The number of financial frauds that involve phishing for login details to electronic banking services is growing worldwide, including in Poland. Fraudsters use the Internet and the telephone, impersonating, among others, the Polish Financial Supervision Authority, the Credit Information Bureau or banks. As the Bank Cyber Security Center of the Polish Bank Association points out, the methods used by criminals include telephone calls in which unidentified people contact potential victims, pretend to represent well-known financial institutions and try to obtain sensitive data used, for example, to log in to electronic banking. Fraudsters can also persuade the people they call to install software on their computer or phone that allows them to take control of the victim’s device and obtain further data, such as logins and passwords for banking services, as well as SMS codes authorizing financial transactions.
There is also growing pressure on payment systems to reduce the risk of payment fraud, especially to protect the users of financial payment methods against malicious viruses and malware. The most common types of financial crime, and suggested methods of implementing protection against them, are presented below.
Payment card fraud can be presented as a low-risk, high-profit criminal activity. It can be split into two types: card-not-present fraud, which occurs largely online, and card-present fraud, which typically occurs at retail outlets and ATMs.
Victims of unauthorized payment card fraud are legally protected against losses. Industry analysis indicates that banks and card companies refund customers in over 98 per cent of cases.
Debit and credit card fraud occurs when someone uses your card without your permission. Even if a criminal doesn’t have your physical card in hand, they can still make unauthorized transactions with your credit card number, PIN and security code. Someone could even use your card information to try to gain access to your other accounts. Either way, fraudulent activity could potentially hurt your credit in several ways, such as by causing your credit card balances to spike.
Card-not-present fraud involves the unauthorized use of credit or debit card data (the card number, billing address, security code and expiry date) to purchase products and services in a non-face-to-face setting, such as via e-commerce websites or over the telephone. In the majority of cases, the victims are unaware of the unauthorized use of their cards, which remain in their possession.
Often referred to as carding, this type of illegal activity has grown steadily, as compromised card details stolen by means of data breaches, social engineering attacks, data-stealing malware and phishing tools become more readily available on forums, marketplaces and automated card shops in the deep web and Darknet.
Criminals also use social media profiles to advertise the ‘sale’ of discounted goods to consumers. When a customer goes to buy the product, the criminal uses stolen card details to purchase the item from a legitimate source and then keeps the payment from the customer. More than 1,600 social media accounts linked to scam activity were taken down last year following the work of the DCPCU, a specialist fraud squad funded by the banking and finance industry, which has been working with social media platforms to identify accounts which feature posts relating to payment crime.
Counterfeit fraud occurs when a criminal skims or copies the data held on the magnetic stripe of a legitimate credit or debit card and uses this data to create a fake plastic card, which contains the real card’s details – this is known as a counterfeit card. This card is then used to purchase goods or services or to withdraw cash at ATMs in countries that have not yet implemented Chip and PIN technology.
Card skimming can occur by means of a small handheld skimming device when the cardholder is paying for goods and services. It can also happen at ATMs if a criminal attaches a skimming device to the ATM. For skimmed card data to be of greatest use to the criminal, they also need to know the PIN number for the card.
With skimming at an ATM, the criminal usually also attaches a micro-camera to the ATM that records the PIN being entered. Both the skimmer and the camera are well hidden and often hard to detect.
When skimming occurs while paying for goods or services, the criminal will usually try to observe the cardholder while they are keying in their PIN.
Counterfeit card losses totalled £12.8 million in 2019, a decrease of 21 per cent compared to 2018 and 92 per cent lower than the peak reported in 2008 (£169.8 million).
Card ID theft occurs when a criminal uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account held in someone else’s name. This type of fraud is split into two categories: third-party application fraud and account takeover fraud.
Losses due to card ID theft decreased by 20 per cent in 2019 to £37.7 million, with the number of cases decreasing by 15 per cent to 54,165. Intelligence suggests that the main driver of card ID theft is data harvesting by criminals through methods including phishing emails, scam texts and the theft of mail from external mailboxes and multi-occupancy buildings.
‘Card never arrived’ fraud occurs on cards ordered by a customer that they never receive. When you make an application for a credit card, 99% of the time that card will be sent to you in the mail. Card-never-arrived fraud is what happens when that card is either intercepted before it arrives or, more likely, simply stolen from your letterbox.
Criminals typically target properties with communal letterboxes, such as flats and student halls of residence, and external mailboxes to commit this type of fraud. People who do get their mail redirected when they change address are also vulnerable to this type of fraud.
To protect against this type of fraud, the Australian Payments Network recommends installing a lockable mailbox, or at the very least checking your mailbox regularly.
Card not received fraud losses fell by 17 per cent in 2019 to £5.2 million.
UK retail face-to-face card fraud covers all transactions that occur in person in a UK shop. Fraud losses on face-to-face purchases on the UK high street decreased eight per cent in 2019 to £64.3 million.
The majority of this fraud is undertaken using low-tech techniques, with fraudsters finding ways of stealing the card, and often the PIN, to carry out fraudulent transactions in shops. This includes criminals using methods such as ATM card entrapment and distraction thefts, combined with shoulder surfing and PIN pad cameras. Criminals also use various social engineering methods to dupe victims into handing over their cards on their own front doorstep, often known as courier scams.
These figures cover fraudulent transactions made at cash machines in the UK, either using a stolen card or where a card account has been taken over by the criminal. In all cases the fraudster would need to have access to the genuine PIN and card. Some losses result from cardholders keeping their PIN written down in a purse or wallet, which is then stolen, or from distraction thefts in shops and bars.
Criminals use a variety of methods to target cash machines, including card skimming, when they fit a small device in the slot of the ATM or use a concealed device to capture your PIN. They may also use a technique called card trapping, when a device is fitted to the card slot to stop your card being returned to you. They can also simply watch over your shoulder when you are using an ATM or card machine. The criminal then steals the card using distraction techniques or pickpocketing.
This category covers fraud occurring in locations overseas on UK-issued cards. The majority (86 per cent) of this type of fraud is attributed to remote purchase fraud at overseas retailers. This category also includes cases where criminals steal the magnetic stripe details from UK-issued cards to make counterfeit cards which are used overseas in countries yet to upgrade to Chip and PIN. International fraud losses for 2019 were £170.7 million, compared with losses at their peak in 2008 of £230.1 million, a decrease of 26 per cent.
Cheque fraud losses increased to £53.6 million in 2019. The volume of fraudulent cheques increased by only 41 per cent, indicating that a small number of high-value fraudulent transactions led to the rise in losses last year, rather than any change to the longer-term trend.
Intelligence suggests the increase was largely a result of fraudsters targeting high-value corporate accounts, where losses per case are typically far higher than on individual customer accounts. Personal customers only accounted for a small fraction of the total losses. This raises the question of whether large firms need to enhance the security features on cheques to deter fraudsters. It also reflects better awareness among consumers of the risks of fraud, due in large part to industry-led educational campaigns. A total of £550.8 million of cheque fraud was prevented in 2019, up by 152 per cent on 2018.
Fraudsters convince the victim to install a program that allows them to take control of the computer remotely. In some cases, they do this under the guise of “training” before the victim uses an investment platform. In others, the victim is contacted by alleged representatives of the bank or brokerage house in which the client has an account. By taking advantage of customers’ trust, they take control of their computer and perform a series of transactions from their bank account.
Remote banking fraud totalled £150.7 million in 2019, one per cent lower than in 2018. The number of cases of remote banking fraud increased by 38 per cent to 43,906. This reflects the greater number of people now regularly using internet, telephone and mobile banking, and attempts by fraudsters to take advantage of this. In 2019, 81 per cent of the adult population used at least one form of remote banking.
In an authorized push payment scam, a criminal tricks their victim into sending money directly from their account to an account which the criminal controls. Criminals’ use of social engineering tactics through deception and impersonation scams is a key driver of authorized push payment scams. Typically, this involves the criminal posing as a genuine individual or organisation and contacting the victim using a range of methods including via the telephone, email and text message. Criminals also use social media to approach victims, using adverts for goods and investments which never materialize once the payment has been made.
Losses due to authorized push payment scams were £455.8 million in 2019. This was split between personal (£317.1 million) and non-personal or business (£138.7 million). In total there were 122,437 cases relating to a total of 121,658 victims. Of this total, 114,731 cases were on personal accounts and 7,706 cases were on non-personal accounts.
The increase in online shopping has provided criminals with a new opportunity to trick people into paying for goods and services that don’t exist, often advertised via auction sites or social media with images taken from genuine sellers to convince you they’re the real deal. Criminals also use cloned websites with slight changes to the URL to trick you into thinking you’re purchasing from a genuine website. They may also ask for payment prior to delivery and send you fake receipts and invoices that appear to be from the payment provider.
Purchase scams were the most common form of APP scam in 2019, with the 73,336 cases accounting for 60 per cent of the total number of APP scam cases. A total of £59 million was lost to purchase scams in 2019, with the vast majority of losses being from personal accounts. Payment service providers were subsequently able to return £9.7 million of the losses. Typically purchase scams involve lower-value payments, with the smaller average case value meaning that they accounted for only 13 per cent of the total value of APP scams.
Investment scams involve promises of big payouts, quick money or guaranteed returns. Always be suspicious of any investment opportunities that promise a high return with little or no risk. A criminal convinces their victim to move their money to a fictitious fund or to pay for a fake investment. The criminal will usually promise a high return in order to entice their victim into making the transfer. These scams include investment in items such as gold, property, carbon credits, cryptocurrencies, land banks and wine.
The criminals behind investment scams often use cold calling to target their victim and pressurize them to act quickly by claiming the opportunity is time limited. Email, social media and letters are also used in investment scams, with criminals seeking to take advantage of recent pension reforms. FCA analysis suggests that the rise in investment fraud is being driven in part by criminals targeting consumers online, for example through adverts on search engines or social media channels.
A total of £95.4 million was lost to investment scams in 2019, with payment services providers subsequently able to return £12.3 million. The nature of the scams means that the sums involved in individual cases can be higher, so while investment scams accounted for only six per cent of the total number of APP scam cases, they accounted for 21 per cent of the total value.
Romance scammers create fake profiles on dating sites and apps, or contact their targets through popular social media sites like Instagram, Facebook, or Google Hangouts. The scammers strike up a relationship with their targets to build their trust, sometimes talking or chatting several times a day. Then, they make up a story and ask for money. Once they have established their victim’s trust, the criminal will then claim to be experiencing a problem, such as an issue with a visa, health issues or flight tickets and ask for money to help.
A total of £18.1 million was lost to romance scams in 2019. The nature of the scam means that the individual is often convinced to make multiple, generally smaller, payments to the criminal, as indicated by an average of around five payments per case. Romance scams accounted for two per cent of the total number of APP scam cases in 2019 and four per cent of the total value. Payment service providers were only able to return £2.4 million of the losses, often due to the fact that the payments were made over an extended period meaning the criminal had moved the money by the time the scam was reported.
An advance fee scheme occurs when the victim pays money to someone in anticipation of receiving something of greater value—such as a loan, contract, investment, or gift—and then receives little or nothing in return.
The variety of advance fee schemes is limited only by the imagination of the con artists who offer them. They may involve the sale of products or services, the offering of investments, lottery winnings, “found money,” or many other “opportunities.” Clever con artists will offer to find financing arrangements for their clients who pay a “finder’s fee” in advance. They require their clients to sign contracts in which they agree to pay the fee when they are introduced to the financing source. Victims often learn that they are ineligible for financing only after they have paid the “finder” according to the contract. Such agreements may be legal unless it can be shown that the “finder” never had the intention or the ability to provide financing for the victims.
Advance fee scams were the third most common form of APP scam in 2019, accounting for nine per cent of the total number of cases. A total of £17.2 million was lost to advance fee scams last year, meaning by value these scams accounted for four per cent of all APP scams.
These scams happen when criminals pose as a regular supplier and persuade you to change the bank account details you hold on file. You’re then tricked into sending money to the account which is controlled by a criminal rather than the genuine supplier. Criminals carry out extensive research about your business to find out who your suppliers are and when regular payments are due. These scams often involve a criminal intercepting emails, gaining access to your supplier’s email account or spoofing their emails.
Invoice and mandate scams were only the fourth most common type of APP scam in 2019. However, they resulted in the largest share of losses at 25 per cent, totaling £114.1 million. The majority of losses by value, some £82.4 million, were from non-personal or business accounts, where the average payment was £16,209. This reflects the fact that businesses make higher-value payments more regularly.
CEO Fraud is a type of spear-phishing email attack in which the attacker impersonates your CEO. Typically, the attacker aims to trick you into transferring money to a bank account owned by the attacker, to send confidential HR information, or to reveal other sensitive information. The fake email usually describes a very urgent situation to minimize scrutiny and skepticism.
To commit the fraud, the criminal will either access the company’s email system or use spoofing software to email a member of the finance team with what appears to be a genuine email from the CEO. The message commonly requests a change to payment details or for a payment to be made urgently to a new account. CEO fraud was the least common form of APP scam in 2019, accounting for less than one per cent of total cases. A total of £17.8 million was lost, equivalent to four per cent of the total case value.
In this scam, the criminal contacts the victim purporting to be from either the police or the victim’s bank and convinces the victim to make a payment to an account they control. These scams often begin with a phone call or text message, with the fraudster claiming there has been fraud on the victim’s account, and they need to transfer the money to a ‘safe account’ to protect their funds. However, the criminal controls the recipient account. Criminals may pose as the police and ask the individual to take part in an undercover operation to investigate ‘fraudulent’ activity at a branch.
To commit this fraud, the criminal will often research their victim first, including using information gathered from other scams and data breaches in order to make their approach sound genuine.
In this scam, a criminal claims to represent an organisation such as a utility company, communications service provider or government department. Common scams include claims that the victim must settle a fictitious fine, pay overdue tax or return an erroneous refund. Sometimes the criminal requests remote access to the victim’s computer as part of the scam, claiming that they need to help ‘fix’ a problem.
A total of £50.2 million was lost to this type of scam in 2019, with payment service providers subsequently able to return £15.9 million. ‘Impersonation: other’ scams accounted for seven per cent of all APP scam cases last year, representing 11 per cent of total losses.