that among companies with global annual revenues of more than $10 billion, 52% experienced fraud during the previous 24 months. One in five of these companies reported that their most disruptive incident had a financial impact of more than $50 million.

For companies with less than $100 million in revenue, 38% experienced fraud, and one in four reported a total impact of more than $1 million from fraud incidents.

COVID-19 lockdowns around the world sped up an already significant shift to e-commerce. The sheer volume of online transactions created new opportunities for cybercriminals.

And with more people working from home, the vulnerabilities for all businesses — small to big — have increased. Home Wi-Fi and working off-site, remote connection to servers and software, and the use of private email addresses when company systems couldn’t connect have created multi-threat points.

Cybercriminals saw these changes and identified fresh opportunities to defraud individuals and companies. They’re highly adept at taking advantage of current events, such as prolonged supply-chain delays due to COVID-19 developments and global logistics worker shortages. People and businesses, desperate to source materials and products to stay afloat, became easier targets for exploitation.

Types of payments fraud

As a global organization, we see different trends and risks emerging across various jurisdictions and regions. We may see an increase in money-mule activity in one region and an increase in identity theft in another.

From a business perspective, we try to focus on the identified key risks of a particular region and adapt our approach to suit market-specific needs. However, in recent times we’ve seen a definite increase in scams across all jurisdictions.

Over the past three years, the risks for clients in our Australia and New Zealand market have predominantly been scams. Unfortunately, this risk increased across all jurisdictions during the pandemic. In regions such as North America, where we saw identity theft as the main fraud risk, we also saw increases in the number of individuals used as unwitting money mules.

The FBI defines a money mule as someone who transfers or moves illegally acquired money on behalf of someone else to launder the proceeds of online scams, fraud or drug trafficking. Money mules can be contracted by criminal gangs or unwitting participants in fraud.

Globally, we observed an increase in money-mule events by 41% from 2019 to 2020. The methods for stealing identities range from phishing (malicious emails leading to bogus transactions or software upgrades) to purchasing identity documents from the darknet. Individuals and businesses conducting cross-border payments must ensure they guard against counterparty risk. That means establishing robust systems to verify the identity of a counterparty before a payment is made.

We’ve seen an increase in the money-laundering technique of “cuckoo smurfing,” which uses a legitimate account to hide illicit money transfers — similar to how cuckoos lay their eggs in the nests of other bird species.

Here’s one way it might work. An Australian living overseas wants to send the equivalent of 100,000 Australian dollars to their bank account back home. They choose a money transfer service to carry out the transaction. But the remitter is corrupt and gives the transfer details to an Australia-based crime syndicate that wishes to move illicit funds out of the country. The syndicate then instructs cash mules, known as smurfs, to deposit the equivalent amount in the Australian’s bank account but only in amounts of less than AUS$10,000. Amounts above that will raise suspicion with law enforcement, though it’s illegal to split large deposits into smaller sizes. This will take several transactions in different banks, but an account holder will see the money in their account. If they question the odd deposits, the money transfer business will tell them that’s how it’s done. [See “Cuckoo smurfing,” Australian Federal Police, and “What is cuckoo smurfing?” by Edward Greaves (EWG).]

Another scam — made possible by identity theft or the creation of fake company details — is tricking businesses or individual consumers into ordering and paying for goods that never arrive. We watch for bogus requests for additional fees or information to facilitate international transactions.

We’re seeing more and more data accompany trade in goods through the advanced use of internet of things (IoT) devices in freight logistics, such as interconnected tracking sensors and smart security systems. In this connected commerce ecosystem, we’ll certainly see spikes in attacks via these devices plus continued social engineering attacks.

As businesses grow, so does payment risk

As cross-border firms grow, so does the number of customers and suppliers they do business with from different countries. Each new international customer or supplier represents a payment fraud risk.

In a customer-centric world, companies don’t want to create unnecessary friction when doing business, particularly when onboarding new customers. Asking tough questions to verify identity and risk can be irritating for clients but necessary to protect their money from fraud risks.

Of course, an organization’s due diligence is a shared responsibility. As part of the onboarding process, it’s necessary to use a suite of tools and global government databases to verify the identities of those who request an account. Maintaining, improving and investing in systems that can support fraud risk management teams with making informed risk assessments and protecting clients’ money is critically important.

At your organization, hold regular exercises in understanding the level of fraud risk across the different regions in which your clients do business. These can assist with determining the required always-on solutions and processes to effectively minimize fraud risks and the level of needed investment.

Managing risk

Individuals and businesses can employ several strategies to reduce the risk of falling victim to financial fraud.

First, choose an international payments provider that’s dedicated to helping prevent fraud and continually investing in fraud-prevention systems and technology. Keeping current with the latest scams is the best position to protect yourself and your clients.

Don’t overlook the human element. Employees are one of the best anti-fraud tools an organization can utilize. There’s no substitute for human instinct.

Sharpen that instinct with education and awareness across all areas of your business. Since the start of the COVID-19 pandemic, we’ve observed a significant increase in the number of people unwittingly sending funds to scammers. Enhance processes and push for regular employee training and customer awareness initiatives to help all stakeholders understand potential fraud impacts, and perform due diligence on all individuals and organizations with which you deal.

Use cutting-edge AI to understand the complex relationships and behaviors between importers and exporters in your global trade. You must comprehend the context of these businesses, ownership structures and geographies, and where they sit in broader supply chains to manage risk effectively and efficiently.

To further reduce risk, limit the number of cross-border payment service providers you use and encourage third parties to transact with the same preferred payments provider. The more foreign exchange providers an entity is using, the more likely that entity will run into fraud.

Some foreign exchange payment providers offer settlement accounts in offshore markets, known as multi-currency accounts, that allow businesses to receive payments from customers and pay suppliers in the same currency if the transaction is happening in the same jurisdiction or currency.

For example, a British-based business may sell goods via e-commerce in the U.S. and use U.S. suppliers or service providers to fulfill orders. Make sure you use an account system that allows the business to receive payments in U.S. dollars and also make payments to suppliers in U.S. dollars. This avoids transferring received money to British pounds, then back to U.S. dollars to pay suppliers. This process effectively enables paying in local currency and skipping an additional conversion.

To grow and thrive, businesses eventually need to trade across national and currency borders. Yet while that may bring greater fraud threats, you can manage those dangers and reap the fruits of the global market through a proactive currency partner and a risk management approach that combines digital and human expertise.

Jason Nader, CFE, is head of fraud risk management & identity at OFX, an Australian online foreign exchange and payments company. Contact him at Jason.Nader@ofx.com.