Payments industry seeks to keep pace with fraudsters
Note from the editor
Payments fraud has mounted in recent years to the tune of tens of billions of dollars in losses worldwide.
While that increase has mainly been super-charged by e-commerce, it’s also happening in new ways offline, such as with gift cards. It’s not just consumers who are targeted; companies are an even bigger bullseye.
As a result, legacy businesses and startups alike are updating existing tools and sourcing new ones in an attempt to outwit fraudsters. It’s not easy or cheap, given the digital innovation and outsourcing that is sometimes required.
With year-end spending now in full swing, as companies exhaust their budgets and consumers prepare for the holidays, there will be new opportunities to thwart fraud or learn lessons the hard way.
Better spelling on fake merchant sites and more advanced card skimmers are among the latest schemes that will be deployed by fraudsters during the year-end holiday shopping season.
By: Lynne Marek • Published Nov. 17, 2023
In a consumer warning ahead of the year-end holiday shopping season, card giant Visa told consumers in a Thursday press release to beware of new schemes that seek to lure them into scams.
Online, the techniques will include phishing emails without the telltale spelling errors that gave them away in the past, and in the physical world they will include ATM and checkout card readers corrupted by deeper-inset skimming devices, Visa said in the release.
Last year, such frauds increased 11% during the year-end holiday season, between November and January, compared to the non-holiday period and rose 8% over the period in 2021, according to Visa, the biggest U.S. card network company.
Payments fraud has surged in recent years, partly because of increased e-commerce activity online triggered by the COVID-19 pandemic.
The amount of money American consumers reported losing to fraud last year jumped 30% to $8.8 billion compared to 2021, the Federal Trade Commission said in February, and much of that fraud flowed through some part of the payment system. Frauds perpetrated in the context of “shopping” were among the top five most prevalent types of fraud, the agency said.
While Visa predicted that some fraud would still happen in old-fashioned ways, like criminals stealing cards and smartphones, the card network focused on digital crimes in detailing what consumers should be on guard against during this shopping season.
The digital form of skimmers placed on online checkout pages has also become more sophisticated, with hackers seeking to steal card account numbers, CVV security verification codes, expiration dates and personal data from authentic merchant web pages, Visa said. In addition, criminals are increasingly setting up fake merchant websites that more authentically mimic real shopping pages, without the spelling and grammar errors that made them easy to spot in the past.
Criminals are also using artificial intelligence to their benefit, rigging their fake sites with better search engine optimization so they appear higher in online search results.
Merchants will also be targeted online, with ‘bots’ created by cybercriminals who buy up items in bulk and resell them at higher prices or use their AI searches to find mismarked items that can be purchased and resold.
“Crooks prepare all year for the holiday shopping season, taking advantage of increased activity and consumers who let their guard down searching for the perfect gift,” said Visa Chief Risk Officer Paul Fabara.
Some of Visa’s tips for guarding against the scams are well-known: Don’t click on emails from strangers and be sure to keep software updated. Other techniques include looking for the ‘s’ in the ‘https’ portion of online web addresses, representing that the site is ‘secure;’ using tokenization to make purchases; and checking shipping details closely for shipments being routed to an incorrect address.
Debit plagued by security concerns: survey
By: Caitlin Mullen • Published July 5, 2023
Only 4 in 10 consumers feel confident in the security and safety of their debit card, according to survey findings released last week by consulting firm J.D. Power.
“Security concerns” was the top reason identified by consumers for not using debit at the point of sale, J.D. Power reported in a June 29 web post. Almost 1 in 3 non-debit users expressed this concern.
More than one-third of U.S. bank customers have dealt with financial fraud in the past year, J.D. Power reported in May. Hardest hit were bank customers under 40, who are the “most prolific” debit card users, the firm noted.
The findings shine a light on consumer security concerns related to debit use at the point of sale, because that payment method is linked directly to consumers’ liquid assets.
Fraud has become a growing problem for banks and payments companies. The rise of real-time payment options such as the Federal Reserve’s forthcoming instant payments system, FedNow, could result in more fraud headaches, given its speed and irrevocable aspect.
“As the potential for fraud grows due to digitization and economic conditions, it will influence customers’ payment choices at the point of sale,” the June 29 J.D. Power post said.
Although the launch of FedNow could provide a springboard for the pay-by-bank payment option at the point of sale, that could depend on consumer confidence in the security of debit payments in the near term, J.D. Power said.
Fewer than one-third of bank customers currently get alerts about suspicious activity on their accounts, but 64% said they want banks to flag such activity, J.D. Power reported.
Findings are based on responses to an April J.D. Power poll of 4,000 retail bank customers, and from a retail banking study conducted by the firm last year that collected 77,696 consumer responses, a spokesperson for J.D. Power said.
Of that group, more than a quarter (26.9%) have fallen victim to authorized push payment scams, which involve scammers tricking users into making payments to a destination account the scammer controls, ACI said in a news release issued Thursday. ACI called that type of payments fraud the top fraud threat globally.
Financial crime and fraud are projected to cost banks and financial institutions around the world $40.62 billion by 2027, ACI said. With the rollout of FedNow in the U.S., real-time payment volume is expected to grow 32.6% by 2027, ACI said, referencing the March report.
Though push payment scams are defrauding consumers abroad, ACI argues that the U.S. doesn’t have to suffer the same fate. U.K. consumers lost £1.2 billion to fraud scams last year, more than a third of which were push payment scam losses, ACI said. In the U.S., the July launch of FedNow, the Federal Reserve’s real-time payments system, presents the chance for the financial sector to anticipate risk and update its management technology, ACI said.
Push payment scams “are on the rise as fraudsters exploit human vulnerabilities and weaknesses in bank controls to manipulate mule accounts to receive funds from fraudulent activities and facilitate further illicit transactions,” Cleber Martins, ACI’s head of payments intelligence and risk solutions, said in a Thursday news release.
“Banks need to safeguard their customers and revenue by shifting their focus from relying on traditional measures designed to prevent check or card fraud,” Martins said in the statement. “They need to arm themselves with the right fraud strategies to capitalize on the security of the real-time payment rails and reap the benefits of real-time payments without fraud management becoming a cost-center.”
Fraud has become an increasingly large problem for payments players, and the onset of real-time payments has raised concerns about real-time fraud. Payments fraud came up at Nacha’s Smarter Faster Payments conference in April, during which Consolidated Edison Director Frank D’Amadeo urged banks to do more to combat fraud.
Payments fraud climbs as banks reach for joint response
Financial institutions and payments players are seeking to coalesce around new efforts to battle skyrocketing payments fraud.
By: Lynne Marek • Published May 25, 2023
Attendees at Nacha’s Smarter Faster Payments conference last month were coasting through a late morning panel discussion on fraud just before lunch when one panelist’s comments stirred up the ballroom.
Consolidated Edison Director Frank D’Amadeo, who leads treasury operations at that utility, was asked by a moderator about “pain points” faced by companies amid rising payments fraud. With his response, D’Amadeo took on the banking and payments professionals packed in the room.
“There is a need in our country for fraud to be stopped before it even gets to us, and there’s a lot of data out there where, if the banking community shared information, they could prevent a good amount of fraud before it even occurred,” D’Amadeo said. “The banks need to do a lot more,” he said during an earlier panel, making the message clear for those attending the annual conference in Las Vegas.
His remarks sparked a mini-debate in the ballroom over whether banks are doing enough, jointly, to thwart criminals who shift from one bank to another, undeterred, in search of new victims.
JPMorgan Chase, the biggest bank in the U.S., didn’t respond to a request for an interview on the topic, but the moderator for one of D’Amadeo’s panels, JPMorgan Executive Director Steven Bernstein, opened with this: “Fraud is prevalent.”
Fraud has become a big problem for payments players, which include banks, processors, card networks and a host of intermediaries and fintechs. Now, the rise of faster digital payments, including the impending launch of the FedNow real-time system, and artificial intelligence innovations threaten to exacerbate the trouble.
Here’s how Thomas French, a senior fraud consultant at software company SAS Institute, described the current environment: “That's just a basket full of awful there, between scams, scams, scams and more scams. When you combine scams with faster payments, you get faster fraud.”
While there has always been fraud, it has worsened in the past year to 18 months, said French, who spent 27 years working for banks, including Bank of America and the former Wachovia and First Union. “It's the industrialization of fraud, where you’ve got different criminal rings doing different things,” he said in an interview this month. “I’ve never seen it so sophisticated, so fast, and so full of crooks in my 30-plus years.”
Bank customers have suffered alongside their financial institutions. The amount of money American consumers reported losing to fraud last year jumped 30% to $8.8 billion compared to 2021, the Federal Trade Commission said in February, and much of that fraud flowed through some part of the payment system. Those frauds took place in business, shopping, investment and online dating settings, among others.
Fraud in payments is rising with a surge at banks
Dollar losses from fraud by payment category, annually, from 2019 to 2022
The FTC was able to identify a payment method for 17% of consumer fraud reports last year. Of those methods documented, the biggest losses were in bank transfers and payments, with those losses more than doubling to nearly $1.6 billion last year, compared to $762 million in 2021. That payment channel constituted the single biggest area of fraud losses for the past three consecutive years, the FTC data showed.
While the most dollars were lost through bank payments last year, the highest number of fraud reports were regarding credit cards, according to the FTC.
Businesses looped into losses
With such large losses, it’s not just consumers being targeted for the frauds. It’s also companies of all sizes, including D’Amadeo’s power company servicing the New York City area. With respect to incoming customer payments, the utility receives 500 to 600 fraudulent receipts daily from valid debit accounts, but they are accounts for which a fraudster likely bought information on the dark web. In some cases, they even brazenly use Con Edison account numbers. That fraud is minimal, relative to the utility’s three million customers, he said.
But D’Amadeo worries more about outgoing payments. The company is “constantly” targeted by email scams in which con artists, purporting to be Con Edison executives or vendors, seek payments, putting hundreds of millions of dollars at risk. For instance, a firm to which Con Edison owes money may have been hacked, and the hacker sends the utility an invoice with accurate information, but an altered bank account directing money to the fraudster.
“The biggest concern we have is on the disbursement side where we’re being compromised and duped into changing payment instructions to a counterparty and, look, if you don’t catch it within the first 24 hours, you’re not getting that money back,” he said.
Smaller companies are targets too. Jefferson Grace, a Las Vegas detective who also spoke at the conference, described how one local business owner that had been in business for 30 years went belly up after he misdirected $1.1 million in payments to a crook impersonating a vendor. He explained how fraudsters take over or mimic email addresses and glean executive names from social media sites, like LinkedIn, to send persuasive emails.
Email schemes that trick corporate executives into sending payments to swindlers have become a major stumbling block. “We’ve put so much trust into email that was never designed to be there,” Grace said. Multiple speakers at the conference stressed the importance of executives following explicit payment processing instructions to avoid fraud.
A big part of the problem is valid accounts being tapped by bad actors. In that “synthetic identity fraud” trend, some pieces of authentic information are used to create the appearance of normalcy.
“Synthetic identity is a concerning and growing threat factor,” Visa’s head of U.S. risk, Dustin White, said at another April industry conference, the ETA's Transact conference in Atlanta. “It's fairly sophisticated, and it's very devastating because it's not a $500, $1,000, $2,000 fraud run that a financial institution has to deal with. These are like $80,000, $100,000, $150,000 bust-out schemes, per instance,” he said.
The Boston Federal Reserve Bank estimated that synthetic identities cost the U.S. $20 billion in 2021, White noted. “It's a very prevalent and growing threat vector,” he said.
The conundrum for payments and banking industry professionals alike is fixing the fraud without introducing too much “friction.” With the industry having made significant headway in making digital payments easy for consumers to use, banks and companies are reluctant to unwind features that have fostered more commerce, especially online.
Nacha pivots to fight fraud
Nonetheless, a consensus is emerging that something has to be done, and industry organizations capable of bringing the banks and payments communities together are mulling new approaches. One Citigroup executive at the Nacha conference caught up in the debate said: “It’s coming.”
A key player in any new effort would be Nacha, formerly known as the National Automated Clearing House Association. Indeed, it’s discreetly pressing for changes within its own community, including among its big bank operators, so that financial institutions take more responsibility to counter fraud.
Earlier this month, Nacha posted for public comment the outline of a new “risk management framework” it has under development in what it called a new era of fraud, where funds are mistakenly “pushed” by users into accounts where they shouldn’t be. The updated approach would address increasing fraud threats and attacks on ACH credits, wires, cards and other instant and digital payments, Nacha said.
“As a new risk management strategy, the Framework is intended to bring the ACH Network and the broader payments community together to address an emerging and important area of need, and to provide an overarching direction for new initiatives, guidance, rules and industry tools,” the May 2 Nacha executive summary said.
The aim of the new framework is to increase awareness of the illicit push schemes; reduce the success of those attempts at fraud; and improve the chances of recovering funds after the scams have occurred, Nacha said. A Nacha spokesperson, Dan Roth, didn’t respond to repeated requests for comment on the new framework.
Obstacles to cooperation
Part of the challenge in addressing the problem has been banks’ reluctance to share customer data with each other that might otherwise be helpful in fighting fraud, said Mark Dixon, who is vice president of education at the New England Automated Clearing House Association in Burlington, Massachusetts.
Banks have long been sensitive to sharing information in any way that might undercut their proprietary interests, but that attitude might be changing now, at least slightly.
“The industry is looking at how can we be more proactive with our communication,” Dixon said, pointing to Nacha’s new framework concept and a Nacha contact registry designed to help institutions talk to one another. “A challenge is going to be making sure all the institutions get on board with that.”
Increasing the difficulty is the fact that there are nearly ten thousand U.S. banks, creating a daunting task in allowing them to communicate with each other.
As part of the effort, Nacha developed the contact registry in 2020 and had taken on the arduous task of asking bank personnel to sign in. So far, the registry has 45,000 contacts.
Nacha’s operating rules require financial institutions to provide the contacts so professionals from other institutions can reach them if need be, and all of them are supposed to be willing to share information as a part of the reciprocity of receiving it.
“The intent of the registry is to provide consistent and accurate information for a financial institution that may need to reach another financial institution regarding fraud scenarios like business email compromise and vendor impersonation,” Jeanette Fox, Nacha’s senior director for risk investigation and ACH network risk management, said in an emailed statement.
Early Warning Services, the bank-owned operator of the payment tool Zelle, also operates a national shared database to which the largest U.S. banks contribute account information, but professionals note it has a significant gap in coverage because smaller banks have more than a quarter of accounts.
Banks launch another initiative
Other banking organizations also are brainstorming new ways of combating fraud. The American Bankers Association is working on a new anti-fraud prevention project with Early Warning Services, according to one well-placed industry source who asked not to be identified.
That effort is starting out with just a handful of banks participating and is about to kick off a pilot phase, the source said, declining to provide further details.
Sarah Grano, an ABA spokesperson, declined to comment, as did Meghan Fintland, a spokesperson for Early Warning Services.
Professionals from those organizations meet regularly to discuss fraud and risks, but French still has concerns that banks aren’t capturing and sharing as much information as they might. He notes that bankers are steeped in policies that keep them from sharing information with third parties. Also, some professionals say they lean away from broadcasting new techniques for fear of tipping off fraudsters. “There is some sharing, but I think there’s a need and a desire for more sharing of different information,” said French, whose firm sells fraud analytics software.
Still, plenty of companies have been stepping up public campaigns to sell new fighting-fraud tools in recent months, including SAS Institute, card network company Mastercard, credit bureau Experian and a parade of fintechs introducing new services and products.
Europeans explore a new approach
Across the Atlantic in Europe, there has been more movement in terms of a collective industry response. A new concept of “authorized push payments” has taken root, with a sense of shared liability among banks for wayward payments, said Donna Turner, a former chief operations officer at Early Warning Services who is now a consultant for the auditing firm Ernst & Young.
European financial institutions on the sending side are now taking as much responsibility for fraud as those on the receiving end, Turner said. Increased data sharing among banks in Europe has unfurled with the open banking trend following a 2016 adoption of the European Union’s Second Payment Services Directive, known as PSD2.
Bank and payment actors on either side of a transaction have increased incentives to change their behavior to fight fraud, Turner said in an interview this month. “It’s about protecting the ecosystem,” she added.
Participants in the U.S. payments ecosystem may be starting to embrace the same approach as they seek to build stronger industry defenses against fraud.
Caitlin Mullen contributed to this story.
Google, Amex roll out anti-fraud tool
By: Lynne Marek • Published Feb. 7, 2023
In an expansion of its ties to Google, card company American Express added a new security feature this week for users of Amex’s virtual cards in the U.S., according to a blog post Tuesday by the tech giant. The new arrangement was initially announced last year as part of a broader Google campaign.
Mountain View, California-based Google launched the effort last year with card issuer Capital One to offer the auto-fill security component to that card issuer’s virtual cards. It kicks in when card customers use Google’s Chrome browser to make a purchase or tap their virtual cards via Google’s Chrome and Android apps.
The Google feature is also expected to surface later this year for users of virtual cards on the biggest U.S. card network systems, Visa and Mastercard, said a Google spokesperson. Those card networks were part of the announcement that Google made last year.
The Amex feature was disclosed today by Google in the blog post explaining how the virtual card upgrade works. Google is slowly adding the feature across the card universe. Most corporate, commercial and consumer Amex cards used in the U.S. will offer the feature as of this week, the Google spokesperson said.
“Our virtual cards are available to anyone with an eligible Capital One or American Express credit card,” Google said in the blog post. “We’re also working on adding Visa and Mastercard, as well as other major banks.”
The tech company doesn’t receive revenue from the new arrangements, which are aimed at beating back online fraud, said Peeyush Ranjan, who leads Google Pay. The benefit to Google is in making it easier and safer to conduct commerce online using Google tools, he explained in an interview last month.
Google’s “virtual card number” works like this: When card users auto-fill their payment details at checkout using virtual cards via Chrome and Android apps, Google adds another “layer of security” by replacing the actual card number with a unique virtual number. The action eliminates manual entry of the CVV code at checkout and provides an encrypted connection unique to individual merchants.
With the Google service, the tech giant also plays a role in user management of the virtual card details via its web site, offering a portal where the users can access virtual card numbers, review which cards are enabled for the feature and see recent card transactions.
This Google checkout service will help further secure payments online and “create a convenient online shopping experience,” Amex's head of product and digital labs, Lisa Yokoyama, said in an emailed statement. “With more consumers shopping online than ever before, we’re proud to innovate new digital experiences that meet our Card Members both where they are and where they’re going.”
Clarification: The story has been updated to include that the Google feature can be accessed by means other than apps and to note it’s now available on most Amex cards.