Four festive payment frauds to watch this Christmas


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

Payments in the UK are feeling the chill this Christmas – especially in the retail sector, which rose only 0.2% last month, despite the Black Friday flurry. This figure is part of a wider trend of sluggish economic recovery in the wake of the pandemic, slumping consumer sentiment, and a general lack of confidence following Labour’s divisive September budget.

Notwithstanding these chills, the volume of credit and debit card transactions made in the UK this December will no doubt be considerable, once the figures emerge. In December 2023, for example, UK Finance recorded 244 million online debit transactions and 80 million online credit transactions, with a 7.1% and 10.8% year-on-year variation, respectively. Though likely to be slightly muted, this December will yield comparable stats – creating a highly fertile ground for cybercriminals to run their fraudulent activities. To give an impression of the scale of the issue, UK Finance’s recent Annual Fraud Report 2024 showed that a whopping £1.17 billion was lost to fraud in 2023.

As payment technologies continue to evolve, and the number of parties involved in a transaction increases, so too does the attack surface – and today cybercriminals wield more advanced tools than ever before. In order to avoid handing over an early Christmas present to cybercriminals this holiday season, here are four payments frauds for consumers, banks and retailers alike to stay vigilant against.

1. Spear phishing 

According to IBM, “spear phishing is a type of phishing attack that targets a specific individual, group or organisation.” The personalised scam is often delivered via email, text message, or phone call, and “tricks victims into divulging sensitive data, downloading malware or sending money to an attacker.”

A classic iteration of this during the festive season is the fake-delivery-email scenario, in which scammers become aware that their prospective victim is expecting a Christmas parcel and write to them informing them that they must carry out a certain action, if it is to arrive on time. This sense of urgency is a common flavour in all payments fraud. A link will be included in the email body, which leads the victim to a phishing site, where card details are stolen, or which downloads malware.

According to UK Finance, there were 207,372 incidents of authorised push payments (APP) fraud in 2022, with gross losses of over £485 million.

To avoid falling for these kinds of attacks, consumers must look to verify the legitimacy of all incoming communications – particularly those urgently requesting sensitive or financial information.

2. Whaling 

Alas, it is not just the consumer that is exposed to fraud risk this Christmas. Due to developments in artificial intelligence (AI) technology – some of which is now accessible, open source, on the dark web – the rates of successful whaling attacks are on the rise, too.  

Whaling – a form of spear phishing – is the name for cybercrimes directed at C-Suite executives of large companies. It is the process whereby fraudsters pretend to be known and trusted entities and encourage the victim to send large amounts of cash to a fake account.

This year the inverse of this technique has dominated the headlines, with AI-rendered videos of CEOs asking colleagues to wire cash to their accounts. One of the most infamous of these cases was the deepfake impersonation of WPP’s boss during a virtual meet with colleagues. Fortunately, this scam was unsuccessful.

But high-level executives can be the end-target of such scams too, especially during Christmas, when bonuses are being distributed and cybercriminals look to social engineering to attempt to divert the funds.

Once again, to avoid becoming the victim of whaling attacks, organisations and their employees should get up to speed with APP fraud, the various types, techniques and tools, as well as how to report suspicious activity to line managers.

3. Chargeback fraud

The holiday season is also prime time for retailers to become the target of payments fraud. Perhaps the most common of such attacks is chargeback fraud, which Stripe says “occurs when a customer intentionally disputes a charge in order to receive a refund, while keeping the product or service.”

The impact of chargeback fraud can be extremely serious for a retailer’s financial health and reputation. Indeed, chargebacks stemming from confusing billing descriptors are costing UK merchants over £128 million every year. Particularly exposed this Christmas are businesses that sell high-value products or services, online retailers and service providers, and subscription-based businesses.

To guard against chargeback fraud, retailers should provide customers with clear return and refund policies; use robust fraud-prevention tools; and manage chargebacks effectively by tracking and analysing payments data.

4. Fake marketplace fraud 

Perhaps the most typical scam this time of year is the fake marketplace fraud. Unlike spear phishing and whaling, it does not rely on social engineering to convince victims to send funds directly. Instead, it convinces victims that they are in the process of purchasing a legitimate product or service online. Once the consumer has inputted their banking and personal details, their cash or identity can be stolen.

During Christmas, consumers’ propensity for philanthropy can be exploited through a similar mechanism, by asking for donations to false charities or causes. Exemplifying this was the investigation last year around a questionable Christmas cake charity scheme launched by the Italian influencer, Chiara Ferragni. The Guardian reported that prosecutors argued consumers were duped into believing they were helping a Turin hospital by buying the cakes.

To avoid fake marketplace scams, consumers are advised to research the sellers of products or services, look at customer reviews, and ensure secure payment methods are being used.

The naughty list

Every Christmas, the naughty list – of financial frauds, scams, and cyberattacks – grows. With increasingly complex tools and techniques, cybercriminals are now able to target almost every player on the payments value chain.

Of course, banking technology is in place to detect fraud patterns and anomalous behaviours, but what it cannot do is shore up the most vulnerable element of the chain – the human, who is exposed to social engineering, emotional manipulation and coercive forces.

For now, it is in the interest of banks to educate their customers, and in the interest of consumers to become more familiar with the perils of payments fraud.

Hamish Monk Senior Reporter at Finextra
