Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
June 27, 2022
The Ransomware Threat Continues to Grow
For more than five years, this blog; federal, state, and local law enforcement agencies; and multiple industry associations have continued to warn businesses about the threat of ransomware attacks. Nevertheless, the FBI's Internet Crime Complaint Center's (IC3) 2021 crime report shows that in 2021, IC3 received 3,729 ransomware complaints, representing losses of $49.2 million. These numbers reflect a 51 percent increase in the number of victims and a 69 percent increase in losses over the previous year. The report notes that the true figures are likely higher, since these crimes are underreported, and that the reported losses don't "include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim." According to the report, the industries most frequently targeted were health care, financial services, information technology, critical manufacturing, and government, but water systems, energy, and transportation networks were also attacked.
In the beginning, criminals carried out ransomware attacks by gaining access to a company's network, either by tricking an employee into unknowingly loading the malware or by loading it themselves after exploiting a software vulnerability or abusing a remote access channel. The malware would then encrypt the targeted files so the company could not access them, and the criminal would demand a ransom and promise a decryption key once it was paid.
Last year saw an evolution of these attacks as criminals sought higher payouts. In addition to demanding a ransom for the decryption key, criminals threatened to release sensitive information they had copied out before encrypting the files unless the victim paid a second ransom. Regardless of any promises they make and money they receive, criminals often go on to sell this information on the Dark Web for even more money.
The defenses against a ransomware attack remain the same:
- Conduct employee training and phishing tests to educate and increase awareness.
- Implement a process for employees to report suspected phishing emails and investigate them immediately.
- Make frequent offline data backups and regularly test the backup process.
- Install security patches and software updates as soon as possible.
- Monitor Remote Desktop Protocol (RDP) access, if it's used, and carefully review access controls.
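The last item on that list is the one most often skipped, so here is what "monitor RDP" looks like in working code. This is an added example, not code from the post or from the IC3 report. It assumes Windows Security events forwarded as simple key=value lines (the event IDs and field names are the Windows ones; the line layout is ours), and a hypothetical policy that RDP is only reachable from a VPN pool at 10.20.0.0/16. The sample events are constructed.

```python
"""Detect RDP brute-force and out-of-policy RDP logons in Windows Security events."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed sample. Windows records a failed logon as event 4625 and a successful one as
# 4624; LogonType 10 (RemoteInteractive) is the RDP case. The key=value line layout is an
# assumption standing in for whatever the log forwarder emits.
SAMPLE_EVENTS = """\
2022-06-20T02:14:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2022-06-20T02:14:07Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2022-06-20T02:14:09Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23
2022-06-20T02:14:12Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2022-06-20T02:14:15Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2022-06-20T02:14:20Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2022-06-20T09:01:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.0.15
2022-06-20T09:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.0.15
2022-06-20T11:30:00Z EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=10.20.0.15
"""

# Hypothetical policy: RDP is only reachable through the VPN pool, so any other source is suspect.
ALLOWED_RDP_SOURCES = [ip_network("10.20.0.0/16")]


class Alert(NamedTuple):
    when: datetime
    kind: str
    ip: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    stamp, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def detect_rdp_abuse(lines, threshold=5, window=timedelta(minutes=5),
                     success_after=3, allowed=ALLOWED_RDP_SOURCES) -> list[Alert]:
    """Sliding-window rules over RDP (LogonType 10) events, keyed by source IP:
    - bruteforce: `threshold` failures inside `window` (fires once per burst)
    - success_after_failures: a logon preceded by >= `success_after` failures in the window
    - unexpected_source: any RDP logon from outside the allowed networks"""
    failures: dict[str, deque] = defaultdict(deque)
    alerts: list[Alert] = []
    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev["LogonType"] != 10:
            continue  # console, service and network logons are out of scope here
        ip, ts = ev["IpAddress"], ev["ts"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that have aged out of the window
        if ev["EventID"] == 4625:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(Alert(ts, "bruteforce", ip,
                                    f"{threshold} failed RDP logons within {window}"))
        elif ev["EventID"] == 4624:
            if len(recent) >= success_after:
                alerts.append(Alert(ts, "success_after_failures", ip,
                                    f"{ev['TargetUserName']} logged in after {len(recent)} failures"))
            if not any(ip_address(ip) in net for net in allowed):
                alerts.append(Alert(ts, "unexpected_source", ip,
                                    f"RDP logon for {ev['TargetUserName']} from outside the VPN pool"))
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_abuse(SAMPLE_EVENTS.splitlines()):
        print(f"{a.when:%H:%M:%S} {a.kind:24} {a.ip:16} {a.detail}")
```

On the constructed sample this raises three alerts, all for 198.51.100.23: the burst of five failures, the logon for jsmith that follows them, and the fact that the logon came from outside the VPN pool. The 09:01 logon from the VPN range with no preceding failures is silent, which is the point of the allowlist rule: it turns "review access controls" into something the log can enforce rather than a quarterly exercise.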
What defensive measures has your company implemented to defend against a ransomware attack? Let us know if I've missed any.
June 13, 2022
Quishing: Another "Fish" in the Fraud Ocean
We should all be knowledgeable about phishing attacks by now, given the number of warnings consumers and businesses get about this type of email fraud. We've even warned about it, in this Take On Payments post last year, and in others. We've also warned about smishing, a variation that uses SMS text messaging rather than email. Vishing is another form of social engineering that we've mentioned in the blog. It's like phishing but comes over the telephone, often from a spoofed number, one that looks like the legitimate number of a company or agency. All of these varieties of fraudulent attacks have the same goal: to "fish" for your login or account information.
And now there's quishing. Again.
Quishing is not new, but it has experienced a revival among criminals as a result of the increased use of QR codes for digital payments. We first wrote about the risks and benefits of QR codes back in 2012, when they were used predominantly on printed media such as billing statements. The account holder could scan the QR code to go to the biller's payment website to pay their bill. We wrote about them again in late 2020, when merchants used them in the pandemic as a contactless payment alternative to near field communication. Since then, the use of QR codes has exploded, not just for payment applications but also for other contactless uses born of health concerns: to let people access digital restaurant menus, for example, or to get detailed product information.

QR codes are easy to create, but a person cannot read the URL encoded in one before scanning it, which makes a substituted or altered code hard to detect. The criminal sends an email containing a QR code that, when captured by the victim's camera, opens a counterfeit website that may look like a merchant's legitimate website but is built to steal account credentials. The email may include a coupon to give the victim further incentive to scan the code. Unfortunately, quishing is difficult for email security filters to detect, because the link is encoded in an image rather than appearing as text the filter can scan.
QR code manipulation can also take place on printed material. Cases have been reported where stickers with altered QR codes have been placed over the codes on event posters at a venue or in other public places. When the person scans the fraudulent QR code to purchase event tickets, the criminal captures the payment card information and then uses it to make fraudulent purchases. Meanwhile, the victim shows up at the event and is told their ticket confirmation is invalid.
The same defensive measures used to spot phishing, smishing, and vishing attacks should be used to guard against quishing attacks. Be wary of messages from unknown sources, especially if they offer an incentive or convey a sense of urgency. Always be suspicious of any request for you to "confirm" your account credentials. Most phone cameras display the decoded link before opening it; read the domain it points to before tapping, and be wary of a code on a sticker that appears to have been placed over the original. Keeping a solid defensive position will help keep you safe from these attacks.
April 18, 2022
Smishing: Phishing with a Different Bait
The Retail Payments Risk Forum team is always on the lookout for changes in attack patterns by the criminal element regarding payments. Our sources of research include industry news, networking with payments stakeholders, third-party reports, and our internal security warnings. One other source we have is our own personal experience, though we have to remind ourselves of our colleague Claire Greene's warning that each of us is a sample of one. What we experience may not be, and probably isn't, what the average person might encounter.
I was recently reminded of this warning with regard to my own experience with smishing attacks. Unlike phishing, which uses email, smishing uses SMS text messages to entice you to click on a malicious link that either loads malware on your phone or, more likely, directs you to a fake website to capture your login information. (Simply opening the text message poses little risk.) Over the last several weeks, I have been getting one to two text messages a day on my phone asking me to click on a link to respond—usually to a customer satisfaction survey allegedly from a major retailer, with the offer of a gift card as a reward for responding. One message informed me that a product I had ordered (and already received) from an online retailer couldn't be shipped until I clicked on the link to pay an international tax of $2.83. I am confident that all these messages were "smishing" attempts.
Although a part of me was tempted to assume my experience was indicative of a very recent trend, I decided to research whether I was indeed average in experiencing an increased number of these attacks. It appears Claire was right: although my research showed that smishing attacks have substantially increased, it seems I am fortunate to have only recently become a target. A cybersecurity firm that claims to handle 80 percent of mobile messages in North America has reported that the number of smishing attacks during the third quarter of 2020 had increased 328 percent over the previous quarter. The FBI's Internet Crime Complaint Center (IC3) doesn't separate smishing from phishing, vishing (phone calls), or pharming (redirection to a fake website) incidents, but the IC3's Internet Crime Report 2021 shows that these complaints increased 34 percent from 2020 to 2021.
The warning signs for a smishing message are quite similar to those of a phishing attack and may include the following:
- A sense of urgency, pushing you to respond right away. As we are now in income tax season, these messages may include references to past due taxes or a suspended refund.
- An offer of a reward such as a gift card, rebate, or coupon for a future purchase from the retailer.
- Poor English grammar or improperly formatted phone numbers.
- An unknown sender. It is best to report or delete messages you weren't expecting from people you don't know.
Be aware that what appears to be the sender's phone number is often spoofed. It may be a familiar number or at least may have a local area code. This is intended to increase your trust and thus the likelihood that you will respond.
Likewise, the measures that protect you against falling victim to a smishing attempt are similar to the other safeguards you already take:
- Keep your mobile device software and browsers updated with the latest security upgrades.
- If you are in doubt about the legitimacy of the message, do not use the link or phone number provided in the text to contact the sender. If the message appears to be from someone you know or a business you are familiar with, find their number in your contacts or online and contact them directly.
I realize that the criminals launching these types of attacks are generally using automated systems to transmit hundreds of thousands, if not millions, of these messages in the hope of getting even a small percentage of recipients to click on the link. So even if you are like me and not average, there is a good chance you have been or will be the target of a smishing attack. I hope you will use this information to avoid becoming a victim, and share it to help keep others from falling victim.
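The warning signs in this post and in the quishing post above are the same checks a mail or SMS gateway can run mechanically, with one difference: a link inside a QR code has to be decoded from the image before it can be checked at all. The following is an added example that applies those checks in working code; it is not code from the blog. The brand allowlist, the known-sender list, the sample SMS and the sample email are all constructed, and the QR decoder is a stand-in so the example runs without image libraries (a deployment would wrap a real decoder such as pyzbar, which is assumed rather than shown).

```python
"""Triage links that arrive by SMS or hidden inside a QR code in an email."""
from __future__ import annotations

import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Callable, Iterable
from urllib.parse import urlparse

# Constructed allowlists for the example: the domains a brand really uses, and sender IDs
# you have verified. A real deployment sources these from its own brand and vendor inventory.
KNOWN_BRANDS = {"bigbox": {"bigbox.example"}, "acmebank": {"acmebank.example"}}
KNOWN_SENDERS = {"bigbox", "acmebank", "+15550100001"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY = ("immediately", "within 24 hours", "suspended", "past due", "final notice",
           "cannot be shipped")
REWARD = ("gift card", "reward", "coupon", "rebate", "free ")
CREDENTIAL = ("confirm your account", "verify your", "login", "log in", "password")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Fine for the example; production code should consult
    the Public Suffix List so that 'shop.example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_risk(url: str) -> list[str]:
    """Reasons a link looks like a credential-harvesting page rather than the brand it names."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() != "https":
        reasons.append("not https")
    if "@" in parsed.netloc:
        reasons.append("userinfo before the host (decoy brand name in the URL)")
    if IPV4_RE.match(host):
        reasons.append("bare IP address instead of a hostname")
    if registrable_domain(host) in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    squashed = host.replace("-", "").replace(".", "")
    for brand, real in KNOWN_BRANDS.items():
        if brand in squashed and registrable_domain(host) not in real:
            reasons.append(f"lookalike: host mentions {brand} but is not {sorted(real)}")
    return reasons


def score_message(text: str, sender: str | None = None) -> dict:
    """Score a message body against the warning signs in the posts above:
    urgency, a reward, a request for credentials, a risky link, an unknown sender."""
    lowered = text.lower()
    reasons = [label for label, phrases in (("urgency", URGENCY), ("reward", REWARD),
                                            ("asks for credentials", CREDENTIAL))
               if any(p in lowered for p in phrases)]
    urls = URL_RE.findall(text)
    for url in urls:
        reasons.extend(f"{url}: {r}" for r in url_risk(url))
    if sender is not None and sender.strip().lower() not in KNOWN_SENDERS:
        reasons.append("unknown sender")
    return {"score": len(reasons), "reasons": reasons, "urls": urls}


def qr_payloads_from_email(raw: bytes, decode_image: Callable[[bytes], Iterable[str]]) -> list[str]:
    """Walk a MIME message and run every image part through a QR decoder. `decode_image`
    is whatever decoder the gateway has (a wrapper around a library such as pyzbar is assumed
    in production). The link is only visible after decoding, which is why filters that scan
    message text alone miss quishing."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    payloads: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            payloads.extend(decode_image(part.get_payload(decode=True)))
    return payloads


def constructed_quishing_email() -> bytes:
    """A constructed message carrying an 'image'. The bytes are a marker, not a real PNG,
    so the example runs without image libraries; `marker_decoder` below understands it."""
    msg = EmailMessage()
    msg["From"] = "promo@bigbox-deals.example-survey.net"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Scan for 20% off your next order"
    msg.set_content("Scan the code below to claim your discount.")
    msg.add_attachment(b"QRMARKER:http://bigbox-coupon.example-survey.net/confirm-your-account",
                       maintype="image", subtype="png", filename="coupon.png")
    return msg.as_bytes()


def marker_decoder(image_bytes: bytes) -> list[str]:
    """Stand-in for a real QR decoder, used only so the example runs offline."""
    prefix = b"QRMARKER:"
    return [image_bytes[len(prefix):].decode()] if image_bytes.startswith(prefix) else []


if __name__ == "__main__":
    sms = ("Your order cannot be shipped until you pay an international tax of $2.83: "
           "http://bigbox-delivery-fee.example-survey.net/pay")
    print(score_message(sms, sender="+15550100199"))
    for link in qr_payloads_from_email(constructed_quishing_email(), marker_decoder):
        print(link, score_message(link))
```

The constructed "international tax" SMS scores on four signs at once (urgency, a plain-http link, a host that mentions the brand but isn't the brand's domain, and an unknown sender), while a real shipping notice from the brand's own domain and sender ID scores zero. The email's body text contains no link, so a text-only filter sees nothing; only after the image part is decoded does the same `url_risk` check flag the lookalike host. The lookalike rule is deliberately simple (brand name anywhere in the host), and the domain split ignores the Public Suffix List, so treat both as the starting point for a real filter rather than the finished one.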
March 7, 2022
Cash Is Critical in Times of Crisis
Before I get into the meat of this post, I want to acknowledge that the events in Ukraine are on all our minds. Our hearts and thoughts are with those caught up in this conflict.
Among the photos coming out of Ukraine are images of the Ukrainian people lined up at ATMs. These pictures underscore that cash, and access to it, is critical in times of crisis and uncertainty. Here at home in the Southeast, the Atlanta Fed is always on alert during hurricane season in the event that we have to step up our supply of cash to banks.
In addition, understanding the continuing role of cash in an increasingly digital world has been a core focus in the payments research we do through the lens of diversity, equity, and inclusion. Cash remains an important payment option among our many other options, including cards, checks, apps, and digital currencies. There are many reasons some people prefer to use cash: it helps them manage their budget, they don't have a bank account, they lack access to internet or smartphones and therefore lack access to digital payment apps, they're comfortable with cash from a lifetime of use, they're seeking anonymity, or they just plain choose to use it.
Although some businesses had already stopped accepting cash by the time the pandemic hit, the pandemic opened the door for many other businesses to stop taking it. Some businesses stopped offering in-person services and went to online platforms where customers could not use cash, such as order ahead, curbside pickup, and delivery subscription services. Concerns about money and hygiene, the coin supply disruption, and the ease of using cards and apps also discouraged cash use.
Those who use cash, whatever their reason, have been affected by the decisions of these businesses and by other decisions stemming from the pandemic, according to survey data. They've also been affected by the reduced number of ATMs in the United States due to bank and business closures, often in rural and low-income areas, or due to changing policies affecting independent ATM operators. Even in the United States, difficulty reaching an ATM can make it harder, and perhaps more expensive, for people to get cash when they need it most.
In times of natural disasters, when electronic systems can fail, people turn to cash. People also turn to cash in times of manmade disasters. The reliance on cash as the go-to payment in times of crisis and as a personal choice underscores the need for cash preservation and ease of access.
While the Ukrainian people have much more important things to deal with, and our thoughts are with them as they navigate this crisis, understanding the role that access to cash plays in people's lives is something we will continue to look at here at the Atlanta Fed.