Tricksters switch tactics and aim at ‘soft’ targets

Organised crime gangs are operating lucrative payment card frauds which target “weak” links in security, as Clare Gascoigne reports

Back in May, a police raid at an address in Hackney, London found details of more than 3,500 debit and credit cards on four computers.

Three men were convicted of fraud and handed jail sentences totalling seven years; the trio had bought almost £10,000-worth of goods with the cards.

That raid was one tiny element in a perpetual fight against third-party fraud within the banking industry; a fight that, until recently, the industry was clearly winning.

Fraud losses on UK cards totalled £388 million in 2012 – a significant drop on 2008, when the figure was £610 million, according to Financial Fraud Action UK, the umbrella body for the banking industry’s anti-fraud agency.

The reduction was down to improved security, such as chip and PIN, the now ubiquitous system of unique numbers that has been in operation for nearly a decade.

But such improved security has led to a return of old-fashioned methods of theft, such as deception and distraction. “New” frauds include “vishing” [voice phishing], when financial information is extracted over the phone by conmen pretending to be fraud investigators, and “shoulder surfing”, when thieves watch someone using a hole-in-the-wall cash machine to obtain a PIN and then distract the individual in order to steal their card as it pops out.

Such methods are surprisingly effective and have led to a 17 per cent rise in fraud losses, between January and June 2013, to £216 million compared to £185 million in the first six months of 2012.

According to Etay Maor, fraud prevention manager at Trusteer, an IBM company: “Bank servers tend to be more secure than end-users’ devices, making the end-user an easier target. With BYOD [bring your own device – the policy of allowing employees to use personal technology at work] being practically standard, once the end-user’s device is a target, the organisation he or she works for is also at risk.”

Yet despite the rise, card and banking fraud is a relatively small part of the overall cost of fraud to the UK, accounting for only about half a per cent of the estimated £52-billion cost in 2012, according to figures from the National Fraud Authority.

But it is an issue the banking industry takes very seriously, since fraud “can damage brand image and erode the trust that is vital to the success of the financial services industry”, according to a report published in July by Value Partners, management consultants, and Locke Lord, an American law firm.

It found the cost of third-party financial fraud in Europe was more than €3 billion in 2012 and is set to increase. Globally, card fraud alone is expected to reach more than €7 billion a year by 2015.

Partly this is due to the introduction of new technologies, such as mobile banking, the operation of bank accounts using smartphones. “The challenge for the industry is that, as it innovates, the fraudsters innovate too,” says Craig Jones, head of communications at Financial Fraud Action UK. “The industry needs to respond quickly.”

It also needs to be sharing information globally. A report from Europol, the European law enforcement agency, published earlier this year, found that payment card fraud is “dominated by well-structured and globally active organised crime groups”.

This means that as security has increased within the EU, criminals simply transfer their activities elsewhere. In 2011, “almost all fraudulent face-to-face transactions with EU cards took place overseas”, says Europol, which criticised the banking industry for accepting a certain level of fraud as part of the “cost” of business.

“The missing links,” it concludes, “are the legal solutions on co-operation with non-EU states and the communication of data with private industry.”