
Fraud Around the World

First published: 15/07/2022

updated: 21/10/2022


As our lives become more and more digital, there will always be someone trying to steal personal credentials or bank account information. So this week, we look at how fraud is showing up across the globe - particularly, some common payment-related scams and how they vary worldwide. While it’s a topic we have touched on before, it remains as relevant as ever.

We Live in a Fraud-Filled World

Scam attempts are something all of us have to regularly deal with, from the mundane phishing email to ads for “exciting cryptocurrency investment opportunities.” One of the scams that personally annoys me is the “Microsoft Tech Support” call, usually from a spoofed local number. If you answer the call, you’re told there is a virus on your computer and that you should install their software to deal with it. The goal of this scam is, at best, to scam you out of a few hundred euros for useless software. At its worst, it’s an attempt to hold your computer hostage or to get access to your bank accounts.

Generally, scams can be categorised into two types: global scams, which you’ll find in every country, and localised scams, which are limited either by payment infrastructure or by cultural differences. First, let’s look at some of the global scams.

Global Scams

Fake Invoice Scam
One scam that targets every registered company is the fake invoice scam. The invoice looks like it’s for some valid service, such as “your internet registration”, but in reality the sender is lying about or grossly misrepresenting the service they’re offering.

The clever versions of this scam take advantage of known relationships between companies by first sending an email about a change of banking information for a company. They then send fraudulent invoices on behalf of the company, perhaps even by hacking into the company’s invoicing systems. In a variant of this attack, the fake invoice is sent from what appears to be a C-level executive of the victim, often the CEO or CFO, simply instructing an accountant to pay an invoice. But, of course, if the invoice is paid, the money is quickly sent abroad to make it harder to reclaim.

The fake invoice and the CEO scam are why we advise companies to use Strong Customer Authentication (SCA), particularly when accessing critical internal services, and to implement systems where more than one person must sign off on at least any payments to new or changed recipients.

Confidence Scam
In addition to scams targeting companies, many scams target individuals. One type that has become quite familiar over the last couple of years is the “confidence scam” in its many variations. One example might be a fake dating profile which eventually tries to sell you phoney cryptocurrency investment products. The overarching idea with these is to avoid an easily traceable bank transfer by tricking people into transferring funds through cryptocurrencies. As you probably already guessed, this makes it much harder to get your money back.

Too-Good-to-be-True Scam
Another type of scam which casts a wide net to catch victims is the web shop selling brand goods at too-good-to-be-true prices. These might pop up for a short time, and you’re unlikely to get anything for your money. A more troublesome variant is fake products on prominent websites like Amazon or Aliexpress. For example, it can be challenging for a non-technical buyer to tell that the USB memory stick they just ordered from a third-party seller on Amazon doesn’t have the claimed capacity. With a big online retailer, you might not have much luck with doing a chargeback on a credit card, but at least you might have recourse through a complaints procedure.

National Scams

Fake Check Scam
While many scams target a global audience, some scams are more common in some countries, either because of cultural differences or differences in customer authentication mechanisms and payment systems.

An example of a scam that takes advantage of differences in payment systems is the fake check scam that is common in the USA. In this scam, you get a check for something you’ve sold or for some service, but usually for more than you initially charged. After you deposit the check in your bank account, you’re told to repay some of the funds. After a week or two, your bank will realise that the check never cleared, and you’ll lose the funds you repaid. In most other countries, payments are cleared same-day, making this scam much harder to implement.

Verification Code or Dongle Scam
Another type of scam primarily seen in countries outside Europe (particularly in the US) is the phone verification code scam, in its various forms. This scam takes advantage of SMS still being used for one-time codes. The victim is asked to confirm a transaction or their identity by repeating a number they receive by text message. They do so not realising that the number they’re receiving is the code used to identify them to their bank or for signing up for some service. If they give the code to the scammer, the scammer gets control of the account.

Of course, it is not just SMS that can be exploited to get one-time codes. Here in Norway, the infrastructure for securely identifying yourself online is fairly advanced. However, there are still users of offline “dongles” that generate one-time codes used to identify yourself with a bank. Recently, there have been several cases where scammers called elderly people to convince them to hand over their codes, giving attackers access to their bank accounts. If you’re a user of this type of dongle, you cannot really identify which transaction or authentication verification you’re authorising. That makes this type of attack much more efficient.
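The difference between a plain one-time code and an approval tied to a specific payment can be shown from the bank's side of the check. The following is an added example, not code from Okay or from any bank: the HOTP-style code generation, the MAC-based approval, and all names, payees and amounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct


def dongle_code(secret: bytes, counter: int) -> str:
    """HOTP-style six-digit code: depends only on the secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 1_000_000).zfill(6)


def bound_approval(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Approval computed over the payee and amount the user was shown."""
    msg = struct.pack(">Q", counter) + f"|{payee}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def bank_accepts_code(secret, counter, code, payee, amount_cents) -> bool:
    # The payee and amount play no part in this check: the code says
    # nothing about which payment the user believed they were approving.
    return hmac.compare_digest(code, dongle_code(secret, counter))


def bank_accepts_approval(secret, counter, approval, payee, amount_cents) -> bool:
    # The bank recomputes the MAC over the payment it actually received.
    expected = bound_approval(secret, counter, payee, amount_cents)
    return hmac.compare_digest(approval, expected)


# Constructed sample values (hypothetical secret, payees and amounts).
SECRET = b"constructed-demo-secret"
COUNTER = 42
SHOWN_TO_USER = ("ELECTRICITY-CO", 12_000)       # what the user meant to pay
RECEIVED_BY_BANK = ("UNKNOWN-PAYEE", 950_000)    # a different payment


def demo() -> dict:
    code = dongle_code(SECRET, COUNTER)
    approval = bound_approval(SECRET, COUNTER, *SHOWN_TO_USER)
    return {
        "code_valid_for_other_payment":
            bank_accepts_code(SECRET, COUNTER, code, *RECEIVED_BY_BANK),
        "approval_valid_for_shown_payment":
            bank_accepts_approval(SECRET, COUNTER, approval, *SHOWN_TO_USER),
        "approval_valid_for_other_payment":
            bank_accepts_approval(SECRET, COUNTER, approval, *RECEIVED_BY_BANK),
    }


if __name__ == "__main__":
    print(demo())
```

The plain code verifies no matter which payment it accompanies, while the bound approval only verifies for the payee and amount it was computed over.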

SIM-Swap Attack
Our CEO, Fabien Ignaccolo, recently wrote a post on the African market. A unique feature of Africa is that M-wallets based on phone SIM cards are much more common than in Europe or the US. This increases the danger of SIM-swap attacks, where the scammer gets hold of a replacement SIM card, basically also stealing the balance on your account. In addition, many “government official scams” also target Asian and African citizens abroad. The victim is told to pay money to someone claiming to be from their government to keep their visa.  

A Note on Risk Management

For payment providers, looking at common scams can be an excellent risk management exercise.

For example, if you’re still using SMS for one-time-PIN codes, your authentication methods are not strong enough. If one of the parties is in the EU, you can be liable for certain types of fraud. Scams can have a direct impact on both you and your customers. Investing in Strong Customer Authentication is just one of the actions you should take. Technology alone cannot guarantee any person or business protection against fraud; fraud prevention should also be part of your standard product development process.

———

Would you like to read further into this topic? I suggest our series on , and how we have worked to make the payment process as as possible.

However, if you want to read more on fraud in particular, check out two of our previous posts: a and a . Or, follow us on where we discuss common scams to look out for (among many other topics)!
