Brian Sims picks out the main points of the latest report issued by Financial Fraud Action UK which offers both encouragement and a modicum of disappointment for the anti-fraud community.
The latest set of statistics issued by Financial Fraud Action UK show that fraud losses on UK cards decreased in the first half of 2011 compared with the same time last year, as did fraud on online bank accounts.
However, cheque fraud – and fraud on phone banking accounts – increased over the same period.
Total fraud losses on UK cards fell to £169.8 million between January and June 2011. This represents a 9% reduction compared with losses in the first half of 2010. That half-year total is the lowest for eleven years and also the third consecutive decrease.
The sustained fall is due to the success of a number of industry initiatives such as the increasing use of fraud detection software, the roll-out of updated chip cards and the increasing roll-out of Chip and PIN technology abroad.
Lost and stolen card fraud losses rose slightly, increasing by £4.4 million. Initiatives such as Chip and PIN have made it harder to commit ‘high-tech’ frauds, and criminals are instead reverting to more basic frauds centred around stealing people’s cards and PINs.
These scams range from distracting people in shops or at cash machines and then stealing their cards without them noticing through to simply tricking them into handing over their cards and PINs on their own doorstep¹.
Online banking losses on the decline
Online banking fraud losses totalled £16.9 million between January and June 2011, representing a 32% fall on the 2010 half-yearly figure. A variety of factors have contributed to the decrease in online banking fraud, including increased customer awareness of computer security combined with banks’ use of fraud detection software.
Commenting on the survey results, William Beer - a director in PwC's Information and Cyber Security practice - told SMT Online: “While these numbers look very encouraging it's important to recognise the price customers have to pay for safe online banking. Two-factor authentication has now become common, with customers having to carry a keyfob or other device in order to log into their bank accounts. While this has lessened the risk of fraud, it has introduced an element of inflexibility into the system and should not be seen as a silver bullet."
Beer added: “The fact that the banks are doing such a good job in protecting their customers and themselves from online fraud means that organised criminals are now moving more towards other, possibly softer targets, such as the European Carbon Trading Market. It's also important to note that cybercrime is global, as are many of the banks that criminals target, so figures based solely on UK fraud might not tell the whole story."
According to Beer, the threats from the Internet represent a massive challenge shared by public and private sectors worldwide.
"To meet the imperatives of the cyber era, we believe that public and private sector organisations will need to adopt new structures, roles and governance while also engaging in close and continuing collaboration around the cyber agenda with other organisations."
Criminals focused on duping the customer
Phone banking fraud losses rose to £8.6 million (a 48% increase) between January and June. As with card fraud, criminals are focusing on the straightforward crime of duping a customer into believing they are dealing with a bank or police representative and getting them to disclose their financial security details – such as PINs, passwords and login details - which the criminal then uses to access the customer’s bank account over the phone.
Cheque fraud losses increased from £14 million in the first half of 2010 to £16.4 million during the same period in 2011. Although this represents a 17% increase, the overwhelming majority of this type of fraud is stopped before the cheque is paid.
In fact, more than £254 million of attempted cheque fraud was spotted and stopped during the clearing process in the first half of this year.
Fraud figures released by the National Fraud Authority (NFA) earlier in the year serve to put these banking fraud losses into perspective.
The NFA estimated that fraud in all its guises costs the UK more than £38 billion a year – card and banking fraud accounts for only 1.2% of this figure. Furthermore, in the UK - unlike many other countries outside Europe - innocent victims of any type of payment fraud on their debit or credit card or account are protected and should not suffer any financial loss.
DCI Paul Barnard, head of the dedicated Cheque and Plastic Crime Unit (DCPCU) – the special police squad which is sponsored by the banking industry and has an ongoing brief to help stamp out organised payment fraud across the UK – said: “Losses are appreciably lower than they were a few years ago and everyone involved in tackling fraud has reason to be encouraged by this – and that includes bank customers who, as their own frontline of defence, have certainly played their part, too.”
Barnard continued: “However, there has been an increase in old- fashioned scams – criminals using distraction techniques and social engineering methods to get hold of people’s cards or phone banking details. We are urging everyone to be on their guard. Your bank or the police will never cold call you or e-mail you and ask you for your login details, cards or PINs. If anyone does, they are probably a criminal, so hang up the phone or delete the e-mail.”
Reduce your chances of being a victim
Consumers can significantly reduce the chances of being a victim of fraud by following these top tips:
ensure you are the only person who knows your PIN: your bank or the police will never phone or e-mail you and ask you to disclose it
your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’
shield your PIN with your free hand when typing it into a keypad in a shop or at a cash machine
only shop on secure websites: before entering card details ensure that the locked padlock or unbroken key symbol is showing in your browser
rip up or preferably shred statements, receipts and documents that contain information relating to your financial affairs when you dispose of them
never accept a cheque from someone unless you know and trust them, especially if the cheque is for a high value
when writing a cheque make sure you draw a line through all unused space on the payee line and the amount line to help prevent the cheque being fraudulently altered
make sure you have up-to-date anti-virus software installed on your computer
Typical social engineering scams begin with a fraudster phoning and claiming to be from the prospective victim’s bank, and saying either that their systems have flagged up a fraudulent transaction on their card or that their card is due to expire and needs replacing.
By seeming to offer assistance, the fraudster tries to gain the victim’s trust. In most cases the victim is then asked to ‘activate’ or ‘authorise’ the replacement card in advance by keying their PIN into their phone’s handset. The fraudster uses the audio tones from the keypad entries to decipher the victim’s PIN.
The fraudster or an accomplice then poses as a bank representative or a courier to pick up the customer’s card from them at their home, sometimes also giving the victim a replacement card (which is a fake). In some cases, a genuine courier company is hired to pick up the card (which the victim has been asked to place in an envelope). Once they have the victim’s card and the PIN the fraudster uses them to withdraw cash and go on a spending spree.
Reasons for the drop in card fraud
There is no one single reason for the drop in card fraud. Rather, it’s the result of a number of initiatives.
The increasing use of sophisticated fraud screening detection tools by retailers and banks is helping to tackle phone, Internet and mail order fraud (card-not-present fraud).
Additionally, there’s the continuing growth in the use of MasterCard SecureCode, Verified by Visa and American Express SafeKey (online fraud prevention solutions that make cards more secure when online shopping) by both online retailers and cardholders.
The work of the DCPCU has proven highly successful: figures show that it has been responsible for keeping more than £370 million of customers’ money out of criminal hands since its launch in 2002
For its part, the card industry continues to work closely with the retail community to raise awareness of the ways in which retailers can protect their Chip and PIN equipment from criminal attack.
Increasing numbers of retailers are also implementing the cardholder Data Protection processes required of them through the Payment Card Industry Data Security Standard (PCI DSS).
‘Fraud abroad’ losses have fallen by more than two-thirds in the past three years. One of the factors causing this is the fraud detection systems used by the banks and card companies, which monitor for unusual spending - meaning that potential fraud is stopped before it happens.
Investment in technical defence mechanisms
Continued investment by cash machine owners in technical defences to help prevent criminals from copying or skimming the magnetic stripe details from genuine cards has reaped dividends.
Cards with an updated integrated circuit card verification value (iCVV) have been rolled out since 1 January 2008. These cards - there are now 135 million of these cards in issue (as at 31 March 2011) - help tackle the type of fraud seen where fraudsters tamper with chip and PIN terminals to harvest card details.
If an iCVV card was compromised in this way, the data would be useless to the fraudster (ie a fake magnetic stripe card created via a compromise of this type would not work overseas in a non-chip and PIN country).
Issuers are also rolling out Dynamic Data Authentication (DDA) cards and (as at 31 March 2011) there were 74 million of these in issue.
Detail on the anti-fraud organisations
The UK Cards Association is the leading Trade Association for the card payments industry in the UK. With a membership that includes all major credit, debit and charge card issuers and card payment acquirers, the Association advances industry Best Practice, contributes to the development of legislative and regulatory frameworks and safeguards the integrity of card payments by tackling card fraud, developing industry standards and co-ordinating other industry-wide initiatives.
More information about The UK Cards Association is available at www.theukcardsassociation.org.uk
Financial Fraud Action UK is the umbrella under which the financial services industry co-ordinates its activity on fraud prevention, presenting a united front against financial fraud and its effects.
Financial Fraud Action UK (www.financialfraudaction.org.uk) works in partnership with The UK Cards Association on industry initiatives to prevent fraud on credit and debit cards, with the Fraud Control Steering Group on non-card fraud and the Cheque and Credit Clearing Company on credit clearing and cheque fraud.
The Fraud Control Steering Group is an unincorporated association of financial institutions who participate in retail banking and the payments market in the UK. It’s responsible for formulating and implementing policy and ensuring a co-ordinated industry approach to fighting payment, cheque and lending fraud.
The Cheque & Credit Clearing Company (C&CCC) is the industry body that manages the cheque clearing system in Great Britain, including the processing of bankers’ drafts, building society cheques, postal orders, warrants and Government payable orders.
Its wide remit also covers the management of the systems for clearing paper bank giro credits, euro-denominated cheques and US Dollar cheques. C&CCC shares information with Financial Fraud Action UK regarding fraudulent activity in the cheque and credit clearing world.
The Dedicated Cheque and Plastic Crime Unit (DCPCU) is a squad of police officers and banking fraud investigators who work together to help reduce the UK's card and cheque fraud losses. It’s fully sponsored by the banking industry.