From safeguarding online purchases to strengthening eCommerce ecosystems, strong customer authentication (SCA) helps confirm remote electronic transactions, reshaping the digital commerce landscape.
While its mandatory implementation in Europe has effectively curbed fraud stemming from the theft of customers’ credentials, a new report by the European Banking Authority (EBA) revealed a concerning trend. Despite the presence of SCA, fraudsters have managed to adapt, employing increasingly sophisticated techniques, especially social engineering tactics.
Fraudulent activities now encompass three primary categories: manipulation of the payer; mixed social engineering and technical scams; and enrollment process compromise, the report said.
When it comes to manipulation of the payer, fraudsters employ social engineering tactics to coerce customers into making payments directly to them, per the report. These techniques often exploit personal information gathered from social networks, and perpetrators may impersonate trusted entities such as relatives, friends, business associates or a payment service provider (PSP). In the corporate space, schemes like “CEO fraud” involve duping employees into initiating large payments under false pretenses.
Mixed social engineering and technical scams blend phishing techniques like vishing and smishing to pilfer customers’ personal security credentials, the report said. Subsequently, fraudsters employ social engineering tactics to persuade payment service users (PSUs) to approve fraudulent transactions. Unlike typical impersonation schemes, fraudsters in this category directly tamper with victims’ accounts, heightening the risk.
Meanwhile, enrollment process compromise involves fraudsters exploiting vulnerabilities in enrollment procedures to register their devices as a secondary factor for SCA, supplementing stolen credentials obtained through phishing, smishing or vishing. This maneuver grants them total control over payment accounts to execute multiple fraudulent transactions, according to the report.
Additionally, the report highlighted that instant credit transfers, or instant payments, exhibit an elevated fraud rate compared to traditional credit transfers. This phenomenon is partially attributed to the limited ability PSPs have to recoup funds in cases of fraudulent instant payments, compounded by the swift execution time of these transactions.
Nick Fleetwood, head of data services at Form3, underscored the susceptibility of instant payments to fraud earlier this year, citing an increase in both fraud losses and instances of attacks over recent years.
“We’ve seen a 27% increase in fraud losses, but a 68% increase in cases [of instant payment-based attacks] over the last three years because there’s the ability to tie in a sense of urgency,” Fleetwood told PYMNTS in January.
In response to these evolving fraud dynamics, the EBA proposed additional security measures, including a Third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR), to complement existing regulatory frameworks, acknowledging the need for a multifaceted approach to combat fraud effectively.
Fleetwood, for his part, emphasized the importance of a collective effort in using technology and data analysis to create a robust defense mechanism against fraudulent activities. He also highlighted the concept of “consortium intelligence,” where all stakeholders contribute to a shared data model, as instrumental in keeping fraudsters at bay.
The consortium approach has proven effective at identifying 80% of fraud within a system, he said.
“This makes it very inefficient for a fraudster [to be successful] using instant payments because they’re in a position where 80% of that fraud will be stopped,” he said. “Consortium intelligence will become a key aspect in the fight against fraud in instant payments … and beyond.”