Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
June 1, 2020
My Dog the Cybercriminal
As I write, my dog Coco gazes at me soulfully in a bid to wrangle a bite of my peanut butter sandwich or, even better, the whole sandwich. This cute yet parasitical behavior is typical. In fact, after some weeks of close association, I have come to realize that Coco exhibits not only the skills but also the personality traits of a cybercriminal:
- She tracks my every move and knows when she's most likely to get a treat, just as scammers prepare for phishing attacks by learning about a business's vendors, billing systems, and "even the CEO's style of communication."
- She leaps at opportunities—butter on a counter, an open dishwasher—just as scammers are leaping at the chance to steal Economic Impact Payments, as Take On Payments reported in early May.
- She balances work and reward. Coco knows the difference between kibble and mozzarella cheese and differentiates her efforts accordingly. In trainer lingo, the mozzarella is a "high-value treat," analogous to the personal information a criminal might be able to obtain via health care and Medicare fraud.
- She repeats successful tactics, like counter surfing. Similarly, perpetrators of the "grandparent scam" know that what worked with imaginary bachelor parties in 2019 will work with imaginary emergency hospitalizations in 2020.
- She's persistent. Again and again, she noses my hand away from my keyboard. Eventually, a treat or walk will ensue. Again and again, scammers email fraudulent COVID-19 cures and investment opportunities in the hope of eventual success.
- She adapts. How can she get the treat? Sit? Lie down? Roll over? Sit again? Criminal enterprises continually experiment and adjust, for example, by changing the threat of shut-off in the "classic utility scam" to an offering of discounts on utility bills.
- She's adorable. Every dog is, but trust me, Coco is especially adorable, just like the photo in a phishing email posing as an appeal from a worthy charity.
- She is utterly unconcerned with the needs and preferences of others: the criminal mind at work.
No doggy day care. No walker. Me and Coco, 24/7. Did I mention that she's adorable?
If you sight any of these doggy behaviors, you can report coronavirus-related complaints to the Justice Department National Center for Disaster Fraud.
May 11, 2020
Seeing the Future through a Morning with Fifth Graders
Early in March, I spent the morning with four fifth-grade classes at an elementary school as part of their college and career day. My son had asked me not to talk about writing blogs and papers but rather to talk about "cool" things in payments and fraud. So that's exactly what I did with each class for 15 minutes, leaving the remaining 10 minutes of the time for questions or discussion. Looking back, I wish I had allotted more time for the final portion because these fifth graders were as engaging an audience as I have ever had. I left the school with two thoughts that I think the payments industry could find valuable, so I thought they would be worth sharing with our readers today.
First, I was surprised by the general level of awareness that the fifth graders exhibited around online safety. Many had stories to share of both successful and unsuccessful attempts of their relatives being scammed online or through the phone. Others shared stories of their parents' bank accounts or cards being compromised. Several students talked about how they search safely on the internet. I was probably naïve going into the day about their level of knowledge and awareness, seeing that these kids have grown up with this technology as a part of their daily lives, but call me impressed that many of them are well aware of dangers lurking and eager to learn how to better protect themselves.
Second, I was blown away by the kids' access to and use of smart-assistant speakers. I have heard a number of people project that speech recognition is the future of commerce and if the kids I met with are any indication of their generation, then I think I can get on board with those projections. In an unscientific survey, I would estimate that nearly 90 percent of the kids had access to at least one smart-assistant speaker, and amazingly 75 percent had one in their room. Without naming any names, one company dominated this space for the group. While the "phone" aspect of the mobile phone for many kids is foreign as it's primarily used as a camera or texting device, it seems that they actually are comfortable having a conversation with a speaker.
As I walked back to my car, my mind was filled with thoughts about the future. On the one hand, I was smiling because this young generation is going to be better prepared in understanding the risks of the cyberworld that will continue to play a more prominent role in our lives. People will always be vulnerable but I left with confidence that our young people are aware that there are bad people lurking behind computer screens. On the other hand, my mind was spinning because I predict that commerce through a smart-assistant speaker will be as common a practice for them as dipping a card is for me. How different that world will look from where we are today!
May 4, 2020
Economic Impact Payments a Target for Fraud
Take Sutton's law, an old crook's advice—"Go where the money is"—and apply it to the fact that times of crisis are also times of prime hunting for fraudsters. And, in this time of crisis, the money is where the Economic Impact Payments (EIPs) are. This post breaks down some of the common fraud schemes the criminals are using to go after these payments.
The IRS has begun sending EIPs to eligible taxpayers. The EIPs are being disbursed either through direct deposit (via ACH) or by paper check. The first wave, an estimated 81 million payments, went to those who had provided their bank account information when filing their 2018 or 2019 taxes or through other federal programs. The IRS will continue sending payments over the coming months.
The first round of check EIPs was mailed with a pay date of April 24. It is estimated that five to seven million EIP checks will be mailed every week. Mailbox check theft and counterfeit checks are the two biggest concerns for EIP checks. Citizens, retailers, and financial institutions should know how to protect themselves from being victims of counterfeit U.S. Treasury Checks. To mitigate fraud risk, the U.S. Secret Service is partnering with the U.S. Treasury in a Know Your U.S. Treasury Check Campaign.
The direct deposit EIPs, which first posted April 15, are proving a little more difficult to combat. While fraudsters may not be able to misroute the EIP funds, they are using phishing emails or vishing calls to pose as EIP recipients' legitimate payments service providers and extracting personal information to facilitate future fraudulent transactions.
So expect a significant increase in account takeover attempts as fraudsters go after these funds. Cash-outs using person-to-person transfer services are often the first-choice channel, especially given the dollar values. Account takeover is often accomplished with social engineering or scams including pleas for help. Anticipate attempts of fraud by fake or spoofed websites, as well as social media messages requesting money or personal information. Some scammers are trying to collect "fees" from consumers to allow them to receive their EIPs. Others are impersonating the IRS in calls, emails, or texts, claiming they need to verify receipt of EIPs by getting financial, banking, or personal information. The IRS does not and will not communicate in this manner.
A further consideration around ACH EIPs is that financial institutions receiving these direct deposits are not required to match the name of the account with the name on the EIP, which means that a recipient's funds could be deposited into another person's account. Taxpayers should be aware that if they provided the account information of their tax preparers (or of the preparers' third-party vendor) on their tax returns, there will be delays in receiving their payments. Compounding this is the risk that those third parties may be unscrupulous and pocket the return money. This has happened with regular tax refunds, but the risk is heightened when so many are experiencing extreme economic hardship.
Stay up to date on trends and report fraud attempts using the following resources:
- FTC Coronavirus EIP Scams and FTC Complaints
- NACHA Current Fraud Threats
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3)—accepts online internet crime complaints
- Internal Revenue Service information about phishing and other scams; forward suspicious emails to firstname.lastname@example.org
April 27, 2020
My Internet Journey of Self-Discovery
I don't know how many times my social security number has been compromised, much less any other personally identifiable information (PII). Knock on wood, so far I have avoided identity theft, synthetic or otherwise. I have taken all of the recommended steps to protect myself—I get fraud alerts on my credit reports, I've implemented identity monitoring, and so forth. However, given that hackers frequently sell stolen data online, I fear my social security number lingers on the dark web in perpetuity, waiting to be compromised at any time. My curiosity being what it is, I set off on the interwebs to see what I could find.
An internet search string asking "How many times has my personal data been breached?" returned some interesting results. According to the website Have I Been Pwned?, a searchable repository of data breaches, my personal email address has been breached at least a dozen times going back to 2008. Not all these instances were known to me—I do not recall having a MySpace page! I have also been notified of other breaches that were not listed here, including from financial services companies and medical providers, so the number is surely higher.
I was surprised to learn that my email address was discovered in multiple credential stuffing lists, including "Collection #1," a large collection of credential stuffing lists discovered in January 2019. According to Have I Been Pwned, 773 million unique email addresses and passwords were included. Credential stuffing is an automated cyberattack where criminals attempt to gain fraudulent access to user accounts through use of these types of collections of user names and passwords. On the bright side, if there is one, the website indicated that none of my information had been "pasted," meaning posted on public content-sharing websites frequented by hackers. For over a decade, I have used a password vault to generate and store all of my user profiles and account logins and currently have over 200 different records. I do not reuse passwords, especially for profiles that have payments instruments tied to them, and I believe this practice has provided some measure of protection from this type of activity.
The next stop on my journey was the credit bureau to see what else I could learn about the state of my PII. Experian offers consumers a free "Dark Web Internet Surveillance Report." Although five associated records were located, according to this source, my social security number is currently not on the dark web.
My identity protection monitoring service was the final stop to review my digital exposure report on information about me found on the internet. Relief! My exposure is consistent with the reports from the other sources.
I would rate myself as average in terms of my digital footprint and doubt my internet habits differ from most people's. I doubt my breach experience differs much, either, but from this journey, I've discovered that the safeguards I have in place to protect my personal information seem to be working. Have you taken an internet journey to discover where your personal information may reside? What steps have you taken to ensure your identity remains safe?