Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 6, 2023
Is Your Tax Refund at Risk of Theft?
With the start of a new year, I create a folder labeled "tax documents." This is where I place the W-2s, 1099s, receipts, and other tax-related documents in advance of prepping our tax return, which we begin in earnest on February 1. Fingers crossed that by planning ahead and keeping careful records we avoid mistakes in our filing (and that we underpaid just a little bit).
Now, when I talk about tax return fraud, I'm not talking about mistakes or intentional misstatements, income omissions, or incorrect deductions. I am referring to what is classified as stolen identity refund fraud (SIRF). In this type of fraud, the criminal obtains your name and social security number and then proceeds to file a tax return as early as possible, claiming a refund. You, the victim, don't generally find out this has happened until, in the course of your own filing, you receive a message from the Internal Revenue Service (IRS) that a tax return has already been filed for your social security number. The criminal often arranges to have the refunds sent via the ACH network to money-mule accounts or loaded onto prepaid debit cards. Sometimes the criminal requests that a check be mailed to an address where they can steal the check out of the mail.
The operators of the ACH network have been active in combating tax return fraud, and the IRS and the Department of Justice have made the investigation and prosecution of SIRF a high priority. In 2017, the IRS spearheaded the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (the IDTTRF-ISAC, or just ISAC), a collaborative effort of the IRS, state agencies, and the private-sector tax industry. At the heart of the ISAC operation is a platform that collects SIRF data, performs aggregated analysis, and then distributes anonymized reports to the participants.
The IRS continues to support major education efforts to help filers minimize their exposure to the broader threat of identity theft. The IRS's Guide to Identity Theft is available in eight languages on the IRS website. An important tool for consumers is the IRS Identity Protection Personal Identification Number (IP PIN). The IP PIN is a six-digit number the IRS provides to the taxpayer to include with an electronic return. Originally available only to filers who had previously experienced tax return fraud, the IP PIN has been available to all consumers since January 2021. You can find instructions on the IRS's website on obtaining one online or through an application. If you don't already have an IP PIN, I strongly encourage you to get one as soon as possible.
Best wishes as you gather all your tax documentation, and I hope you are able to avoid the tax refund criminals.
October 17, 2022
Webinars Address ATM Crimes, Financial Exploitation
ATM attacks don't generally appear in the news, despite their growing threat. As we've written before, these attacks can be both cyber and physical, and the physical attacks can be against both the machine and the personnel servicing it. Another disturbing crime that may not appear enough in the headlines is the financial exploitation of senior adults. Two upcoming events in our Talk About Payments webinar series will give you the opportunity to learn more about these issues from the experts. The first, on November 3, covers ATM attacks. The second webinar takes place the following week, on November 10, and addresses the exploitation of seniors and community-based approaches to help mitigate vulnerabilities. More details about these webinars, as well as registration links, are below. We hope you will join us for both events.
November 3: ATM Attacks and Defenses
Because many financial institutions have closed or reduced the operating hours of many of their banking offices since the start of the pandemic, customer withdrawals of cash from ATMs have increased significantly. Unfortunately, the criminal element has shifted some resources to attacking ATMs and the personnel servicing them, including those who make currency deliveries. More than half of all ATM attacks in the United States involve thefts of the ATMs themselves, according to ATM Security Association data. The growth in dispenser jackpotting is also troubling. Because the methods of ATM crime can vary from city to city and month to month, it is critical that ATM operators stay informed about current trends.
A panel of ATM experts joins moderator David Tente, executive director of the ATM Industry Association, in discussing trends in cyber and physical attacks against ATM terminals and service personnel along with measures that can mitigate the risks. The panelists are:
- Brenda Born, supervisory special agent, Federal Bureau of Investigation
- Brad Moody, executive vice president of operations, Lowers & Associates
- John Toneatto, vice president of security and investigations, Loomis
The webinar takes place on November 3 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.
November 10: Financial Exploitation of Aging Adults
Did you know that more than 10,000 US adults turn 65 every day, and that many of them will be victims of financial fraud? Elder financial exploitation is a growing problem, according to the National Council on Aging, which estimates financial losses of at least $36.5 billion a year. With the rapidly aging population, we must identify and protect elderly citizens exposed to financial exploitation risks.
In the November 10 episode of our Talk About Payments webinar series, Drs. Thomas Blomberg and Julie Brancale, criminologists from Florida State University, describe the current research, theory, and policy responses associated with this growing social problem. They also address the patterns and variations of financial exploitation of older adults and discuss why some older adults may be more or less vulnerable than others. The presentation concludes with a discussion of areas in need of additional research and policy attention. Scarlett Heinbuch, a payments risk expert at the Atlanta Fed, moderates the discussion.
The webinar takes place on November 10 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.
We encourage financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to join us for these informative webinars. You will be able to submit questions during the webinar. Please let your colleagues know about these webinars!
September 12, 2022
The Not-Quite-Forgotten Check
When did you last write a check? Last month, I wrote my first check in almost 10 years to send funds to sponsor an out-of-state friend for a charity event. This was after I failed to convince my Luddite friend to sign up for an electronic peer-to-peer (P2P) app so I could send the funds almost instantly.
That experience caused me to think a bit more about that somewhat forgotten payment method: the hand-written paper check. The triennial Federal Reserve Payments Study as well as the annual Diary of Consumer Payment Choice (DCPC) have consistently shown that check usage continues to decline. The 2020 DCPC revealed that of the average of 35 payments (including cash) made per month, 2.3 were made by check. The 2016 DCPC showed an average of 46 payments per month with 3.3 of those using a check. While the share of overall payments made by check dropped by just about one-half of a percentage point, the absolute number of checks written dropped by 30 percent in just those four years.
With the decline in check usage, why are financial institutions and merchants seeing an increase in fraud losses related to checks? The simple answer is that checks are easy to counterfeit or alter. The industry has made efforts over the years to improve check document security, including techniques such as microprinting, holograms, embedded fibers, and tamper-resistant paper. Despite these defenses, most would consider the check to be "low tech" and, as this blog has often stated, criminals go for the low-hanging fruit, making checks ripe for the picking. Anyone with graphics software and a high-quality printer can readily turn out counterfeit checks. Blank check stock, some even incorporating the defenses mentioned above, can be purchased at most office supply and stationery outlets. The 2022 Association of Financial Professionals' Payment Fraud and Control: Key Highlights report noted "that check fraud remains the most prevalent form of payments fraud," with two-thirds of their professionals reporting their organization had experienced some level of check fraud.
Losses from check fraud come in a variety of forms. I wrote about cashier's check fraud scams in a recent post. Criminals often use money mule networks to cash counterfeit checks or to purchase merchandise with a counterfeit check, which the criminal then sells at a discounted price. The criminal may deposit counterfeit or altered checks and then take advantage of the time gap between funds availability and when the check is returned after being identified as fraudulent. Check out this comprehensive guide to check fraud.
The industry is now seeing small to mid-size financial institutions and merchants targeted. To mitigate check fraud, the best action for both consumers and businesses is to monitor checking accounts closely to spot any unauthorized items posting to the account. For businesses, consider positive-pay software that automatically alerts you of incoming checks with altered amounts or checks that may have been counterfeited. For financial institutions, software that verifies document integrity or detects transaction data anomalies can be useful. For merchants, third-party check verification services as well as strong customer documentation will help minimize losses.
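To make the positive-pay idea concrete, here is an added sketch (not from this blog or any vendor's product) of the matching such software performs: the business supplies a register of checks it issued, and each presented check is compared against it. The `Check` fields, reason codes, account number, and sample items are constructed for illustration, and the payee comparison is an assumption, since not every service matches payee names.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    account: str
    serial: str
    amount: Decimal
    payee: str

def normalize(name):
    """Fold case, punctuation and spacing so 'Acme Co.' equals 'ACME CO'."""
    return " ".join(name.upper().replace(".", "").replace(",", "").split())

def positive_pay(issued, presented):
    """Return (item, reason) for every presented check that needs review."""
    register = {(c.account, c.serial): c for c in issued}
    paid = set()          # items already cleared in this run
    exceptions = []
    for item in presented:
        key = (item.account, item.serial)
        match = register.get(key)
        if match is None:
            reason = "NOT_ISSUED"        # serial never issued: possible counterfeit
        elif key in paid:
            reason = "DUPLICATE"         # same item presented a second time
        elif item.amount != match.amount:
            reason = "AMOUNT_MISMATCH"   # possible altered amount
        elif normalize(item.payee) != normalize(match.payee):
            reason = "PAYEE_MISMATCH"    # possible altered payee (assumed check)
        else:
            paid.add(key)                # clean match: pay it
            continue
        exceptions.append((item, reason))
    return exceptions

ACCT = "000123456"  # constructed sample data below
ISSUED = [
    Check(ACCT, "1001", Decimal("250.00"), "Acme Supply Co."),
    Check(ACCT, "1002", Decimal("1800.00"), "J. Rivera"),
    Check(ACCT, "1003", Decimal("75.50"), "City Utilities"),
]
PRESENTED = [
    Check(ACCT, "1001", Decimal("250.00"), "ACME SUPPLY CO"),
    Check(ACCT, "1002", Decimal("7800.00"), "J. Rivera"),
    Check(ACCT, "1003", Decimal("75.50"), "Cash"),
    Check(ACCT, "1001", Decimal("250.00"), "Acme Supply Co."),
    Check(ACCT, "2044", Decimal("990.00"), "Acme Supply Co."),
]

if __name__ == "__main__":
    for item, reason in positive_pay(ISSUED, PRESENTED):
        print(item.serial, item.amount, reason)
```

Flagged items are held for the account owner's pay-or-return decision rather than rejected automatically.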
Although it may be another decade before I write another check, the prevalence of check fraud relative to check use suggests that Take On Payments will continue to highlight this topic and discuss the industry's efforts to combat fraud.
June 13, 2022
Quishing: Another "Fish" in the Fraud Ocean
We should all be knowledgeable about phishing attacks by now, given the number of warnings consumers and businesses get about this type of email fraud. We've even warned about it, in this Take On Payments post last year, and in others. We've also warned about smishing, a variation that uses SMS text messaging rather than email. Vishing is another form of social engineering that we've also mentioned in the blog. It's like phishing but comes through a telephone, often from a spoofed number—one that looks like a legitimate number of a company or agency. All of these varieties of fraudulent attacks have the same goal: to "fish" for your login or account information.
And now there's quishing. Again.
Quishing is not new but has experienced a revival within the criminal element as a result of the increased use of QR codes for digital payments. We first wrote about the risks and benefits of QR codes back in 2012, when they were used predominantly on printed media such as billing statements. The account holder could scan the QR code to go to the biller's payment website to pay their bill. We wrote about them again in late 2020, when merchants used them in the pandemic as an alternative contactless payment technology to near field communication. Since then, the use of QR codes has exploded—not just for payment applications, but also for other contactless usages born from health concerns: to let people access digital restaurant menus, for example, or to get detailed product information. QR codes are easy to implement, but that also makes them easy to alter without detection. The criminal sends an email with a QR code that, when captured by the victim's camera, opens a counterfeit website that may look like a merchant's legitimate website but is intended to steal account credentials. The email may contain a coupon to give the victim further incentive to capture the QR code. Unfortunately, detecting quishing attacks is difficult for email malware-detection applications since the QR code is embedded in the email message.
QR code manipulation can also take place on printed material. Cases have been reported where stickers with altered QR codes have been placed on event posters at a venue or in other public places. When the person accesses the fraudulent QR code to purchase event tickets, the criminal captures the payment card information and then uses that information to make fraudulent purchases. Meanwhile, the victim shows up at the event and is told their ticket confirmation is invalid.
The same defensive measures used to spot phishing, smishing, and vishing attacks should be used to guard against quishing attacks. Be wary of messages from unknown sources, especially if they offer an incentive or convey a sense of urgency. Always be suspicious of any request for you to "confirm" your account credentials. Keeping a solid defensive position will help keep you safe from these attacks.