Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
May 17, 2021
Common Learnings from Fishing and Phishing
As a youngster growing up in Southeast Georgia, one of my favorite summer pastimes was fishing with my older brother at the local creek using cane poles and some corn niblets or, if we really hit the bait treasure box, pieces of beef hot dog. There is a reason they call it fishing and not catching as most days we barely got a nibble. But there were those days when we would land a nice-sized bluegill.
As I grew older and my fishing opportunities expanded, I began to learn more about the science and techniques of fishing. To increase the catching, there was a level of knowledge needed as to what type of bait (artificial or live) and what fishing technique (bottom, slow, or fast retrieve) to use to target the species of fish I wanted.
I reviewed the FBI's 2020 Internet Crime Report recently and learned that there were more than 240,000 phishing/smishing/vishing/pharming incidents in 2020—an increase of 110 percent over 2019 (and these are just those that were reported). Losses from these incidents were estimated at $54 million. Reading about this made me flash back to my fishing learnings. I reflected that in phishing, as in fishing, there are those people who simply throw out a baited hook to see what bites they get. They blast out a generic email to tens of thousands of email addresses they bought or otherwise acquired illegally, promising fortunes if you only pay, in advance, a finder's fee or the taxes, with gift cards or cryptocurrency. (These messages have advanced over the years to eliminate the poor grammar and misspellings and provide a more believable scenario about the money that belongs to you.)
It has become obvious to me from my research, from seeing the attacks firsthand, and from listening to my colleagues that criminals are becoming more sophisticated in their messages. They are quick to take advantage of current health or natural disaster crises, sending links to “breaking news” that contain malware or links to false websites to capture your personal information or other credentials. They have become very skilled in identifying a target and researching that individual's hobbies or life events through social media, which allows them to craft a message that appears legitimate and appeals to the target's interest.
My colleagues and I are constantly trying to better educate the public about these threats through our posts, webinars and other publications. Just when we think we've seen it all, the criminals come up with a new twist on an old scheme, such as what we saw over the last year regarding the stimulus payments. The bad guys are always going to be out there hoping they can get a nibble from you so they can try to set the hook and reel you in. Don't let yourself be the catch of the day.
April 19, 2021
Criminals Also Like Convenience
The phrase "The customer is always right" was coined by London department store retailer Harry Gordon Selfridge in 1909 to encourage his employees to provide customers with exceptional customer service. Ever since, retailers across all industries have been trying to achieve the positive customer experience—and possibly a competitive advantage—that Selfridge was striving for by offering a variety of customer-oriented policies and services. One such service that gained popularity a couple of years ago is buy-online-pick-up-in-store, often shortened to BOPIS. The COVID pandemic has led to a modification of BOPIS: BOPAC, short for buy-online-pick up-at-curbside. Merchants are offering these options so they can provide a "frictionless transaction"—in other words, they want to reduce the actions customers have to take to obtain their products. This less-contact process also happens to address the CDC’s COVID health recommendations of minimizing contact with others.
Unfortunately, fraudsters have latched onto BOPIS and BOPAC because they’re a means to secure their ill-gotten gains faster and at a lower risk of confrontation once they have stolen the payment credentials of a legitimate cardholder. According to a report published last fall , BOPIS fraud increased 55 percent from the first half of 2019 to the first half of 2020. While merchants in the BOPIS model can ask customers for identification, many do not, for a couple of reasons. First, the person picking up the goods may not be the cardholder, as often happens in the home improvement and landscaping business. Some retailers have addressed this by requiring the cardholder during checkout to give the name of the pick-up person. Second, requesting identification adds a step to the process and therefore adds friction.
A major financial services company published a best practices guide a year ago that contains recommendations on how merchants can reduce their fraud risk for BOPIS/BOPAC transactions. These recommendations include manually reviewing orders of high-value or targeted merchandise and using video cameras in the pick-up areas.
As stores and shopping centers begin to open more and with longer hours, it will be interesting to see if customers return to browse and shop in the aisles or the convenience of BOPIS/BOPAC will continue to drive ecommerce traffic. What do you think?
September 21, 2020
Personal Responsibility for Irrevocable Payment Scams
Those who have experience with parenting know that with many joys come challenges. For me, one of those challenges is teaching my children the importance of personal responsibility. Picking up after themselves, making sure their chores are finished before running out the door to play, and owning up to mistakes are just some of the personal responsibilities that they struggle with daily. And while there is a light at the end of the tunnel for this struggle, I firmly believe it is their having to experience the consequences that is getting us there. In this parent's opinion, knowing there are consequences for their actions helps children become responsible.
You might be thinking, "What does this notion of teaching personal responsibility have to do with payments?" Earlier this year, my colleague Dave Lott started the dialogue among those of us at the Risk Forum, and perhaps within some of our readers' circles, when in a post he posed the question "What is the likelihood that similar protections will be extended to consumers here (United States)?" The post was related to the extension of consumer protections in the United Kingdom to combat its growing problem of authorized push payment (APP) fraud.
In August, a UK-based consumer advocate organization called Which? released a research report based on the experiences of 150 consumers related to the Contingent Reimbursement Model (CRM) Code adopted by many financial institutions in the United Kingdom in 2019. The CRM Code has two primary goals: to reduce the occurrence of APP fraud and, for the fraud that occurs, to reduce the impact. Many of these scam payments in the United Kingdom are occurring on their faster payments rail, which was designed to make payments immediate and irrevocable. The report concluded that consumers' experiences with reimbursement for APP scams were mixed. Some consumers were reimbursed by their financial institution after authorizing payments to scammers while others were unable to receive any reimbursements.
The primary payment instrument in the United States today for large-scale corporate APP scams is wire. For consumers, person-to-person (P2P) services such as CashApp, Venmo, and Zelle are being used to scam individuals out of money. All these payments, both business and consumer, are irrevocable. Once the payments leave their accounts, neither the financial institution nor service provider has liability. But should individuals in the United States, like those in the United Kingdom, be afforded protections for these wire and P2P payments if they're scammed? And should these protections also apply to newer real-time payment schemes here in the United States?
My personal belief is that financial institutions or P2P services should not be responsible for people who fall victim to APP scams. Their responsibility should be limited to educating their customers on the rules around these payments and their finality when executed. APP scams are often the result of social engineering campaigns, and I am of the thought that, just as I expect my children to accept personal responsibility for their mistakes, it's fair for consumers to accept their responsibility for making sure they do not become the next social engineering victim. Do you think this is a reasonable approach to these scams and payments? Or should the United States banking industry and regulators move toward a model like the United Kingdom has in place?
August 17, 2020
Executive Spoofing Hits Close to Home
Sitting around a table outdoors, physical distancing with my family, the conversation turns to executive spoofing scams at work.
- Millennial works at a factory automation start- up: "Yeah, right. The CEO is sending me an email [snicker]."
- Millennial working in government contracting: "I get them all the time, sometimes from the CFO."
- Boomer works in software industry: "We got a warning just the other day that one is floating around. Don't send money."
We are talking about three businesses with employees numbered in the low hundreds. All privately held. Small fry, really. Every one of my family considers executive spoofing via phishing to be an everyday, ho-hum event.
Everyday, yes. Ho-hum, not so much. The FBI reports that 114,702 victims of phishing and its cousins vishing, pharming, and smishing lost almost $60 billion in 2019. Phishing is executed via email; vishing, via phone call or voicemail; pharming, via bogus websites; and smishing, via text message. Perpetrators request personal information or money. In addition, business email compromise (BEC), the foundational criminal act for executive spoofing of the sort my family members describe, resulted in more than $1.7 billion in losses related to 24,000 incidents in 2019, reports the FBI. The Association for Financial Professionals (AFP), in a survey of Treasury and finance professionals, found that BEC was the source of six in 10 fraud attempts in 2020.
A number of vendors offer products that use machine learning to fight these forms of fraud. Machine learning holds promise for automatically detecting these attacks. Nevertheless, as with much automation, the human being is the important last line of defense. A few days after that family meal, I see a scam alert. The gist: never, never, never will the Atlanta Fed president text me with a request to purchase $500 in gift cards.
The late Intel CEO Andy Grove said it perfectly: "Success breeds complacency. Complacency breeds failure. Only the paranoid survive." So please don't be ho-hum or complacent about these attacks and warn your family members and others.