If we take a look at some of the most recent  numbers reported for payment fraud, it’s obvious that the amounts are staggering:

• Last year, Juniper Research estimated that merchant losses to online payment fraud would exceed $206 billion in the period between 2021 and 2025, with much of this being driven by identity fraud.
  
  
• In the USA, 2.8 million consumers reported being targets of fraud, losing a total of more than $5.8 billion in 2021 - a 70% increase compared to 2020. Note that this is only what was reported to the Federal Trade Commission, so the real number is likely to be much higher.
  
  
• While it is hard to estimate the amount of fraud targeting banks, a report by the Nilson Report estimates that the major card brands (Visa, Mastercard, etc.) saw $28.58 billion worth of fraud in 2020.

In total, we’re likely talking about a yearly amount that lands in the $100s of billion worldwide. A lot of this fraud goes through payment systems, particularly in countries where cash is getting less common and bank accounts and cards are becoming more tempting targets for fraudsters. While chargebacks and other protections strengthened by the PSD2 and Open Banking legislation might protect European consumers, the rest of the world is still in the planning stages for similar legislation. 

While Strong Customer Authentication (SCA) has led to lower fraud rates in Europe, the cost of fighting fraud is on the rise. This is because even if consumers might not be directly hit, the final cost of fraud is paid by the consumers and businesses via increased fees and more expensive services and goods. As such, it should come as no surprise that in late April this year, Visa and Mastercard announced that they would increase their processing fees, partly due to increased demand for “fraud prevention”. The additional fees would net them an additional $1.2 billion on top of existing fees. When we take a step back, the total amount of processing fees paid by US merchants alone was $137 billion in 2021, according to a report by the Nilson Report. Note that much of this goes to chargebacks for consumers hit by fraud.

Should you want to learn more about the origin of fraud, our “Back to Basics” post on digital fraud goes over many of the various types that are common today, and serves as a great introduction to the topic.

The types of fraud we see spike in popularity closely follows how people pay for goods and services, meaning that they differ from country to country. Here is a great example:  

While cheque fraud is still a significant problem in some countries, here in the Nordics, cheques have been nearly entirely phased out. People under the age of 40 probably haven't even ever seen a cheque book, making cheque fraud non-existent. Instead, what we’re seeing is social engineering scams targeting the SCA mechanisms themselves, where people are tricked into giving up the 2FA BankID credentials that protect their identity online. 

There is also a growing amount of phishing and short-lived fraudulent online shops that try to trick people into buying goods and services that are simply never delivered, and large amounts of fraudulent invoices are sent to companies every day. So far we’ve not seen any large scale attacks directly on BankID, which is the by far most common SCA mechanism in Norway, but that is something we should expect.

Taking Europe as a whole, card-not-present fraud is decreasing, with the EBA reporting reduced fraud rates due to stronger SCA implementations. But, while one type of fraud goes down, another goes up, such as automated fraud targeting banking and payment apps. One of my favourite examples of this is this video of a banking trojan targeting PayPal, executing automated payments on behalf of the user. It is certainly a good example of how important it is to design a secure SCA flow.

Strong Customer Authentication, like what we in Okay provide, helps a great deal for many types of fraud. Namely, automated attacks on apps and card-not-present fraud. But sadly, it is unlikely that we’ll see an end to fraud. With money flowing even faster through our payment systems combined with more people getting access to bank accounts and payment systems every year, fraud and the battle to avoid fraud will continue. 

Engaging in fraud will always be a potential way to make a “quick buck” in the future, just as it is today. Even with stronger authentication mechanisms, fraud based on social engineering and blackmail style attacks (such as what we see with ransomware) will grow in prevalence. And, even in the digital future that I wrote about in my previous post, the infrastructure that surrounds us will still be vulnerable to attacks to an ever greater extent. The difference will be that instead of your PC getting infected with malware, it might be the controller for your heat pump, an automated door lock, or even worse: both at the same time.

In addition to more automated infrastructure style attacks, we’ll also see more social engineering fraud taking advantage of the advancements in machine learning and artificial intelligence, perhaps by impersonating you or your family members when contacting payment providers and merchants. This is another area where proper SCA mechanisms can help.

One thing is for certain: there will be no end to the work of protecting against innovative new forms of fraud. Choosing an SCA solution that targets both the fraud of today and the future is therefore of high importance, and we at Okay are here to help you.

——————

If you’re interested in the security of payments, be it for today or tomorrow, please follow us on LinkedIn and keep reading this blog.