The “Fraud Triangle” is upon us. According to anti-fraud researchers, this triangle, caused by global inflation, rising interest rates, and continuous rounds of layoffs, creates a ripe environment for committing fraud. This, coupled with the continued expansion of ecommerce, threatens to bring merchant losses from online payment fraud to an expected $362 billion globally between 2023 to 2028, with losses of $91 billion alone in 2028, according to Juniper Research.
As the fraud landscape continues to evolve, this article will attempt to educate merchants and individuals alike on the most rampant trends in financial fraud this year, describing their prevalence, and what, if anything, can be done for their prevention.
Push Payment Fraud
It’s an old story with a new twist: A widow is looking for love the second time around, and transfers money to her love interest, unaware that it’s a social engineering scam. The catch is that she’s sent payments in real time, which can’t be reversed after the payments are made. The fraudster, impersonating her love interest, walks away scot-free with her money.
In the U.K. specifically, 41% of fraud has been estimated to be tied to push payments. In the US, authorized push payment (APP) fraud loss is set to exceed $3 billion by 2026.
On a global scale, push payment fraud is rising with the evolution of real-time payments everywhere, such as the Faster Payments Service in the UK. Fraudulent push payments can be particularly damaging, as they link fraudsters with hundreds and even thousands of victims via social media channels, messaging and mobile apps. Bad actors can leverage social media to glean information about their victims, send malicious links that lead to malware, and even launch fake support accounts that are engineered to capture their victims’ sensitive information.
The somewhat good news is that the UK Payment Systems Regulator (PSR) recently announced new reimbursement requirements for banks and payment companies to pay back their customers that fall victim to APP fraud. But not everyone agrees that payment regulators are solely to blame.
“Regulation can be helpful, but some amount of liability has to lie [with] the sender of the payment,” said Lee Kyriacou, VP of real-time payments at The Clearing House, in an interview with PYMNTS. “Banks need to continually educate account holders about account security best practices, such as using complex passwords, two-factor authentication and providing prompts to payers such as, ‘Are you making this payment to someone you know? This payment is irrevocable.’”
When it comes to preventing APP fraud, Kyriacou explains that because of the high-volume nature in which scammers operate, banks and payment providers must look at their customers’ accounts to examine who is receiving large numbers of peer-to-peer (P2P) payments, which can help identify the bad actors and shut them down.
“Banks can look at [things such as] how many times has there been a fraud report for this receiver? How many transactions has this receiver had in the last 24 hours compared to a month ago? When was the first time this receiver got a payment on the network? Then you’re starting to provide them information [from which] a sending bank can then figure out [whether this is] a typical receiver for this customer or not,” added Kyriacou.
Goods Lost in Transit Fraud (GLIT)
Have you ever signed for a package telling Amazon you’ve received it? This is so that the retail giant can protect itself against fraud. Goods Lost in Transit fraud (GLIT) is when a consumer orders a product and receives it but either claims it didn’t arrive or was damaged and demands a refund. Since businesses want to enhance the customer experience with flexible return policies, some consumers don’t even consider this fraud, rather simply pushing the envelope of return policies.
But make no mistake, this type of return fraud can reduce a retailer’s overall profitability by 10%–20%. Experts estimate that the US retail industry alone loses over $7.8 billion from fraudulent returns.
Although merchants can’t stop return fraud completely, there are steps they can take, such as requiring customers to sign for delivery and having drivers and handlers document the process of receiving goods with cellphone pictures. Another tip for growing businesses is to stay vigilant. Don’t be too eager for new customers to the point where you fail to spot customers who are taking advantage.
SIM swap fraud
Although it’s not exactly new, SIM swap fraud is an emerging type of fraud in geographic regions with developing mobile payment systems. It’s an advanced form of social engineering that exploits vulnerabilities in SIM cards of mobile phones, such as M-Pesa in Nairobi.
The reason it’s so effective is because banks use the mobile numbers of customers to sync their accounts, asking users to prove their identities with multi-factor authentication or a one-time password. But when a SIM is compromised, it’s a fraudster who attempts to gain access to an account via a phishing attempt. Once they’ve received a mobile number, they can link to a bank account and withdraw funds.
Fortunately, in the US at least, the Federal Communications Commission has stepped in, requiring wireless providers to implement secure authentication methods when swapping SIM cards. These include embedded SIM cards (eSIMS) by manufacturers, in which the absence of a physical SIM makes it harder to steal and compromise.
In developing countries, however – or in countries where government help cannot be relied upon or simply don’t have the resources, time, or energy to get involved with consumer protection – there is a need for help from the private sector, as seen with Safaricom’s latest solutions for SIM-Swap-Check and ATM Vicinity checks for banks to reduce fraudulent transactions.
“The rapid growth of Kenya’s fintech sector has been accompanied by a rapidly evolving threat environment targeting both customers and fintech operators,” explains Peter Ndegwa, CEO of Safaricom. “It is, therefore, necessary for different players to partner around innovations that protect customers and their funds to safeguard the gains made.”
Brand Impersonation
Another emerging trend in merchant fraud tactics is brand impersonation, in which malicious actors create a fake version of a company’s website mirroring the legitimate brand, and trick users into interacting as usual with the site, submitting sensitive information such as passwords, usernames and even credit card information.
How does this happen? One of the main ways is by injecting JavaScript code into the website to alter it in subtle ways not easily picked up on by the user, such as buttons, logos or other minor elements of the page. With 98.5% of websites using JavaScript as their client-side scripting language, this fraud tactic has all sorts of permutations, including website spoofing, cross-site scripting (XSS), and cross-site request forgery (CSRF/XSRF).
Since the manipulation caused by the JavaScript code occurs in real time when a user visits the page, it is challenging to detect since it often appears to look like a trusted brand. Regular code testing using Content Security Providers (CSPs) that restrict the type of content a page can load, and maintaining JavaScript libraries with code that is regularly updated, patched, and tested can all help to defend against web spoofing.
“JavaScript dependency injection has numerous benefits, such as improving code modularity and increasing code reusability. But it also leaves the application vulnerable to cyberattacks… Your application can become a victim of these vulnerabilities at any moment — and when hackers use these vulnerabilities to steal data from customers of your applications, they expose them to fraud and more potential attacks,” explains Ran Arad, Director of Product Marketing at Memcyco, a website impersonation protection platform that detects spoofing in real time.
Bust Out Fraud: The Long Road
With the increasing amounts of social security numbers available on the dark web, Bust Out Fraud is said to cost credit card companies an estimated $1.5 billion annually. How does it work?
A fraudster – or more likely, an organized group of criminals – opens up a fake credit card or bank account via a social security number. They continue behaving like regular consumers for months and even years to build up a line of credit, increase their limits, and open up numerous other fake accounts. Once they reach this point, they max out the cards with no intention of paying back the credit, “bust” themselves out, and continue the scheme with stolen identities.
Although this type of fraud is one of the hardest to detect, credit card companies are now on the alert for the first signs of it. First, they check for large numbers of credit applications in a short period, as this is how a fraudster might set the groundwork for increasing his credit limit at a later time. They also check for invalid personal data that a fraudster might fill out in order to complete the application. At a later point in the fraud execution, the credit card company becomes aware of sudden increases in credit limits, maxing out on credit limits and making only minimum payments. In retrospect, they also see that the fraudster wasn’t available at the provided contact information for long periods of time.
By being alert to these types of activities, credit card companies are better positioned to detect bust out fraud in the beginning stages – before it’s too late.
The Path to Financial Reconciliation
For better or worse, banks, governments, financial institutions, and even consumers will need to work together to find solutions to the emerging and rampants fraud tactics plaguing society. It’s a double-edged sword between trying to catch the fraudsters while compensating the victims. As the economic landscape shifts, we’ll have to wait and see how anti-fraud policies and regulations develop on a global scale in the struggle against financial fraud.
The article was contributed by Ralph Tkatchuk Founder and Operator at TK DataSec Consultancy