Visa expects more fraud from pandemic activities in 2021

Fraudsters are continuing to take advantage of the COVID-19 pandemic to exploit online shopping, curbside delivery and unemployment, according to Visa.

In Visa’s newly released biannual Payment Fraud Disruption Report, the card network noted that the payments threat landscape was largely influenced by the ongoing COVID-19 pandemic, with scammers taking full advantage of changes in consumer shopping behaviors and the rise in unemployment insurance claims. And with the pandemic still raging, fraudsters show no sign of slowing down.

“The flurry of physical store merchants creating online storefronts with third-party help and adding curbside delivery created a new vector for these threat actors,” said David Capezza, senior director of payment systems intelligence at Visa. “It’s as if an invitation was sent out for these actors [the criminals] to take advantage of these new merchant activities that were not present before the pandemic."

Capezza highlighted one activity, called enumeration attacks, that targets merchants going online for the first time. In such an attack, the fraudster will attempt to use a payment card knowing only partial details such as the account number. The fraudster will attempt to make multiple purchases using a bot that will guess at full card details including the expiration date and CVV. Newer merchants to the online channel are more vulnerable, as many are unlikely to have deployed the tools to stop enumeration attacks.

Once a scammer has successfully made a purchase through an enumeration attack, they use the full account data to attempt to drain the account with more fraudulent purchases.

“If a merchant doesn’t have velocity checks, CAPTCHA tools, or other fraud mitigation measures in place, then these attacks can occur at an unabated level," said Capezza. “The threat actors will just use an automated bot to make thousands of guesses until they figure out the full card details. We’ve developed some machine learning tools to help Visa clients to help identify enumeration fraud.”

Visa noted that unemployment insurance fraud was another major area of activity. This was likely due to a combination of factors ranging from record job losses as businesses closed, an increase in unemployment benefits provided by Federal stimulus payments and state agencies being overwhelmed.

When scammers fraudulently apply for unemployment insurance and are approved, they load the funds to a prepaid card or a virtual payment account.

Data from the U.S. Department of Labor confirms the trend identified by Visa.

Puerto Rico recorded the highest level of unemployment insurance fraud in the nation at 20.96% for 2020, up seventeenfold from the 1.22% level recorded in 2019. Arizona, which had been the leader in unemployment insurance fraud since 2018, fell to sixth place, despite reaching almost 10% of all unemployment dollars paid out ending up in criminal hands. South Carolina and Tennessee saw their fraud rates more than double, while Alabama saw its rate grow nine-fold from 1.4% in 2019 to over 13%.

In a PayDirt podcast interview with Tia Ilori, senior director of global fraud and breach investigations at Visa, spoke at length about what Visa is doing to help states identify unemployment insurance fraud using payment cards.