The payment ecosystem is grappling with a rapidly evolving fraud landscape, characterized by a sharp rise in purchase return authorization (PRA) attacks, increasingly sophisticated ransomware schemes and the growing misuse of artificial intelligence (AI) by cybercriminals, a new report by Visa Payment Fraud Disruption (PFD) says.
The State of Scams: Fall 2024 Biannual Threats Report, released at the end of October, highlights emerging threats and scams targeting the payment ecosystem, emphasizing the heightened complexity of fraud schemes and the availability of AI-driven tools.
Booming use of AI
According to the report, threat actors are increasingly leveraging AI to perpetrate fraud. One notable example is the use of AI for voice cloning to enhance imposter scams by creating a façade of legitimacy. AI is also employed to conduct reconnaissance on individual victims or victim organizations by scraping publicly available information and open social media. This information allows threat actors to create more convincing phishing emails or other forms of engagement with victims.
Over the past two years, Visa PFD says it has observed spikes in the volume of threat actor discussions in underground communities related to the release of new AI technology, including malicious versions of AI chatbot programs such as “Fraud GPT” and “Worm GPT” in cybercrime underground marketplaces.
It expects threat actors to continue to use advancements in AI technology to enhance financial scams, making scams more challenging for victims to identify and likely resulting in an uptick in financial losses.
The rise of purchase return authorization attacks
Another trend outlined in the report is the surge of PRA attacks. In a PRA attack, cybercriminals hack into legitimate merchant systems to create fake purchase return requests. They then direct the refund requests to payment cards or accounts they control, and quickly withdraw the money at ATMs or transfer it to their wallets using peer-to-peer (P2P) payment systems.
In H1 2024, Visa PFD says it opened a record number of PRA investigations, amounting to an 81% increase from H2 2023. Each of these attacks results in potential losses of nearly US$184,000 for Visa’s issuing partners, reflecting an increase in the average cost of 58% compared to H2 2023, the company estimates.
These figures underscore the growing prevalence of PRA fraud and the escalating financial impact of these attacks on the ecosystem.
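A PRA attack leaves refunds in the merchant's records that are not backed by a genuine sale, which is something a reconciliation check can surface. The following is an added example, not taken from the Visa report: it flags refunds with no prior purchase on the same card at the same merchant, or that exceed what the card actually spent there. The record fields, reason labels and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data): one merchant's transaction feed.
SAMPLE = [
    {"id": "t1", "kind": "purchase", "merchant": "M-100", "card": "tok_A", "amount": 120.00, "ts": 1000},
    {"id": "t2", "kind": "refund",   "merchant": "M-100", "card": "tok_A", "amount": 120.00, "ts": 2000},
    {"id": "t3", "kind": "refund",   "merchant": "M-100", "card": "tok_Z", "amount": 950.00, "ts": 2100},
    {"id": "t4", "kind": "purchase", "merchant": "M-100", "card": "tok_B", "amount": 40.00,  "ts": 2200},
    {"id": "t5", "kind": "refund",   "merchant": "M-100", "card": "tok_B", "amount": 400.00, "ts": 2300},
    {"id": "t6", "kind": "refund",   "merchant": "M-100", "card": "tok_A", "amount": 120.00, "ts": 2400},
]

def flag_suspicious_refunds(records):
    """Return (refund_id, reason) for refunds not backed by prior purchases."""
    balance = defaultdict(int)   # refundable cents per (merchant, card)
    seen_purchase = set()        # (merchant, card) pairs with at least one sale
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["merchant"], r["card"])
        cents = round(r["amount"] * 100)  # avoid float comparison on money
        if r["kind"] == "purchase":
            balance[key] += cents
            seen_purchase.add(key)
        elif r["kind"] == "refund":
            if key not in seen_purchase:
                # Refund sent to a card that never bought from this merchant.
                findings.append((r["id"], "no_prior_purchase"))
            elif cents > balance[key]:
                # Refund larger than what remains refundable (includes repeats).
                findings.append((r["id"], "exceeds_purchased_amount"))
            else:
                balance[key] -= cents
    return findings

if __name__ == "__main__":
    for refund_id, reason in flag_suspicious_refunds(SAMPLE):
        print(refund_id, reason)
```

Flagged refunds are candidates for a hold or manual review before settlement, since the funds are typically withdrawn quickly once the refund posts.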
Resurgence of physical theft
The report also notes the resurgence of physical theft, where scammers are going back to basics. In these scenarios, criminals would typically exploit the delay between the theft and the victim’s awareness by purchasing gift cards or physical goods to resell, or by using stolen card numbers online for money transfers.
A new form of fraud, dubbed “digital pickpocketing”, has also emerged. In this scheme, threat actors create a fraudulent merchant using merchant ecosystems, and register a mobile device as an mPOS terminal. Threat actors then attempt to tap the mPOS against an unsuspecting consumer’s purse, wallet, or pocket to initiate a card-present transaction on the mPOS.
Another variation of this scheme involves the threat actor using previously stolen cards to conduct the fraudulent transactions using the mPOS registered to the created fake merchant.
Ransomware and data breaches gain in sophistication
Although ransomware and data breaches decreased in H1 2024, these threats continue to pose significant challenges.
In particular, the report notes that attackers are increasingly targeting third-party service providers such as cloud storage providers, file transfer services, and remote software providers, to maximize their impact and access a larger number of customer accounts at once. Visa PFD identified a significant 24% increase in such cases between H2 2023 and H1 2024.
However, the overall number of individual ransomware and data breach incidents tracked by Visa PFD decreased by 12.3% in H1 2024 compared to H2 2023.
Digital skimming attacks experience a shift in focus
Finally, digital skimming continues to be a prominent threat this year, despite a slight drop in the number of cases in H1. In these attacks, threat actors deploy malicious code onto the checkout page of a merchant website to harvest payment account data and other personally identifiable information, such as primary account numbers, card verification values (CVVs), and expiration dates, entered into checkout forms by the merchant’s customers.
In H1 2024, Visa PFD’s Global Risk Investigations (GRI) team recorded a 6% decrease in digital skimming incidents targeting either e-commerce merchants or third-party providers, compared with H2 2023.
However, the team observed a shift in focus, with the number of digital skimming attacks targeting third-party providers declining by a staggering 83% compared with H2 2023. This change in victimology may be related to more highly targeted attacks against singular e-commerce merchants with direct access to sensitive payment account data, the report says.