Fraud Prevention Insights

Real-Time Payment Rails Are Creating New Fraud Vectors in SEA

Instant payment systems like PromptPay, PayNow, and QRIS are fueling faster fraud. Here's what banks need to know about protecting real-time rails.

RTD Team

Run-True Decision

The Real-Time Revolution Across Southeast Asia

Southeast Asia is in the middle of a payments transformation. In less than a decade, real-time payment systems have moved from pilot programmes to national infrastructure:

  • PromptPay (Thailand) — processing over 30 million transactions per day
  • PayNow (Singapore) — linked to national identity and mobile numbers
  • QRIS (Indonesia) — a unified QR standard connecting 30+ million merchants
  • InstaPay (Philippines) — enabling 24/7 interbank transfers
  • DuitNow (Malaysia) — integrating person-to-person, merchant, and cross-border flows

These systems are a remarkable achievement for financial inclusion. They let street vendors accept digital payments, enable migrant workers to send money home instantly, and reduce the economy's dependence on cash. But the same properties that make instant payments transformative — speed, irrevocability, and always-on availability — also create new opportunities for fraud.

Why Speed Favours Fraudsters

In batch-era payment systems, banks had hours (sometimes days) to review transactions before settlement. Suspicious transfers could be flagged, queued, and investigated. Real-time rails compress that window to seconds.

Three properties of instant payments tilt the playing field toward attackers:

Settlement finality. Once a real-time transfer clears, the money is gone. Unlike card payments, there is no chargeback mechanism built into most instant payment schemes. Recovery depends on the receiving bank's cooperation — and if the funds have already moved to a second or third account, recovery becomes almost impossible.

Reduced investigation windows. Fraud teams that relied on overnight batch reviews now need to make decisions in milliseconds. A rule that triggers a manual review queue is functionally the same as blocking the payment, because the customer expects instant confirmation. This creates pressure to approve borderline transactions rather than risk false declines on a system built for speed.

Mule network acceleration. Money mule networks — chains of accounts used to launder stolen funds — operate dramatically faster on real-time rails. What used to take days of interbank transfers can now be accomplished in minutes, with funds layered across multiple accounts and jurisdictions before any alert fires.

The New Fraud Patterns Emerging on Instant Rails

Real-time payment systems are not just faster versions of existing infrastructure. They enable entirely new attack patterns:

Authorised push payment (APP) fraud. In APP fraud, the victim initiates the transfer themselves — often after being deceived by a social engineering scam. Because the victim authorised the transaction, traditional fraud rules based on anomalous account activity may not flag it. APP fraud is now the fastest-growing fraud category across markets with mature instant payment systems, with some central banks reporting year-over-year increases exceeding 30 percent.

QR code manipulation. The widespread adoption of QR-based payments (especially QRIS in Indonesia) creates a physical attack vector. Fraudsters overlay legitimate merchant QR codes with their own, redirecting payments to mule accounts. Unlike card skimming, QR swaps require no technical sophistication — just a printed sticker.

Account takeover for instant drain. When attackers compromise a bank account linked to instant payments, they can drain the balance in seconds through a series of rapid transfers. The always-on nature of real-time rails means these attacks can happen at 3 AM on a Sunday, when fraud operations may be running with reduced staffing.

Cross-border instant transfer abuse. As Southeast Asian countries link their instant payment systems — Singapore-Thailand (PayNow-PromptPay), Malaysia-Indonesia (DuitNow-QRIS), and others under the ASEAN Payment Connectivity initiative — fraudsters gain the ability to move funds across borders in real time. Domestic fraud detection systems often have limited visibility into cross-border patterns, creating blind spots at the borders.

What Traditional Fraud Systems Miss

Most banks in the region still rely on fraud detection infrastructure designed for the batch-processing era. These systems face three fundamental gaps when applied to real-time payments:

Batch-era rules at real-time speeds. Rule engines that were designed to process overnight batches cannot evaluate transactions in the single-digit milliseconds that instant payment SLAs demand. When the fraud system becomes the bottleneck, banks face an impossible choice: slow down the payment (breaking the customer experience) or bypass the check (accepting the risk).

Post-transaction detection is too late. Many fraud platforms focus on detecting suspicious patterns after transactions have settled, triggering investigations and recovery attempts. On instant rails, post-transaction detection means the funds are already in a mule account — and likely already moved again. The detection is accurate but no longer actionable.

Cross-scheme blind spots. A customer who receives funds via PayNow, converts to cryptocurrency, and sends it to a wallet linked to an Indonesian exchange is crossing multiple payment schemes and jurisdictions in a single fraud chain. No single institution sees the full picture, and data-sharing agreements between schemes are still in early stages.

Building Fraud Defences at the Speed of Payments

Protecting real-time payment rails requires fraud decision infrastructure that matches the speed and always-on nature of the payments themselves. Several principles are emerging from banks that are getting this right:

Pre-authorisation decisioning. The fraud decision must happen before the payment is authorised, not after. This means the decision engine needs to evaluate risk in single-digit milliseconds — fast enough that the customer never notices the check. Every millisecond of latency in the fraud engine directly impacts payment confirmation times.

Behavioural context, not just rules. Static rules ("flag transfers over $5,000") are easily gamed by splitting transactions. Effective real-time fraud detection requires understanding the customer's normal behaviour — typical transfer amounts, usual recipients, time-of-day patterns, device fingerprints — and flagging deviations from that baseline. This is especially important for catching APP fraud, where the transaction itself looks normal but the context is anomalous.
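
To make the contrast concrete, here is an added example (not Run-True Decision's engine or code from this article) that runs the static $5,000 rule beside a per-customer baseline check over four constructed transfers. The `Profile` fields, the 10-minute window, the 5x-median amount test and the three-deviation threshold are all assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from statistics import median

STATIC_LIMIT = 5000.0  # the static rule quoted above: flag transfers over $5,000
WINDOW_S = 600         # assumed rolling window (10 min) for cumulative outflow

@dataclass
class Profile:
    """Per-customer baseline; field names are hypothetical."""
    usual_amounts: list
    known_payees: set
    active_hours: range
    known_devices: set
    recent: deque = field(default_factory=deque)  # (ts, amount) of attempts

def behaviour_reasons(p, ts, hour, amount, payee, device):
    """List every way this transfer deviates from the customer's baseline."""
    while p.recent and ts - p.recent[0][0] > WINDOW_S:
        p.recent.popleft()  # drop attempts that fell out of the window
    window_total = amount + sum(a for _, a in p.recent)
    p.recent.append((ts, amount))
    checks = {
        "new_payee": payee not in p.known_payees,
        "unusual_hour": hour not in p.active_hours,
        "new_device": device not in p.known_devices,
        "amount_vs_baseline": amount > 5 * median(p.usual_amounts),
        "split_over_limit": window_total > STATIC_LIMIT,
    }
    return [name for name, hit in checks.items() if hit]

def evaluate(p, txns, threshold=3):
    """Per transfer: (static rule fired, behavioural flag, reasons)."""
    out = []
    for txn in txns:
        reasons = behaviour_reasons(p, *txn)
        out.append((txn[2] > STATIC_LIMIT, len(reasons) >= threshold, reasons))
    return out

def sample_profile():  # constructed customer, not real data
    return Profile([40, 60, 80, 120, 55], {"landlord", "sibling"},
                   range(7, 23), {"phone-A"})

# Constructed transfers: (ts_seconds, hour, amount, payee, device)
SAMPLE_TXNS = [(0, 12, 60.0, "sibling", "phone-A")] + [
    (10000 + 60 * i, 3, 1900.0, f"acct-{i}", "phone-B") for i in range(3)
]
```

Calling `evaluate(sample_profile(), SAMPLE_TXNS)` shows the static rule staying silent on all four transfers, while the baseline check flags each of the three $1,900 transfers and adds `split_over_limit` once their combined total passes the limit.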

Regional intelligence sharing. Cross-border fraud requires cross-border intelligence. Banks that participate in shared fraud signal networks — even anonymised ones — can detect mule accounts and fraud patterns that would be invisible from a single institution's perspective. Several industry initiatives are emerging across ASEAN to facilitate this data sharing while respecting data sovereignty requirements.

On-premise deployment for payment-grade SLAs. When milliseconds matter, network latency to a cloud-hosted fraud engine in another region can be the difference between a real-time decision and a timeout. Banks with strict payment SLAs are increasingly looking at on-premise or in-country deployment models for their fraud decision infrastructure — keeping the decision engine as close to the payment switch as possible, with data that never leaves their own infrastructure.

The real-time payment revolution in Southeast Asia is irreversible — and the fraud landscape will continue to evolve alongside it. Banks that invest in fraud decision capabilities matching the speed, availability, and regional complexity of modern payment rails will be best positioned to protect their customers without sacrificing the experience that makes instant payments transformative.

Run-True Decision is building a fraud decision engine purpose-built for Southeast Asian banks — designed for millisecond-level response times and on-premise deployment. Talk to us to learn more.