Invoice and CEO Scams Dominate Fraud Impacting Businesses

Cyber Security Threat Summary:
“Losses to fraud reported by the organization's more than 300 member firms, which provide credit, banking, markets and payment services in the U.K., declined 8% from 2021, although still involved 3 million cases of fraud. "These numbers are big but slightly down on where we were in 2021, both in terms of the number of cases and the value of losses," said Lee Hopley, director of economic insight and research at UK Finance. The industry reported preventing about $1.5 billion worth of fraud in 2022, although she said the actual amount is likely higher, given the challenges of measuring fraud prevention. Nearly two-thirds of the industry's known 2022 fraud losses resulted from unauthorized fraud, which refers to a victim not providing authorization for a transaction - for example, when a criminal uses stolen payment card data. Typically, victims can receive full compensation for this type of fraud.

About 40% of losses reported in 2022 tied to 6,729 different cases of authorized push payment, or APP, which is when a victim gets tricked into directly sending money to a fraudster. Attackers perpetrate such social engineering via scam communications - including phone calls, text messages, emails, fake websites and social media posts - designed to trick victims into sharing personal information, such as bank account details or passwords. Victims of APP scams have no legal right to reimbursement in Britain, although lawmakers are trying to change that. For businesses, the most common type of APP fraud in 2022 was the invoice or mandate scam, in which a victim tries to pay a legitimate payee, only for the fraudster to trick the victim into sending the funds to an attacker-controlled account. Second to that is CEO fraud, in which a scammer tricks an employee into believing they're a senior executive, and gets them to transfer funds to an attacker-controlled account” (BankInfoSec, 2023).

Security Officer Comments:
“The prevalence of invoice and CEO fraud "highlights the importance of implementing robust fraud prevention measures, such as multi-factor authentication and staff training, to protect against increasingly complex forms of fraudulent activity," said Hinesh Shah, a forensic accountant who specializes in investigating financial crime for law firm Pinsent Masons. "Protections such as Strong Customer Authentication and Confirmation of Payee are having an impact, but too much money is still getting into the hands of criminals," the UK Finance report said. SCA requires online payments to be authenticated using two different factors, while Confirmation of Payee is a name-checking service implemented by many banks which is designed to reduce some types of fraud and misdirected payments. Victims of APP have no legal recourse for reimbursement, although since 2019, 10 British financial services firms who collectively handle about 90% of relevant transactions have increased their alerts and guidance to customers and vowed to reimburse victims” (BankInfoSec, 2023).
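A defender-side check modelled on the Confirmation of Payee name check and the invoice/mandate scam described above: an added example, not code from BankInfoSec, UK Finance or any bank's CoP service. The account-holder lookup table, the supplier record, the invoices and the 0.8 similarity threshold are constructed assumptions.

```python
"""Constructed CoP-style payee name check plus invoice bank-detail-change hold."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for the account-holder name a receiving bank would return.
# A real CoP query goes to the payee's bank; this dict is a placeholder.
ACCOUNT_HOLDERS = {
    ("12-34-56", "12345678"): "Acme Supplies Ltd",
    ("98-76-54", "87654321"): "J Smith",
}
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "llp"}


def normalise(name):
    """Lower-case, strip punctuation and legal suffixes so 'Acme Supplies Ltd'
    and 'ACME SUPPLIES LIMITED' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def check_payee(sort_code, account_number, entered_name):
    """Return MATCH, CLOSE_MATCH, NO_MATCH or ACCOUNT_NOT_FOUND for the name the
    payer entered against the name registered on the destination account."""
    holder = ACCOUNT_HOLDERS.get((sort_code, account_number))
    if holder is None:
        return "ACCOUNT_NOT_FOUND"
    entered, registered = normalise(entered_name), normalise(holder)
    if entered == registered:
        return "MATCH"
    if SequenceMatcher(None, entered, registered).ratio() >= 0.8:  # assumed threshold
        return "CLOSE_MATCH"
    return "NO_MATCH"


def review_invoice(supplier_on_file, invoice):
    """Flag an invoice whose bank details differ from the supplier record (the
    invoice/mandate scam pattern) and run the CoP-style check on the details
    the invoice asks to be paid. Any detail change or non-MATCH result holds
    the payment for out-of-band verification using contact details already on
    file, never those printed on the invoice."""
    on_file = (supplier_on_file["sort_code"], supplier_on_file["account_number"])
    requested = (invoice["sort_code"], invoice["account_number"])
    details_changed = requested != on_file
    outcome = check_payee(*requested, supplier_on_file["name"])
    return {
        "details_changed": details_changed,
        "cop": outcome,
        "hold_for_callback": details_changed or outcome != "MATCH",
    }
```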

Suggested Correction(s):
“Lawmakers have criticized the current industry-led approach to APP reimbursement as lacking independent oversight or enforcement and being prone to delays - even when it works. A government review last year found "reimbursement to victims of APP scams remains inconsistent, with many victims continuing to suffer losses without reimbursement." These shortfalls result in part from some firms failing to contribute to a voluntary fund for reimbursing victims, as well as inconsistent approaches to handling such cases, it found. Proposed legislation making its way through Parliament aims to change that. The Financial Services and Markets Bill would require the country's Payment Systems Regulator "to establish a system for mandatory reimbursement of APP fraud over the Faster Payments system," according to the House of Commons Treasury Committee. The committee aims for the new system to be fully operational by the end of 2023. The UK Finance report describes the current initiative in lukewarm terms. "Relying on the banking sector alone to reimburse victims of fraud means the platforms that facilitate the majority of the fraud have no financial incentive to stop it," it said. "At the end of the day, the criminal still gets away with victims' money." Under the current, voluntary system, UK Finance reports that reimbursement for victims whose institution participates in the Contingent Reimbursement Model was about 48% of losses in 2021 and 60% for the first half of 2022. Victims of institutions not participating in the program received 27% reimbursement overall in 2021 and 44% in the first half of 2022, it found” (BankInfoSec, 2023).

Link(s):
https://www.bankinfosecurity.com/invoice-ceo-scams-dominate-fraud-impacting-businesses-a-22188