Payment fraud covers a number of different fraud types, including card not present fraud, skimming, jackpotting and business email compromise. Criminals are continuously evolving their approach and adapting to new security measures, increasing the success rate of attacks.
In its 2019 Internet Organised Crime Threat Assessment Report (“the Report”), Europol’s European Cybercrime Centre (EC3) presents the combating of payment fraud as a key priority, and outlines the key considerations for each crime type.
Card not present fraud
Card not present (CNP) fraud may be committed once a person’s credit card data has been compromised through a method such as a third-party breach, phishing email or scam text message. The scammer attempts to make a fraudulent credit card transaction online or over the phone, whilst not physically possessing the card.
CNP fraud is most commonly committed in relation to the purchase of high-value goods such as electronic devices and mobile phones, but is increasingly moving into other areas such as booking hotels.
The availability of credit card details is unprecedented, with stolen credit card details also being sold on the dark web for use by other criminals.
A relatively new development is the provision of technologically sophisticated crime-as-a-service platforms which provide criminals with a simple user interface that enables them to commit acts of fraud and evade detection.
Whilst CNP fraud is a major problem in and of itself, it also facilitates other crimes such as human trafficking, allowing criminals to purchase plane tickets, book hotels and rentals whilst avoiding detection.
The Report highlights the need for the private sector to bring fraudulent transactions to the attention of law enforcement, and stresses the importance of public-private partnerships in fighting this type of fraud.
Skimming
‘Skimming’ refers to the copying of card magnetic-stripe track data at point-of-sale terminals and ATMs. In addition to the use of a skimming device, which is typically composed of metal or plastic, criminals may also install a camera on the ATM in order to steal the PIN.
Skimming remains one of the most common frauds in Europe due to the fact that not all payment terminals and ATMs in Europe contain the necessary anti-skimming measures. The stolen card data may then be sold on the Darknet or used to perform bank withdrawals.
Jackpotting
Certain older ATMs may be vulnerable to ‘jackpotting’, where the criminal either uses malware or a ‘black box’ hardware device to connect to the ATM dispenser and empty it of cash.
Malware such as WinPot and Cutlet Maker is available on the Darknet, leading to increased jackpotting attacks on ATMs.
The physical component of jackpotting attacks also appears to be evolving with innovative methods being used to connect to the ATM, including:
- disconnecting the front of the ATM from its base in order to allow direct access to the connections
- removing the screen from the ATM and performing a few technical operations to gain access
- melting a hole above the monitor of the ATM and plugging a USB cable into the ATM’s printer cable
- breaking the deposit slot plastic, opening the monitor and connecting the ATM USB cable
Business email compromise
Business email compromise (BEC) attacks involve the impersonation of company staff, typically members of senior management who can authorise transfers, deceiving employees into transferring funds to the criminal’s account.
BEC has also been a priority for European law enforcement, with attacks becoming “more professional and convincing”. Whereas traditionally social engineering was the method of choice, a variety of different methods are now being used including network intrusion, malware and the hacking of legitimate email accounts to impersonate key individuals.
According to the Internet Crime Complaint Centre, between December 2016 and May 2018, there was a 136% increase in identified global exposed losses due to BEC attacks, and more than USD 12 billion in losses since October 2013.
Future threats and developments
As echoed throughout other sections of the Report, as long as existing crimes remain profitable, criminals will continue to carry them out. Current threats may therefore provide a good indication of the kinds of threats that will be faced in the future, with a degree of inevitable evolution.
The Report also highlights the potential for instant payment schemes to complicate fraud prevention and mitigation, allowing for various frauds to be expedited with less chance of being flagged as suspicious transactions by the financial sector.
Another key area to monitor is that of open banking, which refers to enabling third-party developers to build applications and services around financial institutions. Whilst designed to provide greater financial transparency options for account holders, it is predicted that this will make both customers and third-party providers more vulnerable to attacks.
The Report highlights the need for:
- cooperation between the public and the private sector
- organisational training to ensure that employees are able to detect social engineering and other scams
- improved cooperation and information exchange on cross-border fraud cases – this will be facilitated through the non-cash-payment fraud (NCPF) Directive which Member States have two years to implement