How Visa And The US Secret Service Are Flattening The COVID-19 Fraud Curve

Fraudsters don’t get furloughs, they aren’t much for vacationing, and they certainly aren’t above taking advantage of a bad situation.

In fact, taking advantage and exploiting others’ misfortune for personal gain is more or less the job description of the average fraudster.

And as of today, fraudsters find themselves in extraordinary times as people are online en masse working from home and shopping due to the coronavirus pandemic. Add to that $2 trillion in stimulus funds about to flow forward from federal coffers in a variety of forms, and one has a recipe for a fraud outbreak the likes of which the world has never seen.

“This is a once-in-a-lifetime target-rich environment for fraudsters,” said U.S. Secret Service Special Agent in Charge Thomas C. Edwards. “The number of people that are potential targets, that could be easily duped by sophisticated cons, is the greatest I’ve ever seen in my life.”

Edwards talked with Karen Webster and Visa’s Vice President of North America Risk Lori Hodges.

Hodges noted that fraudsters will be bringing their absolute A-game to bear on what is the weakest link in the digital economy — the consumers and small businesses within it. And given the state of cybersecurity worldwide over the last five or so years, they are bringing a lot of resources to the fight.

“They have enormous amounts of data on us as us consumers due to the myriad of breaches that have occurred over the years, not just merchants’ breaches and payment card breaches, but government databases, health insurance databases and credit rating bureaus,” Hodges said. “And they’re quite sophisticated from an analytics perspective.”

The best cure to keep the fraudsters at bay during difficult times: inoculation by education, Edwards and Hodges agreed, because the best way to protect the weakest link is to significantly strengthen it.

Stopping the Fake Phone Calls

There are all kinds of frauds taking root out there, but among the more popular are the spoofing scams in which the consumer gets a phone call from “the IRS” or “their bank” making requests that absolutely no consumer should ever acquiesce to.

The IRS version, Edwards noted, involves getting a call from someone reporting to represent the IRS or another federal agency informing the consumer they owe some fabulous sum of money, and that they need to immediately resolve the situation with a payment and possibly some other important details about their bank account.

These calls, he noted, are both rather convincing and menacing as victims are threatened with jail time and told the police are on the way to arrest them.

“This is a very difficult time for everybody, and fraudsters have jumped on the opportunity and take advantage of people who are desperate,” Edwards said, noting he sees this in regional pockets during natural disasters like hurricanes, but suddenly this is a phenomenon that has quite literally gone global.

And on the financial services side, Hodges said, one sees the same strategy in play, albeit with slightly different tactics in use.

Customers will get calls that look like they are from banks on a caller ID, and then find themselves talking to a customer representative who sounds very realistic and asks to authenticate them with a text message before asking the customer to verify all kinds of vital information about their accounts. Some fraudsters, she noted, have gotten good enough to even use specific banks’ waiting line music and messaging to add to the verisimilitude of the experience.

It feels right, Hodges noted, because it’s patterned on the correct banking journey a customer would be used to. But it’s fundamentally wrong, and consumers need to know that from the word go to avoid getting scammed.

“Banks do not call you and ask you for your personal information,” she said. “They already have it, and if they call you, they wouldn’t have to authenticate you because they’ve called you, which is, again, a thing they mostly do not do. When a consumer calls their financial institution, that is when the authentication of who you are … occurs. It never occurs elsewhere. And they will absolutely not ask for personal information.”

Edwards concurred the same is true of the IRS and all other government agencies

The fraudster is asking for information, Hodges said, because they have most of what they need on that customer to do some real damage — minus maybe one or two last pieces. The call or phishing email is generally meant to give them the full data set they need to mint the keys that will get the inside of that person’s entire financial life.

Flattening the Fraud Curve

The full shape of the fraud picture is still emerging, both Edwards and Hodges noted, but here is what’s coming: fraudsters will set up fake charity sites to harvest illicit funds from consumer goods. Those go up and down so fast it can feel like playing the worst game of whack-a-mole.

Or, Hodges said, fraudsters will take advantage of the chaotic environment and merchants and non-profits not practicing proper security hygiene and changing their administrative passwords often enough, making it easier to slide digital skimmers onto website checkout pages and start scraping consumer card information on every transaction.

These folks are very sophisticated, Hodges noted, and they are creative. Industry has done a terrific job of upgrading to artificial intelligence (AI) and machine learning (ML) tools to spot fraudsters at the digital point-of-sale (POS). The “good old days” of people just stealing card numbers and using them till they couldn’t anymore are in the past; the next generation of fraudsters are using the troves of illicitly gained consumer data already out there to build more complicated and harder to spot long cons that get consumers and small businesses the keys to their entire digital life. They can build the best locks in the world, Hodges said, but if consumers “unlock the front door and put out the mat, things get a lot more challenging.”

Edwards and Hodges said the best thing they can do is arm consumers and businesses with the right information. Anyone calling looking for data should raise alarm bells, doubly so if they make threats on a time limit. If one wants to donate, go directly to the charity of choice, avoid clicking links guiding you there. And most importantly, Edwards noted, people have to realize that fighting cybercrime is their problem too, and their vigilance is the best first line of defense against a fraud epidemic.

“Much like our public health officials have said people need to be careful and told them how, law enforcement, credit card firms, insurance companies, we need to get the information out to consumers so they can protect their financial health as well as their physical health and flatten the curve on fraud,” Edwards said.