At the ISMG Fraud Summit in London last week, ISMG’s Tom Field, Vice President of Editorial, offer attendees a preview the yearly Faces of Fraud survey, which looks at how the impact of rising retail point-of-sale breaches and increased payment card fraud compares to that of account takeover, check fraud, insider crimes and the emerging realms of virtual and mobile payments.
From the preliminary results shared, there are number of interesting points that I found worth taking note. One is that while 55% of respondents indicated that their fraud financial losses increased, (39%) indicated that fraud losses are within an “acceptable” level. Financial institutions have invested millions of dollars in fraud protection technologies in the last five years, however, just because we may have won the battle, the war is far from over. The potential mistake here is to think that the fraud problem has been fixed forever.
Another particular area of concern is how fraud in Europe will change after the United States’ EMV implementation. As the U.S. migrates to the EMV standard, we certainly expect to see a rise in fraud in both European and U.K. financial institutions and merchants. Why you may ask? Well, for a while the U.K./Europe benefited from the fact that the U.S. had not yet implemented EMV. Criminals looking to perform physical card attacks, such as skimming, moved to non-EMV regions, like the U.S. As EMV gets implemented in the U.S., there will be less of a gap and fraudsters will undoubtedly look for ways to beat EMV in all regions. Refer to the map below:
In previous EMV implementations, there has always been somewhere else for the card fraud to go, but with the U.S. being the last major area to implement EMV, this time there is nowhere else for the card fraud to shift.
We predict that U.S. financial institutions will see a drop in card protection fraud with a huge rise in card-not-present (CNP) fraud. Europe/U.K. will also see a rise in CNP fraud as criminals look for other methods of attack.
There is a piece of good news – European merchants will be in a better position as they will have much less risk when accepting transactions from U.S. cardholders.
In the US as well as in Europe, there is a big focus on protecting the transaction and the details in flight during a transaction. Very few consider the social engineering side of the problem, and the loss of data before a transaction is even made. Institutions may be protecting themselves too late in the fraud cycle. Instead, companies need to focus on the early stages of fraud protection, such as the planning stage when the criminal is actually building the attack and not the actual transaction phase. Here you can significantly reduce the criminal’s chances of completing the fraud cycle.
As the U.S. shifts to the EMV standard, it is important that European institutions do not tailor their fraud prevention strategy to exclusively identifying when fraudulent transactions are happening – leaving significant exposure in other areas of the fraud cycle.