Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
March 13, 2017
Phone Scams and Phishing
According to a recent report from the Anti-Phishing Working Group (APWG), more phishing attacks were recorded in 2016 than in any prior year since the group began monitoring in 2004. The APWG defines phishing as a criminal mechanism employing both social engineering, often through the use of email, and technical subterfuge to steal consumers' personal identity data and financial account credentials.
While phishing attempts through electronic channels are undoubtedly up, the telephone call remains a valuable tool for fraudsters. The Federal Trade Commission (FTC) just released its 2016 Consumer Sentinel Network Data Book and revealed that of the fraud-related complaints it received in 2016 with the method of initial contact reported, 77 percent of the respondents claimed that initial contact was made via telephone. Only 8 percent reported email as the method of initial contact. Thinking broadly about these reported trends by the APWG and the FTC, I have two observations:
- No doubt phishing emails are a growing concern based on the data from the APWG. The FTC data just might reveal what I have been hearing for the last few years: the sophistication of phishing schemes is increasing each day. About 45 percent of the fraud complaints filed with the FTC did not report the method of initial contact. Maybe these individuals did not want to report that information. Or with the increasing sophistication of phishing emails, perhaps many of these individuals still do not realize that email was in fact the entrée for fraudsters to obtain payment, personal, or financial information. Educating the public and our employees to recognize phishing emails is vitally important.
- Phone scams are likely to increase as chip-enabled EMV cards and their acceptance become more widely adopted, making it more difficult for fraudsters to conduct counterfeit card fraud. Look no further than the United Kingdom, where the Financial Fraud ActionUK's Fraud The Facts 2016 report notes that overall financial fraud increased by 26 percent from 2014 to 2015, due in large part to the growth of impersonation and deception scams. It further notes that these scams typically involve a phone call, text message, or email. With the FTC reporting a 40 percent increase in the number of fraud complaints from 2014 to 2016, with the telephone being the initial method of contact, it is imperative for individuals to carefully handle calls before providing sensitive information.
The Retail Payments Risk Forum often stresses the importance of consumer education, as fraudsters often see the consumer as a weak link. Education is critical to preventing individuals from falling for phishing emails or phone scams. We strongly encourage individuals to exercise caution before opening attachments within emails or sharing personal or financial information over the phone. And before making good on an unexpected payment request from an email or phone call, it's a great practice to directly reach out to the payee through a known legitimate email address or phone number. For more information about recognizing and handling telephone scams, visit this FTC web page.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 18, 2016
The 411 on Banning the RCC
Are you proficient in recognizing phone scams? One that I've frequently experienced is when the caller tells me I've won a cruise and all I have to do is pay the taxes. To help combat phone fraud, the Federal Trade Commission (FTC) amended the Telemarketing Sales Rule. Part of the amendment prohibits payment types commonly used in deceptive and abusive telemarketing practices. Effective June 13, 2016, telemarketers can't ask for payment by cash-to-cash money transfers, PINs from cash reload cards, or bank account information, which would allow them to create a remotely created check (RCC). Fraudsters prefer RCCs because reversals are more difficult, notes the FTC. In particular, RCCs sail quickly through the clearing and settlement process making for easy collection by fraudsters and clunky adjustment processes for financial institutions.
Financial institutions (FIs) are the gatekeepers to payment systems and, with the amendment to the rule, have a new risk for what their customers do. FIs have always had the compliance risk of understanding their customer's business. As an FI, how would you know if you had a telemarketing customer already on board or one attempting to apply today? Further, how would you know if a current customer is accepting payment via RCC, since RCCs look like traditional checks? If you have third-party processors as customers, these questions become more difficult. Then, the risk is to identify if your customer's customer is a telemarketer processing banned payments through your bank.
Most agreements between FIs and business customers typically include a clause binding their customers to process payments in compliance with applicable laws of the United States. What additional steps should FIs take to manage the risks that apply to different industries and different payment types?
There are limited ways to identify RCCs because such items are cleared like traditional checks. Effective November 2015, the standards for the MICR (magnetic ink character recognition) line were changed to include a "6" in a certain position in the line to indicate an RCC. This is a standard and not a requirement. But if the 6 is used, that is one way to identify an RCC. If the standard is not used, nothing uniquely identifies an item as an RCC unless one examines the signature block on the check, since RCCs have no signature. An FI or a processor may not have the ability to look at every item included in every deposit, but could have random testing in place to attempt to identify the illegal use of RCCs.
Another indicator of deceptive practices by a business customer is anomalies in return rates. A large number of adjustments may signal that abuses are taking place. An RCC is often confused with an ACH entry and some telemarketers may convert their RCCs to ACH to spread out alarming return rates.
It will be all hands on deck to stop abusive RCC practices, but the FTC has charted the course with its new rulemaking.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 20, 2015
Phone Scams: Still Calling Around
With 2014 filled with news about data breaches and faster payments and new technologies trying to jumpstart various payment applications, it was easy to forget about that old-fashioned device, the telephone, and the role it can play in fraud. (It's been almost a year since I wrote the post "Phone Fraud: Now It's Personal!" about fraud schemes involving telephones.)
Pindrop Security recently released some research on the most frequent consumer phone scams, reminding us of how criminals can use a low-tech device combined with high-tech research tools to scam millions of consumers out of tens of millions of dollars each year.
We can generally place the underlying tactics of the scams into one of four categories:
- Scare tactics. Often, the caller poses as a governmental agency official such as an IRS agent or law enforcement officer and advises the victim they have an outstanding debt or arrest warrant. The caller tells the victim to send in a certain amount of money immediately to cover the debt or pay a fine—or be arrested, have a lien placed against the home, or face other serious actions. The criminal's goal is to obtain funds directly from the victim.
- Attractive offers. In this type of scam, the caller generally wants the victim's payment card or bank account number—although, as we outlined in an earlier post on advance fee scams, the caller may also be after direct payments. The offer may be for anything from a free vacation to a government grant, or from a reduction in the victim's mortgage or credit card interest rate. In any case, the caller insists the victim pay a handling fee. Sometimes, the caller asks questions about the victim's banking accounts to make sure the victim "qualifies" for the special offer. With the information obtained, the fraudsters generate payment transactions or use that information for future identity theft efforts.
- High-pressure techniques. Most scams involve high-pressure techniques; the criminals want to create a sense of urgency to get the victim to act quickly, without thinking. A common scenario is when the caller tells the victim that his or her bank account or payment card has been frozen because of suspicious activity and then urges the victim to provide sensitive account information to restore the account to normal status. The caller can then use the information the victim has provided to initiate fraudulent transactions or identity theft.
- Information-gathering. A criminal may call to get "additional" information about a customer to go into an identity profile that the criminal can use later in committing an identity theft crime. Often the criminal has already gathered some information about the targeted victim through social media or public records to weave into a cover story about why they are requesting the information to make the story more believable.
Since any of us can be a target of such calls, we must educate ourselves—and the public and our colleagues—about these scams constantly so we can all be on the alert and safeguard our accounts and personal information.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Phone Scams: Still Calling Around:
February 24, 2014
Phone Fraud: Now It's Personal!
One recent Sunday evening, I received a call on my mobile phone from a number with a 374 area code. I did not recognize this number, and it wasn't in my stored contacts. I answered the call, and there was that brief pause that alerted me it was likely a mass marketing call. I was getting ready to launch into my standard "No, thank you, and this number is on the Do Not Call registry, so please don't call again," when a female voice with a strong foreign accent identified herself as a representative from the Microsoft Windows Security Center. "Microsoft" and "security" are two words that are likely to grab anyone's attention quickly, so I stopped myself. She then asked me to verify that I had a computer running Microsoft Windows. I mean, who doesn't but the most diehard Apple user? All kinds of warning bells were sounding in my head, but I played along to see where this routine was going.
In a recent post, I wrote about the growing problem of criminals targeting bank call centers. Well, criminals target consumers, too. Sometimes the callers claim to be representatives of the consumer's financial institution, and they try to get account or payment card information. I ended the post post with descriptions of some of the new technology being used to fight against this type of fraud. Unfortunately, most consumers don't have access to the technology the banks do to help identify the fraudsters.
But back to my call. The caller informed me that the Microsoft Windows Security Center had received a message that my computer was infected with a virus. She added that the Security Center had a download available to remove the virus and protect my computer, it would cost only $19.99, and she could take payment over the phone with a credit card. I asked which of my computers sent the message because I didn't want to pay to have the download put on noninfected computers. My response seemed to confuse her. But then she said that the download could be installed on up to three computers at no additional charge—what a bargain! I then told her a security scan the night before had found nothing wrong and I didn't believe she was from Microsoft, and I hung up. When I tried to trace the phone number, I learned there is no 374 area code in the United States, but 374 is Armenia's country code.
While the earlier post showed the need for financial institutions to use a cross-channel fraud mitigation strategy, we must always keep in mind that consumers are also under frequent attack. As we at Portals and Rails have stated many times, continuing education is a vital factor in helping customers protect their money, and this experience only reinforces that need. I was informed enough to sniff this call out for the scam that it was, but would my 84-year-old mother-in-law have been as savvy? Maybe I should give her a call to make sure!
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Phone Fraud: Now It's Personal!:
- FIDO Tightens Authentication's Leash
- Staging the ATM
- Can Migrants Teach Us Anything about Millennials?
- Responsible Innovation, Part 2: Do Community Financial Institutions Need Faster Payments?
- Calculating Fraud: Part 2
- Watching Your Behavior
- Responsible Innovation Part 1: Can Community Banks Remain Competitive?
- The Year(s) of Ransomware
- What Canada Knows That We Don't
- Calculating Fraud: Part 1
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud