Australians are facing a card fraud epidemic as overseas fraudsters continue to target the country, leading to significant losses for consumers.
New data from Australia has shown that although domestic card fraud continues to fall, overall rates of card fraud are being driven higher by fraudsters operating from offshore jurisdictions.
Last week, the Australian Payments Network (AusPayNet) released its latest data on card fraud, covering the 2023 calendar year.
In 2023, AusPayNet found that the overall rate of card fraud in Australia hit 70.2 cents per A$1,000 spent. This represented a 22 percent increase on the previous year, and the country’s highest card fraud rate since 2018.
The growth was driven almost entirely by card-not-present (CNP) fraud, which now accounts for 90 percent of all card fraud in Australia.
Moreover, the growth in CNP fraud was driven by offshore card fraud, defined by AusPayNet as fraud that targets Australian-issued cards that have been used with overseas merchants.
The growth in offshore card fraud helped push the total value of card fraud 32 percent higher year-on-year to A$762m ($524m).
As noted by AusPayNet, this significantly outpaced the growth rate of the total value of card transactions, which rose by 8 percent to A$1.1trn ($760m).
Andy White, CEO of AusPayNet, said there is “good news and bad news” within the data. “While it is encouraging to see domestic CNP fraud continue its decline, the sharp rise in overseas CNP fraud is a growing concern,” he said. “Essentially, 3 percent of card spend is now accounting for 48 percent of all card fraud.”
White attributed the rise in offshore card fraud to the fact that many overseas merchants do not use strong customer authentication (SCA).
He also noted that offshore fraudsters continue to steal card credentials via a variety of methods, including cyber and phishing attacks using websites and SMS.
“Stopping card fraud is important, as we know that criminals use this information to also commit higher value scams, such as bank impersonation and remote access scams,” he said.
“The nexus between fraud, scams and cybercrime, as well as its global nature, makes addressing offshore fraud difficult. However, AusPayNet is actively working with card schemes, financial institutions and merchant bodies in Australia to identify strategies to counteract offshore fraud.”
In collaboration with the National Anti-Scam Centre, AusPayNet is expanding its efforts to take down fraudulent websites, including those involved in online shopping and phishing scams.
In August, lawmakers in Australia passed a new bill that will lead to the creation of an SMS Sender ID Registry, which aims to protect businesses from SMS impersonation scams.
The registry will also assist the Australian Federal Police (AFP) in their efforts to disrupt transnational organised crime that engages in SMS phishing.
“We remain focused on making Australia a much harder target for fraudsters and better protecting consumers from the growing threat of overseas CNP fraud,” said White.
“At the same time, we would urge consumers to be cautious when responding to email or online advertising links to online shopping sites, especially overseas,” he said.
Australia’s Independent Payments Forum (IPF) issued a similar warning to consumers: “Be careful and buy Australian when shopping online to take advantage of the anti-fraud measures we've adopted here,” it said.
Lack of SCA overseas makes Australian consumers an easy target
The lack of SCA among overseas merchants contrasts with domestic merchants, who are strongly encouraged, and in some cases required, to offer this extra layer of protection.
White attributes the “containment” of domestic CNP fraud to AusPayNet’s Fraud Mitigation Framework, an industry-wide initiative that was adopted in 2019.
The framework defines the minimum requirements for an issuer or merchant (or acquirer or payment gateway) to authenticate CNP transactions online.
It encourages firms to use a risk-based analysis to define which transaction types require authentication.
Some low-risk transaction types, such as recurring payments, trusted customers and wallet transactions, are exempt from authentication.
However, there are also elements of the framework that become mandatory when a merchant or issuer exceeds certain fraud thresholds.
The Merchant Fraud Threshold is set at A$50,000 ($34,000) in fraud losses, or to a 20 basis points fraud-to-sales ratio per quarter. The Issuer Fraud Threshold is set at a 15 basis points fraud-to-sales ratio per quarter.
If a merchant breaches the fraud threshold for two consecutive quarters, their acquirer will require the merchant to perform SCA on all transactions until their fraud rate falls below the threshold for a quarter.
After three consecutive quarters of breaches, the framework recommends that merchants pass all transactions through to the issuers for authentication.
In cases where merchants continue to exceed the thresholds after four (or more) consecutive quarters, sanctions and fines may be enforced by AusPayNet.
Adyen, a major acquirer and payment processor in Australia, has urged merchants to implement SCA “sooner rather than later”.
“Not only because it may soon be a global standard, but also for its multifold benefits,” it said. “Stronger shopper authentication enables more secure payment flows, and thus higher card authorisation rates.”