Money — and increasingly, digital transactions — makes the world go round. And since banks and the financial services industry overall serve as stewards for our money, they are also unsurprisingly a key target for fraudsters who continuously find new ways to exploit weaknesses in online payment methods.
A recent report released by the European Central Bank (ECB) and the European Banking Authority (EBA) found that money lost to payment fraud in the European Economic Area alone totaled €2.0 billion in the first half of 2023. In the U.S., 42% of financial institutions saw an increase in fraud in 2024, with a corresponding increase in the total cost lost to fraud.
In this article, we’ll provide a brief overview of payment fraud, the top 5 types of payment fraud and its impacts on the financial services industry, and recommendations on how to detect and prevent payment fraud.
What is payment fraud?
Online payment fraud is when a fraudster conducts unauthorized online transactions using stolen information, including login credentials or credit card details.
The financial services industry is constantly paying whack-a-mole to keep up with fraudsters, who evolve their tactics as quickly as financial institutions deploy new anti-fraud measures.
For example, fraudsters use various techniques to access customer data or business financial information, including pretending to be a bank and sending bogus text messages asking customers to enter their login details on a fake website. Fraudsters also purchase credit card details on the dark web and deploy bots for card testing attempts across websites.
How does payment fraud impact the financial services industry?
Payment fraud can have far-reaching consequences for businesses that provide financial services, including:
- Loss of customer trust and reputational damage. Imagine if you were a customer of a bank and someone accessed and drained your account. You’re now on the hook to file a complaint with said bank, have to wait for the investigation to be completed, and in the end, you may not get all of your money back. Even though the fraudster was the one who stole the money, the bank will be blamed for failing to protect its customers. And if it happens often enough or on a large enough scale, customers will move their accounts to a competitor that is perceived to have better anti-fraud security measures in place.
- Being subject to regulatory fines. The poster child for this is Morgan Stanley, which got slapped with a $60 million fine by the U.S. Treasury Department in 2020 for potentially exposing customer PII data. (A $5 million class action lawsuit was filed soon after by affected customers.)
- Getting sued. A proposed class action lawsuit was filed a few months ago against Ally Bank for failing to protect its customers against a data breach. Customers’ personally identifiable information (PII), including Social Security numbers, dates of birth, addresses, and more were exposed on an unspecified date, and allegedly are now for sale on the dark web.
- Significant financial losses. Just one fraudulent transaction (or even 10) doesn’t seem like much, but they add up fast. Payment fraud, credit card fraud, and check fraud contributed to a total of $137.2 billion in losses in the Americas in 2023. Globally? That number increases to $442 billion.
What are the top 5 types of payment fraud seen in financial services?
There are many ways payment fraud can rear its ugly head, but in the financial services industry, the following 5 types are the most commonly seen:
1. Account takeover fraud
Account takeover fraud can be devastating for victims. It happens when fraudsters gain access to customer accounts, often using credentials exposed in data breaches or obtained through phishing. Once they have access to an account, a fraudster can then transfer money to themselves, apply for loans, and change mailing addresses and login information, the latter of which effectively blocks the legitimate customer from accessing their own account.
2. Card-not-present fraud
Card-not-present (CNP) fraud has surged as online shopping has become increasingly popular. CNP fraud happens when a fraudster uses stolen credit card information for transactions where the physical card is not required, such as when making purchases online. In 2023, CNP fraud losses totaled $9.2 billion in the U.S. alone.
3. Credit card testing & credit card cracking
Because of all the data breaches over the past few years, a wealth of information is available for sale on the dark web, including credit card details. At the same time, the credit card info purchased on the web may be outdated or not have all the details needed to successfully complete a transaction — and that’s where credit card testing and cracking come in.
Credit card testing is exactly what it sounds like. To see whether a credit card is valid, a fraudster will attempt a number of small transactions to see if they’re successful. If those transactions go through, then they proceed to make a big purchase.
Card cracking is slightly different: The fraudster will have some of the credit card details but not all. Generally, they’ll write a bot script to test different combinations of numbers in quick succession to guess, for example, the CVV code and expiration date. Once they hit on a combination that works, they’ll proceed with making fraudulent purchases.
4. Check fraud
Surprisingly (to me), check fraud is still a big issue, even with the decline in the popularity of physical checks. Criminals can alter the payee or payment amount, forge account holders’ signatures, or print counterfeit checks, just to name a few tactics. In 2023, financial institutions in the U.S. lost $1.3 billion to check fraud.
5. Business email compromise
Business email compromise (BEC) schemes is a form of social engineering. (If you’ve ever received a text from your CEO asking you to purchase hundreds of dollars in digital gift cards, you’ve experienced the SMS version of a BEC.)
In short, fraudsters hack or spoof email accounts of executives or vendors and send messages to employees asking them to transfer funds or share sensitive company data. In 2023, over 21,000 BEC complaints were filed and totaled more than $2.9 billion in losses.
Preventing payment fraud in financial services
Preventing payment fraud in the financial services industry requires quickly adopting new anti-fraud strategies and technologies to counter fraudsters’ continuously evolving tactics. To help prevent payment fraud, we recommend:
- Educating employees and customers. Require regular training for employees so they can better spot social engineering and phishing attempts. For example, you may want to emphasize that executive leadership will never send an email or text message requesting them to buy gift cards for a customer. At the same time, providing information to customers on how to recognize fraud attempts — such as suspicious emails full of typos or random requests for personal information — can help empower them to protect their own money and data.
- Requiring multifactor authentication (MFA). If you’re a financial institution, implementing MFA is a must, not a nice-to-have. MFA helps reduce the chances of unauthorized access (and by extension, account takeovers). It’s an extra hurdle for users, but MFA adds an extra layer of security by requiring them to provide a different method of authentication on top of their login password. For example, it can be a biometric scan or a one-time passcode (OTP) sent to their device.
- Setting up automated alerts for potentially suspicious transactions. It may be a good idea to configure your risk and fraud detection systems to monitor transactions in real time and send alerts for any anomalies, such as transactions in unfamiliar locations or an unusually large purchase.
- Implementing device intelligence. Device intelligence can be an added layer of security on top of a password and MFA — or as an alternative to MFA. Device intelligence works by collecting and analyzing a number of signals from the browser, device, and network and assigning every device a unique visitor ID. You can choose to configure your risk and fraud systems to bypass MFA requirements for returning customers using previously identified devices, reducing friction for legitimate users — or require MFA for any new, unrecognized device.
Preventing payment fraud for financial services: Key takeaways
Payment fraud prevention isn’t easy and is a continued challenge for financial services and banks as fraudsters use new technologies to find new ways of bypassing online security checks.
Financial institutions can shore up their fraud detection and prevention efforts by taking a multifaceted approach that combines new technology like device intelligence with other requirements like MFA.
Learn more about how device intelligence can help you improve your payment fraud detection and prevention strategy in this self-guided, interactive demo.
