Emerging Vectors for Payments Fraud

By Karen Epper Hoffman

An old adage goes: If you add more locks to your door, thieves will try to come in through the windows. With fraud deterrents like EMV chips reducing losses on payment cards—merchants who completed EMV upgrades saw card-present payment fraud drop by 76 percent over three years, according to figures released last year by Visa—cyber-criminals have moved their game from the point of sale to other vectors.

“Today, the real trend for both fraudsters and bank fraud managers is the use of technology to be more effective and efficient,” says Canh Tran, co-founder and CEO of Rippleshot. “Digital transformation, data aggregation, machine learning, predictive algorithms, and cloud computing to be more effective—and unfortunately the fraudsters are more advanced.” In other words, as banks become more technologically sophisticated, so too do their attackers.

Here are five payments fraud risks for banks to pay attention to in 2020:

1. Business email compromise

An executive or financial department employee receives an email saying that she should make a significant transfer of funds to an external account. The email may include convincing details and persuasive language, but this is probably a fraud—an illegitimate message crafted from stolen data and intuited information about a person or their place of business.

“Account takeovers and business email compromises are also growing in popularity, because scammers have the technological resources and mechanisms nowadays to be convincing in their impersonation of a business or an individual,” says Brandon Kelly, EVP for fraud prevention at FirstBank in Lakewood, Colorado. “And while there is no limitation of their related exploits, most share a common feature: they are modern day confidence scams. They target users to gather personal information and can leverage real-time payment networks to move money quickly. Business email compromise also succeeds from misplaced trust, in this case on a channel that was designed for convenience rather than security.”

Paul Wilson, director of anti-fraud products for AppGate, agrees that business email compromise works “because it’s fairly easy. . . . It’s targeted emails sent to accounting departments or CEOs asking for swift payments to be made to new accounts, which may sound easy to avoid. But when people are busy trying to do their jobs, this can slip through the net. This is by far the most popular attack vector.”

Moreover, with access to tools sold on the dark web, would-be cyber-criminals are empowered to conduct such sophisticated business email attacks. Hence, an increasing number of less-gifted hackers are able to ply their trade with the help of the dark web.

Johan Gerber, EVP for cyber and security products at Mastercard, says BEC fraud and related crimes (such as using unsuspecting “mules” and their accounts or creating fake bank accounts to launder these ill-gotten gains) are becoming a “massive problem.”

Perhaps the best way to combat this growing fraud type is the simplest: confirm the validity of the payment or transfer order with a phone call or an in-person check-in, according to Wilson. While tools are available such as those based on DMARC standards, “they are not always deployed, and the receivers of such emails are not checking the details enough because they simply don’t have time or the tools to prove validity,” he adds.

2. E-commerce/card-not-present fraud

With online and mobile shopping continuing to rapidly rise and the security measures of EMV chip making physical POS fraud more difficult, it’s hardly surprising that eager fraudsters are moving their game to the digital realm of card-not-present payments. “Card-not-present fraud remains the preferred method of fraud,” Kelly says, adding that many e-commerce sites are designed for convenience rather than security. While services like the card brands’ 3-D Secure could provide an additional security layer for digital transactions, “it hasn’t been embraced by online merchants yet, out of concern for the customer experience,” Kelly adds.

Additionally, as the liability for fraudulent transactions has continued to shift in recent years from bank card issuers to merchants (from 40 percent merchant liability in 2015 to 60 percent now), the retail community has quickly become very reactive to such scams, according to David Mattei, senior analyst for the fraud and anti-money laundering practice at the Aite Group. “This has caught the merchants off-guard,” Mattei says. “They’re seeing a higher number of disputes and more customers inconvenienced.”

Cyber-criminals are also increasingly stealing information harvested from online merchants (including stored payment data) and selling it on the dark web, according to Gerber. “This problem is on the rise and not going away any time soon,” he adds.

Indeed, CNP fraud is now 81 percent more likely than point-of-sale fraud, according to Javelin Strategy & Research. Tran agrees: “Traditional card fraud is quickly shifting to new, digital channels.” While card-present and counterfeit fraud is down, bank losses from CNP fraud continue to rise.

3. Authorized push payment fraud

Akin to BEC fraud, authorized push payment, or APP, fraud happens when a consumer or business is coaxed or coerced into sanctioning a regular or on-going payment to a fraudulent recipient. As banks and payees have continued to encourage payers to set such payment authorizations in motion—for the sake of convenience—fraudsters see this as a ripe opportunity. “There’s such a focus on being who you say you are,” Gerber says, adding that APP fraud is a rising concern.

The rise of real-time payments has made APP fraud more attractive to criminals. In the United Kingdom alone, where real-time payments have longer been established, APP fraud jumped 44 percent in 2018. Even after the U.K. Financial Conduct Authority implemented a rule in January 2019 allowing victims of APP fraud to complain to the receiving payment service provider, such fraud still grew. In the first half of last 2019, APP fraud schemes stole more than £207 million from victims conned into authorizing payments, up 40 percent from the first half of 2018.

4. Synthetic ID account creation

While the creation of “synthetic” identities—where criminals cobble together a realistic fraudulent account or identity using a combination of legitimate and fake information—do not qualify as a separate type of payments fraud, the increase of synthetic IDs has aided the growth of payments fraud. Indeed, according to a study from LexisNexis Risk Solutions, 86 percent of fraud losses experienced by mid-to-large online retailers involved the use of synthetic ID accounts.

“New account fraud and synthetic ID fraud are continuing to gain attention as the volume of exposed personal identifiable information rises,” Tran says. “Fraudsters are being driven down the value chains to go after small and midsize banks.”

Paul Tomasofsky, partner with McGovern Smith Advisers, agrees that synthetic ID fraud “is growing both in volume and concern. This fraud vector is a tough one for financial institutions to mitigate. The FIs are focusing on better initial account opening underwriting processes to keep the door close to these bad actors in the first place. But with so much compromised PII in the bad actor databases, this is hard.”

In addition, Tomasofsky says that social media information provides another treasure trove of data for bad actors to exploit. Hence, banks and their third-party suppliers need to constantly work through card purchase data and fine-tune their fraud detection neural engines to proactively spot breakout fraud transactions and limit the damage as quickly as possible. While most third-party risk solutions incorporate data management capabilities, they still must be customized by banks to effectively work in their environments.

5. SMS spoofing

As more shoppers make purchases via mobile and rely on messaging to make and confirm payments, the incidence of SMS spoofing has risen. In an SMS spoof, cyber-criminals typically impersonate a trusted third party; victims receive messages that seem to be from their bank and follow payment instructions. Such fraud, through SMS messages or even within a mobile application, “is on the rise, as everyone is jumping into the mobile scene,” according to Mattei. Case in point: Mattei knows at least one national grocery chain that “rushed to market . . . with no fraud controls in place” and opened itself to fraudsters creating false loyalty accounts and transactions.

Based in Washington state, Karen Epper Hoffman covers cybersecurity and bank innovation. Her reporting has appeared in American Banker, CSO magazine, CoinDesk, and other outlets.