The New Payments Platform may already be the fraudsters' payments system of choice, if European experience is any guide.
Analysis by the European Banking Authority has uncovered business innovation and adaptability on the part of the dark forces driving payments fraud.
Fraudsters have adapted their techniques and are using more complex types of fraud, such as those based on what is commonly referred to as ‘social engineering’ the EBA explained in an Opinion published overnight.
"Instant payments feature notably higher fraud rates than traditional credit transfers, and a relevant part of the fraud losses are borne by the customers, especially for credit transfers" the EBA related in the opening of its draft Opinion.
The Opinion on new types of payment fraud and possible mitigants is timely.
While the mandatory application of Strong Customer Authentication (SCA) in the EU "has been successful in preventing fraud based on the stealing of customers’ credentials, fraudsters managed to adapt their techniques, giving rise to fraud types of a more complex nature, in particular leveraging on social engineering."
Loads of work by banks and payment processors to refine standards and clarify processes has produced results on what used to be the most problematic fraud domain.
There has been a significant decline of remote card payments fraud in Europe.
Interestingly, mail order or telephone order is not just typically higher, but last year was reported to be "significant in volume".
So one trick by the fraudsters is to simply employ legacy methods and exploit lazy legacy systems at banks.
The crooks have far better targets than MOTO.
For fast payments and instant payments, fraud rates in Europe in 2022, by value, are about 10 times higher on average than conventional Credit Transfers.
Instant payments - in Australia's case the NPP - by design do not offer the possibility for users to recover funds in case of fraudulent payments, and to the extent there are protocols in place they are limited.
Another key lesson for Australian banks is that in the EU, cross-border fraud rates in volume are about 9 times higher than for domestic transactions, for both cards and credit transfers.
Noting the link between scams and fraud, the EBA said "an increasing number of payment fraud takes the form of manipulation of the payer, or the so-called 'Authorized Push Payment' fraud, where the payer is manipulated into making a payment to the fraudster."
The EBA draws attention to three types of fraud it said are "more complex" and "widespread". These are:
-
Manipulation of the payer - alongside APP fraud there is 'CEO fraud'; a fraudster impersonating a high-level 6 business director or executive, manipulating an employee to initiate and authorise a payment, often for a large amount.
-
Mixed social engineering and technical scam - In this fraud type fraudsters combine phishing techniques (including vishing and smishing), used to steal the customers’ personal security credentials to gather account information and issue payment orders, with social engineering aimed at manipulating the PSUs to authorise the payment orders issued. The fraudsters directly carry out some operations on the account of the victim.
-
Enrolment process compromise - This fraud type is a complex scam geared towards enrolling fraudster’s devices as a second factor of the SCA, to be used together with the customer’s personal security credentials stolen by the fraudster via phishing/smishing/vishing techniques. In these scams, often leveraging on specific vulnerabilities of the enrolment procedures, the aim of the fraudster is taking over the payment account completely, thus enabling multiple fraudulent payments.