Visa: Fraudsters have new ways to monetize stolen payment cards


Fraudsters trafficking in stolen consumer financial data are increasingly targeting individual credit and debit customers and their banks with sophisticated new schemes, Visa found in a new report examining the most recent serious threats to the payments industry.

Card fraud has been a persistent menace for issuers for years, but when Visa analyzed all reported fraud in the global payments ecosystem for the first half of 2023 and compared it with the same period a year earlier, several new themes emerged.

"Coordination between fraud professionals is increasing, leading to very sophisticated schemes that are focusing more directly on cardholders with advanced social engineering techniques," said Michael Jabbara, senior vice president, global head of fraud services at Visa.

Fraudsters are using advanced technology and systems to orchestrate the devastating ransomware attacks that are surging in North America. Overall, ransomware cases soared 300% from June to December 2023 when compared with the same period a year earlier, and ransomware attacks were nearly three times higher than similar attacks during the same period in Europe, the report said.

Gen AI enables new threats

Fraudsters are also starting to use generative AI to perpetrate scams on a broader scale, Visa said in its 38-page report, published this week.

"We think gen AI has the potential for a step-change in the amount of payment-card fraud we'll see in the next few years, because it allows fraudsters to be much more efficient and scale their attacks at a rate that wasn't possible before," Jabbara said.

One example is fraudsters using gen AI to create chatbots that mimic human beings well enough to trick consumers into believing they are speaking to a romantic prospect, an investing portal or a bank. "With new forms of AI, where one fraudster previously could defraud a few victims once with a single attack, now they can increase their harm exponentially by launching 5,000 threat attacks at once," Jabbara said.

The first line of protection against all card-fraud schemes is to enhance predictive models to identify aberrations in customers' behavior, along with systems to flag suspicious transactions and react quickly to freeze or block fraudulent payments, he said. 

Globally, payments-related threats targeting supply chains and third-party services are also on the rise, with fraudsters becoming adept at capturing payment card data and monetizing it through diverse types of fraudulent schemes from a single data breach, according to Visa's research.

Social engineering-based card fraud is on the rise, with new twists including the evolution of romance scams to "pig butchering" scams where fraudsters flatter users of social media and dating sites and persuade them to invest on fake crypto-trading platforms. Initially the victims believe they're tracking profits on realistic-looking mobile apps, before realizing their funds are gone.

Visa estimated that one in 10 adults have been targeted in a pig butchering scam, according to surveys and reported incidents. But the actual numbers of victims may be higher because about a third of adults decided not to report when they were victimized by certain embarrassing scams, Visa said.

Inheritance scams also are thriving in today's digital communications environment, in which scammers convince victims via official-looking letters, emails, texts and phone calls that a long-lost relative has left them money, Visa said. To claim the money, fraudsters persuade victims to share account information, which the fraudsters then use to make off with funds. 

Humanitarian relief scams also remain prevalent in the U.S., where fraudsters posing as nonprofit organizations request charitable donations to fake sites, sometimes with links to cryptocurrency wallets.

Atypical transactions

"Consumer education is the key for banks to fight social engineering-based bank account and card scams," Jabbara said. The other important tool banks should be using to help protect customers from these scams is to use fraud-surveillance tools that spot unusual payouts to new or unknown payees.

"Banks should have, or create, very tailored and sophisticated profiles of customers so when their transaction behavior suddenly goes out of the norm when they're targeted by a social engineering scheme, the bank is able to flag a problem and reach out to intervene," he said.
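The profile-based surveillance Jabbara describes can be sketched in a few dozen lines. The following is an added illustration, not Visa's or any bank's model: it builds a small baseline per customer from a constructed payment history and flags an outbound payment when it goes to a payee the customer has never paid before and the amount is far outside their usual range. The field names, thresholds and sample data are assumptions.

```python
"""Constructed example: per-customer behavioural profiles for scam surveillance.

Added illustration, not Visa's or any bank's model. Field names, thresholds
and the sample history are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Payment:
    customer: str
    payee: str
    amount: float


@dataclass
class Profile:
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)


def build_profiles(history):
    """Aggregate known payees and amount history per customer."""
    profiles = {}
    for p in history:
        prof = profiles.setdefault(p.customer, Profile())
        prof.payees.add(p.payee)
        prof.amounts.append(p.amount)
    return profiles


def score_payment(p, prof, z_threshold=3.0, min_history=5):
    """Return (flag, reasons) for one payment against the customer's profile.

    Flag = new payee combined with either an unusually large amount (z-score over
    the customer's own history) or a history too thin to judge. A new payee alone,
    at a normal amount, is noted but not flagged.
    """
    reasons = []
    new_payee = p.payee not in prof.payees
    if new_payee:
        reasons.append("new_payee")
    unusual = False
    if len(prof.amounts) >= min_history:
        mu = mean(prof.amounts)
        sigma = pstdev(prof.amounts) or 1.0  # constant history: fall back to unit spread
        z = (p.amount - mu) / sigma
        if z > z_threshold:
            unusual = True
            reasons.append(f"amount_zscore={z:.1f}")
    else:
        unusual = True  # cannot baseline yet; treat a new payee as needing review
        reasons.append("thin_history")
    return (new_payee and unusual), reasons


# Constructed history: small, regular spending to a handful of payees.
HISTORY = [
    Payment("c1", "grocer", 40.0), Payment("c1", "utility", 55.0),
    Payment("c1", "grocer", 35.0), Payment("c1", "utility", 60.0),
    Payment("c1", "grocer", 50.0), Payment("c1", "cafe", 45.0),
    Payment("c2", "grocer", 30.0), Payment("c2", "grocer", 32.0),
]
PROFILES = build_profiles(HISTORY)


def check(payment):
    """Screen a new payment against the constructed profiles."""
    return score_payment(payment, PROFILES.get(payment.customer, Profile()))


if __name__ == "__main__":
    for p in [Payment("c1", "crypto-xchange", 5000.0), Payment("c1", "grocer", 48.0),
              Payment("c1", "newshop", 45.0), Payment("c2", "crypto-xchange", 900.0)]:
        print(p, check(p))
```

The design choice worth noting is that neither signal alone triggers: a customer paying a new plumber at a normal amount is not a fraud case, and a large payment to a long-standing payee is usually a bill. The combination of an unknown payee with an out-of-profile amount is what the article's "suddenly goes out of the norm" criterion points at, and the thin-history branch is there because a freshly opened account has no norm yet.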

Another fast-growing fraud scheme is "triangulation," where scammers create fake websites offering luxury goods and services at reduced prices. The victim pays and receives a cheaper version of the sought-after product, which the crooks pay for with stolen account credentials. The scammer then requests positive feedback from the buyer, which boosts the site's undeserved credibility. Triangulation fraud resulted in nearly $1 billion in merchant losses in 2022, the most recent period for which Visa tracked related losses, according to the report.

Purchase Return Authorization, or PRA, is another rising form of fraud. In PRA, fraudsters make large purchases through legitimate websites, or through fake merchants they have onboarded, using stolen primary account numbers they control, and then immediately request a return. When the financial institution refunds the money, the criminal intercepts those funds through ATM cash withdrawals or peer-to-peer transfers.

PRA increased 83% globally during the second half of 2023 compared with the same period a year earlier. In the U.S., each PRA incident results in a loss to the affected bank of about $115,000, Visa said in its report.

This scam relies on the willingness of banks to refund purchases before the transaction actually settles, which is something banks could prevent through tightening their policies, Jabbara said.

"Fraudsters figure out which banks have more open policies about refunding customers' money, and the bank ends up quickly issuing refunds that are not actually linked to a transaction. All of a sudden, the bank is sending refunds of $5,000 or $10,000 that fraudsters are pocketing," he said. 
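The policy tightening Jabbara describes comes down to a few checks a refund has to pass before funds move. The following is an added illustration, not Visa's or any issuer's policy engine: a refund is paid only when it links to a real purchase on the ledger, does not exceed it, and that purchase has settled, and a large refund requested very soon after the purchase is held for review instead of paid. The ledger fields, the review window and the amount threshold are assumptions.

```python
"""Constructed example: gating refunds against the Purchase Return Authorization pattern.

Added illustration, not Visa's or any issuer's code. Ledger fields, states,
review window and threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Purchase:
    txn_id: str
    amount: float
    authorized_at: datetime
    settled_at: Optional[datetime]   # None while the transaction is still pending


# Constructed ledger of card purchases as the issuer sees them.
LEDGER = {
    "t1": Purchase("t1", 5000.0, datetime(2024, 3, 1, 9, 0), None),
    "t2": Purchase("t2", 120.0, datetime(2024, 2, 20, 14, 0), datetime(2024, 2, 22, 3, 0)),
    "t3": Purchase("t3", 9000.0, datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 10, 0)),
}


def evaluate_refund(txn_id, amount, requested_at, ledger=LEDGER,
                    large_amount=1000.0, review_window=timedelta(hours=72)):
    """Return (decision, reason); decision is 'approve', 'hold' or 'decline'."""
    purchase = ledger.get(txn_id)
    if purchase is None:
        return "decline", "no_matching_purchase"       # refund not tied to any transaction
    if amount > purchase.amount:
        return "decline", "exceeds_original_amount"
    if purchase.settled_at is None:
        return "hold", "original_not_settled"          # never pay out ahead of settlement
    if amount >= large_amount and requested_at - purchase.authorized_at < review_window:
        return "hold", "large_refund_soon_after_purchase"  # manual review before funds move
    return "approve", "ok"


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 11, 0)
    for req in [("t1", 5000.0), ("t2", 120.0), ("t3", 9000.0), ("t9", 50.0), ("t2", 500.0)]:
        print(req, evaluate_refund(req[0], req[1], now))
```

The ordering of the checks matters: the "no matching purchase" case is exactly the "refunds that are not actually linked to a transaction" Jabbara mentions, and the settlement check is the one that closes the window the scheme depends on. The hold for large, fast refunds is a softer control that a bank would tune to its own chargeback and settlement timelines.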

Token provisioning fraud — which exploits the process of adding a card to a digital wallet — is another area of growing risk for banks, Visa said in its report. 

The vulnerability during token provisioning comes when fraudsters bypass traditional authentication processes meant to filter out criminals, by tricking call-center personnel or using spoofed phone numbers to intercept one-time passwords, according to Jabbara. 

"Using biometrics, like a fingerprint or Face ID, to authenticate a token in a digital wallet is much more secure, but many banks aren't yet using the full biometric-based approach to provision tokens in the wallets, due to limited tech resources. The vast majority of fraud on tokens is on the first day because provisioning has gone wrong; about 40% happens on the first day," he said.

So-called enumeration attacks are also on the rise, a brute-force tactic where scammers use software to guess the account number, expiration date and three-digit code on the back of cards, building on partial account data they've stolen or purchased on the dark web, Visa said in its report.

"Criminals use automated scripts to create hundreds of thousands of test transactions with different combinations in an approach similar to credential-stuffing, but focused specifically on payments cards," Jabbara said.

Although enumeration fraud affects less than 1% of global e-commerce payment volume, the highest number of incidents typically occurs in the U.S. Card issuers surveyed in the U.S. said enumeration attacks rose 10% in the second half of 2023 compared with the same period in 2022.

One reason enumeration fraud attacks are on the rise in the U.S. is that "there's a lot of [compromised card] information out there," Jabbara said.
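From the issuer's side, the automated guessing Jabbara describes has a recognisable shape in the authorization stream: a flood of declines from one merchant in a short window, spread across many different card numbers and expiry dates, with the security code failing almost every time. The following is an added illustration of detecting that shape, not Visa's or any issuer's detection logic; the log fields, thresholds and the sample attempts are all constructed.

```python
"""Constructed example: spotting a card-enumeration burst in authorization logs.

Added illustration, not Visa's or any issuer's detection logic. Log format,
field names, thresholds and sample attempts are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthAttempt:
    ts: datetime
    merchant_id: str
    pan_hash: str      # hashed PAN; raw card numbers never belong in a log
    expiry: str        # MM/YY as presented by the merchant
    cvv_match: bool    # did the security code verify?
    approved: bool


def detect_enumeration(attempts, window=timedelta(minutes=10),
                       min_declines=20, min_variants=15, min_cvv_fail=0.8):
    """Return {merchant_id: stats} for merchants whose declines look like enumeration.

    A sliding window over each merchant's declined attempts counts distinct
    (pan_hash, expiry) combinations tried and the share that failed the CVV
    check. The largest qualifying window per merchant is reported.
    """
    per_merchant = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if not a.approved:
            per_merchant[a.merchant_id].append(a)

    alerts = {}
    for mid, declines in per_merchant.items():
        lo = 0
        for hi in range(len(declines)):
            while declines[hi].ts - declines[lo].ts > window:
                lo += 1
            win = declines[lo:hi + 1]
            variants = {(a.pan_hash, a.expiry) for a in win}
            cvv_fail = sum(1 for a in win if not a.cvv_match) / len(win)
            if (len(win) >= min_declines and len(variants) >= min_variants
                    and cvv_fail >= min_cvv_fail):
                if mid not in alerts or len(win) > alerts[mid]["declines"]:
                    alerts[mid] = {"declines": len(win), "variants": len(variants),
                                   "cvv_fail_ratio": round(cvv_fail, 2)}
    return alerts


def sample_attempts():
    """Constructed log: one ordinary merchant and one being used for enumeration."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    log = []
    # Ordinary merchant: 30 sales over an hour, 27 approved, 3 genuine declines.
    for i in range(30):
        log.append(AuthAttempt(t0 + timedelta(minutes=2 * i), "m_good",
                               f"pan{i:03d}", "12/26", True, approved=(i % 10 != 0)))
    # Abused merchant: 40 declines in under 5 minutes, each a new PAN/expiry guess, CVV wrong.
    for i in range(40):
        log.append(AuthAttempt(t0 + timedelta(seconds=7 * i), "m_abused",
                               f"guess{i:03d}", f"{(i % 12) + 1:02d}/27", False, approved=False))
    return log


def run():
    """Run the detector over the constructed log."""
    return detect_enumeration(sample_attempts())


if __name__ == "__main__":
    print(run())
```

Three thresholds are combined on purpose: decline volume alone catches a merchant with a broken checkout, and distinct-PAN count alone catches a busy marketplace; it is the high CVV failure share on top of both that separates guessing from ordinary traffic. In production the same statistic would be kept per BIN range as well as per merchant, since an attacker building on "partial account data" usually works within one issuer's range.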

Banks fight back

One way banks are thwarting enumeration fraud is by ensuring that when they issue new cards, the account numbers are random, not sequential, he said. While some banks have adopted randomized patterns for issuing new cards, not every financial institution is doing so. 

"If a bank has a legacy system whose card-issuing logic isn't randomized, they would need to reissue their entire portfolio with random numbers that will make it much harder for criminals to cash in on enumeration fraud," he said.

Among the newest patterns of card-fraud schemes threatening banks, supply-chain and third-party fraud may pose the biggest new area of financial risk for banks, said Trace Fooshee, a strategic advisor with Datos Insights. 

Banks that are already investing in internal and external systems to combat new payment card attacks must consider retooling to meet new threats, he suggested. Banks must look closely at how their systems could be exposed to criminals using gen AI to expand and multiply fraud.

"Right now we only have anecdotal evidence of large-scale use of AI in fraud attacks, but evidence suggests that the way in which it's used is in automating and improving how fraudsters acquire and accumulate the kinds of sensitive information they need to commit fraud," Fooshee said.

None of the emerging payment card threats are easy to prevent, and increasingly they will require cross-industry collaboration to resolve, he said.

Visa has spent $10 billion battling fraud since 2019. The firm employs more than 1,000 cybersecurity professionals, Visa said in its report. The Visa Risk Operations Center, or ROC, blocked 49.8 million suspicious transactions during the second half of 2023, amounting to about $5.8 billion.
