Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 20, 2023
The Ransomware Battleground in 2022
The Retail Payments Risk Forum team has been writing a lot about ransomware in Take on Payments since 2018, when criminals shifted their targets from consumers with small ransom payouts to large government entities, educational institutions, and healthcare industries with their deeper pockets. Some of the initial victims in the United States were the cities of Atlanta and Baltimore and Florida's Monroe County School District. As with consumer attacks, criminals get to the bigger targets primarily by using phishing or smishing messages to obtain account credentials. They then exploit known software security gaps and make brute force attacks.
The number of ransomware attacks has ebbed and flowed over these last five years. The FBI's Internet Crime Complaint Center (IC3) receives voluntary reports on ransomware attacks and, according to the most recent data, in 2021 there were 3,729 reported attacks with net losses of approximately $50 million. This was an increase of 51 percent from the previous year. Our June 2022 post highlighted findings of IC3's annual report and some of the tactical shifts made by the criminal organizations to further their success rate.
While the IC3 report for 2022 has not been released, reports from some private cybersecurity firms (for example, here and here) give perspective on the current ransomware environment. The findings in these reports reveal a dynamic battleground:
- The number of attacks in 2021 declined but the focus on large companies and educational institutions continues. Some experts attribute the decline to the disruption of criminal organizations in Eastern Europe by the Russian invasion of Ukraine.
- While initial ransomware attacks were limited to file encryption, criminals now also deploy data extraction. They threaten to sell or publish that data to coerce an increased ransom payment.
- Ransom payments increased 144 percent in 2021 over 2020. The average reported ransomware payment in 2022 was $4.7 million. These attacks reflect a more diverse target base including smaller businesses, health care providers, and municipal governmental agencies.
- Ransomware-as-a-service offerings have increased, making it easier for less sophisticated criminals to perpetrate these attacks.
From my perspective, the ransomware battle between the criminals and their targets continues unabated. Despite increased security and education efforts, ransomware is still identified by the FBI as the major cyber threat against business. Law enforcement has had some victories with high-profile arrests but still struggles to keep up with the pace of ransomware activity.
Defenders against ransomware crime must remain agile. What new tactics and weapons can businesses and law enforcement deploy? Let us know what you think.
March 13, 2023
Instant Payments and the Challenges of Inclusive Product Design
True confessions: I recently played around with a popular weight-loss app, but I didn't bear up so well under feedback that I'll call—for lack of a better term—negative reinforcement.
Problem: Too many of my foods are in the red zone. Whole milk! Olive oil! A teeny tiny piece of chocolate! Since apparently my eating habits were such a mess, I figured there was no hope. Less than a week in, that app was history.
My experience reminds me of recent work on product design and payments inclusion. Could it be that my whole milk and chocolate are the equivalent in payments of anonymity and low cost? I want both my preferred foods and help to eat healthily. Many consumers, including unbanked consumers, also want two things: the features of cash (anonymity and low cost among them) and help to pay and budget using 21st-century tools.
Data from the Federal Deposit Insurance Corporation and the Survey and Diary of Consumer Payment Choice (SDCPC) show that we are not there yet. Each data source finds low rates of adoption of P2P apps, among unbanked households for the FDIC and among unbanked individuals for SDCPC.
This finding is eerily familiar. In 10 years of investigating consumer payments, I've seen a lot of ideas for bringing everyone in the United States into the 21st-century payment system. Especially for US adults without bank accounts, various solutions with seemingly great potential come along and then are just okay. Mobile. Apps. Basic banking. Consumer education. No strikeouts, no home runs.
I'm sure you can think of lots of reasons for these just-okay results: cost (or perceived cost), inconvenient access without a bank account, lack of trust, low adoption rates of smartphones for some groups. But what about product design? One expert, speaking on a 2021 San Francisco Fed podcast episode, said that low-income people have been treated as "secondary users to products that were designed for other people in mind."
Today, with Real-Time Payments and the FedNow Service, we're on the cusp of a new opportunity to make payments accessible for all. The US Faster Payments Council is advising that products be designed not only to meet the needs of early adopters and existing customers but also to meet the financial lives of the underserved. In other words, treat underserved people as primary users with particular preferences and needs, just as you would treat early adopters and current account holders. For the underserved, faster payments providers should "design for people with tight budgets," include features to ease administrative tasks, and provide mobile-first access, among other recommendations.
Most importantly, providers should include the users in the design process. As a payments innovator said to me last year, "When it comes to product design, you can't assume you know what someone wants without doing the work." As I learned from the experts at Commonwealth, which offers a toolkit for inclusive product design: design with people, not for people.
What's your organization doing to make instant payments work for everyone? I'm looking for case studies on this topic. Please be in touch if I can learn from you.
March 6, 2023
Is Your Tax Refund at Risk of Theft?
With the start of a new year, I create a folder labeled "tax documents." This is where I place the W-2s, 1099s, receipts, and other tax-related documents in advance of prepping our tax return, which we begin in earnest on February 1. Fingers crossed that by planning ahead and keeping careful records we avoid mistakes in our filing (and that we underpaid just a little bit).
Now, when I talk about tax return fraud, I'm not talking about mistakes or intentional misstatements, income omissions, or incorrect deductions. I am referring to what is classified as stolen identity refund fraud (SIRF). In this type of fraud, the criminal obtains your name and social security number and then proceeds to file a tax return as early as possible, claiming a refund. You, the victim, don't generally find out this has happened until, in the course of your own filing, you receive a message from the Internal Revenue Service (IRS) that a tax return has already been filed for your social security number. The criminal often arranges to have the refunds sent via the ACH network to money-mule accounts or loaded onto prepaid debit cards. Sometimes the criminal requests that a check be mailed to an address where they can steal the check out of the mail.
The operators of the ACH network have been active in combating tax return fraud, and the IRS and the Department of Justice have made the investigation and prosecution of SIRF a high priority. In 2017, the IRS spearheaded the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (the IDTTRF-ISAC, or just ISAC), a collaborative effort of the IRS, state agencies, and the private-sector tax industry. At the heart of the ISAC operation is a platform that collects SIRF data, performs aggregated analysis, and then distributes anonymized reports to the participants.
The IRS continues to support major education efforts to help filers minimize the threat of identity theft more broadly. The IRS's Guide to Identity Theft is available in eight languages on the IRS website. An important tool for consumers to have is the IRS Identity Protection Personal Identification Number (IP PIN). The IP PIN is a six-digit number the IRS provides to the taxpayer to include with an electronic return. Originally available only to filers who had previously experienced tax return fraud, the IP PIN has been available to all consumers since January 2021. You can find instructions on the IRS's website on obtaining one online or through an application. If you don't already have an IP PIN, I strongly encourage you to get one as soon as possible.
Best wishes as you gather all your tax documentation, and may you avoid the tax refund criminals.
February 27, 2023
Are Digital Payments Failing the Unbanked?
Data from the 2021 Survey and Diary of Consumer Payment Choice (SDCPC) give some hints into how US adults without bank accounts manage their financial lives, particularly when it comes to methods of digital access outside of a bank account.
Most US adults these days receive income through digital means. For example, the US Treasury reported in 2021 that they used direct deposit to distribute more than 85 percent of the third round of economic impact payments. People with bank accounts can receive income directly into their account. People without bank accounts are more likely to use prepaid cards for this purpose. However, they tend to own different types of prepaid cards when compared to people with bank accounts. People without bank accounts are more likely to have payroll cards and government benefit cards that facilitate the receipt of income.
For people with bank accounts, apps facilitate digital pay. Adults without bank accounts are far less likely to be using a payment app compared to other adults: half as likely to have any sort of payment app, about a third as likely to have PayPal, and highly unlikely to have Venmo. People without a deposit account have no access to Zelle, the payment app exclusively accessed through a bank account. This slow uptake of payment apps is notable because many commenters have been expecting fintech to create new, cost-effective, and convenient avenues of access for people without access to traditional bank accounts.
Despite their use of prepaid cards, people without bank accounts make most of their payments in cash. Even in 2021, people without bank accounts were three times as likely as other consumers to have used a paper money order in the past 12 months. And using a paper payment instrument inhibits access to the digital economy.
In the 14 years since the Federal Deposit Insurance Corporation’s first National Survey of Unbanked and Underbanked Households, the central story in payments has been about the transition from paper to electronic ways to pay. As the SDCPC data show, unbanked consumers are not enjoying the full benefits of innovations in digital payments. The Cleveland Fed recently posted a review of the literature into the causes and consequences of not having a bank account, which you can read on its website.
As payment innovation continues to flow, how can the payment process become more inclusive? We would appreciate your thoughts and comments.