Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
April 18, 2022
Smishing: Phishing with a Different Bait
The Retail Payments Risk Forum team is always on the lookout for changes in attack patterns by the criminal element regarding payments. Our sources of research include industry news, networking with payments stakeholders, third-party reports, and our internal security warnings. One other source we have is our own personal experience, though we have to remind ourselves of our colleague Claire Greene's warning that each of us is a sample of one. What we experience may not be, and probably isn't, what the average person might encounter.
I was recently reminded of this warning with regard to my own experience with smishing attacks. Unlike phishing, which uses email, smishing uses SMS text messages to entice you to click on a malicious link that either loads malware on your phone or, more likely, directs you to a fake website to capture your login information. (Simply opening the text message poses little risk.) Over the last several weeks, I have been getting one to two text messages a day on my phone asking me to click on a link to respond—usually to a customer satisfaction survey allegedly from a major retailer, with the offer of a gift card as a reward for responding. One message informed me that a product I had ordered (and already received) from an online retailer couldn't be shipped until I clicked on the link to pay an international tax of $2.83. I am confident that all these messages were "smishing" attempts.
Although a part of me was tempted to assume my experience was indicative of a very recent trend, I decided to research whether I was indeed average in experiencing an increased number of these attacks. It appears Claire was right—although my research showed that smishing attacks have substantially increased, seems I am fortunate to have only recently become a target. A cybersecurity firm that claims to handle 80 percent of mobile messages in North America has reported that the number of smishing attacks during the third quarter of 2020 had increased 328 percent over the previous quarter. The FBI's Internet Crime Complaint Center (IC3) doesn't separate smishing from phishing, vishing (phone calls), or pharming (redirection to a fake website) incidents, but the IC3's Internet Crime Report 2021 shows that these complaints increased 34 percent from 2020 to 2021.
The warning signs for a smishing message are quite similar to those of a phishing attack and may include the following:
- A sense of urgency, pushing you to respond right away. As we are now in income tax season, these messages may include references to past due taxes or a suspended refund.
- An offer of a reward such as a gift card, rebate, or a coupon for a future purchase from the retailer
- Poor English grammar or improperly formatted phone numbers
- An unknown sender. It is best to report or delete messages you weren't expecting from people you don't know.
Be aware that what appears to be the sender's phone number is often spoofed. It may be a familiar number or at least may have a local area code. This is intended to increase your trust and thus the likelihood that you will respond.
Likewise, the protective measures you should take to protect yourself against falling victim to a smishing attempt are similar to any other safeguards you take:
- Keep your mobile device software and browsers updated with the latest security upgrades.
- If you are in doubt about the legitimacy of the message, do not use the link or phone number provided in the text to contact the sender. If the message appears to be from someone you know or a business you are familiar with, find their number in your contacts or online and contact them directly.
I realize that the criminals launching these types of attacks are generally using automated systems to transmit hundreds of thousands, if not millions, of the messages in hopes of getting even just a small percentage of recipients to click on the link. So even if you are like me and not average, there is a good chance you have been or are likely to be the target of a smishing attack. I hope you will use information to not become a victim, and distribute it to help keep others from falling victim.
October 12, 2021
Scams and Student Loan Forbearance
If you are a millennial like me, sitting on a mountain of student loan debt, chances are you've probably received at least one call or letter a month with offers to suspend your student loan payments as part of the administrative forbearance set by the Coronavirus Aid, Relief, and Economic Security—or CARES—Act. In fact, I recently received a letter stating that I was "prequalified" to have my federal student loans forgiven in exchange for an upfront fee. Of course, not all of the unsolicited letters and calls are scams, but if you're asked to pay a fee to have your student loans canceled, it's a safe bet that those offers are more than likely scam tactics.
Although student loan forgiveness scams have been around for some time, fraudsters claiming to be affiliated with the Department of Education are exploiting the current economic uncertainty by creating confusion around how borrowers can qualify for the administrative forbearance program. Some fake companies will offer to work with borrowers to negotiate a lower repayment plan for free and then request that they send their payments directly to the company rather than to the lender. Furthermore, scammers may ask for personally identifiable information or the borrower's Federal Student Aid (FSA) login credentials in hopes of stealing the borrower's identity or money. In a time when unemployment is high and many are financially vulnerable, people are likely more willing to take risks if it means obtaining some desperately needed financial relief—and fraudsters are well aware of this.
So what should you do if you are contacted by a company offering student loan debt relief? The FSA recommends you look out for these red flags before you respond:
- They require you to pay upfront or monthly fees.
- They promise immediate and total loan forgiveness or cancellation.
- They ask for your FSA ID username and password.
- They ask you to sign and submit a third-party authorization form or a power of attorney.
- They claim that their offer is limited and encourage you to act immediately.
- Their communications contain spelling and grammatical errors.
The FSA also lists some examples of common phrases that scammers use in their communications:
- "Act immediately to qualify for student loan forgiveness before the program is discontinued."
- "You are now eligible to receive benefits from a recent law that has passed regarding federal student loans, including total forgiveness in some circumstances. Federal student loan programs may change. Please call within 30 days of receiving this notice."
- "Your student loans may qualify for complete discharge. Enrollments are first come, first served."
- "Student alerts: Your student loan is flagged for forgiveness pending verification. Call now!"
Although the latest extension of the administrative forbearance into early next year may be a huge relief for many borrowers, it unfortunately also means that scammers have more time to exploit the situation. I encourage you to read an FSA article that contains other helpful information on how to identify and report a student loan scam.
May 17, 2021
Common Learnings from Fishing and Phishing
As a youngster growing up in Southeast Georgia, one of my favorite summer pastimes was fishing with my older brother at the local creek using cane poles and some corn niblets or, if we really hit the bait treasure box, pieces of beef hot dog. There is a reason they call it fishing and not catching as most days we barely got a nibble. But there were those days when we would land a nice-sized bluegill.
As I grew older and my fishing opportunities expanded, I began to learn more about the science and techniques of fishing. To increase the catching, there was a level of knowledge needed as to what type of bait (artificial or live) and what fishing technique (bottom, slow, or fast retrieve) to use to target the species of fish I wanted.
I reviewed the FBI's 2020 Internet Crime Report recently and learned that there were more than 240,000 phishing/smishing/vishing/pharming incidents in 2020—an increase of 110 percent over 2019 (and these are just those that were reported). Losses from these incidents were estimated at $54 million. Reading about this made me flash back to my fishing learnings. I reflected that in phishing, as in fishing, there are those people who simply throw out a baited hook to see what bites they get. They blast out a generic email to tens of thousands of email addresses they bought or otherwise acquired illegally, promising fortunes if you only pay, in advance, a finder's fee or the taxes, with gift cards or cryptocurrency. (These messages have advanced over the years to eliminate the poor grammar and misspellings and provide a more believable scenario about the money that belongs to you.)
It has become obvious to me from my research, from seeing the attacks firsthand, and from listening to my colleagues that criminals are becoming more sophisticated in their messages. They are quick to take advantage of current health or natural disaster crises, sending links to “breaking news” that contain malware or links to false websites to capture your personal information or other credentials. They have become very skilled in identifying a target and researching that individual's hobbies or life events through social media, which allows them to craft a message that appears legitimate and appeals to the target's interest.
My colleagues and I are constantly trying to better educate the public about these threats through our posts, webinars and other publications. Just when we think we've seen it all, the criminals come up with a new twist on an old scheme, such as what we saw over the last year regarding the stimulus payments. The bad guys are always going to be out there hoping they can get a nibble from you so they can try to set the hook and reel you in. Don't let yourself be the catch of the day.
April 19, 2021
Criminals Also Like Convenience
The phrase "The customer is always right" was coined by London department store retailer Harry Gordon Selfridge in 1909 to encourage his employees to provide customers with exceptional customer service. Ever since, retailers across all industries have been trying to achieve the positive customer experience—and possibly a competitive advantage—that Selfridge was striving for by offering a variety of customer-oriented policies and services. One such service that gained popularity a couple of years ago is buy-online-pick-up-in-store, often shortened to BOPIS. The COVID pandemic has led to a modification of BOPIS: BOPAC, short for buy-online-pick up-at-curbside. Merchants are offering these options so they can provide a "frictionless transaction"—in other words, they want to reduce the actions customers have to take to obtain their products. This less-contact process also happens to address the CDC’s COVID health recommendations of minimizing contact with others.
Unfortunately, fraudsters have latched onto BOPIS and BOPAC because they’re a means to secure their ill-gotten gains faster and at a lower risk of confrontation once they have stolen the payment credentials of a legitimate cardholder. According to a report published last fall , BOPIS fraud increased 55 percent from the first half of 2019 to the first half of 2020. While merchants in the BOPIS model can ask customers for identification, many do not, for a couple of reasons. First, the person picking up the goods may not be the cardholder, as often happens in the home improvement and landscaping business. Some retailers have addressed this by requiring the cardholder during checkout to give the name of the pick-up person. Second, requesting identification adds a step to the process and therefore adds friction.
A major financial services company published a best practices guide a year ago that contains recommendations on how merchants can reduce their fraud risk for BOPIS/BOPAC transactions. These recommendations include manually reviewing orders of high-value or targeted merchandise and using video cameras in the pick-up areas.
As stores and shopping centers begin to open more and with longer hours, it will be interesting to see if customers return to browse and shop in the aisles or the convenience of BOPIS/BOPAC will continue to drive ecommerce traffic. What do you think?