Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 20, 2023

The Ransomware Battleground in 2022

The Retail Payments Risk Forum team has been writing a lot about ransomware in Take on Payments since 2018, when criminals shifted their targets from consumers with small ransom payouts to large government entities, educational institutions, and healthcare industries with their deeper pockets. Some of the initial victims in the United States were the cities of Atlanta and Baltimore and Florida's Monroe County School District. As with consumer attacks, criminals get to the bigger targets primarily by using phishing or smishing messages to obtain account credentials. They then exploit known software security gaps and launch brute-force attacks.

The number of ransomware attacks has ebbed and flowed over these last five years. The FBI's Internet Crime Complaint Center (IC3) receives voluntary reports on ransomware attacks and, according to the most recent data, in 2021 there were 3,729 reported attacks with net losses of approximately $50 million. This was an increase of 51 percent from the previous year. Our June 2022 post highlighted findings of IC3's annual report and some of the tactical shifts made by the criminal organizations to further their success rate.

While the IC3 report for 2022 has not been released, reports from some private cybersecurity firms (for example, here and here) give perspective on the current ransomware environment. The findings in these reports reveal a dynamic battleground:

  • The number of attacks in 2021 declined but the focus on large companies and educational institutions continues. Some experts attribute the decline to the disruption of criminal organizations in Eastern Europe by the Russian invasion of Ukraine.
  • While initial ransomware attacks were limited to file encryption, criminals now also deploy data extraction. They threaten to sell or publish that data to coerce an increased ransom payment.
  • Ransom payments increased 144 percent in 2021 over 2020. The average reported ransomware payment in 2022 was $4.7 million. These attacks reflect a more diverse target base including smaller businesses, health care providers, and municipal governmental agencies.
  • Ransomware-as-a-service offerings have increased, making it easier for less sophisticated criminals to perpetrate these attacks.

From my perspective, the ransomware battle between the criminals and their targets continues unabated. Despite increased security and education efforts, ransomware is still identified by the FBI as the major cyber threat against business. Law enforcement has had some victories with high profile arrests but still struggles to keep up with the pace of ransomware activity.

Defenders against ransomware crime must remain agile. What new tactics and weapons can businesses and law enforcement deploy? Let us know what you think.

March 6, 2023

Is Your Tax Refund at Risk of Theft?

With the start of a new year, I create a folder labeled "tax documents." This is where I place the W-2s, 1099s, receipts, and other tax-related documents in advance of prepping our tax return, which we begin in earnest on February 1. Fingers crossed that by planning ahead and keeping careful records we avoid mistakes in our filing (and that we underpaid just a little bit).

Now, when I talk about tax return fraud, I'm not talking about mistakes or intentional misstatements, income omissions, or incorrect deductions. I am referring to what is classified as stolen identity refund fraud (SIRF). In this type of fraud, the criminal obtains your name and social security number and then proceeds to file a tax return as early as possible, claiming a refund. You, the victim, don't generally find out this has happened until, in the course of your own filing, you receive a message from the Internal Revenue Service (IRS) that a tax return has already been filed for your social security number. The criminal often arranges to have the refunds sent via the ACH network to money-mule accounts or loaded onto prepaid debit cards. Sometimes the criminal requests that a check be mailed to an address where they can steal the check out of the mail.

The operators of the ACH network have been active in combating tax return fraud, and the IRS and the Department of Justice have made the investigation and prosecution of SIRF a high priority. In 2017, the IRS spearheaded the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (the IDTTRF-ISAC, or just ISAC), a collaborative effort of the IRS, state agencies, and the private-sector tax industry. At the heart of the ISAC operation is a platform that collects SIRF data, performs aggregated analysis, and then distributes anonymized reports to the participants.

The IRS continues to support major education efforts to help filers reduce their exposure to the broader threat of identity theft. The IRS's Guide to Identity Theft is available in eight languages on the IRS website. An important tool for consumers to have is the IRS Identity Protection Personal Identification Number (IP PIN). The IP PIN is a six-digit number the IRS provides to the taxpayer to include with an electronic return. Originally available only to filers who had previously experienced tax return fraud, the IP PIN is now available to all consumers as of January 2021. You can find instructions on the IRS's website on obtaining one online or through an application. If you don't already have an IP PIN, I strongly encourage you to get one as soon as possible.

Best wishes as you gather all your tax documentation, and may you avoid the tax refund criminals.

August 22, 2022

Not-So-Common Scams Result in Large Losses

We often write in this blog about the scams that criminals seem to favor at the time and describe defenses that targeted individuals or companies can use to thwart these scams. The most popular continues to be the broad category of advance fee scams. I thought it would be helpful to review two other types of financial scams that are not so frequent but that can result in large losses for victims.

Cashier's check fraud
A genuine cashier's check is a direct obligation of the bank that sells it. In a more innocent time, cashier's checks were viewed "as good as gold." Regulation CC generally requires a bank to make the funds of a deposited cashier's check available the next business day, but a fraudulent cashier's check could take several days or weeks to be returned to the bank of first deposit.

Criminals use this time gap to their advantage. In some cases, the check is for the exact amount of the item being purchased, and the criminal departs with the goods. For remote purchases, the criminal may send the seller a cashier's check for an amount in excess of the purchase price: $1,500 instead of $1,000, for example. Then the criminal claims the amount was a mistake and asks the seller to send the merchandise as well as refund the overpayment. When the fraudulent check is returned, the seller is out not only the merchandise but also cold hard cash.

Fraudulent cashier's checks can be very difficult to spot given the advanced technology of printers and graphics software. Here is some fraud prevention advice:

  • Accept a cashier's check only from someone you know or trust.
  • Never accept a cashier's check with an amount higher than the purchase price.
  • Consider using an escrow service instead of a cashier's check, where the goods are held by a trusted third party until the payment funds are fully verified.
  • Be aware of the difference between when funds from a cashier's check become available versus when the check finally clears.

You can find more information about cashier's check fraud on the website of the Federal Deposit Insurance Corporation (FDIC).

High-yield investment fraud
In this type of scam, a fictitious financial institution or company, often located outside the United States, offers a risk-free, guaranteed return on a savings or investment instrument that is substantially above the market rate. The scammer claims to be able to achieve these returns by using sophisticated trading techniques involving "prime bank" financial instruments in foreign markets. Often, there is a promise that the funds are insured by a country's financial oversight agency or by the World Bank, a claim supported by certificates that look legitimate.

These scammers target their victims through advertisements in national and financial publications. They may also solicit victims with executive phishing attacks that have obtained contact information of high-net-worth individuals. The criminals assert that the victim will be part of an exclusive group and therefore should not discuss the investment with others, sometimes even requesting execution of nondisclosure agreements.

My prevention tip for this scam is to follow the old adage that "if it's too good to be true, it probably is."

If there are other financial scams that you think we should address, please let us know by leaving a comment.

July 11, 2022

Drawing the Line on Consumer Protection

Consumer protection regulations are designed to ensure that consumers are treated fairly in their dealings with a business. But what is fair from the perspective of the consumer is often quite different from that of the business when there is a dispute.

This post was triggered when I read an article about a series of lawsuits filed by consumers hoping to gain class-action status against financial companies in situations where the consumer has authorized an immediate payment from their account to someone who later turned out to be a fraudster. The consumers claim that they should be reimbursed by the financial institution because they were scammed.

Regulation E is quite clear on where the line is drawn as to the customer's liability in an electronic transaction. If the transaction is unauthorized, the customer's liability is generally zero as long as they report the transaction within a specified amount of time. The regulation is very specific in its definition of unauthorized: "an EFT from a consumer's account initiated by a person other than the consumer without authority to initiate the transfer and from which the consumer receives no benefit." In the cases discussed in the article I read, the consumers admit that they voluntarily initiated the push payment transactions, so the financial institutions appear to be justified in denying reimbursement because the transactions did not meet the definition of "unauthorized" and therefore the liability protections of Regulation E did not apply.

In a late 2021 post, I wrote about how banks in the United Kingdom have adopted a Contingent Reimbursable Model (CRM) that could give customers who are victims of authorized push payment scams some financial relief. The debate within the United Kingdom as to how equally the CRM is applied continues to this day, with consumers claiming that it doesn't go far enough to ensure that financial institutions fairly and uniformly evaluate a consumer's claims.

As push payment usage continues to increase in the United States, is there a need to redraw the line by implementing regulations that will give greater protection to consumers in such scams? While I am empathetic toward those who suffer these financial losses, I believe the payments industry has made a reasonable and good faith effort to educate customers when they should use authorized push payments and when they should not. What do you think?