As the payment card industry continues to strengthen its overall fraud posture with the introduction of security features like machine learning fraud detection, chip cards, EMV 3DS (previously termed 3DS 2.0), and one-time passcodes, criminals have resorted to classic techniques such as social engineering to successfully perpetrate account takeovers.
These often include criminals impersonating bank employees, exploiting consumers’ increased comfort with digital communications (an offshoot of the pandemic) to trick them into disclosing account information that the criminal can leverage to conduct or expand fraudulent attacks. One-time passcodes are a prime example of account-related security information that legitimate account holders are duped into sharing with criminals.
Combatting Card Fraud
Continuous cardholder education is critical to fraud prevention success. According to the experts, identity fraud scams can be avoided when the cardholder knows what to look for. For example, they should be suspicious of any company contacting them via phone, text, or email for any reason. Telltale signs include “misspelled email addresses, suspicious requests for money or random messages through social media from criminals claiming to represent a bank,” according to Javelin Research.
Some of the more common account takeover tactics that ICBA Bancard clients report include:
Scams that begin with voice calls and ultimately lead to the cardholder unknowingly downloading malware onto their phone. Cardholders should be leery of links sent to them via SMS (text) and email. Fraudsters often pair malicious links with a well-timed call to the cardholder to make the scam appear more authentic.
SMS messages that mimic suspicious activity alerts but actually include links directing cardholders to a malicious website or to a malware download that puts the cardholder’s personal data at risk. Often, the malware is designed to look like an official app that mirrors what’s on the market today, making it more difficult to spot.
Impersonators who convince the cardholder to reveal personal account information by posing as a trusted entity such as their bank or a government agency like the IRS or a Social Security office. This is typically paired with a phone number spoofing technique to further convince cardholders that the call is from a legitimate source.
Because an educated consumer is often your best bet for preventing the success of social engineering attacks, be on the lookout for opportunities to instruct your cardholders on how to recognize legitimate alerts related to potentially fraudulent activity. Use multiple channels to educate cardholders. Mailers, in-branch educational materials, and warnings on banking websites that require acknowledgement are all effective ways to get the message out to better protect your cardholders.
Your customers are the first line of defense. The more fraud-savvy they become as a result of your bank’s education efforts, the more likely they are to adopt a stronger individual risk posture and avoid behaviors that lead to card- and banking-related losses.