Online banking losses in the UK reached nearly £30 million ($48 million) in the first half of 2014, as criminals targeted the accounts of businesses that allow higher-value transfers, according to banking organisation Financial Fraud Action UK (FFA).
Is card fraud getting a bit worse, a bit better or is it much the same? That depends how which type fraud is considered and what is measured.
As far as online bank fraud is concerned, the answer appears to be a resounding ‘yes’, with losses rising to £29.3 million between January and June, compared to only £17.1 million for the same period on 2013.
Take a longer view going back to 2008 and it’s clear that the figure is not far from the longer-term average – with telephone bank fraud static at around £7 million, banks seem to have kept a lid on online fraud albeit that it’s not getting better either.
For remote purchase fraud (aka card not present fraud) – mainly across the Internet - the rise is harder to explain away. The new half years figure is £174.5 million, up 23 percent from £142 million in 2013. The FFA downplays this, pointing out that consumers spent £47 billion during the period, but it’s still a jump to the highest absolute figure ever recoded, beating even 2008’s £163.9 million.
Total card fraud of all types reached £247.6 million, a 15 percent increase over the same period in 2013. Again the FFA is at pains to put this into some context. Fraud is proportionally no worse than in 2013, it said, accounting for only 7.4p in every £100 spent.
Technologies such as Chip and PIN have slashed fraud rates on high-street purchases in the last decade which has caused criminals to adjust their tactics by attacking individual consumers rather than bank systems, the organisation said.
The classic example of this which anecdotal reports suggest is now a serious issue in the UK, is the sort of social engineering attack where customers are phoned up by criminals posing as a legitimate organisation. Given the success of this type of con, it looks as if the success off Chip and PIN has pushed some of the face-to-face fraud to the remote fraud column.
Some have predicted that this will result in a lot more often inconvenient phone checks being carried oud on transactions.
The FFA’s own research showed that a quarter of consumers took no action to challenge the identity of cold callers, a figure that rose to a third for younger consumers.
“Be aware of the warning signs: your bank will never ask you for your 4 digit PIN, to transfer or withdraw money, or to give your card to a courier,” said DCI Perry Stokes, head of the Dedicated Cheque and Plastic Crime Unit, a police unit sponsored by the cards industry.
A key target for attackers was now businesses. “Intelligence suggests criminals are targeting business accounts which typically allow higher value fraudulent transactions,” said the FFA.
Break into an individual’s account and the pickings might be measured in hundreds of pounds. Do the same to a business account and it could easily be tens of thousands before anything untoward was noticed.
Last month, a separate estimate from Worldpay (which sees 44 percent of card transactions in the country) estimated that seven million UK credit and debit cards had been put at risk during data breaches, or three million in 2013 alone. Exactly how much fraud arises from these breaches is incredibly hard to estimate because compliant firms encrypt credit card numbers. But personal data is lost and this could feed back into social engineering attacks that the FFA is worried about.