Now that criminals have milked the bulk of their opportunities related to pandemic relief efforts, they are turning their attention back to their old standby, payments-related fraud. Not surprisingly, their target of choice is e-commerce, which has rocketed due to restrictions on the number of consumers allowed in physical stores and a general preference for purchasing digitally, according to Visa Inc.’s Biannual Payment Ecosystem Report.
In the back half of 2020, curbside-pickup fraud in particular flourished as many merchants added order-online, pick-up-curbside capabilities. What makes curbside pickup vulnerable to fraud, the report says, is the lack of controls around order and buyer verification.
“For example, merchant employees often only required the order-verification number and did not check cardholder ID or implement additional authorization checks,” the report says. “Banks also had to adapt fraud models to account for this significant shift in activity, which made capturing fraudulent activity in this channel difficult.”
The spike in curbside-pickup fraud is not surprising, as it was a problem prior to the pandemic, says Julie Conroy, research director for Boston-based research firm Aite Group.
“There is a whole class of merchants that have had to contend with e-commerce and card-not-present transactions that never had to prior to the pandemic, so it’s no surprise that this type of fraud is rising,” Conroy says. “We are constantly hearing from merchants [that] there has been a 25%-to-30% uptick in card-not-present transactions during the pandemic and that card-not-present fraud is rising at a commensurate rate.”
According to Aite Group, card-not-present fraud losses are projected to total $7.9 billion in 2021, up from an estimated $7.2 billion in 2020.
In addition to the rise in curbside-pickup fraud, enumeration fraud remains a leading threat. In this scheme, criminals use automated programs to test combinations of payment data via e-commerce transactions to identify the account number, CVV2 code, and/or expiration date.
“Threat actors adapted to the Covid-19 pandemic by illicitly creating and subsequently using Covid-19-related merchant names to conduct enumeration attacks, as well as targeting donation-related merchants,” the Visa report says.
Another growing threat is point-of-sale malware attacks, in which criminals target e-commerce merchants to obtain compromised payment accounts. Despite the increase in these types of attacks, criminals are still targeting a small percentage of physical merchants with them.
POS malware attacks are intended to harvest Track 1 and Track 2 magstripe data from the merchant’s point-of-sale environment. The attacks are usually launched by sending a merchant a phishing email that launches the malware into the merchant’s POS system when the message is opened or when the merchant clicks on a link in it.
“These types of attacks are a throwback to the days before chip cards, when mag-stripe data was stolen for counterfeit cards,” says Conroy. “Today, counterfeit cards can only be used at merchants that don’t have terminals with chip readers or online merchants that don’t require a CVV2 number.”
Another problem around POS malware is that criminals typically target small merchants for attack and then repackage the data into a large bundle for sale on the dark Web. When the data is sold in bulk, it becomes difficult to detect the actual point of compromise, Conroy says.
“Fraud thrives on confusion and fear, and now that criminals are through focusing on pandemic relief fraud, they are returning to the type of fraud they were committing prior,” says Conroy.