Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
July 12, 2021
Young and Old Want to Keep Their Money Safe
My colleague Doug King recently moderated a panel about age-related attitudes toward banking and payment practices. He spoke with a boomer, a gen-Xer, a millennial, and a gen-Zer.
Most notable about these panelists: not how different they were from each other but how alike. Keeping in mind that a sample of four is not representative and that all were Federal Reserve employees, panelists of every age agreed about risk when it comes to their money: they hate it.
All four had used a brick-and-mortar bank one way or another in the last year, and there was no interest in switching to a digital-only bank or fintech option—even though all panelists struggled to remember the last time they had written a check. One panelist said, "I stick with what I know." Another: "I just don't have time to do the research." A third, "I'm staying with the traditional, just in case." They wanted not the bricks, not the mortar, but rather the security implied by the existence of solid real estate.
They admitted to more risk-averse behavior: no one—not the youngest, not the IT guy—owned crypto assets. Too risky, they said. Most are storing card numbers with an online merchant with high brand recognition but not at other online shopping websites. It's worth the small amount of time to put in the number at lesser known sites, said three of the four.
Do you see a marketing opportunity out there? Some newer services are selling the idea of speed—that is, payments that are fast and frictionless. Or the social benefits of tagging payments with emojis. Or convenience. Or a user-friendly app. But these four people, at least, want safety.
Of course, newer ways to pay do offer security enhancements—for example, two-factor authentication when you use a phone with fingerprint or face ID authentication to pay. And, with so many choices available, panelists said they would like to better understand their payment options. This means that maybe customers are waiting to hear more about product features and benefits that emphasize security and, according to these four, at least, that are delivered by recognized brands they already know and trust.
May 17, 2021
Common Learnings from Fishing and Phishing
As a youngster growing up in Southeast Georgia, one of my favorite summer pastimes was fishing with my older brother at the local creek using cane poles and some corn niblets or, if we really hit the bait treasure box, pieces of beef hot dog. There is a reason they call it fishing and not catching as most days we barely got a nibble. But there were those days when we would land a nice-sized bluegill.
As I grew older and my fishing opportunities expanded, I began to learn more about the science and techniques of fishing. To increase the catching, there was a level of knowledge needed as to what type of bait (artificial or live) and what fishing technique (bottom, slow, or fast retrieve) to use to target the species of fish I wanted.
I reviewed the FBI's 2020 Internet Crime Report recently and learned that there were more than 240,000 phishing/smishing/vishing/pharming incidents in 2020—an increase of 110 percent over 2019 (and these are just those that were reported). Losses from these incidents were estimated at $54 million. Reading about this made me flash back to my fishing learnings. I reflected that in phishing, as in fishing, there are those people who simply throw out a baited hook to see what bites they get. They blast out a generic email to tens of thousands of email addresses they bought or otherwise acquired illegally, promising fortunes if you only pay, in advance, a finder's fee or the taxes, with gift cards or cryptocurrency. (These messages have advanced over the years to eliminate the poor grammar and misspellings and provide a more believable scenario about the money that belongs to you.)
It has become obvious to me from my research, from seeing the attacks firsthand, and from listening to my colleagues that criminals are becoming more sophisticated in their messages. They are quick to take advantage of current health or natural disaster crises, sending links to “breaking news” that contain malware or links to false websites to capture your personal information or other credentials. They have become very skilled in identifying a target and researching that individual's hobbies or life events through social media, which allows them to craft a message that appears legitimate and appeals to the target's interest.
My colleagues and I are constantly trying to better educate the public about these threats through our posts, webinars and other publications. Just when we think we've seen it all, the criminals come up with a new twist on an old scheme, such as what we saw over the last year regarding the stimulus payments. The bad guys are always going to be out there hoping they can get a nibble from you so they can try to set the hook and reel you in. Don't let yourself be the catch of the day.
May 3, 2021
You Can Deploy 19th-Century Technology against a 21st-Century Scourge
Just like last year, and in 2019 before that, the Association for Financial Professionals (AFP) is reporting that business email compromise (BEC) is at the heart of fraud attempts against businesses: an AFP survey found that 6 in 10 attempted or perpetrated frauds are built on BEC.
Many of us are familiar with the seemingly urgent—and fraudulent—email from a faux CEO or other executive demanding that we immediately purchase gift cards for a pressing need or instantly transfer funds to an impatient vendor demanding payment. The language of these requests plays on our insecurities and fears. Adrenaline surges, muscles tense, heart rate speeds up. We are ready—and want to—spring into action. And when payments are frictionless, that’s easy to do. The click of a mouse, and the problem goes away.
Then, the second thoughts. Uh-oh. Our lizard brains have betrayed us again.
But the 520 corporate treasury professionals who responded to the survey hold out hope. These treasury pros reported using processes to remove from the fraud equation an email from a perpetrator to an accounts payable clerk, CEO, or other employee. They include implementing a payment request database and then prohibiting the email receipt of payment requests or creating a secure supplier web portal so that payees—not the payor—control updates to bank account information.
Another effective solution, not so new: the voice call. This 19th-century invention, variously credited to Antonio Meucci, Elisha Gray, and Alexander Graham Bell, can add friction at just the right point in the fraud-prevention process, what my colleague Jessica Washington calls "fast access to live humans." Some respondents to the AFP survey, for example, reported that they required a voice call-back to confirm changes requested by email or to ascertain the bona fides of parties applying for credit, friction that creates a necessary opportunity for a double-check.
At the Telephone Museum in Waltham, Massachusetts, you can admire 19th-century contraptions of wood and cloth and even teach your kids to use a rotary dial. The Mickey Mouse phone, the hamburger phone, and the "princess" phone of my childhood are all there. While the younger set investigates some antediluvian communications device, be sure to take a moment to remind yourself of its efficacy in the present day.
April 19, 2021
Criminals Also Like Convenience
The phrase "The customer is always right" was coined by London department store retailer Harry Gordon Selfridge in 1909 to encourage his employees to provide customers with exceptional customer service. Ever since, retailers across all industries have been trying to achieve the positive customer experience—and possibly a competitive advantage—that Selfridge was striving for by offering a variety of customer-oriented policies and services. One such service that gained popularity a couple of years ago is buy-online-pick-up-in-store, often shortened to BOPIS. The COVID pandemic has led to a modification of BOPIS: BOPAC, short for buy-online-pick up-at-curbside. Merchants are offering these options so they can provide a "frictionless transaction"—in other words, they want to reduce the actions customers have to take to obtain their products. This less-contact process also happens to address the CDC’s COVID health recommendations of minimizing contact with others.
Unfortunately, fraudsters have latched onto BOPIS and BOPAC because they’re a means to secure their ill-gotten gains faster and at a lower risk of confrontation once they have stolen the payment credentials of a legitimate cardholder. According to a report published last fall , BOPIS fraud increased 55 percent from the first half of 2019 to the first half of 2020. While merchants in the BOPIS model can ask customers for identification, many do not, for a couple of reasons. First, the person picking up the goods may not be the cardholder, as often happens in the home improvement and landscaping business. Some retailers have addressed this by requiring the cardholder during checkout to give the name of the pick-up person. Second, requesting identification adds a step to the process and therefore adds friction.
A major financial services company published a best practices guide a year ago that contains recommendations on how merchants can reduce their fraud risk for BOPIS/BOPAC transactions. These recommendations include manually reviewing orders of high-value or targeted merchandise and using video cameras in the pick-up areas.
As stores and shopping centers begin to open more and with longer hours, it will be interesting to see if customers return to browse and shop in the aisles or the convenience of BOPIS/BOPAC will continue to drive ecommerce traffic. What do you think?