
Fraud prevention in the payments

Interview
10 Mins.

Markus Navratil is Senior Product Manager at G+D Netcetera, focused on secure issuing and innovation in fraud prevention, particularly in credit card e-commerce. Augusto Juvenal, Head of Advanced Products in G+D’s Card Products Division, leads the development of the company’s card solutions portfolio.

What is the current state of fraud in the payments industry? What are the key threats, and how are they evolving?

Markus: Today, the most emergent threats are around social engineering fraud. This has seen a rise in Europe after the introduction of PSD2 regulations. As technical fraud attacks have become more difficult to carry out, social engineering fraud has emerged as the immediate answer. 
We can distinguish different kinds of social engineering fraud. The most emergent and threatening kind are scams that involve manipulating a customer. Even though no technical attack happens, a fraudster will convince their victim to initiate a transaction and transfer funds to them. This is an area where the protections are still relatively poor, the attacks are complex, and losses are relatively high. 
These types of attacks are becoming increasingly complex, with fraudsters often using several channels of attack. For example, once you take over an online banking account, you might provision the cards to Google Pay or Apple Pay, or an e-commerce channel, to maximize the cash out from a single attack event. 

Are there any specific technologies now being used more frequently in fraud attacks?

Markus: The classic scenario is the phishing scenario, now including phishing via voice, SMS, or QR codes. It’s always the same pattern. You gain access to sensitive data, and now with two-factor authentication you must add some additional element. You’d have to let the two-factor authentication happen; so, you either trick the customer, or you somehow register a method yourself to carry out the two-factor authentication. 
But the pattern is always somehow related to phishing or another kind of social engineering. Traditionally, this was done via email, but now fraudsters might contact their victims via social media, messenger services or online marketplaces – whatever they consider the best entry point to be.

Augusto: Social engineering fraud is also happening on the physical card side. In certain countries, fraudsters are calling the cardholder, pretending to be from their bank. The cardholder sees on their phone that their bank is calling them – the named caller will be their bank – and the fraudster pretends to be an agent from the bank. They’ll then trick the cardholder into cutting their card in half and handing it over to a driver, who comes to pick it up. Once they have hold of the card, the fraudster convinces the cardholder to give them their PIN. Now, they have a full card and PIN at their disposal to perform any kind of physical card transaction. This is a growing trend in Europe, and particularly in the Netherlands. One Dutch bank I’ve spoken with said that these fraudsters are mainly targeting their older, more senior customers, because they trusted the bank the most. When these customers see the bank calling, they don’t suspect anything. These types of fraud situations are increasing because of the growing need to balance security with customer convenience. When you lower the security to increase the convenience for customers, these kinds of situations emerge.

Why is it important for banks, payment service providers (PSPs), and merchants to reconsider their fraud strategies in response to these threats?

Augusto: The two main reasons are brand and reputation. Today, it’s so easy for customers to move to a different bank. They have so many options to switch banks or change accounts. And with social media, any bad or negative customer experiences are heard louder and wider. I think this is the reason all banks are now putting more effort into fraud prevention – not only because of the financial losses that fraud brings to banks, but because of the reputational and image risks as well. Those risks are much higher today than previously.

Markus: The fraud prevention experts I speak to are reporting an acceleration in the sophistication of fraud attacks in the last couple of years. There are always new and emerging trends, and fraud is always adapting, but the difference now is that the rate of adaptation is much faster, and attacks are more elaborate. Fraudsters are adapting to prevention mechanisms much more efficiently. A new phenomenon is “fraud-as-a-service,” where organized groups specialize in different aspects of the fraud process. In addition, generative AI is being used to make attacks more sophisticated. For example, now you can easily write phishing emails without any errors, produce deepfake videos, or imitate voices. A common problem for fraudsters used to be talking directly to victims – they needed someone who spoke the language in the right tone. Now, they can just use generative AI. It increases the speed of adaptation for fraudsters a lot.

Fraudsters are adapting faster than ever. Generative AI, deepfakes, and fraud-as-a-service are accelerating the sophistication of attacks.

Markus Navratil
Senior Product Manager, G+D Netcetera

Do you think the impact on brand and reputation is as important for merchants as it is for banks and payment service providers?

Markus: For financial institutions, fraud is clearly a reputational problem. For the e-commerce merchants, I’m not so sure. I believe that consumers usually view the problem of fraud as sitting with the financial institutions rather than the merchant, even if the merchant’s fraud prevention measures are bad. When the losses happen on the credit card or account side, the bank is who the customer has contact with, so that’s typically where they’ll look for fault.

What are the most vulnerable points along the payment journey, which fraudsters target?

Markus: It’s clear that most online channels are vulnerable. Instant account-to-account transactions are proving very problematic in Europe, but they’re not yet rolled out to the rest of the world. In e-commerce, it doesn’t matter much whether transactions are initiated via card, e-wallet, or other app-based payment services – whatever exists can also be targeted. There are lots of problems around the provisioning of cards into e-wallets like Apple Pay or Google Pay. Some card issuing banks aren’t even issuing physical plastic cards anymore; they’re just issuing virtual cards. These can be directly provisioned by fraudsters into e-wallets, and then it’s up to the fraudster how they want to cash out. They can then buy a new phone to provision the next card or attack a different online channel.

So, the emergence of digital wallets as a popular method of payment is making consumers more vulnerable to fraud, not less?

Markus: Yes, in a sense. From an e-commerce perspective, you don’t need a plastic card in hand to attack an online channel. You just need the card number. Once you have that it doesn’t matter much if you have it in an e-wallet or not. These e-wallets just add another potential layer of vulnerability to the payments process.

Augusto: On the physical card side, things are secure nowadays. Nearly all transactions are now made using chips, and more banks are declining mag [magnetic] stripe transactions. Even Mastercard is planning to remove this phase because it’s become very easy to copy. So that’s one less vulnerability and one less problem. Physical chip transactions are also typically secure because of the evolution of technologies involved, such as symmetric and asymmetric cryptographies.


In which environments are you seeing payment fraud rise the fastest – digital, physical, or phygital?

Augusto: Payment fraud is evolving and increasing everywhere, especially social engineering fraud. Manual interception is a growing trend as well, with fraudsters intercepting physical cards before they reach cardholders. They’ll replace the chip on those cards, so that when the cardholder finally gets hold of it the chip is fake. But digital environments are still the focus of fraudsters. It’s easier to “cash in” from digital channels than it is from the physical cards, which is harder work and perhaps not as lucrative to the fraudster.

Markus: From digital to physical – there are threats at all points. There are still physical attacks on ATMs, for example. But digital environments pose the most risks, because fraudsters can scale up their operations in the digital space so well. One of the most frightening recent developments came from the UK, with the introduction of instant account-to-account payments. Basically, the number of fraud attacks exploded, and regulators needed to act. From the fraudsters’ point of view, these payments were easy to target because you don’t need cards, merchants, or infrastructure – you only need your attack vector, and either to convince an individual to initiate an instant transfer or find a way to do it yourself. Once the transfer is made, the money can be transferred via multiple accounts, with very low risk of being caught. That’s happened already in the UK and Australia, and people are afraid it will happen across Europe now too with the EU introducing new instant payment regulations.

Why are instant account-to-account payments so insecure? Is that surprising, given that it’s an innovative new payment method?

Augusto: It’s not surprising, because the fraud advantages are obvious. In account-to-account, everything is instant and relatively anonymous, and you don’t need the same infrastructure as on the payment cards side. The protection mechanisms in account-to-account are built to assume there is time to clarify if transactions are executed or not. If you now must do that instantaneously, you need extremely powerful systems. In the card context, these systems already exist. They could also exist in the online account-to-account area, but they need to be extremely fast. You don’t have the chance to fail in your decision. 

What common mistakes are companies in the payment space making when they try to prevent fraud? What are the biggest missteps?

Markus: One common mistake is that financial institutions are improving their fraud prevention mechanisms at one end but not reflecting that across all channels. Often, they have good transaction scoring mechanisms in place but there may be a loophole somewhere in the registration procedure that they haven’t considered. The scoring mechanism can work perfectly fine, but it becomes useless if fraudsters can easily take over the authentication method of the customer and cash out everything in the account. That’s a systems problem that I believe happens occasionally. It’s clear why it’s happening, too. These are huge organizations dealing with different kinds of financial services. When you design a new process like a new onboarding procedure or payment method, you must involve fraud specialists to assess all the risks. It’s very complex, and you need lots of fraud experts to do that. Sometimes that just doesn’t happen at the right point in time.

Augusto: What I see is that banks are now competing with fintechs on convenience. They want to increase convenience for customers, which was not the case before fintechs existed. Where before you needed a physical transaction to activate your card, now you can activate your card via mobile. Card activation on mobile is increasing some types of fraud, especially mail intercepts. Customers activate a card on their mobile without ever knowing that the card’s chip is fake. That was not a problem when the only option was physical card activation. 

The payment card is a highly secure token. Banks should explore how it can do more than payments – like enabling multi-channel authentication.

Augusto Juvenal
Head of Advanced Products Card Products Division at G+D

How are emerging technologies such as AI, biometrics, and tokenization being used to fight fraud?

Augusto: On the card side, there are new technologies being implemented, like cards with a biometric reader. You can replace the PIN with your biometric and make a physical transaction using biometric authentication. Also, cards with a dynamic CVV (Card Verification Value, a security code on the card) are becoming more popular, with cardholders having access to secure codes. Today, there are options that do not require cards to have a battery. Dynamic security codes can help in online transactions using your physical card. Increasingly, banks are looking for authentication mechanisms in physical transactions too. Discussions are ongoing to implement new technologies that allow you to tap your physical card on your mobile and use that as an authenticated method. 

Markus: I think that looks a bit like a solution from 20 years ago! But, from a security point of view, it’s ultimately strong. You can’t phish a physical card – you must collect it in-person, and this is so much stronger than everything done today. The digital onboarding procedure can always be attacked, but collecting physical cards at the post box, for example, is just not scalable as a means of social engineering attack. From a digital point of view, artificial intelligence (AI) and machine learning are considered powerful tools for fighting both technical and social engineering fraud attacks because they involve lots of additional data, behavioral and device data, from checkout and authentication devices. But there is a conceptual problem that is often overlooked, which is that the algorithms these technologies are built on only work if you have very, very good-quality data, and properly flagged fraud transactions. And they only work for historical data. If certain fraud patterns are only just emerging, an AI’s algorithms will be relatively blind to them at first glance. If the data quality of the fraud flagging AI tool is low (because it hasn’t used enough people to investigate cases properly), then these models just won’t work. So, there is a conceptual shortcoming in using only AI and machine-learning-based methodologies in this context. Fraud experts writing traditional rules will probably always be required, or at the very least they will be for the next few years. To clarify transactions, you still need to contact the customer to ask them if a transaction was real or not. Then, you need real people.

How should the payments industry balance security and user experience in the context of fraud prevention?

Augusto: Balancing fraud prevention and user experience is an eternal battle. It’s like in the previous example I mentioned, with fraudsters replacing chips in payment cards to bypass security measures. This is known as “caesarean” fraud, and it’s popping up all over the world, but especially in LATAM. This type of fraud is easier because the customer experience of card activation has been made easier. Companies should look at different methods of card activation for customers rather than just one-click mobile activation. In the US, several banks are implementing this process where you need to tap your card on your mobile, with your banking app, and only then is the card activated. 

Markus: Two-factor authentication is actually a very good expression of this balancing act between security and user experience. From my point of view, there are other methods that are neither user-friendly nor all that secure, like one-time passwords and security questions. Biometric authentication, with face ID or fingerprint, plus possession-factor authentication from the mobile: these together are a good balance between convenience and security. But banks need to be careful not to make too many compromises on security, especially around the onboarding procedure. Everyone believes that if their card is issued instantly and they get the virtual card number immediately, then card activation should also be instant. That’s dangerous. If there is no break in between and you don’t have an independent channel for transferring the card activation code, or the code is sent out in a way that can be easily read out on your mobile – then that code can be phished. But if you adapt the process slightly so that the activation link is five lines long, for example, so that it can’t easily be read out on mobile – that’s much better. It’s the same convenient process but just tweaked slightly to make it less vulnerable to fraud. Today, I believe the balance between security and convenience should always lean more towards security. Two-factor authentication is a no-brainer, and using facial recognition is smooth, well known to everyone, and very secure.


How can companies help consumers feel safer when making payments, without overwhelming them?

Augusto: It’s important to introduce security through mechanisms consumers already understand. Dynamic CVV codes, for example, are gaining traction again because they’re familiar and intuitive – people know the concept of a security code on their card. Biometric payment cards are another example. Everyone’s used to unlocking their phone with a fingerprint, so using that same technique for payments just feels natural. You increase security without needing to explain the technical side. 

Markus: I agree. Smooth and transparent authentication supported by data analytics should be the default. But with scams and social engineering on the rise, you also need clear communication. Many banks don’t explain why they never ask for a PIN over the phone, for example – they just say it. Consumers don’t always understand the threat unless it’s explained in human terms. Even a simple prompt like explaining why your app requests your location data – to help prevent fraud, not to track you – can build trust.

Have G+D’s technologies directly helped to reduce fraud and build trust with clients?

Augusto: On the card side, it’s straightforward: almost all physical transactions are now chip-based, which is secure by design. The chip standard has become the global baseline for payment cards, and we’re already supporting its future evolution.

Markus: From a digital perspective, one of the most important contributions in reducing fraud has been the rollout of EMV® 3-D Secure. Before two-factor authentication became mandatory under PSD2 regulations, card-not-present fraud in e-commerce was rampant. The introduction of 3-D Secure brought that under control – not eliminated but clearly reduced. It’s still the industry’s go-to solution for unauthorized online card fraud, especially in non-European markets where PSD2 isn’t enforced.

What role does G+D play in helping clients tackle fraud across all channels?

Augusto: We’re uniquely positioned because we work with global players like Visa and Mastercard as well as local payment programs. We’re often building and testing technologies today that won’t reach the market for another three to five years – things like asymmetric and elliptic curve cryptography, AES-based symmetric encryption, and even post-quantum cryptography. Our role is to make sure the security foundation is always future-proof.

Markus: On the digital side, our strength lies in trust and compliance. When financial institutions need a partner for secure data-sharing about fraud – especially under stricter privacy regulations – G+D is a trusted entity. Banks and regulators know that we don’t sell or misuse data, and that means we’re uniquely placed to be a bridge between innovation and compliance. G+D Netcetera also has a very good reputation. Its innovation power, and also its agility, is outstanding when compared with other security or fraud prevention providers in the market. In the coming months and years, I expect we’ll be tackling some very relevant fraud-related topics, since we have the right people working on it at the right time. 

Is regulation keeping pace with the evolution of fraud?

Augusto: For physical cards, yes – the chip is secure and highly configurable. Regulation helps keep those standards high. But for emerging forms of fraud, especially social engineering, regulators need to catch up. They also need to support the cryptographic transitions we’re already working on – so that fraudsters can’t simply wait for outdated standards to fail.

Markus: In Europe, we’re probably the most regulated payments market globally – but it’s often too slow. PSD3 and scam liability rules are years away still. Meanwhile, court cases are already happening. Regulation can drive innovation, but only if it moves quickly enough. Another issue is the perceived conflict between fraud prevention and data protection under GDPR. That needs to be clarified – and soon – or important initiatives like fraud data-sharing will remain stuck in limbo.

What’s one piece of advice you’d give to clients – banks, PSPs, or merchants – today?

Augusto: Make more use of the card as a multi-purpose security token. It’s already in your customers’ hands – why not use it for authentication, for additional services, or even as part of your multi-channel fraud prevention?

Markus: Collaborate. Banks and PSPs have more to gain by working together than by competing on fraud prevention. Fraudsters already share information – the industry should, too.

Key takeaways

  1. Social engineering is the dominant fraud threat
    As technical attacks become more difficult, fraudsters now exploit human behavior – using tactics such as scams, phishing, and impersonation – to bypass security.
  2. Balancing convenience and security is critical
    Payment systems must maintain strong protection without creating friction. Biometric authentication and thoughtful design help strike this balance.
  3. Fraud prevention needs collaboration and innovation
    Financial institutions must work together, leveraging technologies such as AI and biometric cards – areas where G+D plays a leading role – to stay ahead of fraud.

Published: 13/11/2025
