Payments Scams - financial loss with willing participation
Last year EPAA published an article by EPAA Ambassador Lance Blockley of The Initiatives Group titled “Scams Are Now Bigger Than Payments Fraud”. Throughout 2020 and 2021, losses from scams have continued to increase rapidly, the opposite of most payments fraud.
Now 18 months into the Covid-19 pandemic, with all the change it has brought, The Initiatives Group has taken another look at the trends in financial scamming.
Willing participation
It is important to note that financial scams are associated with account holders knowingly authorising a transaction. This is different to payments fraud, where the fraudster gains access to account details and, unknown to the account holder, authorises fraudulent payments. When we are scammed, we are “willing participants”.
Covid-19 Pandemic – the scamming opportunity of 2020-2021
Covid-19-induced lockdowns, working from home and limited physical access to retail and services have all led to the acceleration of digitisation in our daily lives. Those who were already internet banking, transacting online and participating in social media increased their usage. Those who were not, typically older generations, were forced to become digitally engaged. Criminals took advantage of this digital shift and the heightened fears and anxieties through:
- impersonating parcel delivery companies, e-commerce platforms, broadband providers and others;
- fake online shopping stores selling products that do not exist or will never be fulfilled, such as cures for Covid-19 and face masks;
- imposter scams, involving contact from government officials regarding promises of stimulus relief for individuals and economic relief or loans for small business, or providing links to “more information” where phishing of personal information occurs;
- used car sale scams, which increased rapidly with the growth in used car sales (e.g. sellers impersonating defence personnel being redeployed, as the reason for a quick sale at a too-good-to-be-true price);
- romance baiting, where dating apps are exploited to lure victims into investment scams.
In the USA, financial losses due to scams increased by 73% during 2020, with imposter scams being 63% of the total. In Australia, just for scams reported to Scamwatch, the year-on-year increase in the value of losses for the first quarter of 2021 was 65%.
The number of cases in the UK increased by 22% and the value of losses by 5% - compared with 2019/2018 increases of 45% and 29% respectively. The volume and value increasing at a decreasing rate may augur well for the future. Criminals’ use of social engineering tactics through deception and impersonation scams is a key driver of these losses.
Business email compromise scams (BECS)
In 2019, BECS became the biggest cause of cybercrime financial losses in the USA, totalling US$1.7bn. At the same time, PwC reported that almost 25% of incidents in Singapore were “relatively low sophistication BECS”, and that criminals targeted financial services companies because victims were likely accustomed to large value transfers, and leveraged victims’ compromised credentials and a lack of multi-factor authentication.
There are three common scenarios:
- Scammers exploit the relationship and trust between companies and their vendors by impersonating the vendor and urging the target to pay invoices to the scammer’s account.
- Scammers impersonate senior personnel and direct staff to make scam payments.
- Scammers intercept legitimate invoices (usually pdf invoices attached to emails) and change the bank account details for payments.
In a recent case, the FBI reported the successful sentencing of a Lithuania-based BECS scammer who, between 2013 and 2019, successfully scammed USD120 million from two companies.
“It was a big, sophisticated research effort,” said Special Agent Jonathan Polonitza, who investigated this case out of the FBI’s New York Field Office. Armed with these details and two years of research, one of the fraudsters simply called the companies pretending to be a vendor. The caller told each company to change their bank account information for an upcoming payment.
However, incidents of BECS are not limited to business-to-business. In Australia a number of BECS cases were reported where consumers were scammed when making payment for their new Tesla cars.
Rather than enabling final payments through a secure website, Tesla sent the purchasers an email with an invoice for over AUD$70k attached. The email was intercepted by the scammers, the bank details on the invoice were changed, and the customers willingly transferred their payment to what was, unknown to them, the wrong bank account - and then did not get their new Tesla!
And, for end users trying to avoid being a victim of BECS, we give the final word to the FBI:
- Enable multi-factor authentication for all email accounts;
- Verify all payment changes and transactions in person or via a known telephone number;
- Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
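The vendor-impersonation and altered-invoice scenarios above, together with the FBI's advice to verify payment changes via a known telephone number, can be turned into a simple accounts-payable control. The example below is added here and is not the article's or the FBI's code; the vendor registry, invoice fields and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not from the article): screen an emailed invoice against the vendor record on
# file and hold it for out-of-band verification when it shows either BEC pattern described above:
# a lookalike sender domain, or bank details that differ from what the vendor registered.

@dataclass(frozen=True)
class VendorRecord:
    email_domain: str    # domain the vendor's staff legitimately send from
    bsb: str             # bank branch code recorded at onboarding (constructed value)
    account: str
    verified_phone: str  # number recorded at onboarding, never one taken from the email

@dataclass(frozen=True)
class Invoice:
    vendor: str
    sender_email: str
    bsb: str
    account: str
    amount: float

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to tell a lookalike domain (a letter off) from an unrelated one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_invoice(inv: Invoice, registry: dict) -> list:
    """Return the reasons this invoice must be held before payment; empty means it matches the record."""
    rec = registry.get(inv.vendor)
    if rec is None:
        return ["unknown vendor: onboard through a verified channel before paying"]
    reasons = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec.email_domain.lower():
        kind = "lookalike" if edit_distance(sender_domain, rec.email_domain.lower()) <= 2 else "unrelated"
        reasons.append(f"{kind} sender domain {sender_domain} (vendor record says {rec.email_domain})")
    if (inv.bsb, inv.account) != (rec.bsb, rec.account):
        reasons.append(f"bank details differ from vendor record: confirm by calling {rec.verified_phone}")
    return reasons

# Constructed sample data: the vendor on file, a genuine invoice, one altered in transit, one from a lookalike.
REGISTRY = {"Acme Parts": VendorRecord("acme-parts.example", "123-456", "11111111", "+61 2 0000 0000")}
GENUINE = Invoice("Acme Parts", "accounts@acme-parts.example", "123-456", "11111111", 70000.0)
ALTERED = Invoice("Acme Parts", "accounts@acme-parts.example", "987-654", "99999999", 70000.0)
IMPOSTER = Invoice("Acme Parts", "accounts@acme-part.example", "123-456", "11111111", 70000.0)
```

The held invoice is released only after someone calls the number already on file and confirms the change, so a phone number or "updated details" supplied in the email itself never short-circuits the check.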
Director, The Initiatives Group