FRAUD THE FACTS 2016 THE DEFINITIVE OVERVIEW OF PAYMENT INDUSTRY FRAUD

Financial Fraud Action UK (FFA UK) is responsible for leading the collective fight against fraud in the UK payments industry. Its membership includes the major banks, credit, debit and charge card issuers, and card payment acquirers. Through industry collaboration FFA UK seeks to be the authoritative leader in defending consumers and businesses from financial fraud, by creating the most hostile environment in the world for fraudsters.

FFA UK’s primary role is to drive collaborative action to reduce the impact of financial fraud and scams both across the industry, and with partners in the public sector, private sector, and law enforcement.

FRAUD THE FACTS 2016 FINANCIAL FRAUD ACTION UK 3

FFA UK’s key aims are to:

Provide a single cohesive industry voice on financial fraud

Lead collaborative industry-wide activity to prevent and control financial fraud

Uphold the reputation of the industry by demonstrating its record on fraud prevention.

It does this by:

Managing the Industry Strategic Threat Management Process, which provides an up-to-the-minute picture of the threat landscape

Sponsoring the Dedicated Card and Payment Crime Unit, a unique proactive operational police unit, with a national remit, formed as a partnership between FFA UK, the City of London Police and the Metropolitan Police Service

Acting as the single point of contact for companies suffering data breaches to ensure that compromised account information can be speedily, safely and securely repatriated to the banks

Delivering UK-wide awareness campaigns to inform customers about threats and how to stay safe

Managing intelligence-sharing through the payments industry fraud intelligence hub (Financial Fraud Bureau) and the Fraud Intelligence Sharing System (FISS) which feeds intelligence to police and other agencies in support of law enforcement activity

Informing commentators and policymakers through a press office and public affairs function

Providing expert security assessments of new technology, as well as the impact of new legislation and regulation

Publishing the official fraud losses for the UK payments industry, as well as acting as the definitive source of industry fraud statistics and data

Formulating and implementing the industry fraud data intelligence sharing strategy.


FFA UK and its members are also fully engaged in, and committed to the work of, the Joint Fraud Taskforce recently launched by the Home Secretary to use the collective powers, systems and resources of government, law enforcement and industry to crack down on financial fraud.

FFA UK works in partnership with The UK Cards Association in developing and delivering fraud strategy on credit, debit and charge cards. UK Cards is the trade body for the card payments industry in the UK, representing financial institutions which act as card issuers and acquirers.

It also works with the Cheque and Credit Clearing Company (C&CCC), who are the industry body that manages the cheque clearing system in Great Britain. This includes the processing of bankers’ drafts, building society cheques, postal orders, warrants and government payable orders.

Criminals are increasingly using scams to trick people into disclosing their personal details or parting with their money. Raising public awareness is key to beating the fraudsters. This year we will be launching a major multisector campaign, helping people to avoid becoming a victim of frauds and scams.

INTRODUCTION

Katy Worobec, Director, Financial Fraud Action UK

CONTENTS

Introduction

Overview of fraud

Card fraud

Remote purchase fraud

Counterfeit card fraud

Lost and stolen card fraud

Card ID theft

Card non-receipt fraud

UK retailer face-to-face card fraud losses

Internet/e-commerce fraud

Card fraud at UK cash machines

Card fraud abroad

Cheque fraud

Online banking fraud

Phone banking fraud

Phishing

Preventing fraud

Membership list

Glossary


TRENDS AND STATISTICS


Drivers of the changing fraud figures

While it is not possible to place specific monetary values on particular modus operandi, intelligence reported into FFA UK by its members points to the key drivers behind the reported figures.

The rise across all fraud loss types during 2015 owes much to the growth of impersonation and deception scams, as well as sophisticated online attacks such as malware and data breaches.

These methods all aim to compromise customers’ personal and financial details, including card data, in order to enable the criminals to commit fraud.

In an impersonation and deception scam, a criminal approaches a customer purporting to be from a legitimate organisation. These scams typically involve a phone call, text message or email, in which the criminal claims to be from a trusted organisation such as a bank, the police, a utility company or a government department.

The fraudulent approach often claims that there has been suspicious activity on the recipient's account or that their account details need to be ‘updated’ or ‘verified’. The criminal then attempts to trick their victim into giving away their personal or financial information, such as passwords or passcodes, or into transferring money directly to the fraudster.

2015 overview

Financial fraud losses across payment cards, remote banking and cheques totalled £755 million in 2015, an increase of 26 per cent compared to 2014.

Prevented fraud totalled £1.76 billion in 2015. This represents incidents that were detected and prevented by the banks and card companies and is equivalent to £7 in every £10 of attempted fraud being stopped. It is the first time the full-year prevented fraud figure has been collected by FFA UK.

Financial fraud includes 1st and 3rd party fraud on all core banking products/services (including credit and charge cards, current accounts and debit cards, savings accounts, cheques, overdrafts and loans), channels (including point of sale, remote purchases, online/telephone banking, branch counter) and customers (personal and business).

There have been several high profile data breaches reported in 2015, along with more frequent lower level attacks. This data can be used to commit fraud directly, for example the use of stolen card details to make remote purchases. Other personal and financial information obtained in a breach can be used in impersonation scams, while the publicity around the incident itself can be used to add authenticity to the fraudulent approach.

Criminal gangs also use malware [malicious software which is unknowingly downloaded onto a device or computer] and phishing emails as a means to compromise customers’ security and personal details. Once obtained, fraudsters will use these details to access customer accounts or to commit fraud.

TOTAL 2015 FINANCIAL FRAUD LOSSES BY TYPE

Payment card 75%; Remote banking 22%; Cheque 3%

CARD FRAUD

£567.5m VALUE (+18%); 1,487,111 CASE VOLUME (+15%)

Overall card fraud losses as a proportion of the amount we spend on our cards have increased during 2015, rising from 7.5p per £100 spent in 2014 to 8.3p per £100 in 2015 (in 2008 it was 12.4p for every £100 spent).

These trends owe much to the use of deception crimes, as well as the use of online attacks, such as malware and data hacks, to compromise card details. In response, the industry has redoubled its efforts to warn consumers and online businesses to install security software which is often available for free from a customer’s own bank. To prevent stolen card details being used to make purchases online, retailers are advised to take steps to improve their security, including use of online protection services (including American Express ‘SafeKey’, MasterCard ‘SecureCode’ and ‘Verified by Visa’).

Fraud volumes

FFA UK also publishes the number of fraud incidents to convey more fully the dynamics of the fraud environment in the UK. The data follows much the same trend as fraud by value, with 2015 figures showing a significant increase in comparison to 2014, particularly in the remote purchase (card-not-present (CNP)) and Card ID theft categories.

Fraud losses on UK-issued cards totalled £567.5 million in 2015, an 18% increase from £479 million in 2014; the fourth consecutive year of increase. However, losses are still 6% lower than the peak of £609.9 million seen in 2008. At the same time, total spending on all debit and credit cards reached £856 billion in 2015, with 17.4 billion transactions made during the year.

[Chart: FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

ANNUAL FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015

All figures in £ millions

| FRAUD TYPE | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Remote Purchase (CNP) | 212.7 | 290.5 | 328.4 | 266.4 | 226.9 | 220.9 | 246.0 | 301.0 | 331.5 | 398.2 | 20% |
| Of which e-commerce | 154.5 | 178.3 | 181.7 | 153.2 | 135.1 | 139.6 | 140.2 | 190.1 | 219.1 | 261.5 | 19% |
| Counterfeit | 98.6 | 144.3 | 169.8 | 80.9 | 47.6 | 36.1 | 42.1 | 43.4 | 47.8 | 45.3 | -5% |
| Lost & Stolen | 68.5 | 56.2 | 54.1 | 47.9 | 44.4 | 50.1 | 55.2 | 58.9 | 59.7 | 74.1 | 24% |
| Card ID Theft | 31.9 | 34.1 | 47.4 | 38.1 | 38.1 | 22.5 | 32.2 | 36.7 | 29.9 | 38.2 | 28% |
| Card non-receipt | 15.4 | 10.2 | 10.2 | 6.9 | 8.4 | 11.3 | 12.8 | 10.4 | 10.1 | 11.7 | 16% |
| TOTAL | 427.0 | 535.2 | 609.9 | 440.3 | 365.4 | 340.9 | 388.3 | 450.4 | 479.0 | 567.5 | 18% |
| UK | 309.9 | 327.6 | 379.7 | 317.6 | 271.5 | 260.9 | 286.7 | 328.4 | 328.7 | 379.8 | 16% |
| Fraud Abroad | 117.1 | 207.6 | 230.1 | 122.7 | 93.9 | 80.0 | 101.6 | 122.0 | 150.3 | 187.7 | 25% |

Due to the rounding of figures, the sum of separate items may differ from the totals shown. E-commerce figures are estimated.

[Chart: FRAUD TURNOVER RATIO 2006–2015. Fraud-to-turnover ratio (%) for each year, with arrows showing percentage change on previous year’s total.]

The fraud-to-turnover ratio places the card fraud losses in the context of the ever increasing use of cards. Fraud-to-turnover for all payment cards increased to 0.083% in 2015, equivalent to 8.3 pence of fraud for every £100 spent.

ANNUAL CASE VOLUMES ON UK-ISSUED CARDS 2011–2015

It is important to note that number of cases relates to the number of cards that have been defrauded, as opposed to the number of victims.

| CARD FRAUD TYPE ON UK-ISSUED CREDIT AND DEBIT CARDS | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| Remote Purchase (CNP) | 709,402 | 750,200 | 951,998 | 1,019,146 | 1,194,482 | 17% |
| Counterfeit (skimmed/cloned) | 81,112 | 98,322 | 101,109 | 99,729 | 92,670 | -7% |
| Fraud on lost or stolen cards | 104,467 | 113,003 | 138,967 | 133,943 | 152,727 | 14% |
| Card ID theft | 15,420 | 24,078 | 30,718 | 26,542 | 36,318 | 37% |
| Card non-receipt | 8,536 | 9,018 | 9,125 | 9,302 | 10,914 | 17% |
| TOTAL | 918,937 | 994,621 | 1,231,917 | 1,288,212 | 1,487,111 | 15% |

[Charts: CARD FRAUD LOSSES SPLIT BY TYPE, as percentage of total losses. Two pie charts, each with segments for remote purchase, card not received, ID theft, counterfeit card and lost / stolen card.]

Remote purchase fraud (internet, telephone, mail order)

The vast majority of this type of fraud involves the use of card details that have been fraudulently obtained through methods such as unsolicited emails or telephone calls or digital attacks such as malware and data hacks. The card details are then used to undertake fraudulent purchases over the internet, phone or by mail order. It is also known as ‘card-not-present’ (CNP) fraud.

Online fraud against UK retailers totalled an estimated £155.5 million in 2015, a rise of 13% on the previous year. However, there was also a substantial rise in fraud against online retailers based abroad, rising 27% to £103 million.

£398.2m VALUE (+20%); 1,194,482 CASE VOLUME (+17%)

[Chart: REMOTE PURCHASE (CNP) FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Counterfeit card fraud

Counterfeit card fraud occurs when a fake card is created by fraudsters using compromised details from the magnetic stripe of a genuine card. This type of fraud typically occurs as a result of criminals stealing details from the magnetic stripe on UK cards which are then used to make fake magnetic stripe cards for use overseas in countries yet to adopt chip cards.

£45.3m VALUE (-5%); 92,670 CASE VOLUME (-7%)

[Chart: COUNTERFEIT CARD FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Lost and stolen card fraud

This category covers fraud on cards that have been reported by the cardholder as lost or stolen. Lost and stolen cards can be used in shops that do not have Chip & PIN, or to commit a fraudulent telephone, internet or mail order transaction. If the PIN is also obtained, the card could be used in a shop or at a cash machine.

Initiatives such as Chip & PIN have made it harder to commit fraud using a card without also having the PIN. Fraudsters are instead focused on crimes which enable them to steal people’s cards and PINs. These range from distracting people in shops or at cash machines and then stealing their cards without them noticing (distraction thefts), to simply tricking them into handing over their cards and PINs on their own doorstep (often referred to as courier scams or telephone scams).

£74.1m VALUE (+24%); 152,727 CASE VOLUME (+14%)

[Chart: LOST AND STOLEN FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Card ID theft

Card ID theft occurs when a criminal uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account held in someone else’s name. This type of fraud is split into two categories, third-party application fraud and account takeover fraud.

£38.2m VALUE (+28%); 36,318 CASE VOLUME (+37%)

APPLICATION FRAUD: £14.1m (+38%)

Application fraud occurs when criminals use stolen or fake documents to open an account in someone else’s name. For identification purposes, criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Alternatively, they may use counterfeit documents.

ACCOUNT TAKEOVER: £24.1m (+22%)

This involves a criminal fraudulently using another person’s bank, credit or debit card account, first by gathering information about the intended victim, then contacting their bank or credit card issuer to masquerade as the genuine account or card.

The criminal then arranges for funds to be transferred out of the account, or will change the address on the account and ask for new or replacement cards to be sent, which are then used fraudulently.

[Chart: ID THEFT ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Card non-receipt fraud

This type of fraud involves cards being stolen whilst in transit – after the card company sends them out and before the genuine cardholder receives them. Properties with communal letterboxes, such as flats and student halls of residence, and people who do not get their mail redirected when they change address are all vulnerable to this type of fraud.

£11.7m VALUE (+16%); 10,914 CASE VOLUME (+17%)

[Chart: MAIL NON-RECEIPT FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

PLEASE NOTE: Figures in the following sections relate to the places where the card was used fraudulently rather than how the card or card details were compromised. This is simply another way of breaking down the overall payment card fraud totals and so these figures should not be treated as an addition to those already covered in the earlier sections. Case volumes are not available for the place of misuse as it is feasible that one case could cover multiple places of misuse. So, for example, a lost or stolen card could be used to make an ATM withdrawal and also purchase goods on the high street.

UK retailer face-to-face card fraud losses

Fraud losses on face-to-face purchases on the UK high street increased by 8% in 2015 to £53.5 million. However, losses are still 76% lower than the peak of £218.8 million in 2004, prior to the roll out of Chip & PIN in the UK.

The majority of this fraud is undertaken using more basic techniques, with fraudsters finding ways of stealing both the card and PIN in order to carry out fraudulent transactions in shops and stores. For example, criminals are targeting cards and PINs through distraction thefts and shoulder surfing, as well as social engineering methods to dupe victims into handing over their cards on their own doorstep. This is because Chip & PIN has closed down opportunities for criminals to use compromised cards in the UK.

These totals include fraud incidents on both contactless cards and mobile devices. Fraud on contactless cards and devices remains low with £2.8 million of losses during 2015, compared to spending of £7.75 billion over the same period. This is equivalent to 3.6p in every £100 spent using contactless technology while fraud on contactless cards and devices accounts for only 0.5 per cent of overall card fraud.

£53.5m VALUE (+8%)

[Chart: CARD FRAUD LOSSES AT UK RETAILERS (FACE-TO-FACE TRANSACTIONS) 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Internet/e-commerce fraud

These figures are included within the overall remote purchase (CNP) fraud losses described in the previous section. An estimated £261.5 million of e-commerce fraud took place on cards in 2015, accounting for 46% of all card fraud and 66% of total remote purchase fraud.

E-commerce fraud has now reached its highest point since data collection began in this area. However, this is to be anticipated given the considerable increase in genuine usage in this channel over the last 10 years with spending reaching £211 billion in 2015, meaning that for every £100 spent on the internet only 12.4p is fraudulent.

Please Note: These figures include spending and losses outside the UK.

£261.5m VALUE (+19%)

[Chart: INTERNET/E-COMMERCE FRAUD LOSSES ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Card fraud at UK cash machines

These figures show how much fraud takes place at cash machines in the UK on stolen cards, or where a card account has been taken over by the fraudster; in all cases the fraudster would need to have access to the genuine PIN and card. Some losses result from cardholders keeping their PIN written down in a purse or wallet, which is then stolen.

Fraudsters also target cash machines in order to compromise or steal cards or card details in three main ways:

Entrapment devices: Inserted into a cash machine’s card slot, these devices retain the card inside the machine. The criminal then tricks the victim into re-entering their PIN while the criminal watches. After the cardholder gives up and leaves, the criminal removes the device with the card and subsequently withdraws cash.

Skimming devices: Attached to the cash machine to record the details from the magnetic stripe of a card while a miniature camera captures the PIN being entered. A fake magnetic stripe card is then produced and used with the genuine PIN to withdraw cash at machines overseas, which have yet to be upgraded to Chip & PIN.

Shoulder surfing: Criminals watch the cardholder entering their PIN, then steal the card using distraction techniques or pick pocketing.

£32.7m VALUE (+20%)

[Chart: FRAUD LOSSES AT UK CASH MACHINES 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

Card fraud abroad

The majority (67%) of this type of fraud is attributed to remote purchase fraud at retailers based overseas. This category also includes those cases where criminals steal magnetic stripe details from UK cards to make counterfeit cards for use overseas in countries yet to upgrade to Chip & PIN. However, this type of fraud has fallen when compared to previous years as a result of the increased adoption of chip technology around the world.

International fraud losses for 2015 were £187.7 million, compared with losses at their peak in 2008 of £230.1 million, a decrease of 18%.

£187.7m VALUE (+25%)

[Chart: FRAUD COMMITTED ABROAD ON UK-ISSUED CARDS 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

[Chart: TOP FIVE COUNTRIES FOR FRAUD ACQUIRED IN THE UK ON FOREIGN-ISSUED CARDS. Losses are shown as a percentage of total fraud at UK acquired merchants on foreign issued cards.]

[Chart: TOP FIVE COUNTRIES FOR FRAUD ABROAD 2012–2015. UK issued cards or card details used fraudulently overseas.]

Countries shown across the two charts include USA, Canada, France, Australia, Germany, Luxembourg, Italy and Ireland.

CHEQUE FRAUD

There are three types of cheque fraud: counterfeit, forged and fraudulently altered.

Counterfeit cheque fraud: £8.5m

Counterfeit cheques are printed on non-bank paper to look exactly like genuine cheques and are drawn by a fraudster on genuine accounts.

Forged cheque fraud: £5.6m

A forged cheque is a genuine cheque that has been stolen from an innocent customer and used by a fraudster with a forged signature.

Fraudulently altered cheques: £4.8m

A fraudulently altered cheque is a genuine cheque that has been made out by the genuine customer, but a fraudster has altered the cheque in some way before it is paid in, e.g. by altering the beneficiary’s name or the amount of the cheque.

£18.9m VALUE (-6%); 5,746 CASE VOLUME (-30%)

41%

29%

27%

[Chart: CHEQUE FRAUD LOSSES 2006–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

ANNUAL CASE VOLUMES CHEQUE FRAUD 2011–2015

| | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| CHEQUE FRAUD | N/A | 15,539 | 10,471 | 8,168 | 5,746 | -30% |

ONLINE BANKING FRAUD

Online banking fraud occurs when the fraudster gains access to, and transfers funds from, an individual’s online bank account.

In some cases, an individual may be duped by a criminal into making a fraudulent money transfer themselves.

A variety of factors are believed to have contributed to the increase in online banking fraud, but it has been driven by a change in attack methods with criminals using social engineering scams such as phishing, vishing (phishing over the phone) in combination with more sophisticated online attacks such as infecting computers with malicious software (malware).

Collection of industry fraud losses for online banking fraud began in June 2009. Case volumes were not collected until 2012.

£133.5m VALUE (+64%); 19,691 CASE VOLUME (+23%)

[Chart: ONLINE BANKING FRAUD LOSSES 2010–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

ANNUAL CASE VOLUMES ONLINE BANKING FRAUD 2011–2015

| | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| ONLINE BANKING FRAUD | N/A | 16,355 | 13,799 | 16,041 | 19,691 | +23% |

PHONE BANKING FRAUD

This fraud happens when a criminal fraudulently accesses the victim’s phone banking account.

To do this the criminal needs to be in possession of specific personal and financial information about the victim, to convince the phone banking system or operator that they are the genuine account holder. A criminal will use a variety of ways to acquire information about an intended victim such as social engineering, phishing, and vishing (by pretending to be from a trusted organisation such as a bank or the police).

Collection of industry fraud losses for telephone banking fraud began in June 2009. Case volumes were not collected until 2012.

£32.3m VALUE (+92%); 11,380 CASE VOLUME (+97%)

[Chart: PHONE BANKING FRAUD LOSSES 2010–2015. Annual losses in £ millions for each year, with arrows showing percentage change on previous year’s total.]

ANNUAL CASE VOLUMES FOR TELEPHONE BANKING FRAUD 2011–2015

| | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| TELEPHONE BANKING FRAUD | N/A | 7,095 | 5,596 | 5,778 | 11,380 | +97% |

PHISHING

Phishing describes the practice of sending emails at random, purporting to come from a genuine company such as a bank, but increasingly other organisations such as HMRC, in an attempt to trick customers of that company into disclosing information at a bogus company website operated by fraudsters.

Fraudsters send out thousands or even millions of spam emails trying to convince people to click on a link that will send them to the fake site. These emails usually claim that it is necessary to ‘update’ or ‘verify’ a password, and they urge people to click on a link from the email that takes them to the bogus bank website. Any information entered on the bogus website or form will be captured by the criminals for their own fraudulent purposes.

NUMBER OF PHISHING WEBSITES TARGETED AGAINST UK BANKS AND BUILDING SOCIETIES 2006–2015

| 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|---|---|---|---|---|---|
| 14,156 | 25,797 | 43,991 | 51,161 | 61,873 | 111,286 | 256,641 | 26,995 | 23,729 | 16,462 |

COMBATTING FINANCIAL FRAUD

FFA UK delivers programmes of collaborative fraud prevention activity which combine education and awareness, intelligence-sharing and law enforcement. This work is driven by the Industry Strategic Threat Management process making it responsive to the changing patterns in fraud in the market.

This integrated approach is designed to prevent avoidable fraud, to effectively identify patterns where fraud has been committed, and to support law enforcement in bringing the criminals to justice following an attack. To ensure a coordinated response to threats, we provide expert fraud prevention advice on new initiatives pioneered by the financial services industry – for example, on account switching and mobile payments. We also engage stakeholders, including regulators and government, to ensure that regulation works in step with fraud prevention programmes.

More information is available in the FFA UK Annual Review 2016 and on the website at:

www.financialfraudaction.org.uk

LIST OF MEMBERS as at 31 December 2015

Allied Irish Bank Group (UK) plc

American Express Services Ltd

MBNA Ltd

Bank of Ireland UK

Barclays Bank plc

Capital One (Europe) plc

C Hoare and Co

Citi Bank

Clydesdale Bank

The Co-operative Bank plc

Coventry Building Society

Danske Bank (trading name of Northern Bank Ltd)

Elavon Financial Services

First Data Europe Ltd

Global Payments UK Ltd

HSBC Bank plc

Investec Bank plc

Lloyds Banking Group plc

Metro Bank plc

Nationwide Building Society

NewDay Ltd

Royal Bank of Scotland Group plc

Sainsbury’s Bank plc

Santander UK plc

Tesco Bank plc

TSB Bank plc

Valitor hf

Vanquis Bank Ltd

Virgin Money UK

Worldpay (UK) Ltd

Yorkshire Bank

Yorkshire Building Society


GLOSSARY


Account takeover (ACTO)This involves a criminal fraudulentlyusing another person’s credit or debitcard account, first by gathering information about the intended victim,then contacting their bank or credit cardissuer whilst masquerading as the genuine cardholder. The criminal willthen arrange for funds to be transferredout of the account, or will change theaddress on the account and ask for newor replacement cards to be sent to thenew address.

AcquirerA corporation or financial institution with a business relationship with merchants, retailers and other serviceproviders to process their payment cardtransactions. Acquirers obtain financialsettlement from the card issuers, typically via the card schemes whichmaintain the clearing systems, and pay the proceeds to the merchant, charging a fee.

Application fraudApplication fraud occurs when criminalsuse stolen or fake documents to openan account in someone else’s name.

Card-not-presentCard account details alone are used to carry out a payment transaction. See also MOTO. Also known as remotepurchase fraud.

Card security codeThese are the three or four digits shownon the signature strip on the back of thecard (or front of the card for AmericanExpress). Also called card verificationdata, card verification number, card verification value, card verification valuecode, card verification code, verificationcode, card code verification, or signaturepanel code.

Card ID theftThis type of fraud occurs when a criminaluses a fraudulently obtained card orcard details, along with stolen personalinformation, to open or take over a cardaccount held in someone else’s name.

Card issuerA bank, building society or other organisation issuing payment cards, ATM cards or cheque guarantee cards toits customers. For payment and ATM-onlycards the card issuer undertakes responsibility to settle transactionsmade with the card (except in somecases where fraud has occurred).

Charge cardA payment card, enabling holders tomake purchases and to draw cash up to a pre-arranged ceiling, the terms ofwhich include the obligation to settle theaccount in full at the end of a specifiedperiod. Cardholders are normallycharged an annual fee.

Counterfeit card
A card which has been printed, embossed or encoded so as to purport to be a legitimate card but which is not genuine because the issuer did not authorise the printing, embossing, or encoding.

Counterfeit cheques or drafts
Cheques or drafts that are manufactured, printed or copied onto non-cheque paper but usually drawn on accounts and presented for payment via the clearing system, special presentation, over the counter etc.

Credit card
A payment card enabling the holder to make purchases and to draw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged on the amount of any extended credit; in the case of cash withdrawals, interest is normally charged from the transaction date. Cardholders may be charged an annual fee.

Credit card cheque
Many credit card issuers offer a facility to cardholders that enables them to draw cheques on their credit card account provided they are within their credit limit. Typically these are used for balance transfers, e.g. in repayment of an outstanding loan from another lender, and for payments to third parties where there are no facilities to use a card.

Dedicated Card and Payment Crime Unit (DCPCU)
The Dedicated Card and Payment Crime Unit is a unique pro-active police unit, with a national remit, formed as a partnership between Financial Fraud Action UK, the City of London Police and the Metropolitan Police together with the Home Office. It is fully sponsored by the cards and banking industries, with an on-going brief to investigate, target and, where appropriate, arrest and seek successful prosecution of offenders responsible for card, cheque and payment fraud crimes. It is headed up by a Detective Chief Inspector and comprises officers from the Metropolitan and City of London police forces who work alongside banking industry fraud investigators and support staff.

E-commerce
Transactions which are conducted over an electronic network where the buyer and merchant are not at the same physical location e.g. payment card transactions via the internet.

Financial Fraud Action UK
Financial Fraud Action UK (FFA UK) is responsible for leading the collective fight against fraud in the UK payments industry. Its membership includes the major banks, credit, debit and charge card issuers, and card payment acquirers. Through industry collaboration FFA UK seeks to be the authoritative leader in defending consumers and businesses from financial fraud, by creating the most hostile environment in the world for fraudsters.

Financial Fraud Bureau
An intelligence unit responsible for managing the payment industry’s co-ordinated initiatives on data sharing to reduce financial fraud. It provides data directly to law enforcement, including the DCPCU and the National Fraud Intelligence Bureau.

First party fraud
Where the genuine customer has knowingly committed fraud on their own financial product e.g. credit card.

Liability
The obligation to pay an amount owing. In the case of card fraud, liability is used to refer to the party that is responsible for covering or absorbing the amount defrauded in respect of a cardholder dispute.

Mail non-receipt fraud
Involves cards being stolen while in transit – after card companies send them out and before the genuine cardholders receive them.

Mail order / Telephone order (MOTO) fraud
A fraudster using fraudulently obtained, but genuine account details to obtain goods or services from mail or telephone merchants.

Mail re-direct
Post can be fraudulently re-directed to another address. The fraudster then receives any cards or cheques intended for the victim, possibly to facilitate identity fraud.

Malware
Malware includes computer viruses that can be installed on a computer without the user's knowledge, typically by users clicking on a link in an unsolicited email, or by downloading suspicious software. Malware is capable of logging keystrokes thereby capturing passwords and other financial information.

MO – Modus Operandi
Literally translates as the 'method of operation' of a fraudster. It can be used to identify an individual or team of fraudsters as often they will use the same method of operation to commit fraudulent activity.

Money mule
Recruited by fraudsters to help launder the proceeds of their criminality and confuse the audit trail. They receive funds into their accounts, withdraw the money and send it overseas. In return they receive a small commission payment.

National Fraud Intelligence Bureau
The City of London Police’s National Fraud Intelligence Bureau uses millions of reports of fraud to identify serial offenders, organised crime gangs and established and emerging crime types.

Organised Crime Group
Defined in the Serious Crime Act 2015 (s.45(6)) as a group which has as its purpose, or one of its purposes, conduct of criminal activities and consists of three or more people who agree to act together to further that purpose.

Personal Identification Number (PIN)
A set of characters, usually a four-digit sequence, used by cardholders to verify their identity at a point-of-sale or at a customer-activated device such as an ATM. The number is generated by the card issuer using a secure computerised process when the card is first issued and may be changed by the cardholder thereafter.

Phishing
The name given to the practice of sending emails at random purporting to come from a genuine company operating on the internet, in an attempt to trick customers of that company into disclosing information at a bogus website operated by fraudsters.

Remote purchase
A transaction where the merchant, retailer or other service provider does not have physical access to the payment card; examples are transactions by telephone, mail order or internet. Also known as card not present fraud.

Shoulder surfing
Fraudsters will look over the shoulder of unsuspecting individuals, and capture personal details to facilitate identity fraud or capture PINs at ATMs. They are known to target individuals filling out application forms in shops or discussing personal details over the phone in public.

Skimmer
A reader and recorder of the magnetic stripe data held on payment cards.

Skimming
Copying the magnetic stripe details of a payment card, usually with a card reader, for use in card counterfeiting.

Smishing
Smishing involves a fraudster sending text messages (also known as an SMS) at random to mobile phones. The text messages appear to come from a reputable organisation such as a bank or mobile phone company. The message will try to trick the customer into clicking on a link to a bogus website or calling a phone number, usually by claiming the need to verify or update details or reactivate an account. The criminal will then attempt to get the customer to disclose personal or financial information, which they will use for their own fraudulent purposes.

Spoofs
An attempt to harvest personal information direct from potential victims to facilitate identity fraud. The fraudster will make contact in various ways, including letters, telephone calls, canvassing, websites, emails etc.

Spyware
Spyware is a type of malware that can be installed on computers and collects little bits of information at a time about users without their knowledge.

Third party fraud
Fraud committed against an account holder by an unrelated third party. The overwhelming majority of fraud committed against financial institutions and their customers is by, often unknown, third parties.

Trojan
A destructive programme that masquerades as a benign application. Unlike viruses, 'Trojans' do not replicate themselves but they can be just as destructive.

Virus
A virus is a program that can replicate itself by inserting (possibly modified) copies of itself into other programs, documents or file systems; this process is described as the infection of a host. Although some viruses may be relatively benign (e.g. displaying a political message on a certain date) most are destructive. This destruction will occur either immediately, after a set time delay, or after the computer user takes a specified action. The replication itself can cause problems through the waste of computer resources.

Vishing
Vishing involves a fraudster phoning a potential victim and posing as someone from a bank or building society, the police or another legitimate organisation such as a telephone or internet provider. The fraudster will then attempt to get the customer to disclose personal or financial information, which they will use for their own fraudulent purposes or get the customer to transfer money to a fraudulent account.

Financial Fraud Action UK 2 Thomas More Square, London E1W 1YN

www.financialfraudaction.org.uk

This document is provided for information purposes only. While every effort is made to ensure the accuracy of any information or other materials contained in this document, it is provided on the basis that Financial Fraud Action UK Ltd (and its members, either individually or collectively) accept no responsibility for any loss, damage, cost or expense of whatsoever kind arising directly or indirectly from, or in connection with, the use by any person of any information or other material contained therein. Any use of the information or other material contained in this document shall signify agreement to this provision.

© Financial Fraud Action UK Ltd 2016. A company registered in England No. 9529683. Published by Financial Fraud Action UK Ltd.