Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
June 29, 2020
How Do You Love Me? Let Me Count the $$$$
The COVID-19 pandemic has affected everyone's life in some way. Sadly, criminals prey on the chaos created by such situations. We posted back in 2014 about a variety of advance fee scams where victims are duped into sending funds to the criminal, and more recently mentioned these scams in a post about elder financial exploitation. The latest figures from the Federal Trade Commission show that approximately 25,000 consumers reported losses of $201 million in 2019—nearly 40 percent more than in 2018—from romance scams. And this figure is only for reported losses. While the elderly are often a target, victims are adults of all ages and genders. With the social isolation created by the pandemic, romance scams appear to be increasing at a faster pace.
A romance scam often starts with the criminal placing a false profile on an internet dating site. In some cases, the website is completely fraudulent with a large base of false identities, and it collects payment card information for subsequent fraudulent transactions in addition to operating the advance payment scam. After some message exchanges on the dating site, the scammer will encourage the victim to use a private communication channel such as email or text messaging. In the past, the criminal would usually avoid video chats to reveal their true identity. Today, however, these criminal efforts have become increasingly sophisticated. They often have the same person whose photograph they used on the site do these video chats. The criminal will often claim to live or work in a foreign country or at considerable distance from the victim to discourage the victim from visiting. The scammer will often research social media sites to gain more information about the victim's hobbies and interests to help convince the victim that they are "true soulmates."
The criminal tries to deepen the relationship with frequent claims of affection and may even send small-value gifts to the victim to build trust. Once the criminal believes they have the victim "hooked," the financial requests begin. Often it will be a request to send money to pay for medical services for a close relative, or to help the scammer get through some financial hardship. The criminal may also request nonfinancial items, including intimate photographs or videos to be used for extortion later. There may be a request for money or payment card information for the scammer to purchase an airline ticket to come visit the victim, a trip that never happens due to a sudden illness or other excuse.
Education is the key to the prevention or early detection of such a scam. The FTC recommends the following:
- Never send money in any form to someone you haven't actually met. If someone you've met online asks you for money, report it to the Federal Trade Commission (FTC) at ftc.gov/complaint.
- Perform a reverse image search of the person's profile picture to see if it matches with another person's name or if there are other discrepancies. (Some apps provide this service, as does at least one search engine.)
- If you discover that you are, in fact, being scammed, stop communicating with the person immediately, but save the messages.
- If the initial contact was through a dating website, notify the site of the scam.
The Federal Reserve joins with the FBI, FTC, and consumer organizations in helping to educate the public against these criminal activities. Please use any channels you have to spread this educational effort and clean up this slimy activity.
Now go wash up.
May 4, 2020
Economic Impact Payments a Target for Fraud
Take Sutton's law, an old crook's advice—"Go where the money is"—and apply it to the fact that times of crisis are also times of prime hunting for fraudsters. And, in this time of crisis, the money is where the Economic Impact Payments (EIPs) are. This post breaks down some of the common fraud schemes the criminals are using to go after these payments.
The IRS has begun sending EIPs to eligible taxpayers. The EIPs are being disbursed either through direct deposit (via ACH) or by paper check. The first wave, an estimated 81 million payments, went to those who had provided their bank account information when filing their 2018 or 2019 taxes or through other federal programs. The IRS will continue sending payments over the coming months.
The first round of check EIPs were mailed with a pay date of April 24. It is estimated that five to seven million EIP checks will be mailed every week. Mailbox check theft and counterfeit checks are the two biggest concerns for EIP checks. Citizens, retailers, and financial institutions should know how to protect themselves from being victims of counterfeit U.S. Treasury Checks. To mitigate fraud risk, the U.S. Secret Service is partnering with the U.S. Treasury in a Know Your U.S. Treasury Check Campaign .
The direct deposit EIPs, which first posted April 15, are proving a little more difficult to combat. While fraudsters may not be able to misroute the EIP funds, they are using phishing emails or vishing calls to pose as EIP recipients' legitimate payments service providers and extracting personal information to facilitate future fraudulent transactions.
So expect a significant increase in account takeover attempts as fraudsters go after these funds. Cash-outs using person-to-person transfer services is often the first-choice channel, especially given the dollar values. Account takeover is often accomplished with social engineering or scams including pleas for help. Anticipate attempts of fraud by fake or spoofed websites, as well as social media messages requesting money or personal information. Some scammers are trying to collect "fees" from consumers to allow them to receive their EIPs. Others are impersonating the IRS in calls, emails, or texts, claiming they need to verify receipt of EIPs by getting financial, banking, or personal information. The IRS does not and will not communicate in this manner.
A further consideration around ACH EIPs is that financial institutions receiving these direct deposits are not required to match the name of the account with the name on the EIP, which means that a recipient's funds could be deposited into another person's account. Taxpayers should be aware that if they provided the account information of their tax preparers (or of the preparers' third-party vendor) on their tax returns, there will be delays in receiving their payments. Compounding this is the risk that those third parties may be unscrupulous and pocket the return money. This has happened with regular tax refunds, but the risk is heightened when so many are experiencing extreme economic hardship.
Stay up to date on trends and report fraud attempts using the following resources:
- FTC Coronovirus EIP Scams and FTC Complaints
- NACHA Current Fraud Threats
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3)—accepts online internet crime complaints
- Internal Revenue Service information about phishing and other scams; forward suspicious emails to email@example.com
March 30, 2020
Do We Use a Payments Risk Thermostat?
I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?
The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.
- We are not aware that hand washing is so effective.
- We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.
Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.
I think this paper positing a "risk thermostat" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."
So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)
As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:
- U.S. Secret Service : Watch out for phishing scams posing as medical or health providers, charity scams on social media.
- Federal Trade Commission (FTC): Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
- U.S. Securities and Exchange Commission Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of providing companies will increase in value.
As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.
Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.
February 10, 2020
Slowing Down the Mule Train
Slowing down the money mule train, that is. Money mules are those individuals who transfer money or goods received through fraudulent schemes on behalf of or at the direction of a criminal enterprise, often based outside the United States. It's a form of money laundering.
In December 2019, the FBI announced it was collaborating with other domestic and international law enforcement agencies to identify, stop, and prosecute major money mule networks. Two months later, it claimed that the operation had stopped the illegal actions of more than 600 domestic money mules—a 50 percent increase in their success rate over the entire previous year. (The U.S. efforts coincided with the European Money Mule Action, led by Europol, the European Union's agency that combats crime and terrorism.)
So who are these money mules and how are they recruited? The money mules fall into two main groups: innocent participants and those people who are as criminal as the leaders of the fraud schemes. It's the money mules who take the greatest risk; the leaders of the schemes use them to insulate themselves from arrest and prosecution.
The first group, the naïve participants, are generally recruited through online ads, résumés submitted to mainstream job search sites, or emails promising work-from-home employment as a "payment processing" or "money transfer" agent. Upon being "hired," these people must provide their bank account information so that deposits can be made to their accounts. If the victims say they want to open a new account to process these transactions, the contact dissuades them from doing so because new accounts face additional scrutiny and restrictions. When a deposit is made, a mule has to transfer those funds, minus the "commission," to another bank account. That account is usually outside the United States so the transfer occurs through an international money transfer service. The mule might also be asked to purchase gift cards, load funds onto them, and then provide the card numbers and PINs to the contact. Individual transactions are generally under $10,000 to avoid the filing of currency transaction reports or suspicious activity reports.
Sometimes truly innocent participants are caught in a "cuckoo smurfing" scheme. In this scenario, someone's bank account credentials are compromised without that person's knowledge. The criminal deposits or transfers money into the account and quickly moves it over to another account. The innocent participant isn't aware of this transaction until he or she checks the account.
However, the vast majority of money mules are people who clearly know they are acting illegally. They are often part of local, national, or international gangs, and use the proceeds of money mule activities to fund other criminal activities.
While there have been a number of enforcement successes, including the effort announced by the FBI, the constant attention being given to this problem indicates it persists. Hats off to all the various law enforcement agencies involved in this money mule crackdown. Hopefully, the increased publicity will prevent individuals from unknowingly becoming part of these networks as well as highlight the scams used to victimize others. What other actions do you think will help curb this type of crime?
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud