Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
May 4, 2020
Economic Impact Payments a Target for Fraud
Take Sutton's law, an old crook's advice—"Go where the money is"—and apply it to the fact that times of crisis are also times of prime hunting for fraudsters. And, in this time of crisis, the money is where the Economic Impact Payments (EIPs) are. This post breaks down some of the common fraud schemes the criminals are using to go after these payments.
The IRS has begun sending EIPs to eligible taxpayers. The EIPs are being disbursed either through direct deposit (via ACH) or by paper check. The first wave, an estimated 81 million payments, went to those who had provided their bank account information when filing their 2018 or 2019 taxes or through other federal programs. The IRS will continue sending payments over the coming months.
The first round of check EIPs was mailed with a pay date of April 24. It is estimated that five to seven million EIP checks will be mailed every week. Mailbox check theft and counterfeit checks are the two biggest concerns for EIP checks. Citizens, retailers, and financial institutions should know how to protect themselves from being victims of counterfeit U.S. Treasury Checks. To mitigate fraud risk, the U.S. Secret Service is partnering with the U.S. Treasury in a Know Your U.S. Treasury Check Campaign.
The direct deposit EIPs, which first posted April 15, are proving a little more difficult to combat. While fraudsters may not be able to misroute the EIP funds, they are using phishing emails or vishing calls to pose as EIP recipients' legitimate payments service providers and extracting personal information to facilitate future fraudulent transactions.
So expect a significant increase in account takeover attempts as fraudsters go after these funds. Cash-outs using person-to-person transfer services are often the first-choice channel, especially given the dollar values. Account takeover is often accomplished with social engineering or scams including pleas for help. Anticipate attempts of fraud by fake or spoofed websites, as well as social media messages requesting money or personal information. Some scammers are trying to collect "fees" from consumers to allow them to receive their EIPs. Others are impersonating the IRS in calls, emails, or texts, claiming they need to verify receipt of EIPs by getting financial, banking, or personal information. The IRS does not and will not communicate in this manner.
A further consideration around ACH EIPs is that financial institutions receiving these direct deposits are not required to match the name of the account with the name on the EIP, which means that a recipient's funds could be deposited into another person's account. Taxpayers should be aware that if they provided the account information of their tax preparers (or of the preparers' third-party vendor) on their tax returns, there will be delays in receiving their payments. Compounding this is the risk that those third parties may be unscrupulous and pocket the return money. This has happened with regular tax refunds, but the risk is heightened when so many are experiencing extreme economic hardship.
Stay up to date on trends and report fraud attempts using the following resources:
- FTC Coronavirus EIP Scams and FTC Complaints
- NACHA Current Fraud Threats
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3)—accepts online internet crime complaints
- Internal Revenue Service information about phishing and other scams; forward suspicious emails to firstname.lastname@example.org
March 30, 2020
Do We Use a Payments Risk Thermostat?
I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?
The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.
- We are not aware that hand washing is so effective.
- We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.
Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.
I think this paper positing a "risk thermostat" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."
So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)
As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:
- U.S. Secret Service: Watch out for phishing scams posing as medical or health providers, charity scams on social media.
- Federal Trade Commission (FTC): Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
- U.S. Securities and Exchange Commission: Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of providing companies will increase in value.
As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.
Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.
February 10, 2020
Slowing Down the Mule Train
Slowing down the money mule train, that is. Money mules are those individuals who transfer money or goods received through fraudulent schemes on behalf of or at the direction of a criminal enterprise, often based outside the United States. It's a form of money laundering.
In December 2019, the FBI announced it was collaborating with other domestic and international law enforcement agencies to identify, stop, and prosecute major money mule networks. Two months later, it claimed that the operation had stopped the illegal actions of more than 600 domestic money mules—a 50 percent increase in their success rate over the entire previous year. (The U.S. efforts coincided with the European Money Mule Action, led by Europol, the European Union's agency that combats crime and terrorism.)
So who are these money mules and how are they recruited? The money mules fall into two main groups: innocent participants and those people who are as criminal as the leaders of the fraud schemes. It's the money mules who take the greatest risk; the leaders of the schemes use them to insulate themselves from arrest and prosecution.
The first group, the naïve participants, are generally recruited through online ads, résumés submitted to mainstream job search sites, or emails promising work-from-home employment as a "payment processing" or "money transfer" agent. Upon being "hired," these people must provide their bank account information so that deposits can be made to their accounts. If the victims say they want to open a new account to process these transactions, the contact dissuades them from doing so because new accounts face additional scrutiny and restrictions. When a deposit is made, a mule has to transfer those funds, minus the "commission," to another bank account. That account is usually outside the United States so the transfer occurs through an international money transfer service. The mule might also be asked to purchase gift cards, load funds onto them, and then provide the card numbers and PINs to the contact. Individual transactions are generally under $10,000 to avoid the filing of currency transaction reports or suspicious activity reports.
Sometimes truly innocent participants are caught in a "cuckoo smurfing" scheme. In this scenario, someone's bank account credentials are compromised without that person's knowledge. The criminal deposits or transfers money into the account and quickly moves it over to another account. The innocent participant isn't aware of this transaction until he or she checks the account.
However, the vast majority of money mules are people who clearly know they are acting illegally. They are often part of local, national, or international gangs, and use the proceeds of money mule activities to fund other criminal activities.
While there have been a number of enforcement successes, including the effort announced by the FBI, the constant attention being given to this problem indicates it persists. Hats off to all the various law enforcement agencies involved in this money mule crackdown. Hopefully, the increased publicity will prevent individuals from unknowingly becoming part of these networks as well as highlight the scams used to victimize others. What other actions do you think will help curb this type of crime?
February 3, 2020
Fuel Pump EMV Chip Liability Shift Looms Large
It has been quite some time since the Retail Payments Risk Forum has blogged about the state of the EMV chip in the United States. Perhaps the lack of coverage is a nod to the success and growth of EMV chip issuance and acceptance since the point-of-sale (POS) and ATM liability shifts that began in 2015 and 2016, respectively. The Federal Reserve's newly released payments study found that 57 percent of in-person card payments in 2018 used chip authentication compared to 2 percent in 2015. Talk about phenomenal progress over a three-year period! Yet there is more to do, and 2020 will be a big year for closing a big gap—EMV chip acceptance at the fuel pump, or what the industry generally calls automated fuel dispensers (AFDs).
In October, all of the global card networks' liability shifts will be implemented for AFDs. As a brief reminder, this liability shift means that petrol retailers will now be responsible for incurring the fraud losses on all non-EMV-chip-authenticated transactions initiated by EMV cards at their pumps. According to several industry associations that represent the convenience and petroleum store industry, this liability shift date will be a challenge for many station operators to meet given a limited availability of EMV-compatible AFDs as well as the technicians to install and certify the machines as EMV ready.
Through the years, the Risk Forum has stressed that criminals tend to gravitate to the easy targets when it comes to committing card fraud, or really any fraud in general. Card skimmers at AFDs pulling data off a card's magnetic stripe have been a major problem for decades. I have no doubt that the fraudsters are fully aware of the impending liability shift and will be stepping up their AFD attacks in 2020 before the window of counterfeit card opportunity closes. Those retailers who are delaying their EMV migration or are unable to migrate by the liability shift date will become giant bull's-eyes. Expected card fraud losses in 2020 for the industry are not inconsequential—one industry association has estimated losses of $451 million. I should also note that the costs faced by the industry to migrate to EMV are also significant, at an estimated $3.9 billion.
After witnessing the successful rush by the industry to implement EMV chip at the POS and ATM, I am confident that the AFD EMV chip implementation ahead of the October liability shift will be a success, but all involved will definitely experience challenges. My confidence stems from the positive momentum I have seen from everyone involved in the payments industry working together for the common good to mitigate card fraud. With counterfeit card fraud losses through June 2019 down by over 60 percent since September 2015, I look forward to seeing even more decreases in counterfeit card fraud following this year's AFD liability shift.