Rising payments fraud triggers new cyber-security tools
Note from the editor
The COVID-19 pandemic ushered in an unprecedented era of online shopping, digital payments...and cybercrime. While cyber-security firms have scrambled to keep up with the crooks, it hasn’t been easy and some might even say the criminals are winning for the moment.
The peer-to-peer payments company Zelle has become a big target for criticism as lawmakers join consumers in complaining about scammers tricking users into handing over their money. Bank-owned Zelle has emphasized that such thefts affect less than 1% of its transactions, but with its business scaling, so are the complaints.
Credit card fraud rates have risen over the past year too, and that’s partly because of the increase in card-not-present fraud that occurred when the deadly pandemic changed consumer shopping. Nonetheless, Visa, the biggest card network company, recently put consumers on notice that physical fraud isn’t a thing of the past either, citing a rising number of skimming devices that illegally capture card data.
Biometric advances are one way to increase safeguards, with the FIDO Alliance, technology companies and payments innovators leading the way to new tools aimed at better protecting consumers. Nonetheless, those new technologies aren’t always an easy sell to consumers, especially in the U.S.
New international standards, such as the recently published EMVCo standard for mobile and contactless payments, could help cyber protections make headway, but the task of making inroads with consumers remains.
Fraudsters developed sophisticated techniques to evade safeguards and steal payment credentials, the card network said in its biannual report.
By: Tatiana Walk-Morris • Published Sept. 13, 2023
Although the global fraud rate was below expected levels in the first half of the year, threat actors managed to evade safeguards, leading fraud to spike across multiple categories, according to a Visa report.
Between January and June, the San Francisco-based card giant tracked an uptick in fraud in ransomware attacks, enumeration attacks and card-not-present fraud, according to the most recent edition of its biannual threats report. Among retail-specific crimes, the company highlighted the rise of counterfeit and spoofed merchants, malicious advertisers, flash-fraud scams and free gift scams, according to the Sept. 7 report.
“While we are pleased by the lower-than-expected fraud rate over the last few months, this edition of the Biannual Threats Report continues to underscore just how savvy fraudsters continue to be,” Visa’s Chief Risk Officer Paul Fabara said in a statement. “The same way criminals take advantage of technology advances, so does Visa, and the $30 billion of fraud prevented in the last six months alone is a great testament to that.”
Ransomware attacks spiked in March, soaring 91% over February numbers and 62% year-over-year, Visa said in its report. The top root causes of ransomware attacks were exploited vulnerabilities (36%) and compromised credentials (29%), according to the report.
Enumeration attacks jumped 40% during the January to June time period, compared to the previous six months, Visa said. As for card-not-present fraud, more than half (58%) of the fraud and breach investigations stemmed from online merchants. However, brick-and-mortar retailers comprise 20% of card-not-present fraud.
Visa did not disclose how much malicious advertising, spoofed or counterfeit merchant fraud, flash-fraud scams or free gift scams it had detected. It only noted that these categories had seen “a measurable uptick during the past six months.”
The rise in artificial intelligence is contributing to the increase in some fraud amid an overall decline. As artificial intelligence “continues to proliferate in the market and new use cases evolve, merchants and consumers alike may experience new challenges in identifying and preventing scams,” Michael Jabbara, vice president and global head of fraud services at Visa, told Payments Dive via a spokesperson.
While ransomware is not a new tactic for threat actors, they are using ChatGPT and advanced language models to “create malware that can act as file stealers while evading detection or generating malware capable of encrypting an entire device,” Jabbara said in the statement. “ChatGPT and other ALMs have lowered the barrier to entry for those with limited programming abilities or technical skill and carry out attacks.”
As of now, Visa continues to see a disproportionate increase in attacks targeting e-commerce, Jabbara added. “We found that merchants in this sector were impacted by 58% of the total fraud and breach investigations and 7% for ransomware fraud schemes,” he continued in the statement.
While counterfeit merchant attacks involve creating fake sites to steal customer information, malicious advertising attacks use fake ads to gather consumers’ payment information, Visa explained. Flash fraud involves tricking merchants into processing legitimate transactions and then processing a large number of illegitimate transactions using stolen payment information.
Meanwhile, free gift scams swindle victims by offering them a free gift in a pop-up window that actually links to a “malicious payload” that includes a file with harmful non-fungible tokens, enabling cybercriminals to transfer cryptocurrency from the victim’s digital wallet to their wallet, according to Visa.
As Visa tracks rising fraud, the company has separately said that its fees support its cybercrime prevention strategy. Though the company said in its report that the global fraud rate “trended lower than normal” during the first half of the year, it noted in a September blog post that cybercrime is at record highs. The fees helped to support its fraud prevention infrastructure, Visa has explained in the past.
Research suggests that card issuers’ efforts to mitigate fraud are beginning to pay off. A December 2022 issue of the industry publication Nilson Report noted that the international card fraud losses for sellers, issuers and acquirers will reach $397.40 billion during the next decade, down from the previous predicted loss of $408.50 billion.
Payments fraud climbs as banks reach for joint response
Financial institutions and payments players are seeking to coalesce around new efforts to battle skyrocketing payments fraud.
By: Lynne Marek • Published May 25, 2023
Attendees at Nacha’s Smarter Faster Payments conference last month were coasting through a late morning panel discussion on fraud just before lunch when one panelist’s comments stirred up the ballroom.
Consolidated Edison Director Frank D’Amadeo, who leads treasury operations at that utility, was asked by a moderator about “pain points” faced by companies amid rising payments fraud. With his response, D’Amadeo took on the banking and payments professionals packed in the room.
“There is a need in our country for fraud to be stopped before it even gets to us, and there’s a lot of data out there where, if the banking community shared information, they could prevent a good amount of fraud before it even occurred,” D’Amadeo said. “The banks need to do a lot more,” he said during an earlier panel, making the message clear for those attending the annual conference in Las Vegas.
His remarks sparked a mini-debate in the ballroom over whether banks are doing enough, jointly, to thwart criminals who shift from one bank to another, undeterred, in search of new victims.
JPMorgan Chase, the biggest bank in the U.S., didn’t respond to a request for an interview on the topic, but the moderator for one of D’Amadeo’s panels, JPMorgan Executive Director Steven Bernstein, opened with this: “Fraud is prevalent.”
Fraud has become a big problem for payments players, which include banks, processors, card networks and a host of intermediaries and fintechs. Now, the rise of faster digital payments, including the impending launch of the FedNow real-time system, and artificial intelligence innovations threaten to exacerbate the trouble.
Here’s how Thomas French, a senior fraud consultant at software company SAS Institute, described the current environment: “That's just a basket full of awful there, between scams, scams, scams and more scams. When you combine scams with faster payments, you get faster fraud.”
While there has always been fraud, it has worsened in the past year to 18 months, said French, who spent 27 years working for banks, including Bank of America and the former Wachovia and First Union. “It's the industrialization of fraud, where you’ve got different criminal rings doing different things,” he said in an interview this month. “I’ve never seen it so sophisticated, so fast, and so full of crooks in my 30-plus years.”
Bank customers have suffered alongside their financial institutions. The amount of money American consumers reported losing to fraud last year jumped 30% to $8.8 billion compared to 2021, the Federal Trade Commission said in February, and much of that fraud flowed through some part of the payment system. Those frauds took place in business, shopping, investment and online dating settings, among others.
[Chart: Fraud in payments is rising with a surge at banks. Dollar losses from fraud by payment category, annually, from 2019 to 2022.]
The FTC was able to identify a payment method for 17% of consumer fraud reports last year. Of those methods documented, the biggest losses were in bank transfers and payments, with those losses more than doubling to nearly $1.6 billion last year, compared to $762 million in 2021. That payment channel constituted the single biggest area of fraud losses for the past three consecutive years, the FTC data showed.
While the most dollars were lost through bank payments last year, the highest number of fraud reports were regarding credit cards, according to the FTC.
Businesses looped into losses
With such large losses, it’s not just consumers being targeted for the frauds. It’s also companies of all sizes, including D’Amadeo’s power company servicing the New York City area. With respect to incoming customer payments, the utility receives 500 to 600 fraudulent receipts daily from valid debit accounts, but they are accounts for which a fraudster likely bought information on the dark web. In some cases, they even brazenly use Con Edison account numbers. That fraud is minimal, relative to the utility’s three million customers, he said.
But D’Amadeo worries more about outgoing payments. The company is “constantly” targeted by email scams in which con artists, purporting to be Con Edison executives or vendors, seek payments, putting hundreds of millions of dollars at risk. For instance, a firm to which Con Edison owes money may have been hacked, and the hacker sends the utility an invoice with accurate information, but an altered bank account directing money to the fraudster.
“The biggest concern we have is on the disbursement side where we’re being compromised and duped into changing payment instructions to a counterparty and, look, if you don’t catch it within the first 24 hours, you’re not getting that money back,” he said.
Smaller companies are targets too. Jefferson Grace, a Las Vegas detective who also spoke at the conference, described how one local business owner that had been in business for 30 years went belly up after he misdirected $1.1 million in payments to a crook impersonating a vendor. He explained how fraudsters take over or mimic email addresses and glean executive names from social media sites, like LinkedIn, to send persuasive emails.
Email schemes that trick corporate executives into sending payments to swindlers have become a major stumbling block. “We’ve put so much trust into email that was never designed to be there,” Grace said. Multiple speakers at the conference stressed the importance of executives following explicit payment processing instructions to avoid fraud.
A big part of the problem is valid accounts being tapped by bad actors. In that “synthetic identity fraud” trend, some pieces of authentic information are used to create the appearance of normalcy.
“Synthetic identity is a concerning and growing threat factor,” Visa’s head of U.S. risk, Dustin White, said at another April industry conference, the ETA's Transact conference in Atlanta. “It's fairly sophisticated, and it's very devastating because it's not a $500, $1,000, $2,000 fraud run that a financial institution has to deal with. These are like $80,000, $100,000, $150,000 bust-out schemes, per instance,” he said.
The Boston Federal Reserve Bank estimated that synthetic identities cost the U.S. $20 billion in 2021, White noted. “It's a very prevalent and growing threat vector,” he said.
The conundrum for payments and banking industry professionals alike is fixing the fraud without introducing too much “friction.” With the industry having made significant headway in making digital payments easy for consumers to use, banks and companies are reluctant to unwind features that have fostered more commerce, especially online.
Nacha pivots to fight fraud
Nonetheless, a consensus is emerging that something has to be done, and industry organizations capable of bringing the banks and payments communities together are mulling new approaches. One Citigroup executive at the Nacha conference caught up in the debate said: “It’s coming.”
A key player in any new effort would be Nacha, formerly known as the National Automated Clearing House Association. Indeed, it’s discreetly pressing for changes within its own community, including among its big bank operators, so that financial institutions take more responsibility to counter fraud.
Earlier this month, Nacha posted for public comment the outline of a new “risk management framework” it has under development in what it called a new era of fraud, where funds are mistakenly “pushed” by users into accounts where they shouldn’t be. The updated approach would address increasing fraud threats and attacks on ACH credits, wires, cards and other instant and digital payments, Nacha said.
“As a new risk management strategy, the Framework is intended to bring the ACH Network and the broader payments community together to address an emerging and important area of need, and to provide an overarching direction for new initiatives, guidance, rules and industry tools,” the May 2 Nacha executive summary said.
The aim of the new framework is to increase awareness of the illicit push schemes; reduce the success of those attempts at fraud; and improve the chances of recovering funds after the scams have occurred, Nacha said. A Nacha spokesperson, Dan Roth, didn’t respond to repeated requests for comment on the new framework.
Obstacles to cooperation
Part of the challenge in addressing the problem has been banks’ reluctance to share customer data with each other that might otherwise be helpful in fighting fraud, said Mark Dixon, who is vice president of education at the New England Automated Clearing House Association in Burlington, Massachusetts.
Banks have long been sensitive to sharing information in any way that might undercut their proprietary interests, but that attitude might be changing now, at least slightly.
“The industry is looking at how can we be more proactive with our communication,” Dixon said, pointing to Nacha’s new framework concept and a Nacha contact registry designed to help institutions talk to one another. “A challenge is going to be making sure all the institutions get on board with that.”
Increasing the difficulty is the fact that there are nearly ten thousand U.S. banks, creating a daunting task in allowing them to communicate with each other.
As part of the effort, Nacha developed the contact registry in 2020 and had taken on the arduous task of asking bank personnel to sign in. So far, the registry has 45,000 contacts.
Nacha’s operating rules require financial institutions to provide the contacts so professionals from other institutions can reach them if need be, and all of them are supposed to be willing to share information as a part of the reciprocity of receiving it.
“The intent of the registry is to provide consistent and accurate information for a financial institution that may need to reach another financial institution regarding fraud scenarios like business email compromise and vendor impersonation,” Jeanette Fox, Nacha’s senior director for risk investigation and ACH network risk management, said in an emailed statement.
Early Warning Services, the bank-owned operator of the payment tool Zelle, also operates a national shared database to which the largest U.S. banks contribute account information, but professionals note it has a significant gap in coverage because smaller banks have more than a quarter of accounts.
Banks launch another initiative
Other banking organizations also are brainstorming new ways of combating fraud. The American Bankers Association is working on a new anti-fraud prevention project with Early Warning Services, according to one well-placed industry source who asked not to be identified.
That effort is starting out with just a handful of banks participating and is about to kick off a pilot phase, the source said, declining to provide further details.
Sarah Grano, an ABA spokesperson, declined to comment, as did Meghan Fintland, a spokesperson for Early Warning Services.
Professionals from those organizations meet regularly to discuss fraud and risks, but French still has concerns that banks aren’t capturing and sharing as much information as they might. He notes that bankers are steeped in policies that keep them from sharing information with third parties. Also, some professionals say they lean away from broadcasting new techniques for fear of tipping off fraudsters. “There is some sharing, but I think there’s a need and a desire for more sharing of different information,” said French, whose firm sells fraud analytics software.
Still, plenty of companies have been stepping up public campaigns to sell new fighting-fraud tools in recent months, including SAS Institute, card network company Mastercard, credit bureau Experian and a parade of fintechs introducing new services and products.
Europeans explore a new approach
Across the Atlantic in Europe, there has been more movement in terms of a collective industry response. A new concept of “authorized push payments” has taken root, with a sense of shared liability among banks for wayward payments, said Donna Turner, a former chief operations officer at Early Warning Services who is now a consultant for the auditing firm Ernst & Young.
European financial institutions on the sending side are now taking as much responsibility for fraud as those on the receiving end, Turner said. Increased data sharing among banks in Europe has unfurled with the open banking trend following a 2016 adoption of the European Union’s Second Payment Services Directive, known as PSD2.
Bank and payment actors on either side of a transaction have increased incentives to change their behavior to fight fraud, Turner said in an interview this month. “It’s about protecting the ecosystem,” she added.
Participants in the U.S. payments ecosystem may be starting to embrace the same approach as they seek to build stronger industry defenses against fraud.
Caitlin Mullen contributed to this story.
Fraud losses to surpass $40B by 2027: report
By: Tatiana Walk-Morris • Published June 16, 2023
Dive Brief:
A fifth of consumers worldwide have been victims of payment fraud in the past four years, according to an ACI Worldwide report based on consumer polling last year.
Of that group, more than a quarter (26.9%) have fallen victim to authorized push payment scams, which involve scammers tricking users into making payments to a destination account the scammer controls, ACI said in a news release issued Thursday. ACI called that type of payments fraud the top fraud threat globally.
Financial crime and fraud are projected to cost banks and financial institutions around the world $40.62 billion by 2027, ACI said. With the rollout of FedNow in the U.S., real-time payment volume is expected to grow 32.6% by 2027, ACI said, referencing the March report.
Dive Insight:
Though push payment scams are defrauding consumers abroad, ACI argues that the U.S. doesn’t have to suffer the same fate. U.K. consumers lost £1.2 billion to fraud scams last year, more than a third of which were push payment scam losses, ACI said. In the U.S., the July launch of FedNow, the Federal Reserve’s real-time payments system, presents the chance for the financial sector to anticipate risk and update its management technology, ACI said.
Push payment scams “are on the rise as fraudsters exploit human vulnerabilities and weaknesses in bank controls to manipulate mule accounts to receive funds from fraudulent activities and facilitate further illicit transactions,” Cleber Martins, ACI’s head of payments intelligence and risk solutions, said in a Thursday news release.
“Banks need to safeguard their customers and revenue by shifting their focus from relying on traditional measures designed to prevent check or card fraud,” Martins said in the statement. “They need to arm themselves with the right fraud strategies to capitalize on the security of the real-time payment rails and reap the benefits of real-time payments without fraud management becoming a cost-center.”
Fraud has become an increasingly large problem for payments players, and the onset of real-time payments has raised concerns about real-time fraud. Payments fraud came up at Nacha’s Smarter Faster Payments conference in April, during which Consolidated Edison Director Frank D’Amadeo urged banks to do more to combat fraud.
Payments firms are also tackling fraud with currently available payment products. Earlier this month, American Express CEO Steve Squeri said the card company has seen an uptick in scammers targeting elderly customers via gift card fraud.
Fed touts FedNow’s fraud tools
The central bank is preparing to take on challenges of real-time payments as the launch of FedNow nears later this month.
By: Lynne Marek • Published July 14, 2023
When the Federal Reserve’s new instant payments system arrives later this month, it will have features to help financial institutions deter high-speed fraud.
In a speech to the National Bureau of Economic Research, Cleveland Fed President Loretta Mester spelled out how the new real-time system will equip banks and credit unions to stop fraudsters from using the new payment rails to advance their schemes.
Mester focused on FedNow, which promises to complete payments within 20 seconds, as the likely launch of the new system nears later this month. The instant payment system has been in development since 2019 as the first major U.S. government payments upgrade in 50 years, she said.
It’s an important development in that payments help fuel any country’s economy and determine, to some extent, how efficient that commerce is. In addition, the U.S. is playing catch-up with some other nations that have already implemented such real-time systems.
Faster payments are in demand by consumers and businesses alike, Mester noted. The FedNow system, with its ability to transfer funds around the clock, could help both avoid fees when money in accounts is running low, she noted. The system can also deliver faster paychecks to consumers, she added.
“FedNow will provide the public with more flexibility to manage their money and to make time-sensitive payments whenever needed,” Mester said.
FedNow has raised the specter of faster payments leading to faster fraud, but the central bank is attempting to ensure that isn’t the case.
Users of the new government system will have the option to create a list of “suspicious accounts,” from which they aren’t interested in sending or receiving payments through FedNow, Mester said. Indeed, participants in the new system will be able to reject payments and to limit use by certain accounts, she said.
FedNow will also incorporate tools that help financial institutions investigate shady transactions, Mester said. In addition, FedNow’s request-for-payment function will include fraud-mitigating features, she added.
“Combating fraud is a dynamic endeavor, so the service will be offering more fraud-prevention tools over time,” Mester said in the speech.
She also addressed other FedNow challenges that have been raised as the launch date nears, such as its lack of interoperability with other payment systems, the possibility it could increase the risk of bank runs and the likelihood that it will be adopted only slowly and therefore not be widely available.
Education about the new system, with respect to financial institutions, businesses and the broader public, will be key. The Fed has had an intense marketing campaign in place for months now, with the central bank announcing last month some 57 companies as early adopters.
On the threat of bank runs, she stressed that financial institutions will have flexibility to impose restrictions that should fend off such problems. For example, banks will be able to lower dollar limits on transactions and could shift to a receive-only mode if they like, she said.
With respect to interoperability, she explained that such cooperation between payment rails has been an issue in the past and that it sometimes took decades to create better connections. Still, FedNow is designed in keeping with the international ISO 20022 standard and it has that in common with the U.S. private real-time payments system known as the RTP network, which is operated by The Clearing House, which is owned by a group of banks, she noted.
“No doubt it will be a challenge for instant payments,” she said. “But the Fed continues to engage with RTP to discuss how best to accomplish this goal.”
FedNow aims to avoid Zelle-type fraud
As the Federal Reserve prepares for a mid-year launch of its instant payments system, FedNow, it’s zeroing in on anti-fraud tools to protect users.
By: Lynne Marek • Published Feb. 23, 2023
As the Federal Reserve prepares for the launch of FedNow as early as May, it’s focusing on building fraud prevention features into the new real-time payments system.
“Fraud management features are a high priority for (financial institutions) and are being tested along with transaction flows in the countdown to launch,” the Federal Reserve said in a website post, citing FedNow Senior Vice President Nick Stanescu.
The central bank is zeroing in on the fraud prevention effort as other speedy payment systems fend off criticism that consumers can run into trouble when fraudsters trick them into sending payments that can’t be reversed. That’s been the case with Zelle, the peer-to-peer payments system operated by the bank-owned Early Warning Services.
That system, introduced in 2017, has been battered by complaints from bilked consumers. Sen. Elizabeth Warren (D-MA) took up their cause last year, railing against Zelle and calling for increased regulations to protect consumers. For its part, Zelle has said that the fraud on its system accounts for well under 1% of transactions.
FedNow won’t be offered directly to consumers, but rather to some 10,000 banks and other financial institutions that are connected to the FedLine network. Those financial institutions will, in turn, make the instant payment services available to corporate clients and ultimately consumers as well.
After years of planning for FedNow, the payments system entered the final phases of testing and certification last month, with an aim to make the service available sometime between May and July of this year.
“Early adopters in the FedNow Pilot Program — FIs, processors and service providers among them — are now sending test payments messages to one another using the FedLine infrastructure,” the Feb. 6 Fed update said.
All of that development comes with an eye on fraud prevention, as users ultimately tap it for account-to-account money transfers and bill payments, among other services.
In a separate post, the Fed said the initial launch of FedNow will allow financial institutions to impose value limits for transactions and specify some situations in which transactions would be rejected. It also will offer features that let the institutions check whether a message was altered as well as options for running transaction reports.
The update made clear that the Fed is keenly aware of the troubles that have recently plagued Zelle and the inability to reverse payments so it’s seeking to find ways to bolster defenses against fraud. It will encourage financial institutions to mimic Zelle’s extra layer of prompts asking users if they’re sure they want to send a payment.
Identity theft and account takeovers are the types of schemes that the Fed is bracing for as it anticipates that criminals will infiltrate the new real-time payments system, as they have other forms of payment such as debit cards, checks and automated clearing house payments.
“The rise of instant payments is a reminder that while fraud itself may be as old as human civilization, new ways of making payments invariably introduce fresh fraud management challenges to financial services sectors and their customers,” the Fed post said.
The Fed said it may also eventually give financial institutions the ability to fine-tune their controls for certain types of customers that allow them to better screen out requests to send payments to bad actors.
The central bank could also use the FedNow system to monitor for illegal activity, such as “aggregated concentrations of inbound and outbound activity” that may suggest illicit “mule activity.” It could also tap machine-learning capabilities to assess transactions.
The central bank did say that potential features planned for a roll-out in 2024 may allow financial institutions using the system to reject payments that exhibit “unusual frequency patterns” or show an unusual cumulative value over certain periods of time.
“This could address fraudsters’ efforts to work around transaction limits by originating large numbers of low-value payments in a short window,” the Fed said in the web post.
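The pattern the Fed describes, many low-value payments sent in a short window to stay under a per-transaction limit, can be screened with a sliding window per originating account. The sketch below is an added example, not FedNow's or the Fed's implementation; the class, thresholds, account names and payment records are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    ts: int          # seconds on an arbitrary clock (constructed values)
    account: str     # originating account identifier (hypothetical)
    amount: Decimal


class VelocityScreen:
    """Hypothetical sender-side screen; every threshold is illustrative."""

    def __init__(self, per_txn_limit, window_secs, max_count, max_cumulative):
        self.per_txn_limit = Decimal(per_txn_limit)
        self.window_secs = window_secs
        self.max_count = max_count
        self.max_cumulative = Decimal(max_cumulative)
        self._history = defaultdict(deque)    # account -> (ts, amount) pairs
        self._totals = defaultdict(Decimal)   # account -> sum inside window

    def check(self, p):
        """Return (decision, reason). Only accepted payments enter the window."""
        hist = self._history[p.account]
        # Drop entries that have aged out of the sliding window.
        while hist and hist[0][0] <= p.ts - self.window_secs:
            _, old_amount = hist.popleft()
            self._totals[p.account] -= old_amount

        # 1. Plain value limit on a single payment.
        if p.amount > self.per_txn_limit:
            return ("reject", "per_transaction_limit")
        # 2. Unusual frequency: too many payments inside the window.
        if len(hist) + 1 > self.max_count:
            return ("reject", "frequency")
        # 3. Unusual cumulative value: each payment is small, the sum is not.
        if self._totals[p.account] + p.amount > self.max_cumulative:
            return ("reject", "cumulative_value")

        hist.append((p.ts, p.amount))
        self._totals[p.account] += p.amount
        return ("accept", "ok")


def screen_stream(payments, screen):
    """Screen payments in time order; return (account, ts, decision, reason)."""
    results = []
    for p in sorted(payments, key=lambda x: x.ts):
        decision, reason = screen.check(p)
        results.append((p.account, p.ts, decision, reason))
    return results


def run_sample():
    """Constructed data: limit 1000 per payment, 5 payments or 3000 per 10 min."""
    screen = VelocityScreen("1000", window_secs=600, max_count=5,
                            max_cumulative="3000")
    payments = [Payment(20, "acct-A", Decimal("1500"))]       # over the limit
    # acct-B: six payments of 400 one minute apart (count trips first).
    payments += [Payment(t, "acct-B", Decimal("400"))
                 for t in (0, 60, 120, 180, 240, 300)]
    # acct-C: four payments of 900 (count is fine, the sum is not).
    payments += [Payment(t, "acct-C", Decimal("900"))
                 for t in (10, 110, 210, 310)]
    # acct-B again after the window has expired.
    payments.append(Payment(1000, "acct-B", Decimal("400")))
    return screen_stream(payments, screen)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Rejected attempts are deliberately not counted toward the window here; a screen that also counts attempts would flag probing sooner at the cost of more false positives.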
In the meantime, the Fed is relying on education to make sure the financial institutions know how to use the system in a way that mitigates fraud.
Financial institutions aren’t completely unfamiliar with how a real-time payments system works because a group of big U.S. banks introduced their own real-time payments system, called the RTP network, in 2017. Smaller institutions that have been reluctant to use a system run by their larger rivals are expected to tap FedNow for services.
Comments from Stanescu came in an interview of the Fed official with the trade publication Pymnts.com, the Fed said in its web post.