The payment landscape is evolving rapidly, driven by innovation in digital technology and consumer desire for on-demand banking and payment solutions. With multiple digital channels available to customers, virtual interactions are rising while contactless payments offer additional avenues for fraudsters to explore.
Digital acceleration and fraud
COVID-19 has accelerated digital transformation, with many companies having to adapt quickly in order to survive the challenging times. What used to be suitable in the past may no longer be enough in the new “digital ways of working”.
With an estimated 300 million office workers telecommuting globally, digital payment services are now even more important to businesses during such unprecedented times1. Although mobile banking has been gaining popularity over the last few years, Fidelity National Information Services (FIS) saw a 200 per cent jump in new mobile banking registrations in April 2020, fuelled by the pandemic, while mobile banking traffic rose 85 per cent2.
The accelerated shift to digital and mobile customer platforms has led to increased vulnerability to fraud. With more data records like personal and financial information stored digitally, and employees connecting remotely through unsecured networks during the pandemic, the risk of cyberattack has increased significantly. What companies should realise is that once data is stolen, it is out of their control. The data is usually sold off in the black market and used to perpetrate fraud or held ransom by cybercriminals.
In the last few months, IT security company Barracuda reported that 51 per cent of organisations in Asia Pacific have experienced at least one cybersecurity or data breach since their employees started working from home. Though the report is focused on Asia Pacific, it is concerning to note that 46 per cent of the organisations do not have an up-to-date cybersecurity programme that is able to cater to telecommuting3.
As the world adapts to a ‘new normal’ and the demand for digital financial services is expected to continue throughout 2021, businesses should be sensitive to upcoming trends in digital payment fraud in order to stay a step ahead of the fraudsters and disrupt criminal activities.
Let’s examine what digital payment fraud could look like in 2021.
#1 Authorised push payment fraud
Authorised Push Payment (APP) fraud has gained quite a reputation over the years.
APP is a form of fraud in which victims are manipulated into making payments to bank accounts controlled by fraudsters. The most prevalent form of APP for businesses is business email compromise (BEC). The attack is designed to bypass security controls as the request (usually through email) is no different from any day-to-day transaction a firm would receive.
The initial contact can seem innocuous, such as an email from a ‘supplier’ requesting a change to their bank account details where regular payments are deposited. Days later, the real supplier calls to say their payment has not been received – making the company a victim of payment fraud.
Standard Chartered recently weighed in on the spread of BEC scams (part of APP fraud) and how organisations should take preventive steps4.
#2 Internet banking fraud
Internet banking services are widely available to corporates, but not all capitalise on their full capabilities. In the new digital way of working, leaving those capabilities unused is not an option. As companies continue to redesign and digitise their operating model, cybercriminals take advantage of the increased reliance on online services by using malware to attack computers.
The ways of distributing malware are growing in sophistication, ranging from phishing emails from unknown senders, cloned advertising sites and malicious USB devices, to infected applications and unsecured public wi-fi networks. The most popular infiltration method is malware embedded in an email as an attachment or link, at times spoofing an email communication about the client’s internet banking account. Once the malware is downloaded, it could damage systems, spy on operations or steal confidential banking information.
In ransom malware or ransomware fraud schemes, fraudsters generally use extortion techniques to scare victims. These can include threatening to delete information, publish private files, encrypt corporate files, or even take over a system’s core functions. In 2020, several large corporations were held to ransom and many caved in by paying cybercriminals a hefty sum to regain control of their internal operations. VMware Carbon Black threat researchers reported a 148 per cent spike in ransomware attacks in March 2020 as compared to February5. Cybercriminals often demand payment in the form of cryptocurrencies, which are highly attractive as a way of funding crime.
#3 Open banking and API fraud
Regulators are gradually liberalising the financial services sector by granting digital banking licences and opening banking data and payment processing to third parties. These trends have created digital and cross-sector convergence between banks and other industries like telecoms and newer players such as fintechs and e-commerce, in turn transforming the entire payments ecosystem.
Open banking allows banks to share certain data (with the consent of account holders) and payment services with third-party providers. The delegated access to data is made through application programming interfaces, commonly known as APIs. APIs have not only opened a gateway of alternatives for consumers and businesses to access products and services, they have also given cybercriminals new opportunities to exploit security flaws to commit fraud and steal data.
Start-ups or smaller third-party providers (TPPs) may lack robust cybersecurity policies, cyber professionals or investment in strong application design security to protect customers. Cybercriminals exploit such vulnerabilities to gain entry to client data through TPPs that have direct partnerships with banks.
According to internet security experts Akamai, 75 per cent of all credential attacks against financial organisations in 2019 directly targeted APIs6. Cybercriminals use APIs to try to bypass security controls and steal data such as banking credentials and personal and corporate information, which they can use to perpetrate fraud by accessing bank accounts illegally or impersonating individuals.
#4 Mobile banking fraud
In April 2020, mobile banking registrations jumped 200 per cent and mobile banking traffic rose 85 per cent7. Mobile banking is not new, but as financial institutions enrich application features and more corporates subscribe to banking, e-payment and finance apps, the number of malicious application installations and mobile banking fraud attempts is expected to rise8.
Quick Response or QR code scams are expected to make a comeback due to an increased demand for contactless and cashless payments during the pandemic9. Scammers replace the original QR code with a fraudulent one and lure victims to either click on a fake website or download a malicious app, all with the ill intention of stealing money, sensitive data or both.
Malicious apps such as banking trojans are disguised as harmless apps such as a battery manager, weather or health app. These remain dormant after installation and strike when the user launches a legitimate banking app. The trojan draws a fake pop-up login screen over the banking application and steals the credentials entered into it. The user is likely to be oblivious to the breach: once the credentials have been captured, the trojan passes the user on to the real banking app login page.
The other common scheme that most victims fall for is downloading a fake banking app on their phone. Fake banking apps are designed to convince the user they are legitimate. The phony app leads the user to a fake banking front (a phishing site) and tricks the victim into entering their credentials. In December 2018 alone, McAfee reported nearly 65,000 fake apps detected on app stores10.
The pandemic has provided even greater opportunities for digital payment fraud. In the new digital way of working, mobile banking fraud is a risk area that businesses cannot ignore.
How your company can stay one step ahead of the fraudsters
As banks continue to toughen and tighten their defences, fraudsters will turn to entities in the virtual payment ecosystem whose defences may be more vulnerable – this could be an organisation, a business or an individual.
Here are some general guidelines on how to protect yourself and your company from these fraudsters.
- Emphasise cyber hygiene
Put in place cyber hygiene guidelines for your company. At a minimum, ensure your computer antivirus software and mobile operating system are updated. Block vulnerable applications, create strong passwords and have multi-factor authentication in place, as an additional layer of security to block unauthorised logins. Use a secure network connection to access your company’s work environment.
- Incident response
Update your company’s incident response plan frequently. Be aware of the latest digital fraud incidents which could have an impact on how your company responds to a scam. Know the key people within your company who need to be contacted in the event of fraud.
- Raise employee awareness
It is essential to raise fraud awareness in employees by sharing updated information on relevant threats and their mitigating controls. Brief employees on what they should do if they suspect a fraud attempt. Always remind employees to avoid clicking on unknown or suspicious links. Simple verification steps can be taken such as mandating call-backs to customers and suppliers on trusted telephone numbers before making large payments. Remember, fraudsters are good actors. They could impersonate a customer or supplier to deceive your staff into authorising a payment or releasing confidential information.
- Set the right tone
Employees pay close attention to the behaviour and actions of their leaders, and they follow their lead. If the management stresses fraud vigilance and supports fraud prevention measures, employees will follow good fraud prevention behaviour.
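As an added illustration (not code from the article or from Standard Chartered), the following payment-release check encodes the call-back advice above: a payment to a beneficiary whose bank details changed recently, or any large payment, is held unless a call-back was made to the telephone number already on file, never to a number supplied in the change request itself. Supplier names, account references, phone numbers, dates and the amount and cooling-off thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Beneficiary:
    name: str
    account: str
    details_changed_on: date                # date the bank details were last updated
    phone_on_file_before_change: str        # trusted number from the original master record
    callback_made_to: Optional[str] = None  # number actually called to confirm the change, if any

@dataclass
class PaymentRequest:
    beneficiary: Beneficiary
    amount: float
    requested_on: date

def callback_verified(b: Beneficiary) -> bool:
    # A call-back only counts if it went to the number held on file *before* the change;
    # a number supplied in the same change request may belong to the fraudster.
    return b.callback_made_to is not None and b.callback_made_to == b.phone_on_file_before_change

def payment_red_flags(req: PaymentRequest, large_amount: float = 10_000.0,
                      cooling_off_days: int = 14) -> List[str]:
    """Red flags a payments clerk should see before release (thresholds are assumptions)."""
    flags = []
    days_since_change = (req.requested_on - req.beneficiary.details_changed_on).days
    verified = callback_verified(req.beneficiary)
    if 0 <= days_since_change <= cooling_off_days and not verified:
        flags.append(f"bank details changed {days_since_change} day(s) ago without verified call-back")
    if req.amount >= large_amount and not verified:
        flags.append("large payment without verified call-back")
    return flags

def release_decision(req: PaymentRequest) -> str:
    """HOLD for manual verification if any red flag is raised, otherwise RELEASE."""
    return "HOLD" if payment_red_flags(req) else "RELEASE"

# Constructed scenario (not from the article): a 'supplier' emails new bank details plus a new
# contact number, and a large invoice arrives three days later.
ON_FILE, IN_EMAIL = "+44 20 0000 0001", "+44 20 0000 0002"
NO_CALLBACK = Beneficiary("Acme Parts Ltd", "NEW-ACCT-001", date(2021, 1, 4), ON_FILE)
CALLED_NEW_NUMBER = Beneficiary("Acme Parts Ltd", "NEW-ACCT-001", date(2021, 1, 4), ON_FILE, IN_EMAIL)
CALLED_ON_FILE = Beneficiary("Acme Parts Ltd", "NEW-ACCT-001", date(2021, 1, 4), ON_FILE, ON_FILE)

def decide_all() -> List[str]:
    return [release_decision(PaymentRequest(b, 48_000.0, date(2021, 1, 7)))
            for b in (NO_CALLBACK, CALLED_NEW_NUMBER, CALLED_ON_FILE)]

if __name__ == "__main__":
    print(decide_all())  # ['HOLD', 'HOLD', 'RELEASE']
```

Only the third request is released: the call-back made to the number that arrived in the same email as the new account details does not count as verification.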
Three steps to fighting payment fraud
Spot the warning signs: Employee education is important. Companies should train employees about the fraud red flags to look out for.
Stop suspicious activities: Robust fraud control protocols, including a clear response process, reduce the risk of fraud.
Report: In the event of fraud being suspected, inform your bank immediately. The quicker you report, the higher the chances of recovery.
1 Channel News Asia: Remote working during Covid-19
2 CNBC: Mobile banking surge during Covid-19
3 Barracuda: Security concerns during remote working
4 Standard Chartered: Business Email Compromise scams
5 sdxcentral: Ransomware attacks spike during Covid-19
6 Akamai Security Research: APIs target for cybercriminals
7 CNBC: Mobile banking surge during Covid-19
8 FBI: Increased usage of mobile banking apps may lead to exploitation
9 Malwarebytes: QR code scams making a comeback