Payment-related fraud continues to diversify as EMV chip cards make counterfeit fraud at the point of sale far harder to commit.
For example, the FBI last September said cumulative global losses, as reported to the bureau, from business email compromises and other email fraud totaled $26.2 billion from June 2016 to July 2019. But the problem is likely much bigger, according to findings from interviews with fraud-control executives at 20 of the top 40 U.S. banks queried by research firm Aite Group LLC.
“That’s about one-third of the actual losses,” Trace Fooshee, a senior analyst at Boston-based Aite and former head of fraud strategy at SunTrust Bank, said Tuesday. “We think that number is closer to $100 billion rather than $26 billion.”
Business email compromises typically involve fraudsters tricking or coercing finance employees through authoritative-looking emails into thinking the CEO wants money transferred from a company account into an outside account for a seemingly legitimate reason. Fraudsters, of course, control the recipient account.
Meanwhile, synthetic identity-fraud losses are rapidly growing problem for credit card issuers, according to Kolin Whitley, senior director of North America risk at Visa Inc. While it has several variants, synthetic ID fraud usually involves the creation an identity based on stolen data elements from one or more other people’s identities in order to open credit card accounts or obtain other financial services. Recent estimates attributed 20% of issuers’ credit losses to synthetic ID fraud, according to Whitley, “but I think that number is much higher.”
“It’s a $6 billion-plus industry going on today, it’s ramping up exponentially,” Whitley said, adding that the average loss per account is about $10,000.
Both Whitley and Fooshee were speakers at separate fraud-related sessions Tuesday at the Payments Summit conference in Salt Lake City sponsored by the Princeton Junction, N.J.-based Secure Technology Alliance.
A new threat is so-called “deep-fake” fraud that uses biometric technology to create false facial images or even voices. Card issuers’ call centers have a difficult time flagging sophisticated deep-fake fraud, according to Whitley. “It’s scary,” he said.
There is some good news on the fraud front. According from a new report by security technology provider FireEye Inc., the median “dwell time” in data breaches—the time between a fraudster’s entry into a victim’s computer system to the time of detection—fell to 56 days in 2019 from 78 days in 2018. Dwell times have fallen every year since 2011, when the median was 416 days, according to Milpitas, Calif.-based FireEye. The report is based on global breach investigations by FireEye’s Mandiant unit.
And Visa has reported that counterfeit fraud, the leading type of POS fraud, is way down thanks to the replacement of vulnerable magnetic-stripe cards by EMV cards.