Are fraudsters really that clever?

Fraud in the payments arena has been with us forever. Artifices such as the debasement of gold coins by adding less precious metals, the printing of counterfeit banknotes, the manufacturing of bogus payment cards, are all examples of deception.

Click image to zoom Tap image to zoom

And fraudsters have evolved just as quickly as have the different payment options – sometimes quicker. Indeed, they could be seen as the epitome of a successful business model with a strategy team, market researchers, operations experts and a flexible workforce.

"Despite regular alerts to cardholders about how to avoid being scammed, this is still a regular occurrence.”

In an era of organisational realignment and speed of pivot, it could be argued the fraudster business has a lot to teach management gurus. They were agile and fast to market with minimal viable products before these became fixtures of modern management.

Nowhere is this better exemplified than in the move to exploit digital payments and e-commerce, both of which have been turbo-charged by the COVID-19 pandemic. Between using the pandemic and bushfires earlier in 2020 to their advatange, scammers cost Australians $A77 million in the first six months of 2020. Business email compromise (BEC) scams, in which scammers impersonate a supplier or senior staff through email and requests money be sent to a fraudulent account, took in more than $A132 million in 2019.

With virus concerns, the attraction of contactless cards and digital wallets has seen the use of cash as a payment mechanism dramatically decline while e-commerce has become more of the norm in many retail environments where previously consumers had been physically involved. In April 2020, 5.2 million Australians shopped online, spending $A2.7 billion, which was over 11 per cent of total retail sales, more than double a year earlier.

The Ritz

Fraudsters have long been attracted to ‘scams’ related to non-cash payments, in particular those based on payment cards. Despite regular alerts to cardholders about how to avoid being scammed, this is still a regular occurrence.

A recent example of card fraud concerns the luxury Ritz Hotel in London where scammers posing as hotel staff had been able to steal payment card details. In the pandemic, many hotels and restaurants insist that when making a booking, customers must give their payment card details, in particular the card number and expiry date. The scammers would then phone people with the exact details of their booking, asking them to ‘confirm’ their card details. The call appeared to have come from the hotel’s real phone number, a tactic known as ID spoofing. If queried by the customers, the scammer would say the payment card had been ‘declined’ and could they provide details of a second card. Having then deceptively acquired payment card details, the scammers would use them to buy expensive products online, which they could then re-sell.

Fraud on payment cards has already been acknowledged and responded to by the participants in the payments eco-system such as card issuers, merchants who accept card payments or regulators who oversee the industry.

As evidence of this, payment card fraud in Australia in 2019 was at its lowest level in five years. According to the Australian Payments Network, fraud represented 56.6 cents per $A1000 spend and the average value of a fraudulent transaction was $A123.

Card-not-present (CNP) remains the biggest category of card fraud with $A403 million, of which $A306 million was attributed to Australian online merchants. This is being addressed by the CNP fraud mitigation initiatives which encourage the uptake of stronger customer authentication, technological advances such as tokenisation and real-time monitoring. Nevertheless, as the example of the Ritz Hotel scam demonstrates, to facilitate a fraud, a certain degree of identity theft is necessary.

Fraud pivots

Agile fraudsters have already pivoted to follow the money and identity theft is now the name of the game. New figures released in August 2020 from the Australian Competition and Consumer Commission (ACCC) reveal identity theft has increased year-on-year by 55 per cent. In 2020 so far, 24,000 people have reported their personal details have been stolen, with scammers now targeting COVID-19 financial relief payments and early access superannuation payments.

Australians over 65 have reported the most cases of identity theft historically according to the ACCC but there is now a generational shift in the fraudster’s activity to focus on younger demographics of 25-44 years of age. This change of focus probably reflects the broader societal trends for the use of digital technology, where users can overlook the downside of readily sharing personal information.

If the fraudster has hacked into a person or an organisation’s identity, they can use that to create false accounts to use in the faster payment system to try to ‘lure’ their victims into agreeing to a money transfer using what has been called Authorised Push Payments (APP) scams.

Mind the APP

APP fraud involves the fraudster tricking their victims into willingly making large bank transfers to them. In countries and markets where APP functionalities exist, the fraudster may pose as someone from your bank claiming your account has been compromised and you should quickly act to move your money to a different account. Needless to say, this account will belong to the fraudsters.

Other common tactics include impersonating conveyancers to have deposit or settlement monies incorrectly transferred or receiving an invoice from a trusted tradesperson with new specified bank account details, the fraudsters having previously hacked into the tradesperson’s email account, provide a fraudulently manipulated invoice via an APP to divert the payment.

The UK has had 122,437 incidents of APP fraud in 2019, with associated losses of 455 million UK pounds.  In May 2019, eight of the UK’s major banks signed up to the first set of standards, which detailed how to treat victims of APP fraud. This Contingent Reimbursement Model (CRM) is based on the principle that the starting point should be to assume that victims of APP fraud should be reimbursed in full. This voluntary code is designed to give victims the chance of fairer and more consistent redress.

The UK’s Financial Ombudsman Service has however highlighted inconsistencies in how different banks are applying the Code and the Payment Systems Regulator has also expressed its concern the rates of reimbursement are lower than expected.

Unsurprisingly other countries (who have already or are looking at introducing similar models) are closely watching how the code is implemented. The need to balance both individual and commercial outcomes will continue to influence any decisions which given the COVID economic and social impacts will be the subject of even more scrutiny.

Viral fraud

Fraud can therefore be seen as a virus.

It can be ‘contained’, as demonstrated by the success in reducing payment card fraud, even on CNP. However, just as with a virus, warnings are not of themselves enough.

There is a need for action to investigate if they could be avoided (for example, where did fraudulent APP payments go to?) and consideration given to remediation for those people who have been the victim of this type of fraud, through no fault of their own.

Fraudsters then appear to be well capable of following the money. Are we able to not only follow the fraudsters but get ahead of them?

Steve Worthington is a bluenotes columnist and professor at Swinburne University Business School

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.

editor's picks

13 Oct 2017

In payments, fraud never changes

Steve Worthington | Professor at Swinburne University

The way we pay is changing rapidly but one thing endures: risk.

08 Oct 2018

Cybersecurity risk in business – it’s personal

Cosi De Angelis | GM Transaction Banking & Asset Finance Solutions, ANZ

To truly assess risk, a digital business strategy must consider cyber risks inside the business and the home.