The financial industry has made significant strides in mitigating the prevalence of scams within payment infrastructures. Initiatives such as the Payment Systems Regulator (PSR) guidelines, confirmation of payee (CoP) protocols, enhanced warnings, and the profiling of inbound payments to identify mules are just some of the methods used to stem the tide of payment scams collectively.

The industry’s concerted efforts have undeniably made it more difficult for fraudsters to exploit payment systems. Consequently, fraudsters will always redirect their attention towards the next vulnerable avenue. Could this be card scams?

Why card scams represent a new dynamic in the industry

Credit card fraud remains pervasive: between 2019 and 2023 alone, the United States witnessed a staggering 53% surge in reported cases of credit card fraud.

However, whereas credit card fraud typically involves the unauthorized use of cards, card scams regularly entail nefarious social engineering tactics such as investment, purchase, and romance scams, in which fraudsters prey on their victims’ trust and vulnerabilities. Fraudsters also continue to socially engineer customers into either authenticating a transaction on the fraudster’s behalf or giving away authentication passcodes that allow the fraudster to complete transactions or load cards to digital wallets.

For example, with a view to committing Authorized Push Payment (APP) fraud, fraudsters will make scam phone calls and send text messages and emails to solicit personal details and passwords. This information is then used to identify targets and manipulate them into authorizing payments.

While these types of scams aren’t new, they are becoming more prevalent and increasingly sophisticated. In 2022, social engineering scams in the United States caused financial losses amounting to almost $8.3 billion, impacting 234,000 Americans. In the UK, £580 billion was stolen by criminals through social engineering schemes within the first half of 2023 alone.

There is also increasing evidence demonstrating how fraudsters are targeting cards to create mule accounts, whereby customers in financial difficulty authorize fraudsters to overpay their credit card balance, only to then be persuaded to transfer the positive balance to the fraudsters themselves.
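The overpay-then-transfer pattern described above can be expressed as a simple adaptive rule. The sketch below is an added example, not code from this article or from any bank's system: it flags a credit-balance payout that follows an overpayment within a short window and goes to a party other than the one that funded the overpayment. The event fields, the 14-day window and the minimum credit threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Event:
    day: date
    kind: str          # "purchase", "payment" (into the card) or "credit_out" (credit balance paid out)
    amount: float
    counterparty: str  # funding source or payout destination; hypothetical field

def flag_overpay_then_payout(opening_owed, events, window_days=14, min_credit=100.0):
    """Return (day, amount, funded_by, paid_to) for each credit-balance payout that
    follows an overpayment within window_days and goes to a different party.
    opening_owed > 0: customer owes the issuer; < 0: account is in credit.
    Thresholds are illustrative assumptions, not values from the article."""
    owed, overpay, alerts = opening_owed, None, []
    for e in sorted(events, key=lambda ev: ev.day):
        if e.kind == "purchase":
            owed += e.amount
        elif e.kind == "payment":
            owed -= e.amount
            if -owed >= min_credit:            # payment pushed the card into credit
                overpay = (e.day, e.counterparty)
        elif e.kind == "credit_out":
            owed += e.amount
            if (overpay and e.day - overpay[0] <= timedelta(days=window_days)
                    and e.counterparty != overpay[1]):
                alerts.append((e.day, e.amount, overpay[1], e.counterparty))
        if owed >= 0:                          # credit balance used up: reset state
            overpay = None
    return alerts

# Constructed sample histories (not real data).
SUSPECT = [
    Event(date(2024, 3, 1), "payment", 1500.0, "ext-acct-111"),    # third party overpays
    Event(date(2024, 3, 3), "credit_out", 1200.0, "ext-acct-999"),  # credit sent elsewhere
]
BENIGN = [
    Event(date(2024, 3, 1), "payment", 900.0, "own-acct-001"),     # accidental overpayment
    Event(date(2024, 3, 5), "credit_out", 500.0, "own-acct-001"),   # refunded to the same source
]

if __name__ == "__main__":
    print(flag_overpay_then_payout(250.0, SUSPECT))
    print(flag_overpay_then_payout(400.0, BENIGN))
```

A refund returned to the account that funded the overpayment is not flagged, which keeps genuine accidental overpayments out of the alert queue.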

Why the migration of scams from payments to cards has been able to thrive

Following the implementation of Strong Customer Authentication (SCA) through the second Payment Services Directive (PSD2), the industry has seen a reduction in unauthorized fraud. However, with more transactions requiring authentication through 3-D Secure (3DS), fraudsters have instead targeted victims to get them to give away one-time passwords (OTPs) or to authenticate on the fraudster’s behalf. Fraudsters have also looked to take advantage of alternative payment methods such as the digital wallets offered by, for example, Apple, Samsung and Google. Customers are being socially engineered into giving away registration codes, which allow the fraudster to use the customer’s card on the fraudster’s own device.

In terms of purchase scams — where unsuspecting individuals are tricked into making payments for nonexistent goods or services — some methods exist to mitigate financial losses through the dispute chargeback process. However, this approach involves considerable and unsustainable operational expenses for banks, particularly as the volume of such activity continues to increase.

And, while banks have invested heavily in detecting money mules within their portfolios, fraudsters continue to target alternative products with vulnerabilities.

In recent years we have seen the introduction of fraud reporting through UK Finance specifically related to payment scams. The same does not currently exist for card scams, with the majority still reported as unauthorized. It is difficult to understand how big this issue could be unless specific reporting is introduced for cards.

Moreover, there remains a shortage of standardized fraud labels for card scams, making it difficult for machine learning models or adaptive rules to efficiently detect card scam activity.

Will regulation be introduced to address the prevalence of card scams?

We have started to see regulation related to card scams with the first release of guidelines for the Payment Services Directive 3 (PSD3), which would see banks liable for customers who have been socially engineered into authenticating on behalf of fraudsters. Could we see further clarification given to gross negligence if a customer is socially engineered either to authenticate a payment or to make a payment themselves?

The increase in scams relating to cards only underscores the highly adaptable nature of fraudsters, emphasizing the need for continued innovation in fraud prevention strategies and technology.

It’s clear that there is a need for further intervention in this domain, especially as cases of social engineering continue to rise. And, just as financial institutions are investing in identifying mules and scams, it’s important to remember that many fraudsters are skilled professionals — often operating within expansive networks — and have access to the ample resources needed to optimize their modus operandi.

Being vigilant about card scams might not be enough, and as card scams continue to grow, it is likely we will see a continued push for regulation that effectively addresses the evolving tactics of fraudsters and provides comprehensive protection for consumers and financial institutions alike.