Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Changing Fraud Strategies: Hindsight Is 2020
Editor's note: This is the first of a three-part series.
It's been exciting to see such rapid innovation in payments recently. It's also been a little frightening, when we think of how quickly fraudsters and cybercriminals capitalize on fast-changing behaviors and how slowly others may adopt mitigation strategies.
To shed light on some of the new threats and offer tips on mitigating them, Take On Payments is running a series of three posts, starting with this one. This first post presents some research and other information on the threat trends and contributing factors that escalated in 2020. The next two posts highlight innovative fraud mitigation strategies.
Account takeover fraud
- Research from one cybersecurity company found that every second fraudulent transaction in 2020 in the finance industry was an account takeover and that the share of account takeover fraud jumped from 34 percent in 2019 to 54 percent in 2020. In addition, 12 percent of account takeovers are carried out with remote access technology: the fraudster tricks the victim into loading software that will allow the scammer access to their computer for "troubleshooting." The research also noted that social engineering has become more successful during the pandemic.
- A recent report explained that over the course of 2020, the share of account takeover fraud ranged between 70 percent and 90 percent of financial fraud attacks.
- A January 2021 article on lessons learned from 2020 reported that criminals have evolved from relying on "credential stuffing"—the use of stolen account credentials to gain access to user accounts—to using sophisticated "device emulators." These emulators can spoof the variables that fraud prevention tools look for, such as device type, browser version, language settings, screen resolution, and GPS coordinates.
- The latest Europol Internet Organized Crime Threat Assessment identified SIM-swapping fraud as a rising trend. The criminal basically deactivates a victim's SIM and ports the victim's number to another phone, allowing the criminal to thwart multi-factor authentication tools used for account logins.
New account opening fraud
- A January 2021 report noted the significant increase in fraudulent new account creation. Cybercriminals are unfortunately becoming rich with stolen credentials and synthetic identities gained from increasingly successful data breaches and phishing attacks.
- Another report said that a full 85 percent of financial institutions experience fraud in the account opening process.
- Finally, other researchers have found that traditional fraud models miss 86–95 percent of applicants who are identified as possibly synthetic. In addition, they've found that a full one in seven, or about 14 percent, of new accounts are fraudulent.
- The U.S. Secret Service recently emailed an alert to partners about how they continue to detect a significant upsurge in e-skimming attacks. In these attacks, fraudsters load malicious code, which is increasingly difficult to detect, onto e-commerce sites to steal payment card information. Cybercriminals consider e-skimming easy and highly profitable.
- Last month, the Financial Crimes Enforcement Network, or FinCEN, sent out a notice urging financial institutions to alert their customers about business email compromise, ransomware, and fraudulent payments that are targeting both vaccine delivery operations and the supply chains required to manufacture the vaccines. These crimes are drawing, in most cases, six-figure payouts.
Fraudsters see new payment behaviors and innovations as low-hanging fruit, a path of least resistance because sophisticated fraud mitigation tools have yet to be applied. Also, businesses and consumers who are new to digital or online commerce can be slow to adopt security best practices. So how should fraud mitigation strategies change to meet new threats? The next two posts will discuss how fraud strategies can build resistance with updates to organizational structure or expertise and innovative digital fraud prevention technology and security features.