Our 'Newsletter on Financial Fraud' is your monthly insight into the various new fraud types and methods used by fraudsters globally in the banking space.
In this issue, we look at how banking fraud is creeping in and costing banks millions.
The incidence of ATM, credit, debit card and net banking-related fraud has gone up by more than 35 percent between 2012-13 and 2015-16 in India, according to the country's federal bank, the Reserve Bank of India (RBI).
According to RBI data, 8,765 cases were reported by banks in 2012-13 and the corresponding figures for the subsequent three years were 9,500 (2013-14), 13,083 (2014-15) and 11,997 (in the first nine months of 2015-16) respectively. India ranked third after Japan and the US as countries most affected by online banking malware in 2014.
These cases may be minuscule for a country like India, whose population is more than 1.2 billion, but there should be no room for complacency as the government moves towards digitizing the country and wants every citizen to have a bank account.
Indian Minister for Communication and Information Technology Ravi Shankar Prasad said that several cyber-attack techniques were being used in combination while committing scams and net banking fraud.
"The fraudulent activities comprising of phishing, lottery scams, ATM/Credit Card frauds, internet banking frauds, and other banking frauds involve usage of email to trick the users to steal victims' identity credentials and commit fraud," he told the Indian Parliament a few days ago.
The Indian Computer Emergency Response Team (CERT-In), the nodal agency to look into the reports regarding phishing incidents affecting users of online banking, has tracked 534 phishing incidents in the first nine months of 2015. Of them, the phishing websites relating to 342 incidents were hosted in countries outside India.
"Details regarding involvement of scams using IP addresses from abroad are not available with RBI, but the country's premier investigation agency -- the Central Bureau of Investigation (CBI) -- has registered one case in 2014 involving IP address outside the country," the minister added.
A joint study entitled "New Age Crime" conducted by the Associated Chambers of Commerce and Industry of India (ASSOCHAM) and Mahindra SSG recently pointed out that India needs to invest at least $4 billion in public-private partnership (PPP) mode to address cybercrime-related challenges at both individual and organizational levels.
The investment has to be spread across upgrading technology, training cyber professionals, counselling of victims, creating cyber cells and others, the study pointed out. With the country facing an acute shortage of cybersecurity professionals, there was a need for the government to reallocate resources to cybersecurity projects. This will help the government to keep a check on such unscrupulous activities, the study added.
However, another report entitled Cyber and Network Security Framework, an ASSOCHAM-Mahindra SSG study, last year revealed that the total number of cybercrimes in all sectors could be around 300,000 in 2015, almost double the level of previous year, causing havoc in the financial space, security establishment, and social fabric.
"Phishing attacks of online banking accounts or cloning of ATM/debit cards are common occurrences. The increasing use of mobiles/smartphones/tablets for online banking and financial transactions has also increased the vulnerabilities to a great extent. The maximum offenders came from the age group of 18-30," the report said.
ASSOCHAM Secretary General D S Rawat said that the origin of these crimes was widely based abroad, including the US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, the UAE and Algeria among others. As per the findings, nearly 12,456 cases were registered every month in India.
With increasing use of IT-enabled services such as e-governance, online business, and electronic transactions the protection of personal and sensitive data has assumed paramount importance.
"The economic growth of any nation and its security, whether internal or external, and competitiveness depends on how well is its cyberspace secured and protected," Rawat said in a statement.
Leading Australian banks are cautioning account holders against using third-party payments providers who demand that they hand over online banking passwords and usernames to access their services.
Many online payments companies, such as POLi Payments and Acorns, require customers to share access codes for their bank accounts to execute transactions using their online systems.
While most Australian banks, including the four majors – NAB, ANZ, Commonwealth and Westpac – allow their customers to use third-party providers, they are increasingly concerned that sharing login details and other sensitive information may have created more opportunities for fraudsters to break into accounts.
The banks’ concerns are magnified by the fact that services such as POLi have partner agreements with offshore payments companies such as Neteller and Skrill.
The New Daily revealed on Wednesday that POLi Payments is a subsidiary of Australia Post, and is recommended by hundreds of offshore casinos as a reliable payment method. The government-owned postal service generates millions of dollars from the subsidiary.
Some banks such as HSBC Australia do not allow their customers to link their bank accounts to external providers, citing security and transparency concerns.
While regional and major banks have a business interest in encouraging their customers not to use rival payments providers, they suggest that customers are jeopardising the security of their bank accounts if they share important details such as passwords with third parties.
In recent months, the banks have begun to ramp up their rhetoric about security and are advising clients not to share account passwords with third parties.
Most banks guarantee to compensate customers’ accounts if funds are stolen from their online accounts – so long as account holders do not share security information such as PIN numbers and internet banking passwords with other individuals.
It is not clear whether banks are prepared to extend such guarantees to cases where funds were stolen from accounts linked to third-party services.
A Westpac spokesperson said the bank did not have working agreements in place with many third parties, including POLi Payments.
“We do actively monitor all third-party payments options for security concerns,” the spokesperson said.
“However it is recommended customers make payments via our online banking or mobile apps, which guarantees the customer’s security.”
The country’s largest consumer bank, Commonwealth Bank, is also recommending that customers never share client IDs and passwords.
An ANZ spokesman warned that customers could be increasing the risk of fraudulent transactions on their accounts if they shared security information.
“ANZ encourages customers to only use their internet banking login details with ANZ’s site and not with any other websites,” the spokesman said.
“If customers provide their login details to a non-ANZ site it could result in unauthorized transactions on their account.”
As per the latest figures revealed by the Reserve Bank of India, bank fraud cases in India are on the rise. In the last one year, bank frauds have almost doubled. These frauds spread over a wide array of fake activities ranging from cheque fraud to acquiring bogus loans and credit cards. The states of Maharashtra and West Bengal are the top two states accounting for more than 50 per cent of bank frauds in the country. While such fraudulent bank activities are on the rise, RBI is able to close only a limited 30 per cent of such cases every year. Among the different types of banks operating in the country, public sector banks have been the ones to be worst hit when it comes to banking fraud.
Private banks in India account for 40 per cent of all fraudulent cases. Data reveals that public sector banks are better at handling fraud than banks in the private sector.
Prevention of cheque fraud
Kolkata leads the board with the maximum number of cheque forgery instances in the country. A number of new methods and techniques are being employed to forge cheques, which have left banks stumped at how fraudsters are constantly maneuvering around established security measures. In many cases, forged cheques have passed the highly secure fugitive ink test as well, creating a need for more advanced methods of identifying spurious cheques.
Reserve Bank of India has come up with a set of guidelines for banks to ensure preventive measures to lower cheque frauds. One measure aims to employ mobile technology in the form of SMS alerts to be sent out as soon as a cheque is received for clearing. Another step to scrutinize large value cheques is to alert customers via phone calls and obtain confirmations from the drawer/payer of the cheque. RBI stated that banks should exercise extra caution while clearing cheques that are above a certain threshold value. Also, higher-value cheques above, say Rs.5 lakh, should be scrutinized at multiple levels in order to capture frauds early and nip them in the bud. RBI is of the view that the increasing number of cheque frauds can be avoided if due diligence is exercised at the time of cheque processing. Contacting the base branch before processing a high value cheque would serve to facilitate this purpose.
In more peculiar cases, fraudsters have been successful at furnishing and encashing cheques while the original cheque was still in possession of the customer. This was done by using details of the customer obtained through fraudulent means. Such instances call for precautionary measures to ensure no leakage of personal information happens either at the bank level or at any third-party level (courier, printer).
Online payments vs. cheques
While banks are growing increasingly vigilant about cheque security, there are steps customers too can take to prevent cheque fraud. One of the most effective ways is to make use of online banking channels for payments, money transfers or availing various banking products. As a viable alternative to cheques, online banking allows for easier, quicker and more secure modes of transacting. This includes credit card bill payments, opening fixed deposits, buying insurance, making money transfers and a host of other paperless transactions that can be tracked by both the customer and the bank electronically.
A recent report by CBS showed that 86 percent of consumer chargebacks are deliberate. This is a growing trend of post-EMV friendly fraud – where consumers make a purchase online and then request a chargeback from the issuing bank after receiving the goods or services they ordered. Instances of friendly fraud tend to spike after data breaches – another high-frequency occurrence lately – as true fraud rises and consumers “jump on the bandwagon” to receive a refund from the merchant.
Friendly fraud has always been a problem for merchants, but with the liability shift in October of 2015 and the migration slated to continue over the next few years, this type of fraud will escalate. In countries that have already migrated to the EMV standard, the uptick in fraud was palpable: The U.K. experienced a 62% increase in CNP shoplifting after it implemented EMV in 2005. Experts predict the U.S. will see similar outcomes and online merchants should be prepared.
CNP merchants now must navigate the threat of fraud from multiple angles. Online fraud is expected to more than double by 2018, increasing from $2.8 billion to over $6.3 billion. Recent studies show that more consumers are turning to their mobile devices to make purchases, a prime channel for friendly fraud. Since 2011, friendly fraud has gone up 41%. These factors put CNP merchants in treacherous territory.
Matters are complicated by the lack of collaboration between merchants and issuers. Without real-time sharing of order details between the two, issuers are not as equipped as they could be to resolve inquiries and disputes on the first call. This leads to spikes in operational costs for banks and avoidable chargebacks for merchants. When merchants share order details with issuers, the inquiry or dispute can be quickly resolved – either validated as true fraud, which can then be relayed directly to the merchant to resolve and refund the cardholder, or challenged as friendly fraud, arming the issuer with information to stop bad actors in their tracks and eliminate “double dipping” and over-refunding.
The trend will only continue and merchants need to have a friendly fraud prevention strategy in place to protect payments against unscrupulous consumers looking to game the system.
Friendly fraud is traditionally defined as a situation where a consumer uses his or her credit card to make a purchase and then disputes the transaction with the issuer once the item has been received, causing a chargeback. There are two main categories for friendly fraud:
Whether the friendly fraud is deliberate or accidental, the merchant is left on the hook for both the cost of goods or services plus shipment costs and the fines and fees associated with the chargeback itself.
The fact is that convenience has become a driving factor for non-fraud consumer-initiated chargebacks. 86% of the time, the consumer is bypassing the merchant because s/he claims it’s “easier” than resolving the issue with the merchant. And on the flip side, consumers are also fraudulently charging back orders that they did receive, using the “I didn’t buy that” or “I never received that” excuse as a reason to dispute the charge. Unfortunately, both fraud and non-fraud chargebacks cost merchants the same in fees and penalties and both could potentially cost them processing privileges if their chargeback ratio breaks the acceptable threshold by the card brands.
CNP merchants must remain vigilant against this costly type of fraud and develop their own action plan based on the current payments climate. A dynamic landscape means the best fraud prevention strategy will be comprehensive, yet agile. Using layered tools, multi-layered authentication, biometrics and other emerging technologies can mean the difference between hundreds of thousands or even millions of dollars saved from fraud.
In a post-EMV environment, there is no single way for CNP merchants to confront every type of fraud scenario. So implementing at least two of the following best practices can protect online businesses from friendly fraud.
Authentication – From biometrics to one-time passwords to device fingerprinting authentication, this process validates both the legitimacy of the card and the identification of the consumer attempting to make a purchase.
Address Verification Services (AVS) – This is a service provided by credit card companies and issuing banks to check submitted addresses against the address on file. It can indicate if a transaction is authentic or fraudulent.
Tokenization – The card values are replaced with different values called tokens with this method. Data remains secure, and since the process includes the last four digits of the credit card, it can always be verified.
3-D Secure (3DS) – This tool offers real-time cardholder identification right from the issuer during an online transaction. It’s very beneficial because it can reduce fraud, especially when used with other risk management resources.
CNP merchants are in a vulnerable position due to the EMV migration, which will shift more fraud to online channels, and the continual increase of cyber crime each year. To prepare for the expected rise of friendly fraud, e-commerce businesses must understand how digital shoplifting can impact their bottom line. They also have to develop an action plan using a multilayered approach to ensure their online companies have fraud protections in place. Through the use of layered tools, CNP merchants will have a much better chance to confront friendly fraud in today’s post-EMV environment. Finally, a collaborative merchant/issuer approach to fraud and chargebacks can save both sides millions of dollars in unnecessary chargeback costs, operational expenses and lost customers due to poor service experiences.