A new payment fraud trend report published by the European Payments Council (EPC) finds company executives, payment service providers (PSPs) and payment infrastructures have become the main target of fraudsters.
In its 2021 Payments Threats and Fraud Trends report, the EPC concludes that fraudsters “appear to” shift their main focus from consumers, retailers and small and medium-sized businesses to company executives, employees, PSPs and payment infrastructures, adding that these attacks are more frequently leading to authorised push payments (APP) fraud.
The report also identifies a trend of fraudsters shifting away from malware to social engineering attacks, but warns that malware continues to be a major threat, with ransomware becoming “the top cyber threat faced by European cybercrime investigators”.
It notes that both social engineering and malware attacks should be addressed by raising awareness and educating customers and employees. At the same time, there are various steps that service providers can take to help reduce APP fraud and malware.
For instance, they can implement techniques that help customers verify that websites and emails are genuine, and their IT departments should implement adequate protection and control functions in their applications, including specific measures for cloud service usage.
The EPC also notes that advanced persistent threats (APTs), whereby fraudsters establish a long-term presence on a network to harvest highly sensitive data, “must be considered as a potential high risk not only for the payment infrastructures but also for all network related payment ecosystems”.
Service providers can take various measures to fight APTs, including adopting a “security defense-in-depth strategy and architecture”, using “advanced security data analytics, technologies of early detection with real-time reporting and visualisation”.
At the same time, the EPC concludes that DDoS attacks are not on the rise anymore, but they still frequently target the financial sector.
Finally, it stresses that fraudsters often withdraw money or use money mules — a person who allows others to transfer ill-gotten gains through their bank account — hence raising awareness of these practices can also be an important tool to fight fraud.
“PSPs must understand the emerging threats, the possible impacts and should keep investing in appropriate security and monitoring technologies as well as in customer awareness campaigns,” the EPC says.
Different fraud for different payment methods
The report assesses fraud related to specific payment instruments and lays out various trends and typical fraud types for card payments, payments using SEPA schemes, and mobile wallets.
It finds that criminals are changing their approach to card payment fraud, turning to more high-tech fraud such as APTs, while also continuing to rely on older techniques such as using lost and stolen cards, sometimes in combination with social engineering.
Card-not-present fraud remains a significant factor for card fraud losses.
For SEPA Credit Transfer (SCT) and Direct Debit (SDD) transactions, fraudsters mainly use impersonation and deception scams, as well as online attacks to compromise data.
The report identifies “an increase” in APP fraud during the past year.
The EPC noted that as supporting SEPA schemes, such as SEPA Proxy Lookup Scheme and SEPA Request-to-Pay, are relatively new, “it is too early to observe real-life fraud cases targeting them to draw any meaningful conclusions”.
However, the EPC expects that the same patterns of threats and fraud will emerge in these schemes as well.
Finally, the EPC finds that mobile wallets are most often exposed to targeted attacks on the mobile device’s key stores to unlock credentials, user interfaces and NFC controllers.
“Regardless [of] the threats specific to particular schemes or payment processes, an important aspect to mitigate the risks and reduce the fraud is the sharing of fraud intelligence and information on incidents amongst PSPs,” the report stresses.
Instant payments require instant detection
In addition to all the fraud types described above, instant payments are exposed to additional threats because of their real-time, 24/7 processing and settlement.
As the payor’s account is instantly debited and the funds are immediately available on the account of the payee, payment processors must detect fraud and block transactions in real time. As there is less time to detect fraud and prevent the use of ill-gotten funds, certain types of fraud are likely to increase in instant payments schemes.
The EPC warns that although fraudsters usually use social engineering and malware in the same way as in traditional payments, proceeds sent through instant payments could be spent or withdrawn immediately.
It also stresses that instant payments systems are likely to be used more intensively by fraudsters with money mules.
Additionally, as clearing and settlement take place at almost the same time as the payment orders, the EPC noted that disruptions caused by APTs and DDoS might also affect these layers of transactions.