2020 brought much upheaval. Along with that kind of disorder comes a corresponding uptick in the number of fraud cases. From natural disasters to pandemics and everyday life in between, panic brings a chance of wrongdoing. If there’s an opportunity to scam, the fraudsters are on it.
As the number of payment options rises, so do the chances of fraud. A December 2020 survey from the Association of Certified Fraud Examiners (ACFE) claims that as of November 2020, 79% of respondents said they have seen an increase in the overall level of fraud (compared to 77% in August and 68% in May), with 38% noting that this increase has been significant (compared to 34% in August and 25% in May). Looking toward 2021, respondents expect this trend to persist; 90% anticipate a further increase in the overall level of fraud over the next 12 months, with 44% saying this change will likely be significant.
But what can be done about it? At the November 2020 Payments Management Conference, numerous sessions grappled with this topic and offered a range of ideas as well as future education plans.
An unsurprising rise in phishing
Rayleen Pirnie, NEACH’s Director of Risk and Fraud, discussed the unprecedented amount of phishing, which is increasing at a rate of 350% year over year, she said. For example, fraudsters come up with emails or texts mocked up to resemble those from PayPal and Amazon requesting personal information. Or they create fake communications from the Centers for Disease Control and Prevention (CDC) to capitalize on pandemic anxiety.
But fraudsters are not only collecting information and selling it; they’re also using phishing scams to infect devices. The links direct to sites loaded with malware for both computers and phones.
“Pre-pandemic, about one device in every four was infected. Now, it’s more like half,” Pirnie said. “That means not only do we need to watch for threats requesting information but also the chance that fraudsters could use phishing to monitor the device you use for online banking and wires: Not just where you bank, but also your username and password.”
Using mobile to do the dirty work
Part of this uptick in device infections stems from the more widespread use of digital services, particularly on the mobile channel. As consumers increasingly use mobile banking, especially with branches closed during COVID-19, the fraudsters have followed, using mobile malware.
A common type of mobile malware is a mobile app update designed to look legitimate, but downloading it infects the phone. The malware lies dormant until the user goes into a financial app on the phone; it then creates an overlay on the user’s financial site. So, it doesn’t look any different, but the overlay is collecting financial information. In some devices, Pirnie said, fraudsters can turn biometrics off or have malware pop up after fingerprint authentication has occurred.
“The average phone doesn’t have the security of the average computer,” Pirnie said. “There has been a push to get mobile providers to start promoting the use of some type of security on devices, however.”
But it’s not just about adding protection to your device. Although mobile has served as a launchpad for this kind of fraud, many other types also remain a cause for concern. Other types of fraud touched on at the PMC 2020 Conference included:
Social engineering manipulates people to break from normal security procedures in order to access information for financial gain. Most of the time, fraudsters already have gained some of your info from phishing or other scams. According to the Identity Theft Resource Center, the volume of personal information exposed in data breaches increased by 126% between 2017 and 2018 to more than 446 million records exposed. As Pirnie mentioned in her presentation, for about $6, they can get your full name, address, and the last four digits of your social security number; about $14 will buy you that information plus a full social security number, mother’s maiden name, and date of birth. From there, they have enough information to figure out the best way to target you.
According to McKinsey, synthetic identity fraud is the fastest-growing type of financial crime in the U.S. Synthetic identity fraud combines actual and false data to create an identity that is not a real person: for example, someone taking a young child’s social security number to create a credit bureau profile for a 30-year-old. (In fact, a 2018 Child Identity Fraud Study from Javelin Strategy and Research estimated that one million children were victims of identity fraud in 2017.)
States are overwhelmed with unemployment claims, and fraudsters are taking advantage, for example by filing unemployment claims with stolen identities or laundering unemployment benefits through debit cards. A September New York Times article suggests that the Labor Department reports about 15 million claims for benefits nationwide, but comparing state to federal records shows that total may overstate the number of recipients by five million or more. Elyssa Morgan, Director of Membership, recently filmed a short video in Members Corner addressing this important topic: who’s liable, how to identify fraud, how to return funds, and how to flag it for follow-up.
According to Kathy Shea, NEACH Education Director, who also presented at the conference, checks are the payment method most subject to fraud. And checks also remain the most used payment between businesses, which have been slow to adopt electronic payments. Seventy percent of organizations polled in a 2019 Association for Financial Professionals (AFP) survey report being exposed to check fraud. In May of this year alone, Shea said, more than 160,000 fraud cases were filed.
There are many types of check fraud, including forged checks, counterfeit checks, check washing (forgers erase the ink on a legitimate check and reuse it by writing themselves a check), and check kiting (writing a check, depositing it, and withdrawing money before the check has time to clear).
Ways to mitigate check fraud include positive pay and reverse positive pay (in which banks and businesses compare checks written and received), adding security features to checks, and using artificial intelligence and machine learning to develop automated solutions to monitor for check fraud.
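The positive pay comparison described above can be sketched as a reconciliation of a business's issue file against the checks presented for payment. This is an added example, not from the conference sessions; the record fields, exception reasons and sample checks are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    account: str
    serial: str
    amount: Decimal
    payee: str


def normalize(name):
    """Compare payee names ignoring case, punctuation and spacing."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())


def positive_pay(issued, presented):
    """Return (check, reason) exceptions to hold for review before paying."""
    register = {(c.account, c.serial): c for c in issued}
    seen = set()
    exceptions = []
    for item in presented:
        key = (item.account, item.serial)
        match = register.get(key)
        if match is None:
            exceptions.append((item, "not in issue file"))      # counterfeit or forged item
        elif key in seen:
            exceptions.append((item, "duplicate presentment"))  # same check presented twice
        elif item.amount != match.amount:
            exceptions.append((item, "amount mismatch"))        # altered amount
        elif normalize(item.payee) != normalize(match.payee):
            exceptions.append((item, "payee mismatch"))         # washed and rewritten payee
        seen.add(key)
    return exceptions


# Constructed sample data: checks the business wrote, then items presented to the bank.
ISSUED = [
    Check("ACCT-001", "1001", Decimal("250.00"), "Acme Supply Co."),
    Check("ACCT-001", "1002", Decimal("1200.00"), "Northside Trucking LLC"),
    Check("ACCT-001", "1003", Decimal("75.50"), "City Water Dept"),
]
PRESENTED = [
    Check("ACCT-001", "1001", Decimal("250.00"), "ACME SUPPLY CO"),
    Check("ACCT-001", "1002", Decimal("1200.00"), "J. Doe"),
    Check("ACCT-001", "1003", Decimal("775.50"), "City Water Dept"),
    Check("ACCT-001", "1001", Decimal("250.00"), "Acme Supply Co."),
    Check("ACCT-001", "2045", Decimal("900.00"), "Acme Supply Co."),
]

if __name__ == "__main__":
    for check, reason in positive_pay(ISSUED, PRESENTED):
        print(f"HOLD check {check.serial} for {check.amount}: {reason}")
```

Items that return an exception are held for the business to approve or reject; only the first presentment of check 1001 passes cleanly.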
During the pandemic, card fraud reportedly increased somewhere between 55 and 125%, depending on what source you read, Pirnie explained. That includes everything from consumers being scammed by online shopping to home testing cures to remorse buying to using stolen identities to open up accounts.
How to classify fraud?
With all these different types of fraud and within each type, how can you arrange a nomenclature around it so the payments industry and customers can speak a common language? Although the Federal Reserve has no regulatory role in payments to help reduce fraud, they are collaborating with the industry to help address that concern.
Jim Cunha, Senior Vice President at the Federal Reserve Bank of Boston, spoke about the Fraud Classifier that the Fed, along with payments industry volunteers, has created to develop a standard way of classifying and defining fraud. This can help financial institutions understand fraud and explain it to their customers in a consistent language.
The Fraud Classifier model is used like a flowchart or decision tree, Cunha explained. It’s focused on the fraud event, and not the payment rail. “We wanted to classify any type of fraud, in any payments system. It starts with whether the party was authorized or not, and then how it was executed. We wanted the model to strictly focus on the fraud event itself,” he said.
They plan to work closely with the payments industry to get the model adopted, including working to make it available on industry websites and integrating it into industry field studies. For more information on the Fraud Classifier, visit FedPaymentsImprovement.org.
How can we prevent it?
While Pirnie pointed out that you can’t completely prevent fraud, you can monitor it and mitigate your risk. Through tasks such as monitoring for a name mismatch with multiple payments to the same account or using your organization’s existing systems for know-your-customer and anti-money laundering screens, you can minimize your FI’s exposure. But all things considered, a chief part of fraud mitigation efforts relies on internal education.
“Internal education helps us understand what type of fraud this is, and the red flags that make us more likely to catch it,” Pirnie said. “Your account-holders and business clients might not understand why there’s a discrepancy. They may call the FI to find out what happened. We need to be trained to proactively identify that a fraud has occurred and help them understand what to do.”
She continued, “We are all very busy and everyone has so much to do, but if you want to be on the front lines of detecting fraud, it starts with internal and then client education.”
Next steps to learn
Pirnie is putting together a Fraud Committee at NEACH in 2021. The committee’s goal is to help NEACH understand fraud’s challenges and trends, and the best methods to guide and educate NEACH members.
In January, applications will go out to members to join a 12-person committee solely focused on fraud education and prevention. “We are seeking a small, but diverse, group. We envision having representation from both large and small financial institutions, along with businesses and FinTechs, as well as representatives dealing with fraud identification, mitigation, prevention, and investigation,” Pirnie said.
Also, members not on the committee will still be able to contribute through ongoing surveys and other opportunities. By May, Pirnie believes, the group will have a solid vision of concrete next steps.
“Because fraud is so big, this will help us hone in on what members need: education topics, member resources, and more,” she added.