Latest Visa Biannual Threats Report highlights emerging scams targeting consumers, merchants and financial institutions.
10/23/24 view full report here
Visa releases the Fall 2024 Biannual Threats Report: The latest edition of the report brings to light several emerging threats and scams targeting banks and consumers, including a surprising resurgence of small-scale physical crime.
“Visa invested $11 billion dollars in technology and infrastructure in the past five years, and our network is more secure than ever,” said Paul Fabara, Chief Risk and Client Services Officer at Visa. “As payments become safer, fraudsters are reverting to tried-and-true tactics that target the weakest link in the ecosystem: consumers. Visa is committed to removing risks across a transaction, regardless of how you’re paying, but that doesn’t mean consumers should let their guard down.”
Key themes highlighted in the report include:
- The resurgence of physical theft: Scammers are going back to basics with an increase of physical theft over the past six months, capitalizing on the window between the theft and the victim’s awareness. After a theft, the most common ways the criminals are capitalizing on their theft by purchasing gift cards or physical goods to resell, or even using the card number online for money transfers. Similarly, in March of 2023, Visa identified an emerging threat dubbed “digital pickpocketing,” where cybercriminals use a mobile point-of-sale device to tap against unsuspecting consumers’ wallets and initiate a payment, often in crowded areas.
- Government impersonation scams: Consumers are falling victim to scams where fraudsters pose as representatives from the government, including agencies like the USPS, the FBI and the IRS. In the first three months of 2024, the average government impersonation scam victim in the U.S. lost $14,000 in cash, totaling more than US$20 million. Additionally, between 2022 and 2023, there was 90% increase in losses from cash payments due to government impersonation scams1. As government impersonation scams move towards cash, Visa predicts that banks will see an increase in large cash withdrawals by customers at ATMs.
- The rise of authentication bypass scams: Looking for a way to get around two-factor authentication, fraudsters are doubling down on one-time-password phishing scams, which allow criminals access to full account funds and information via increasingly convincing texts, emails or phone calls. These scams have grown more convincing in part due to the prevalence of Gen AI.
Key Takeaways
While many of the scams highlighted in the report target consumers, the research contains key takeaways for financial institutions and merchants as well.
- Gas station fraud: After a successful small authorization, fraudsters are making large fuel purchases at gas stations using accounts that do not have enough money to cover the total. In the past six months, activity has significantly shifted from targeting issuers in the U.S., Latin America and Caribbean to issuers in Central Europe, Middle East and Africa, showing how these scams spread globally.
- Enumeration: Merchants continue to be targeted by cybercriminals who test payment data with scale and speed, leading them to access consumer account information. Enumeration, or automatic testing of common payment data to guess account numbers, remains a top threat to the payment ecosystem, with significant fraud occurring in the year after a successful enumeration attack. Industries most impacted over the past year include restaurants, government services, and charitable and social service organizations.
- Token provisioning fraud: Tokenization remains one of the safest ways to pay, but as the technology gains momentum, scammers have taken to obtaining tokens illegitimately—and cashing out under the radar of financial institutions. Recently, Visa has noted a marked delay in when cybercriminals choose to cashout compromised accounts, hoping to evade detection after initial provisioning fraud.
- Ransomware: More sophisticated ransomware attacks are affecting more companies and individuals. Although there was an overall decrease of 12.3% in attempted ransomware attacks seen during the period of this report, there was a 24% increase in targeting of third-party providers like cloud or web hosting services, creating the opportunity for more fraud per attack. Just one attack to a third-party provider affected an estimated 2,620 organizations along with 77.2 million individuals, making these third-party providers a prime target for criminals2.
Newly Expanded Payment Fraud Disruption Team
This report also marks the first edition published under the newly expanded Payment Fraud Disruption team, now part of the Payment Ecosystem Risk and Control (PERC) team, which works to protect the Global Payment Ecosystem against threats and abuse by transforming risk controls, leveraging intelligence-driven solutions, and upholding Visa’s Rules and Standards.
The full report can be found HERE. To find out more about how Visa works to prevent fraud and protect the payments ecosystem, visit visa.com/security.
About Visa
Visa (NYSE: V) is a world leader in digital payments, facilitating transactions between consumers, merchants, financial institutions and government entities across more than 200 countries and territories. Our mission is to connect the world through the most innovative, convenient, reliable and secure payments network, enabling individuals, businesses and economies to thrive. We believe that economies that include everyone everywhere, uplift everyone everywhere and see access as foundational to the future of money movement. Learn more at Visa.com.