Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
October 17, 2022
Webinars Address ATM Crimes, Financial Exploitation
ATM attacks don't generally appear in the news, despite their growing threat. As we've written before, these attacks can be both cyber and physical, and the physical attacks can be against both machine and the personnel servicing the machine. Another disturbing crime that may not appear enough in the headlines is the financial exploitation of senior adults. Two upcoming events in our Talk About Payments webinar series will give you the opportunity to learn more about these issues from the experts. The first, on November 3, covers ATM attacks. The second webinar takes place the following week, on November 10, and addresses the exploitation of seniors and community-based approaches to help mitigate vulnerabilities. More details about these webinars, as well as registration links, are below. We hope you will join us for both events.
November 3: ATM Attacks and Defenses
Because many financial institutions have closed or reduced the operating hours of many of their banking offices since the start of the pandemic, customer withdrawals of cash from ATMs have increased significantly. Unfortunately, the criminal element has shifted some resources to attacking ATMs and the personnel servicing them, including those who make currency deliveries. More than half of all ATM attacks in the United States involve thefts of the ATMs themselves, according to ATM Security Association data. The growth in dispenser jackpotting is also troubling. Because the methods of ATM crime can vary from city to city and month to month, it is critical that that ATM operators stay informed about current trends.
A panel of ATM experts join moderator David Tente, executive director of the ATM Industry Association, in discussing trends in cyber and physical attacks against ATM terminals and service personnel along with measures that can mitigate the risks. The panelists are:
- Brenda Born, supervisory special agent, Federal Bureau of Investigation
- Brad Moody, executive vice president of operations, Lowers & Associates
- John Toneatto, vice president of security and investigations, Loomis
The webinar takes place on November 3 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.
November 10: Financial Exploitation of Aging Adults
Did you know that more than 10,000 US adults turn 65 every day, and that many of them will be victims of financial fraud? Elder financial exploitation is a growing problem, according to the National Council on Aging, which estimates financial losses of at least $36.5 billion dollars a year. With the rapidly aging population, we must identify and protect elderly citizens exposed to financial exploitation risks.
In the November 10 episode of our Talk About Payments webinar series, Drs. Thomas Blomberg and Julie Brancale, criminologists from Florida State University, describe the current research, theory, and policy responses associated with this growing social problem. They also address the patterns and variations of financial exploitation of older adults and discuss why some older adults may be more or less vulnerable than others. The presentation concludes with a discussion of areas in need of additional research and policy attention. Scarlett Heinbuch, a payments risk expert at the Atlanta Fed, moderates the discussion.
The webinar takes place on November 10 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.
We encourage financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to join us for these informative webinars. You will be able to submit questions during the webinar. Please let your colleagues know about these webinars!
September 12, 2022
The Not-Quite-Forgotten Check
When did you last write a check? Last month, I wrote my first check in almost 10 years to send funds to sponsor an out-of-state friend for a charity event. This was after I failed to convince my Luddite friend to sign up for an electronic peer-to-peer (P2P) app so I could send the funds almost instantly.
That experience caused me to think a bit more about that somewhat forgotten payment method: the hand-written paper check. The triennial Federal Reserve Payments Study as well as the annual Diary of Consumer Payment Choice (DCPC) have consistently shown that check usage continues to decline. The 2020 DCPC revealed that of the average of 35 payments (including cash) made per month, 2.3 were made by check. The 2016 DCPC showed an average of 46 payments per month with 3.3 of those using a check. While the share of overall payments made by check dropped by just about one-half of a percentage point, the absolute number of checks written dropped by 30 percent in just those four years.
With the decline in check usage, why are financial institutions and merchants seeing an increase in fraud losses related to checks? The simple answer is because checks are easy to counterfeit or alter. The industry has made efforts over the years to improve check document security, including techniques such as microprinting, holograms, embedded fibers, and tamper-resistant paper. Despite these defenses, most would consider the check to be "low tech" and, as this blog has often stated, criminals go for the low-hanging fruit, making checks ripe for the picking. Anyone with graphics software and a high-quality printer can readily turn out counterfeit checks. Blank check stock, some even incorporating the defenses mentioned above, can be purchased at most office supply and stationary outlets. The 2022 Association of Financial Professional's Payment Fraud and Control: Key Highlights report noted "that check fraud remains the most prevalent form of payments fraud," with two-thirds of their professionals reporting their organization had experienced some level of check fraud.
Losses from check fraud come in a variety of forms. I wrote about cashier's check fraud scams in a recent post. Criminals often use money mule networks to cash counterfeit checks or to purchase with a counterfeit check merchandise that the criminal then sells at a discounted price. The criminal may deposit counterfeit or altered checks and then take advantage of the time gap between funds availability and when the check is returned after being identified as fraudulent. Check out this comprehensive guide to check fraud.
The industry is now seeing small to mid-size financial institutions and merchants targeted. To mitigate check fraud, the best action for both consumers and businesses is to monitor checking accounts closely to spot any unauthorized items posting to the account. For businesses, consider positive-pay software that automatically alerts you of incoming checks with altered amounts or checks that may have been counterfeited. For financial institutions, software that verifies document integrity or detects transaction data anomalies can be useful. For merchants, third-party check verification services as well as strong customer documentation will help minimize losses.
Although it may be another decade before I write another check, the prevalence of check fraud relative to check use suggests that Take On Payments will continue to highlight this topic and discuss the industry's efforts to combat fraud.
June 13, 2022
Quishing: Another "Fish" in the Fraud Ocean
We should all be knowledgeable about phishing attacks by now, given the number of warnings consumers and businesses get about this type of email fraud. We've even warned about it, in this Take On Payments post last year, and in others. We've also warned about smishing, a variation that uses SMS text messaging rather than email. Vishing is another form of social engineering that we've also mentioned in the blog. It's like phishing but comes through a telephone, often from a spoofed number—one that looks like a legitimate number of a company or agency. All of these varieties of fraudulent attacks have the same goal: to "fish" for your login or account information.
And now there's quishing. Again.
Quishing is not new but has experienced a revival within the criminal element as a result of the increased use of QR codes for digital payments. We first wrote about the risks and benefits of QR codes back in 2012, when they were used predominantly on printed media such as billing statements. The account holder could scan the QR code to go to the biller's payment website to pay their bill. We wrote about them again in late 2020, when merchants used them in the pandemic as an alternative contactless payment technology to near field communication. Since then, the use of QR codes has exploded—not just for payment applications, but also for other contactless usages born from health concerns: to let people access digital restaurant menus, for example, or to get detailed product information. QR codes are easy to implement, but that also makes them easy to alter without detection. The criminal sends an email with a QR code that, when captured by the victim's camera, opens a counterfeit website that may look like a merchant's legitimate website but is intended to steal account credentials. The email may contain a coupon to give the victim further incentive to capture the QR code. Unfortunately, detecting quishing attacks is difficult for email malware applications since the QR code is embedded in the email message.
QR code manipulation can also take place on printed material. Cases have been reported where stickers with altered QR codes have been placed on event posters at a venue or in other public places. When the person accesses the fraudulent QR code to purchase event tickets, the criminal captures the payment card information then uses that information to make fraudulent purchases. Meanwhile, the victim shows up at the event and is told their ticket confirmation is invalid.
The same defensive measures used to spot phishing, smishing, and vishing attacks should be used to guard against quishing attacks. Be wary of messages from unknown sources, especially if they offer an incentive or convey a sense of urgency. Always be suspicious of any request for you to "confirm" your account credentials. Keeping a solid defensive position will help keep you safe from these attacks.
April 18, 2022
Smishing: Phishing with a Different Bait
The Retail Payments Risk Forum team is always on the lookout for changes in attack patterns by the criminal element regarding payments. Our sources of research include industry news, networking with payments stakeholders, third-party reports, and our internal security warnings. One other source we have is our own personal experience, though we have to remind ourselves of our colleague Claire Greene's warning that each of us is a sample of one. What we experience may not be, and probably isn't, what the average person might encounter.
I was recently reminded of this warning with regard to my own experience with smishing attacks. Unlike phishing, which uses email, smishing uses SMS text messages to entice you to click on a malicious link that either loads malware on your phone or, more likely, directs you to a fake website to capture your login information. (Simply opening the text message poses little risk.) Over the last several weeks, I have been getting one to two text messages a day on my phone asking me to click on a link to respond—usually to a customer satisfaction survey allegedly from a major retailer, with the offer of a gift card as a reward for responding. One message informed me that a product I had ordered (and already received) from an online retailer couldn't be shipped until I clicked on the link to pay an international tax of $2.83. I am confident that all these messages were "smishing" attempts.
Although a part of me was tempted to assume my experience was indicative of a very recent trend, I decided to research whether I was indeed average in experiencing an increased number of these attacks. It appears Claire was right—although my research showed that smishing attacks have substantially increased, seems I am fortunate to have only recently become a target. A cybersecurity firm that claims to handle 80 percent of mobile messages in North America has reported that the number of smishing attacks during the third quarter of 2020 had increased 328 percent over the previous quarter. The FBI's Internet Crime Complaint Center (IC3) doesn't separate smishing from phishing, vishing (phone calls), or pharming (redirection to a fake website) incidents, but the IC3's Internet Crime Report 2021 shows that these complaints increased 34 percent from 2020 to 2021.
The warning signs for a smishing message are quite similar to those of a phishing attack and may include the following:
- A sense of urgency, pushing you to respond right away. As we are now in income tax season, these messages may include references to past due taxes or a suspended refund.
- An offer of a reward such as a gift card, rebate, or a coupon for a future purchase from the retailer
- Poor English grammar or improperly formatted phone numbers
- An unknown sender. It is best to report or delete messages you weren't expecting from people you don't know.
Be aware that what appears to be the sender's phone number is often spoofed. It may be a familiar number or at least may have a local area code. This is intended to increase your trust and thus the likelihood that you will respond.
Likewise, the protective measures you should take to protect yourself against falling victim to a smishing attempt are similar to any other safeguards you take:
- Keep your mobile device software and browsers updated with the latest security upgrades.
- If you are in doubt about the legitimacy of the message, do not use the link or phone number provided in the text to contact the sender. If the message appears to be from someone you know or a business you are familiar with, find their number in your contacts or online and contact them directly.
I realize that the criminals launching these types of attacks are generally using automated systems to transmit hundreds of thousands, if not millions, of the messages in hopes of getting even just a small percentage of recipients to click on the link. So even if you are like me and not average, there is a good chance you have been or are likely to be the target of a smishing attack. I hope you will use information to not become a victim, and distribute it to help keep others from falling victim.
Take On Payments Search
- account takeovers
- data security
- digital currency
- financial inclusion
- identity theft
- payments risk
- payments studies/research
- TOP payments inclusion
- supervision and regulation
- workforce development