
Do you specialise in Mobile Fraud Prevention or AI for Fraud Prevention Solutions? We want to hear from you!

Each month on Merchant Fraud Briefing we’re shining the spotlight on a different part of the market – and in October we’ll be focussing on Mobile Fraud Prevention & AI for Fraud Prevention.

It’s all part of our ‘Recommended’ editorial feature, designed to help industry buyers find the best products and services available today.

So, if you specialise in Mobile Fraud Prevention or AI for Fraud Prevention Solutions and would like to be included as part of this exciting new shop window, we’d love to hear from you – for more info, contact Jennie Lane on 01992 374 098 | j.lane@forumevents.co.uk.

Here’s our 2023 Features List in full:-

October – Mobile Fraud Prevention & AI for Fraud Prevention

November – Biometrics for Fraud Detection & IP Intelligence/Proxy Detection

December – POS Verification & Chargebacks

For more info, contact Jennie Lane on 01992 374 098 | j.lane@forumevents.co.uk.

Visa highlights AI threat in latest data

Visa’s latest Biannual Threats Report highlights a ‘significant’ rise in phishing schemes propagated through generative AI tools, and a marked increase in enumeration and ransomware attacks. While the global fraud rate trended lower than expected during the period the report covers (January – June 2023), Visa says it proactively blocked $30 billion in attempted fraud over those six months.

However, threat actors were successful in conducting targeted and sophisticated fraud schemes impacting specific institutions, technology, and processes.

Highlights of the report’s findings include:

  • Ransomware attacks continue to evolve and grow in prevalence. March 2023 set a new record for ransomware attacks in a single month with nearly 460, a 91% increase over February 2023 and 62% higher than the same month in 2022. A 2023 ransomware report identified exploited vulnerabilities as the most common root cause of ransomware incidents (36%), followed by compromised credentials (29%). Notably, ransomware actors do not always target payment data specifically; they take whatever data is accessible during the intrusion, which may include payment data or personally identifiable information.
  • Enumeration attacks continue to impact merchants and consumers alike. The period covered in this study saw a 40% increase in enumeration attacks over the previous six months. Visa used its Visa Account Attack Intelligence to identify these attacks in real time to alert merchants and stop fraud in its tracks.
  • Card-Not-Present merchants emerge as the bigger target. Online merchants accounted for 58% of Visa’s fraud and breach investigations, brick-and-mortar merchants for 20%, and ransomware/fraud schemes for 7%.

Retail-specific schemes saw a measurable uptick during the past six months, including:

  • False, spoofed, or counterfeit merchants: Consumers are being targeted through websites that seem like their favorite merchants. These sites are established to take customers’ orders but do not fulfill the goods or services ordered and instead steal customers’ payment account information.
  • The rise of malvertising: Some scammers are developing fake ads to try to garner personal information. Victims of these schemes are targeted with search engine-optimized scams that prey on what they might be interested in legitimately purchasing.
  • Flash-fraud scams: In flash-fraud, or ‘bust-out’, schemes a threat actor sets up what appears to be a legitimate merchant and processes a small number of genuine payments to build a credible processing history. Once that history is established, the merchant suddenly submits a large volume of fraudulent transactions, often using stolen payment account data, and disappears as soon as the funds are received.
  • Free gift scams: An emerging crypto scam in the retail space is the ‘free gift’ scam, where bad actors offer a ‘free gift’ via a pop-up window that asks the victim to confirm a transaction. Clicking it executes a malicious payload, including a malicious NFT, which lets the fraudster interact with the victim’s wallet and authorise cryptocurrency transfers from it to the fraudster’s own.

“While we are pleased by the lower-than-expected fraud rate over the last few months, this edition of the Biannual Threats Report continues to underscore just how savvy fraudsters continue to be,” said Paul Fabara, Chief Risk Officer at Visa. “The same way criminals take advantage of technology advances, so does Visa, and the $30 billion of fraud prevented in the last six months alone is a great testament to that.”

While the threat landscape is more complicated than ever, consumers can take solace in the ways Visa is working to protect them. Visa Payment Fraud Disruption’s efforts over the past six months have resulted in significant crackdowns on cybercrime activities with help from global law enforcement and government agencies.

Visa says it also helped bring fraudsters to justice around the world. In May 2023, the US Secret Service took down a major cybercrime platform called Try2Check. Its administrator, Denis Gennadievich Kulkov, faces 20 years in prison. A local enforcement action called Operation Urban Justice was launched in California targeting Electronic Benefit Transfer (EBT) fraud, which led to the arrest of 20 suspects believed to be part of an Eastern European crime syndicate. In April 2023, an international law enforcement coalition led the Genesis Market Takedown, arresting 119 people involved with the cybercrime platform.

Image by hartono subagio from Pixabay

Evolving payment methods to push remote physical goods fraud up by 400%

A study from Juniper Research predicts that the greatest merchant losses to fraud will be via remote physical goods purchases, with losses reaching $5.1 billion across emerging markets in 2028, up from $1 billion in 2023.

Juniper anticipates fraud losses in Africa & Middle East to reach $1.1 billion in 2028; growing 643% from $150 million this year. This is largely due to limited adoption of effective fraud prevention tools in the region. Such tools are needed to keep pace with the rapidly increasing number of transactions, evolving payment methods and growing threats.

The research recommends that merchants in the region adopt fraud detection and prevention systems as a priority; otherwise rapid eCommerce growth will translate into massive fraud growth, damaging merchant profitability.

The research urges players to implement AI for analysing trends in fraudster behaviour. This is important in emerging regions, as smartphone adoption causes mCommerce to grow at a rapid rate. Therefore, fraud detection and prevention vendors must utilise data collected throughout the whole eCommerce process to further train and develop their AI fraud detection and prevention models.

Research author Cara Malone said: “With the growing use of AI, it is increasingly important for fraud detection and prevention providers to educate their clients, as AI utilises a variety of data to examine patterns within fraud. AI is extremely advantageous in a space where fraudsters attack at scale, rather than attacking a specific customer.”

Image by THAM YUAN YUAN from Pixabay

Understanding the Payment Card Industry Data Security Standard (PCI DSS) and how it works

In today’s digital age, the seamless and secure processing of payments is paramount for retail businesses. As such, understanding and adhering to the Payment Card Industry Data Security Standard (PCI DSS) is not just a requirement – it’s essential for maintaining customer trust. Here are the vital considerations for retailers navigating PCI DSS compliance, based on input from delegates and suppliers attending the Merchant Fraud Summit…

  1. Understanding the Basics:
    • PCI DSS is a set of security requirements designed to ensure that every organisation accepting, processing, storing or transmitting payment card data maintains a secure environment. It was created by the major payment card brands, which administer it through the PCI Security Standards Council, to protect cardholder data against theft.
  2. Scope Determination:
    • One of the first steps for a retailer is to accurately determine the scope of their Cardholder Data Environment (CDE). This encompasses all processes, systems and personnel involved in storing, processing or transmitting cardholder data, together with any systems connected to the CDE or able to affect its security. Getting scope wrong in either direction is costly: too narrow leaves card data unprotected, too wide puts every system through the full assessment.
  3. Storage of Sensitive Data:
    • PCI DSS prohibits storing sensitive authentication data (full magnetic stripe or chip data, card validation codes such as CVV2, and PINs or PIN blocks) after authorisation, even in encrypted form. Where the primary account number (PAN) must be kept, for refunds or recurring billing, it has to be rendered unreadable, for example through tokenisation, strong encryption or truncation, and retailers should keep no more card data, for no longer, than the business actually needs.
  4. Encryption:
    • It’s crucial to protect cardholder data both in transit (over any open or public network) and at rest. Use strong, current cryptography, for example TLS 1.2 or later for data in transit, so that intercepted or exfiltrated data is unreadable to an attacker. Encrypting stored PANs also brings key-management obligations, which PCI DSS specifies separately; a key stored next to the data it protects does not count.
  5. Regular Vulnerability Assessments and Penetration Testing:
    • Retail businesses must periodically evaluate their systems for vulnerabilities. PCI DSS expects quarterly internal and external vulnerability scans (the external scans by an Approved Scanning Vendor), rescans after significant changes, and penetration tests at least annually to determine how resilient the CDE is against a real attacker.
  6. Restricted Access:
    • Ensure that only personnel who need access to cardholder data to perform their job duties have it, and only to the extent they need it. Employ robust authentication measures: PCI DSS v4.0 requires multi-factor authentication for all access into the CDE, not just for remote or administrative access.
  7. Vendor Management:
    • Many retailers use third-party vendors for payment processing or other parts of their CDE. It’s vital to ensure that these vendors also comply with PCI DSS standards. Remember, a chain is only as strong as its weakest link.
  8. Regularly Update and Patch:
    • As cyber threats evolve, so too must defenses. Regularly update and patch systems to protect against known vulnerabilities.
  9. Educate and Train:
    • Human error can be a significant vulnerability. Regularly train staff on the importance of PCI DSS, the retailer’s specific processes, and the dangers of phishing or other scams.
  10. Consider Alternative Payments:
    • With the rise of digital wallets, contactless payments, and other alternative payment methods, retailers have more options than ever. However, each comes with its own security considerations. Ensure that all methods adhere to PCI DSS or their respective standards.
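The following is an added example, not part of the original feature or of any PCI SSC material, showing what items 3 and 4 above look like in code. A card number is Luhn-checked, the CVV is used once and never persisted, the PAN is held only inside a tokenisation vault (here a hypothetical in-memory stand-in for a processor’s tokenisation service), and everything outside the vault sees only a random token and a first6/last4 truncation. A log scrubber redacts any Luhn-valid card number that leaks into free text. The class and function names, the vault and the card numbers (industry test numbers) are all illustrative assumptions.

```python
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digits-only PAN: catches mistyped numbers and lets the log
    scrubber below tell a card number apart from an order number of similar length."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First 6 and last 4 digits only: the most of a PAN that may be shown or kept outside the vault."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    token: str        # opaque, random reference returned to the merchant application
    masked_pan: str   # first6/last4 for receipts and dashboards
    expiry: str       # MM/YY: cardholder data, not sensitive authentication data, so it may be kept


class TokenVault:
    """Hypothetical in-memory stand-in for a processor's tokenisation service (an assumption of
    this example). The merchant application only ever holds the token; the PAN lives here only."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def store(self, pan: str, expiry: str, cvv: str | None = None) -> StoredCard:
        pan = re.sub(r"[\s-]", "", pan)
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        # The CVV is sensitive authentication data: it goes into the authorisation request
        # and is then dropped. It is deliberately never written anywhere in this class.
        del cvv
        token = secrets.token_urlsafe(24)   # random; nothing about the PAN can be derived from it
        self._pan_by_token[token] = pan
        return StoredCard(token=token, masked_pan=mask_pan(pan), expiry=expiry)

    def detokenise(self, token: str) -> str:
        """Only the component that builds the next authorisation request should call this."""
        return self._pan_by_token[token]


# A digit run of card-number length, allowing the spaces or dashes people type between groups.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def scrub_pans(text: str) -> str:
    """Redact Luhn-valid card numbers from free text (log lines, support tickets) before storage."""
    def redact(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(redact, text)


if __name__ == "__main__":
    vault = TokenVault()
    card = vault.store("4111 1111 1111 1111", "12/29", cvv="123")   # industry test number
    print(card)                                   # token plus 411111******1111, no PAN, no CVV
    print(scrub_pans("checkout failed for card 4111 1111 1111 1111 from 203.0.113.5"))
```

An in-memory dictionary obviously does not survive a restart and meets none of the key-management or access-control requirements; in production the vault belongs to the acquirer or a PCI-validated tokenisation provider, which is precisely what keeps the PAN, and the bulk of the assessment scope, out of the retailer’s own systems. The scrubber is worth running on anything that could carry pasted card numbers (application logs, crash reports, chat transcripts), because a stray PAN in a log file is the classic way a system that was supposed to be out of scope ends up inside the CDE.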

PCI DSS compliance is not just about avoiding penalties; it’s about building and maintaining trust with customers in a digital age where data breaches can severely tarnish a retailer’s reputation. By understanding the scope, employing best practices, and continuously adapting to the changing digital landscape, retailers can provide both a seamless and secure payment experience.

Are you looking for PCI DSS solutions for your retail business? The Merchant Fraud Summit can help!

Image by Ahmad Ardity from Pixabay

Fines relating to mismanagement of data subject rights could hit $1bn

By 2026, fines due to mismanagement of subject rights will have increased tenfold from 2022, to total over $1 billion, according to Gartner.

The analyst defines subject rights requests (SRRs) as a set of legal rights that enable individuals to demand access to, and in some instances changes to, the data an organisation holds about them, and clarity about how that data is used.

“For security and risk management (SRM) leaders in B2C organizations, automating subject rights or consumer privacy rights management has become a basic requirement and a prerequisite for building trust,” said Nader Henein, VP Analyst at Gartner. “The management of SRRs can enhance customer trust levels by providing a positive privacy user experience (UX).”

However, inefficient handling of SRRs and an immature privacy UX can erode the benefit from millions of dollars spent on developing positive customer sentiment.

Organizations handling data must address SRRs in a defined time frame. Poor or delayed responses to SRRs can negatively impact an organization’s trust with its customers. As a result of long waits for a response, customer experience (CX) and sentiment are also negatively impacted. In addition, regulators regularly impose fines for failure to comply. These rulings also mandate prompt execution of requests.

SRM leaders should take the opportunity when they receive an SRR to engage with privacy-aware customers. “Data subject rights should not be treated exclusively as a legal requirement,” said Henein. “To support positive customer sentiment, the organization’s privacy UX should be developed with the same care as any customer-facing service.”

In addition, many jurisdictions require digital organizations to address the privacy rights of their employees. Data held on incoming, current, or past employees is worthy of the same care as data pertaining to customers. The highest cost per request is often attributed to employees’ SRRs rather than those coming from customers due to the complexity and the volume of data.

“To ensure data subjects receive responses within acceptable time, cost, and scale limits, SRM leaders should consider establishing a foundation of metrics around SRRs,” said Henein.

“While the need for scalable subject rights delivery and fulfillment will not go away, the demand for more automation will lead to a faster move toward a zero-touch model,” said Henein. “This model will enable users to self-serve informative rights through a privacy portal where individuals will be able to browse their information in detail and understand how it is being used and by whom.”

Maintaining a manual SRR process renders an organization more likely to face regulatory fines and suffer associated reputational damage. It also entails maintenance costs. By contrast, being transparent about, and involving customers in the SRR process and implementing a more automated approach to SRR fulfillment offers clear benefits to organizations.

Image by Gerd Altmann from Pixabay

Your agenda at the upcoming Merchant Fraud Summit

The Merchant Fraud Summit takes place over a day & consists of 1-2-1 meetings with innovative suppliers to help with your upcoming plans, insightful seminar sessions and numerous opportunities to network with peers.  

Click here to confirm your attendance (booking form takes less than two minutes to complete).

AGENDA: 1st November

08:00 – 08:45: Registration

08:45 – 09:30: Opening Presentation – “Fraud: How it’s done, and what to look out for!”

09:40 – 10:00: Seminar – “How to optimize your 3DS Strategy”

10:40 – 13:00: Face to Face Meetings

13:00 – 13:45: Networking Buffet Lunch

13:55 – 14:15: Seminar – “Failure to Prevent Fraud Offence”

14:20 – 14:40: Seminar – “Fraud, terrorism financing and organised crime – time for a joined-up approach?”

14:45 – 16:50: Face to Face Meetings

Network with peers such as: Royal Mail, John Lewis Group, Virgin Media, Selfridges, Tesco, Dr. Martens, Sky, Experian Ltd, River Island, Dreams Ltd, EasyJet, Bet365, Hertz International, Post Office Ltd, Mitchells & Butler, Cazoo Ltd, The Very Group, FHG, Totesport Ltd, PwC UK, Appreciate Group PLC, Weightmans, Phoebe Philo, Stenn International & more.

To secure your complimentary place, please book here

Or let us know here if you have any questions.

Bribery and corruption concerns drive 650% increase for Regtech AI KYC checks in banking sector

A new study from Juniper Research has found that the total number of Know Your Customer (KYC) checks for banking, conducted using AI, will reach almost 175 million globally by 2028; up from just over 23 million in 2023.

The demand for regtech solutions is increasing across not only financial services, but also industries such as healthcare and cybersecurity, as continuous verification of identities becomes fundamental in preventing financial crime and non-compliance.

One example of this is the rise of virtual GPs and ePharmacies. Here, Juniper says it is vital for KYP (Know Your Patient) verification to be employed to prevent fraud such as identity theft and financial exploitation. By implementing such verification, businesses also avoid fines for failing to carry out customer assessments.

The report encourages cross-border businesses to adopt regtech solutions in order to reduce risk across different regulatory jurisdictions. As multinational companies expand into new regions, they are faced with a fragmented regulatory framework comprising jurisdictional differences across varying markets. Failure to meet compliance demands can lead to businesses facing penalties; resulting in serious economic and reputational consequences.

The recent emergence of “Failure to Prevent” offences specifically targets organisations, holding them accountable for failures in their compliance systems. Implementing regtech solutions helps organisations defend themselves against this type of allegation.

The report found that innovative vendors are using AI and machine learning to decipher email and phone call data to identify bad actors across organisations. This is vital as lawmakers and regulatory bodies are cracking down on bribery and corruption offences, which severely undermine fair competition and contribute to slow economic growth.

Juniper Research recommends that as businesses expand their operations and move into new regions, they deploy AI-powered regtech solutions to automate monitoring of regulatory compliance; reducing manual checks being required and overall risk.

Image by Gerd Altmann from Pixabay

Understanding the Authorised Push Payment (APP) fraud threat

In today’s digital age, where electronic transactions have become commonplace, the spectre of fraud continuously looms large. One such deceptive practice that has been increasingly plaguing the UK’s financial landscape is Authorised Push Payment (APP) fraud.

At its core, APP fraud involves a fraudster deceiving individuals into sending them money. These payments are ‘authorised’ because the individual unknowingly gives consent, believing they’re making a legitimate transaction. The scammer often masquerades as a trusted figure or institution, such as a bank representative, solicitor, or even a family member, thereby manipulating the victim into transferring funds directly to a bank account controlled by the fraudster.

There are various ways in which APP fraud can manifest:

  1. Purchase Scams: A victim pays in advance for goods or services that don’t exist, usually facilitated through online marketplaces.
  2. Advance Fee Scams: A victim is convinced to pay a fee, believing they’ll receive a larger amount of money in return, but they never do.
  3. CEO Fraud: Impersonation of a senior executive or a trusted supplier, asking for an urgent fund transfer.

The consequences of APP fraud extend beyond financial losses. For many victims, especially those who lose significant sums, the emotional and psychological toll can be profound.

Combatting APP fraud requires collective vigilance. Banks and financial institutions in the UK have started to adopt more robust verification processes for new payee registrations, such as Confirmation of Payee, which checks the name on the destination account against the name the payer entered before the payment is released, alongside warning messages about potential scams and better education for customers about these types of fraud.

The UK’s Payment Systems Regulator has also been pushing for more protections for victims, including potential reimbursement if they’ve taken reasonable care.

For individuals, it’s essential to remain sceptical of unsolicited requests for money, even if they appear to come from trusted sources. Always double-check payment details directly with the institution or individual in question, using contact details you’ve sourced independently.

In conclusion, while the digitisation of banking has offered unprecedented convenience, it also presents new avenues for deception. Awareness and education about APP fraud, combined with rigorous verification procedures, are our best defence against these malicious schemes.

Image by vicky gharat from Pixabay

PSR proposes £415,000 cap on APP fraud claims

The Payment Systems Regulator (PSR) has launched two consultations in the lead up to the implementation of its new authorised push payment (APP) fraud reimbursement requirements.

In June, the PSR set out its final position on tackling APP fraud, which will mean the vast majority of victims will be reimbursed within five days of the fraud being reported to their bank.

The PSR’s reimbursement requirements will ensure action is taken across the payments ecosystem to prevent APP fraud from happening in the first place, but also encourage, and reinforce the importance of, consumers remaining cautious when making payments.

Before the new requirements come into force next year, the PSR said it would seek views on the maximum level of reimbursement and claim excess, as well as on the consumer standard of caution.

In this consultation, the PSR outlines its proposed approach to the consumer standard of caution. The PSR proposes that the standard should consist of three things:

  • A requirement for consumers to have regard to specific, directed warnings given by their bank which make clear that the intended recipient is likely to be a fraudster, although banks will need to take into account the complexity of an APP scam, including any social engineering the consumer may have faced.
  • A prompt reporting requirement where consumers who are, or suspect they are, a victim of an APP scam should notify their bank promptly and, in any event, not more than 13 months after the last fraudulent payment was made.
  • An information sharing requirement where consumers should respond to any reasonable and proportionate requests for information made by their bank to help them assess a reimbursement claim, or to determine if a consumer is vulnerable.

If it can be demonstrated that the consumer has been grossly negligent in not meeting one or more of these requirements, then they may not be reimbursed.

However, gross negligence is a very high bar which will critically depend on the individual circumstances of each case. The PSR only expects it to apply in a small minority of cases. Gross negligence will never apply where a victim’s vulnerability is a factor in them being defrauded.

In June, the PSR confirmed that sending banks will have the option to apply a claim excess under the new reimbursement requirements, except in cases where the consumer is vulnerable. The regulator stipulated there will be no minimum threshold for claims, but there will be a maximum limit.

The PSR is now seeking views on the most appropriate way of structuring a claim excess. This includes whether an excess should be a fixed amount (similar to an insurance claim excess) or a percentage of the reimbursement claim amount.

The PSR also proposes that the maximum reimbursement level should be in line with the prevailing Financial Ombudsman Service limit of £415,000 per claim – which around 99.98% of APP fraud falls within. The regulator is also consulting on whether the maximum level will apply to vulnerable consumers.

Chris Hemsley, Managing Director at the PSR, said: “The changes we are delivering will bring a major shift in preventing fraud, increasing reimbursement for victims, and incentivising the banks to do more to help their customers. The two aspects we’re consulting on now will help to strike the right balance between encouraging people to be careful when making payments, while ensuring they have confidence in knowing they’ll be better protected if they do fall victim to fraud.”

Image by PublicDomainPictures from Pixabay

Risk prevention in digital payments for e-commerce: Where to start

The e-commerce landscape is expanding at a breakneck pace, with digital and alternative payment methods emerging as the driving force behind this growth. While these payment methods offer unprecedented convenience, they also bring about a new set of challenges in terms of risk prevention. For e-commerce businesses, understanding and mitigating these risks is vital to maintain customer trust and ensure smooth operations. Here are the key considerations around risk prevention solutions for digital and alternative payments…

1. Robust Authentication Mechanisms:
As cyber threats continue to evolve, relying solely on traditional usernames and passwords no longer suffices. Implementing multi-factor authentication (MFA) drastically reduces the risk of unauthorised access by demanding an additional verification step, such as a one-time password (OTP), biometric verification or a hardware token. Not all factors are equal: OTPs sent by SMS are the weakest option because they can be intercepted or redirected through SIM-swap fraud, so prefer authenticator apps, passkeys or hardware tokens where customers will accept them.

2. Encryption and Data Security:
Ensure that sensitive data, especially payment information, is encrypted in transit and at rest. Serving your site exclusively over TLS (the current protocol; the older SSL it replaced is obsolete and should be disabled) with a valid certificate assures customers that their data is transmitted securely. Additionally, consider tokenisation, which replaces the card number with a random surrogate value that is useless outside the token vault, so that the real payment data never touches your own systems.

3. Regularly Monitor and Audit Transactions:
Monitoring transactions in real time can help spot suspicious activity. Set up alerts for unusually large transactions, many transactions or many distinct cards from the same IP address within a short window, a high decline rate from a single source (the signature of card enumeration, where an attacker tests stolen or guessed card numbers against your checkout), and orders where the delivery address and the cardholder’s billing address differ. Periodic auditing of the same data can also surface patterns or trends that a per-transaction rule would miss.
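As an added example, not from the original article or from Visa’s report, the following Python scores a constructed batch of transactions against the rules just listed, and includes the enumeration pattern the Visa findings earlier on this page describe: many distinct cards from one IP in a short window with a high decline rate. The thresholds, IP addresses, amounts and sample traffic are illustrative assumptions, not data from any merchant.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    ip: str
    bin6: str        # first six digits of the PAN; enough to see BIN-range enumeration
    last4: str
    amount: float
    approved: bool
    billing_zip: str
    shipping_zip: str


# Constructed sample traffic (not real merchant data): one ordinary purchase, one large order
# with a shipping/billing mismatch, and a burst of mostly-declined attempts from a single IP
# across thirty different card numbers in the same BIN range.
T0 = datetime(2023, 10, 2, 9, 0, 0)
SAMPLE = [
    Txn(T0, "203.0.113.10", "411111", "1111", 42.00, True, "SW1A 1AA", "SW1A 1AA"),
    Txn(T0 + timedelta(minutes=1), "198.51.100.7", "555555", "4444", 1850.00, True, "M1 1AE", "EH1 1YZ"),
] + [
    Txn(T0 + timedelta(seconds=5 * i), "192.0.2.99", "424242", f"{i:04d}", 1.00, i % 9 == 0, "B1 1AA", "B1 1AA")
    for i in range(30)
]

# Hypothetical thresholds; tune them against your own decline and order-size baselines.
LARGE_AMOUNT = 1000.00
WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 5           # distinct cards seen from one IP inside WINDOW
DECLINE_RATIO = 0.5          # share of declines in the window that turns velocity into enumeration


@dataclass
class Alert:
    rule: str
    ip: str
    detail: str


def score(transactions: list[Txn]) -> list[Alert]:
    """Apply the per-transaction rules, then the per-IP velocity/enumeration rule."""
    alerts: list[Alert] = []
    by_ip: dict[str, list[Txn]] = defaultdict(list)
    for t in sorted(transactions, key=lambda t: t.ts):
        if t.amount >= LARGE_AMOUNT:
            alerts.append(Alert("large_amount", t.ip, f"{t.amount:.2f} on card ...{t.last4}"))
        if t.billing_zip != t.shipping_zip:
            alerts.append(Alert("address_mismatch", t.ip, f"bill {t.billing_zip} != ship {t.shipping_zip}"))
        by_ip[t.ip].append(t)          # kept in timestamp order for the sliding window below

    for ip, txns in by_ip.items():
        for i, t in enumerate(txns):
            window = [u for u in txns[: i + 1] if t.ts - u.ts <= WINDOW]
            cards = {(u.bin6, u.last4) for u in window}
            if len(cards) < VELOCITY_LIMIT:
                continue
            declines = sum(1 for u in window if not u.approved) / len(window)
            if declines >= DECLINE_RATIO:
                alerts.append(Alert("enumeration", ip, f"{len(cards)} cards, {declines:.0%} declined in {WINDOW}"))
            else:
                alerts.append(Alert("velocity", ip, f"{len(cards)} cards in {WINDOW}"))
            break                       # one alert per IP is enough to trigger a block or step-up
    return alerts


if __name__ == "__main__":
    for a in score(SAMPLE):
        print(f"{a.rule:17} {a.ip:15} {a.detail}")
```

On the sample data the large order fires both the amount and the address rules, and the burst from 192.0.2.99 is flagged as enumeration on its fifth attempt, well before the attacker has worked through the thirty cards. The per-IP rule stops after the first hit so that one attacker does not generate hundreds of alerts; what it should trigger is a response (rate-limit or block the source, add a CAPTCHA or 3-D Secure step-up for that IP) rather than simply a line in a dashboard.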

4. Stay Updated on PCI DSS Compliance:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all companies that accept, process, store or transmit payment card data maintain a secure environment. Staying compliant not only protects cardholder data but also enhances your business’s reputation; note that the current version, PCI DSS v4.0, replaced v3.2.1, so check which requirements now apply to you.

5. Integration with Reputable Payment Gateways:
Collaborate with trusted payment gateways known for their security measures. Such gateways typically provide built-in fraud prevention tools and TLS-protected, PCI DSS validated card capture, which keeps card data off your own servers and the payment process seamless for customers while reducing your own compliance scope.

6. Alternative Payment Method Considerations:
With the rise of digital wallets, cryptocurrencies, and other alternative payment methods, it’s essential to stay vigilant. Ensure that any third-party service you integrate with adheres to best security practices. Additionally, keep an eye on the transaction fees and ensure they don’t erode your margins.

7. Regularly Update Systems and Software:
Cyber attackers often exploit vulnerabilities in outdated software. Regularly updating your e-commerce platform, plugins, and any other related software can fend off many potential threats.

8. Educate Your Staff:
Your employees should be well-aware of the best practices when handling customer data and transactions. Training them on recognizing potential phishing attacks or scams can prevent inadvertent breaches.

9. Offer Secure and Trusted Checkout Badges:
Displaying badges from recognised security providers can reassure customers and lead to a higher conversion rate. A badge is not a security control, however: it is an image that anyone, including the spoofed-merchant sites described earlier on this page, can copy. It should reflect real assessments (PCI DSS validation, a current TLS certificate, an independent vulnerability scan) rather than substitute for them.

While the convenience and versatility of digital payments can boost an e-commerce business’s growth, it’s imperative to stay proactive in risk prevention. By taking these considerations to heart and investing in robust security measures, businesses can ensure they provide a safe and seamless shopping experience for their customers.

Are you researching Risk Prevention solutions for your e-commerce business? The Merchant Fraud Summit can help!

Image by Rudy and Peter Skitterians from Pixabay