Why pre-pandemic fraud risk is making a comeback

"Many schemes we knocked down in 2017 to 2019 are coming back," said Dustin White, head of U.S. risk for Visa, at Payments Forum.

Fraudsters found low-hanging fruit during the pandemic by exploiting the rush to digital payments and remote work, but as those channels become more fortified, crooks are returning to some tried-and-true schemes.

Card-present transaction fraud is on the rise as consumers return to stores, according to Dustin White, Visa's vice president and head of U.S. risk, who spoke at Payments Forum recently in San Diego.

"Now that transaction volumes for card-present transactions have come back to pre-pandemic levels, a lot of old tricks are starting to pop up again," White said, noting that basic schemes such as testing stolen card credentials to make fraudulent transactions are on the rise along with crimes leveraging lax retail controls.

One example is crooks claiming their secure EMV chip-enabled card doesn't work and persuading retail clerks to let them swipe a fake card using stolen card credentials to complete a purchase.

"Many schemes we knocked down in 2017 to 2019 are coming back," White said. 

Friendly fraud–which got its start years ago–has also accelerated in the post-pandemic era as consumers learned how to successfully dispute gaming, gambling and other transactions they had actually made but wanted to disavow.

Visa is attempting to block these resurgent fraud types by increasing the data available to analyze in-store and digital transactions to recognize unusual patterns.

"We've expanded the suite of attributes we use to ensure transactions are legitimate," White said.

Fraudsters are working to outsmart these bulwarks by using artificial intelligence and other sophisticated technologies to steal card credentials to use online and in stores. 

"Fraudsters are very good at collaborating and sharing stolen card data and now they're testing card credentials with machines," White said.

Visa sees about 2 million attacks on its network a day and quickly reacts to squelch them, he said.

"Fraudsters operate very quickly–they find an opportunity and hit it very hard and fast before it's blocked, but several months later they'll circle back and find a way to get through with an older scheme," he said.

Despite the perception that fraud appears to be worsening every year, on the consumer side it's actually declined in recent years. A decade ago consumer card fraud amounted to 8 or 9 cents for every dollar, but today it's about 7 cents per dollar, White said.

On the corporate side, the pandemic had a devastating effect on business-to-business fraud that is proving difficult to reverse, said Mary Rosendahl, managing director, Global Transaction Services-CashPro at Bank of America, during another Payments Forum panel on fraud trends.

"The shift to remote work exacerbated business email fraud and phishing in new ways, because people weren't sitting in offices together sharing intelligence about suspicious transactions. Lots of the education and knowledge about protecting the misuse of payment instructions got lost," Rosendahl said.

Business email compromise has continued to grow in the post-pandemic era because many companies are unaware of how sophisticated fraudsters have become, she said. 

"Ninety-nine percent of the fraud we see in corporate settings is coming from phishing and email, where criminals are using digital and other channels to simply trick unsuspecting employees into changing payment instructions to re-route the payment to them," Rosendahl said.

Fraudsters have succeeded in hijacking payments by claiming to be IT workers, and the post-pandemic talent shortage has made it easier for crooks to pose as clients and befriend unwitting employees to intercept payment instructions. "It can be temporary workers or veterans–people at all levels are fooled by very sophisticated schemes that look legit," she said.

Along with email, the widespread use of passwords for authenticating corporate payments is a persistent gap enabling fraud, said Mike Timoney, vice president of the Federal Reserve Bank of Boston, who joined Rosendahl on the same panel. 

"Even after all these years, many people at corporations are using obvious passwords like the word 'password' and simple numeric strings like '1,2,3,4,5,' where they should be using at least a 16-digit password," Timoney said.

The use of text messages to validate payments in corporate settings is also a gaping opportunity for fraudsters, he noted. 

"Companies think they're using multi-factor methods to avoid fraud, but text messages can be phished. SMS messages were developed for notifications and alerts, not security," Timoney said. 

Moving away from passwords, adding secure multi-factor authentication methods and biometrics are ways to protect against corporate payments fraud, he said.

Even as corporations adopt more secure payment-authentication methods, many are unreasonably afraid to let employees use mobile devices for business payments, Rosendahl said. 

"It can be a challenge convincing organizations who think mobile phones are risky for conducting corporate payments, but [with proper controls] the mobile device can actually be very secure," she said. 

Prioritizing fraud awareness and education on an ongoing basis is the best way to thwart corporate payment fraud, according to Rosendahl. 

"If corporate employees had awareness of the risks, and organizations made sure their people were always validating any changes in payment instructions, we could immediately wipe out a lot of business email fraud," she said. 
