Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

August 22, 2022

Not-So-Common Scams Result in Large Losses

We often write in this blog about the scams that criminals seem to favor at the time and describe defenses that targeted individuals or companies can use to thwart these scams. The most popular continues to be the broad category of advance fee scams. I thought it would be helpful to review two other types of financial scams that are not so frequent but that can result in large losses for victims.

Cashier's check fraud
A genuine cashier's check is a direct obligation of the bank that sells it. In a more innocent time, cashier's checks were viewed "as good as gold." Regulation CCOff-site link generally requires a bank to make the funds of a deposited cashier's check available the next business day, but a fraudulent cashier's check could take several days or weeks to be returned to the bank of first deposit.

Criminals use this time gap to their advantage. In some cases, the check is for the exact amount of the item being purchased, and the criminal departs with the goods. For remote purchases, the criminal may send the seller a cashier's check for an amount in excess of the purchase price: $1,500 instead of $1,000, for example. Then the criminal claims the amount was a mistake and asks the seller to send the merchandise as well as refund the overpayment. When the fraudulent check is returned, the seller is out not only the merchandise but also cold hard cash.

Fraudulent cashier checks can be very difficult to spot given the advanced technology of printers and graphics software. Here is some fraud prevention advice:

  • Accept a cashier's check only from someone you know or trust.
  • Never accept a cashier's check with an amount higher than the purchase price.
  • Consider using an escrow service instead of a cashier's check, where the goods are held by a trusted third party until the payment funds are fully verified.
  • Be aware of the difference between when funds from a cashier's check become available versus when the check finally clears.

You can find more information about cashier's check fraud on the website of the Federal Deposit Insurance CorporationOff-site link (FDIC).

High-yield investment fraud
In this type of scam, a fictitious financial institution or company, often located outside the United States, offers a risk-free, guaranteed return on a savings or investment instrument that is substantially above the market rate. The scammer claims to be able to achieve these returns by using sophisticated trading techniques involving "prime bank" financial instruments in foreign markets. Often, there is a promise that the funds are insured by a country's financial oversight agency or by the World Bank, a claim supported by certificates that look legitimate.

These scammers target their victims through advertisements in national and financial publications. They may also solicit victims with executive phishing attacks that have obtained contact information of high-net-worth individuals. The criminals assert that the victim will be part of an exclusive group and therefore should not discuss the investment with others, sometimes even requesting execution of nondisclosure agreements.

My prevention tip for this scam is to follow the old adage that "if it's too good to be true, it probably is."

If there are other financial scams that you think we should address, please let us know by leaving a comment.

July 11, 2022

Drawing the Line on Consumer Protection

Consumer protection regulations are designed to ensure that consumers are treated fairly in their dealings with a business. But what is fair from the perspective of the consumer is often quite different from that of the business when there is a dispute.

This post was triggered when I read an article about a series of lawsuits filed by consumers hoping to gain class-action status against financial companies in situations where the consumer has authorized an immediate payment from their account to someone who later turned out to be a fraudster. The consumers claim that they should be reimbursed by the financial institution because they were scammed.

Regulation E Adobe PDF file formatOff-site link is quite clear on where the line is drawn as to the customer's liability in an electronic transaction. If the transaction is unauthorized, the customer's liability is generally zero as long as they report the transaction within a specified amount of time. The regulation is very specific in its definition of unauthorized: "an EFT from a consumer's account initiated by a person other than the consumer without authority to initiate the transfer and from which the consumer receives no benefit." In the cases discussed in the article I read, the consumers admit that they voluntarily initiated the push payment transactions, so the financial institutions appear to be justified in denying reimbursement because the transactions did not meet the definition of "unauthorized" and therefore the liability protections of Regulation E did not apply.

In a late 2021 post, I wrote about how banks in the United Kingdom have adopted a Contingent Reimbursable Model (CRM) that could give customers who are victims of authorized push payment scams some financial relief. The debateOff-site link within the United Kingdom as to how equally the CRM is applied continues to this day, with consumers claiming that it doesn't go far enough to ensure that financial institutions fairly and uniformly evaluate a consumer's claims.

As push payment usage continues to increase in the United States, is there a need to redraw the line by implementing regulations that will give greater protection to consumers in such scams? While I am empathetic toward those who suffer these financial losses, I believe the payments industry has made a reasonable and good faith effort to educate customers when they should use authorized push payments and when they should not. What do you think?

June 27, 2022

The Ransomware Threat Continues to Grow

For more than five years, this blog; federal, state, and local law enforcement agencies; and multiple industry associations have continued to warn businesses about the threat of ransomware attacks. Nevertheless, the FBI's Internet Crime Complaint Center's (IC3) 2021 crime report Adobe PDF file formatOff-site link shows that in 2021, IC3 received 3,729 ransomware complaints, representing losses of $49.2 million. These numbers reflect a 51 percent increase in the number of victims and a 69 percent increase in losses. The report notes that these figures are likely higher as the crimes are underreported, and that these financial losses don't “include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim.” According to the report, the industries most frequently targeted were health care, financial services, information technology, critical manufacturing, and government but water systems, energy, and transportation networks were also attacked.

In the beginning, criminals carried out ransomware attacks by gaining network access to a company's computer system, which they would accomplish by getting an employee to unknowingly load malware or load it themselves by exploiting an operating software vulnerability or using a remote access channel. The malware would then encrypt the targeted files so the company could not access them, and the criminal would demand a ransom and promise a decryption key once it was paid.

Last year saw an evolution of the attacks, when criminals began to seek higher payouts. In addition to making the regular ransomware demands, criminals threatened to release sensitive information they'd gathered before encrypting the files unless the victims paid an additional ransom. Regardless of any promises they make and money they get, criminals often sell this information on the Dark Web for even more money.

The defenses against a ransomware attack remain the same:

  • Conduct employee training and phishing tests to educate and increase awareness. • Implement a process for employees to report suspected phishing emails and investigate them immediately.
  • Make frequent offline data backups and regularly test the backup process.
  • Install security patches and software updates as soon as possible.
  • Monitor remote desktop protocols, if they're used, and carefully review access controls.

What defensive measures has your company implemented to defend against a ransomware attack? Let us know I've missed any.

June 13, 2022

Quishing: Another "Fish" in the Fraud Ocean

We should all be knowledgeable about phishing attacks by now, given the number of warnings consumers and businesses get about this type of email fraud. We've even warned about it, in this Take On Payments post last year, and in others. We've also warned about smishing, a variation that uses SMS text messaging rather than email. Vishing is another form of social engineering that we've also mentioned in the blog. It's like phishing but comes through a telephone, often from a spoofed number—one that looks like a legitimate number of a company or agency. All of these varieties of fraudulent attacks have the same goal: to "fish" for your login or account information.

And now there's quishing. Again.

Quishing is not new but has experienced a revival within the criminal element as a result of the increased use of QR codes for digital payments. We first wrote about the risks and benefits of QR codes back in 2012, when they were used predominantly on printed media such as billing statements. The account holder could scan the QR code to go to the biller's payment website to pay their bill. We wrote about them again in late 2020, when merchants used them in the pandemic as an alternative contactless payment technology to near field communication. Since then, the use of QR codes has exploded—not just for payment applications, but also for other contactless usages born from health concerns: to let people access digital restaurant menus, for example, or to get detailed product information. QR codes are easy to implement, but that also makes them easy to alter without detection. The criminal sends an email with a QR code that, when captured by the victim's camera, opens a counterfeit website that may look like a merchant's legitimate website but is intended to steal account credentials. The email may contain a coupon to give the victim further incentive to capture the QR code. Unfortunately, detecting quishing attacks is difficult for email malware applications since the QR code is embedded in the email message.

QR code manipulation can also take place on printed material. Cases have been reported where stickers with altered QR codes have been placed on event posters at a venue or in other public places. When the person accesses the fraudulent QR code to purchase event tickets, the criminal captures the payment card information then uses that information to make fraudulent purchases. Meanwhile, the victim shows up at the event and is told their ticket confirmation is invalid.

The same defensive measures used to spot phishing, smishing, and vishing attacks should be used to guard against quishing attacks. Be wary of messages from unknown sources, especially if they offer an incentive or convey a sense of urgency. Always be suspicious of any request for you to "confirm" your account credentials. Keeping a solid defensive position will help keep you safe from these attacks.