
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


August 22, 2022

Not-So-Common Scams Result in Large Losses

We often write in this blog about the scams that criminals seem to favor at the time and describe defenses that targeted individuals or companies can use to thwart these scams. The most popular continues to be the broad category of advance fee scams. I thought it would be helpful to review two other types of financial scams that are not so frequent but that can result in large losses for victims.

Cashier's check fraud
A genuine cashier's check is a direct obligation of the bank that sells it. In a more innocent time, cashier's checks were viewed "as good as gold." Regulation CC generally requires a bank to make the funds of a deposited cashier's check available the next business day, but a fraudulent cashier's check could take several days or weeks to be returned to the bank of first deposit.

Criminals use this time gap to their advantage. In some cases, the check is for the exact amount of the item being purchased, and the criminal departs with the goods. For remote purchases, the criminal may send the seller a cashier's check for an amount in excess of the purchase price: $1,500 instead of $1,000, for example. Then the criminal claims the amount was a mistake and asks the seller to send the merchandise as well as refund the overpayment. When the fraudulent check is returned, the seller is out not only the merchandise but also cold hard cash.

Fraudulent cashier's checks can be very difficult to spot given the advanced technology of printers and graphics software. Here is some fraud prevention advice:

  • Accept a cashier's check only from someone you know or trust.
  • Never accept a cashier's check with an amount higher than the purchase price.
  • Consider using an escrow service instead of a cashier's check, where the goods are held by a trusted third party until the payment funds are fully verified.
  • Be aware of the difference between when funds from a cashier's check become available versus when the check finally clears.

You can find more information about cashier's check fraud on the website of the Federal Deposit Insurance Corporation (FDIC).

High-yield investment fraud
In this type of scam, a fictitious financial institution or company, often located outside the United States, offers a risk-free, guaranteed return on a savings or investment instrument that is substantially above the market rate. The scammer claims to be able to achieve these returns by using sophisticated trading techniques involving "prime bank" financial instruments in foreign markets. Often, there is a promise that the funds are insured by a country's financial oversight agency or by the World Bank, a claim supported by certificates that look legitimate.

These scammers target their victims through advertisements in national and financial publications. They may also solicit victims with executive phishing attacks that have obtained contact information of high-net-worth individuals. The criminals assert that the victim will be part of an exclusive group and therefore should not discuss the investment with others, sometimes even requesting execution of nondisclosure agreements.

My prevention tip for this scam is to follow the old adage that "if it's too good to be true, it probably is."

If there are other financial scams that you think we should address, please let us know by leaving a comment.

August 15, 2022

AI Is No Silver Bullet in Fighting Fraud

A sobering report just out from the Federal Trade Commission (FTC) explores the current limits of artificial intelligence (AI, variously referred to as machine learning, automated decision systems, natural language processing, expert systems, neural networks, thinking machines, and more) for preventing online harms, including scams, fake product reviews, romance fraud, money laundering, revenge porn, hate crimes, and counterfeit product sales.

The report makes clear that the use of AI to prevent online scams is "in its relative infancy" and that AI as a standalone tool is no silver bullet for eliminating disinformation from social media platforms, identifying cloaked offers of child pornography, or stopping sales of illegal products, among other ills.

The FTC's June 2022 report, Combatting Harms through Innovation, returns to the first principles of fraud prevention, which are useful to merchants and financial institutions fighting all types of online fraud, including payments fraud. In the nothing-new-under-the-sun category, the report warns, "Greed, hate, sickness, violence, and manipulation are not technological creations, and technology will not rid society of them."

The report points out the trade-offs between increased use of AI to prevent harm and the likelihood that more surveillance could result in discrimination or censorship. With implications for the challenge merchants face in identifying potentially fraudulent actors while minimizing shopping cart abandonment, the report states, "Even with good intentions, use [of AI tools] can also lead to exacerbating harms via bias, discrimination, and censorship."

The report lists eight principles for applying AI and various automated tools. Here are three with particular importance for fighting payments fraud:

  1. Human intervention is vital. When using automated tools, humans can prevent the sorts of unintended consequences that—at their most extreme—occurred with the computer Hal, who very nearly murdered his human handlers in 2001: A Space Odyssey.
  2. AI tools must be transparent to the people they affect. Merchants and financial institutions must be able to explain decisions to customers and potential customers.
  3. Businesses that use AI for decision making must be accountable for errors.

You can read the other five principles in the report, which is deeply skeptical of the wholesale application of this technology in its current state: "One caveat for consumer protection or competition enforcers, however, is that it makes little sense to use limited resources to obtain any AI tools without having already decided what exactly to do with them."

Another useful resource from ACAMS Today: "Your AI Cheat Sheet: Key Concepts in Common Sense Terms."

The payments industry has benefited greatly from new technology over the decades. Check imaging, contactless payments, and online payments all come to mind. As these examples show, advances in technology can provide many benefits, and, as Hal reminds us, adoption of new tools must move forward with a careful eye to not only benefits but also risks. As always, Take On Payments will continue to report objectively on payments technology.

July 11, 2022

Drawing the Line on Consumer Protection

Consumer protection regulations are designed to ensure that consumers are treated fairly in their dealings with a business. But what is fair from the perspective of the consumer is often quite different from that of the business when there is a dispute.

This post was triggered when I read an article about a series of lawsuits filed by consumers hoping to gain class-action status against financial companies in situations where the consumer has authorized an immediate payment from their account to someone who later turned out to be a fraudster. The consumers claim that they should be reimbursed by the financial institution because they were scammed.

Regulation E is quite clear on where the line is drawn as to the customer's liability in an electronic transaction. If the transaction is unauthorized, the customer's liability is generally zero as long as they report the transaction within a specified amount of time. The regulation is very specific in its definition of unauthorized: "an EFT from a consumer's account initiated by a person other than the consumer without authority to initiate the transfer and from which the consumer receives no benefit." In the cases discussed in the article I read, the consumers admit that they voluntarily initiated the push payment transactions, so the financial institutions appear to be justified in denying reimbursement because the transactions did not meet the definition of "unauthorized" and therefore the liability protections of Regulation E did not apply.

In a late 2021 post, I wrote about how banks in the United Kingdom have adopted a Contingent Reimbursable Model (CRM) that could give customers who are victims of authorized push payment scams some financial relief. The debate within the United Kingdom as to how equally the CRM is applied continues to this day, with consumers claiming that it doesn't go far enough to ensure that financial institutions fairly and uniformly evaluate a consumer's claims.

As push payment usage continues to increase in the United States, is there a need to redraw the line by implementing regulations that will give greater protection to consumers in such scams? While I am empathetic toward those who suffer these financial losses, I believe the payments industry has made a reasonable and good faith effort to educate customers when they should use authorized push payments and when they should not. What do you think?

June 27, 2022

The Ransomware Threat Continues to Grow

For more than five years, this blog; federal, state, and local law enforcement agencies; and multiple industry associations have continued to warn businesses about the threat of ransomware attacks. Nevertheless, the FBI's Internet Crime Complaint Center's (IC3) 2021 crime report shows that in 2021, IC3 received 3,729 ransomware complaints, representing losses of $49.2 million. These numbers reflect a 51 percent increase in the number of victims and a 69 percent increase in losses. The report notes that these figures are likely higher as the crimes are underreported, and that these financial losses don't "include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim." According to the report, the industries most frequently targeted were health care, financial services, information technology, critical manufacturing, and government, but water systems, energy, and transportation networks were also attacked.

In the beginning, criminals carried out ransomware attacks by gaining access to a company's network, either by getting an employee to unknowingly load malware or by loading it themselves after exploiting an operating system vulnerability or using a remote access channel. The malware would then encrypt the targeted files so the company could not access them, and the criminal would demand a ransom and promise a decryption key once it was paid.

Last year saw an evolution of the attacks, when criminals began to seek higher payouts. In addition to making the regular ransomware demands, criminals threatened to release sensitive information they'd gathered before encrypting the files unless the victims paid an additional ransom. Regardless of any promises they make and money they get, criminals often sell this information on the Dark Web for even more money.

The defenses against a ransomware attack remain the same:

  • Conduct employee training and phishing tests to educate and increase awareness.
  • Implement a process for employees to report suspected phishing emails and investigate them immediately.
  • Make frequent offline data backups and regularly test the backup process.
  • Install security patches and software updates as soon as possible.
  • Monitor remote desktop protocols, if they're used, and carefully review access controls.

What defensive measures has your company implemented to defend against a ransomware attack? Let us know if I've missed any.