Scams are now bigger business than Payment Fraud

by | Aug 3, 2020 | Newsletter | 0 comments

Just as the losses suffered through payments fraud have reduced through actions taken by the financial services industry (such as Chip&PIN on cards and 2-Factor Authentication on remote transactions), losses suffered through scams have risen sharply, and that is only counting the cost of those scams that are reported, which many are not. Non-reporting can be due to many reasons, for example: loss too small to bother; embarrassment at having been scammed; and lack of recognising/identifying the loss.  Reported or not, scams are on the rise and the problem deserves everyone’s attention.

Scams and Payments Fraud – recognising the difference

Historically, Payments Fraud has been defined as an unauthorised payment on an account made by a third party, the fraudster; that is, the account holder did not authorise for that payment to be made. Whereas a Payments Scam has been defined as an authorised payment on an account made by the account holder themselves (and not by anyone else). Whilst the difference may seem “black and white”, this is not necessarily the case.

Consider the difference between a scam where a customer is convinced that they are paying a legitimate person or company (but in reality it is an imposter/fraudster/criminal) and authorises the payment themselves, versus a scam where a customer unwittingly/unknowingly provides information that enables a scammer to set up and then authorise a payment from the customer’s account. Both are induced by scams, however the first is legitimately authorised by the customer, whilst the second is authorised by the scammer (posing as the customer).

Definitions – an inexact science

Looking at Australia, the Australian Competition & Consumer Commission (ACCC) has been tracking the rise of scams for some time. Table 1 below from ACCC Scamwatch[1] shows the top 10 types of scam reported by scam victims during the first half of 2020. Phishing and Identity Theft are in the top 3, and, as noted above, these could result in payments being authorised by the criminal “impersonating” the account holder. More important for this discussion are the top 10 scams by the amount of loss, shown in the second table. In fact, during the first 6 months of 2020, 13.5% of reported scams resulted in an actual financial loss.

Whilst the categories in Table 2 appear straightforward, it should be noted that 4 of these did not appear in the same table published in 2017. The arrival of “new” categories illustrates both how the scam environment is evolving and the difficulties in specifying appropriate definitions that clearly characterise the various forms of criminal activity.

Indeed, different countries use different terms; for example, FinanceUK brackets scams within two categories[2]

  1. Malicious Payee: within which Purchase scam, Investment scam, Romance scam and Advance fee scam are included; and
  2. Malicious Redirection: covering Invoice & Mandate scam, CEO Fraud, Impersonation (most frequently police and bank staff), and Other.

Scams – by the numbers

The ACCC Scamwatch service publishes financial loss data for what is reported/known, and these losses have been growing at an accelerating rate: total losses in 2019 were AUD143 million, a 34% increase on the 2018 figure of AUD107 million, itself an 18% increase on 2017.  The “run rate” for the first half of 2020 suggests that losses will grow again this year, perhaps beyond AUD160 million.  While Scamwatch.gov.au is the primary Government website used by Australians to report scams, the ACCC estimates that only around 13 per cent of victims make a report.

 

At a more granular level, whilst the total number of cases reported to the ACCC has not changed significantly since 2017, over the last 3 years:

  • The proportion of scams which have involved financial loss has increased by 51%;
  • The average loss in each incident has increased by 15%, from $6,462 to $7,449; and
  • The total reported loss has increased by ~60% from $90.8m in 2017 to $143 million in 2019.

However, the ACCC Scamwatch is only one of the services to whom Australian consumers and businesses can report scams, and the ACCC has led an effort to bring all of the information into one place.  For 2019, this shows that total reported scam losses in Australia amounted to AUD634 million (a 30 per cent increase on 2018, when AUD489 million was reported lost), eclipsing the total amount of payments fraud occurring on Australian accounts –  with these figures heading in different directions. 

Based on the combined data, the greatest losses in Australia in 2019 by type of scam were:

  • AUD132 million lost to business email compromise scams;
  • AUD126 million lost to investment scams; and
  • AUD$83 million lost to dating and romance scams.

Scammers continued to target businesses in 2019, with business email compromise scams causing the largest losses of any scam type. These scams affect businesses, suppliers and individuals by tricking people into paying invoices to scammers’ bank accounts instead of the legitimate account.

Scammers have moved to unexpected platforms to target victims. For example, in 2019 ACCC saw dating and romance scammers targeting unsuspecting victims through gaming apps, such as Words With Friends, and investment scammers targeting Facebook and Instagram users with ‘get rich quick’ cryptocurrency investment scams.

Is Australia unique?

No. Whilst scammers may or may not be global operators (which is certainly the case with payment fraudsters), scamming is a growing global “industry” with many common contact methods and scam methodologies used across multiple jurisdictions. Scam related financial loss is increasing just about everywhere.  In the UK, the value of scam losses rose by 29% in 2019 compared to the prior year, with reported cases up 45% over the same period.[3]

 

The table to the right shows the scam activity experienced in the USA in 2019, where the number of scam incidents increased by 21% and the value of losses rose by 28% as compared with 2018 data.[4]  The top method for scammers contacting consumers was via phone[5]; it is the same in Australia, where the most common contact method for all scams is email, but phone has been the #1 contact method associated with scams that result in financial loss.

 

However, it is not bad news everywhere. In New Zealand, the value of scam related losses in the 12 months to June 2019 was reported to be the same as in the prior year. Of concern, however, is that the number of scams resulting in financial loss almost doubled.[6]

What the future may hold

Predictions on fraud and scams are almost impossible to make, as criminals are always changing their methods and targets, partly to circumvent mitigations that have been enacted. They are opportunists. Globally, the COVID-19 pandemic has seen a spike in scams seeking to exploit fears about the virus, which included targeting government grants/payments and superannuation withdrawals. Indeed, in Australia there was also a spike in scam activity early in 2020 related to bushfire donations.

 
Table 3 shows that in the UK, where requirements for strong authentication are in force (placing controls on Card-Not-Present fraud), scams (also know as “Authorised Push Payments”) comprise 36% of total financial “fraud” losses.  As the financial services industry continues to rein in payments fraud, the importance of scam losses will almost certainly increase in the future around the globe. 

[Source: UK Finance]

 

Also in the UK it will be no surprise that 95% of scam transactions were via the Faster Payments platform, which has been operating for much longer than Australia’s NPP, where transfer to the scammer’s account is immediate and there is no, or little, recourse.

Unfortunately scammers will continue to invent new scams to which consumers, businesses, financial institutions and government will need to be alert.

The action plan: Education, Awareness, Tracking

Governments and financial institutions are taking responsibility to educate themselves, consumers and businesses regarding the types of scams and the circumstances scammers are exploiting to deceive account holders. Banks are doing more to identify account takeovers and shut down “fake named” and “mule” accounts that scammers use to receive payments, but that may not stop payments being received in the first place and then immediately funnelled out to out-of-reach locations.

Consumers and businesses need to become more aware of any external efforts influencing them to authorise what might be a fraudulent/scam payments, and immediately report their suspicions to their bank and the relevant Government authorities. In Australia, this is the Australian Cyber Security Centre (https://www.cyber.gov.au).  

One consistently strong message is that consumers need to protect their personal information. Scammers seek to steal money but, more often than not, their methods also involve the collection of personal information and data. Scammers use personal data to steal identities, open loans, and steal or launder money.

The ACCC[7] notes that a key pillar in scam prevention is the importance of telling others about scam experiences, or ‘word of mouth’. Many people who avoided scams did so because their friends or family had told them about the scams, or that the approach or experience seemed suspicious.

Remember, if something is too good to be true or if a demand for payment appears overly unreasonable, then it probably is and should be either ignored or authenticated via separate communications. Stay safe.