
Counteracting the threat of fraud in the payment sector

April 15, 2025



By Markus Navratil, Anti-Fraud Solutions Expert at G+D Netcetera

The global eCommerce market continues to expand at an unprecedented pace, with sales projected to exceed $8 trillion by 2027. This growth is largely driven by the convenience and efficiency of digital transactions today.

However, this growth has been accompanied by an escalating challenge in the form of fraud. Although stronger security measures such as mandatory two-factor authentication (2FA) within the European Economic Area (EEA) have effectively reduced certain card and account-to-account (A2A) fraud threats, attackers have shifted tactics by targeting the weakest link in the chain – human users.

Social engineering fraud, which manipulates individuals into sharing sensitive information and authenticating transactions, has become especially prevalent. Financial institutions now must adopt sophisticated technological solutions combined with proactive consumer education to combat this evolving threat effectively.

Understanding the evolving fraud landscape

Digital banking and payment fraud can manifest in multiple forms, but social engineering stands out for its frequency, severity and adaptability. One prevalent type is phishing, where fraudsters deceive consumers through seemingly legitimate SMS or email notifications, often impersonating trusted logistics providers or digital marketplaces. Users are typically tricked into revealing payment details, login credentials and one-time passwords on fraudulent websites, enabling attackers to conduct unauthorised transactions or account takeovers.

Increasingly, fraudsters have targeted customer onboarding and registration processes. Attackers impersonate bank representatives via convincing phone calls or messaging interactions, persuading victims to disclose registration codes and to authenticate a registration procedure that enrols the fraudster’s device. Similarly, criminals perform provisioning fraud, where they directly register compromised cards onto mobile wallets like Apple Pay or Google Pay.

Account takeovers facilitated by compromised SMS-based one-time passwords (OTPs) have also surged recently. Fraudsters intercept these authentication codes to gain control of customer accounts, leading to unauthorised transactions.

Additionally, fraud-as-a-service platforms have emerged, leveraging vast repositories of personal data available on the dark web and equipping even novice fraudsters with the sophisticated tools required to launch large-scale social engineering attacks.

In situations where technological and social engineering attacks are no longer successful due to sophisticated prevention mechanisms, fraudsters manipulate bank customers into authorising transactions themselves (known as authorised push payment fraud). Advances in artificial intelligence further exacerbate the threat. Large language models (LLMs) and deepfake audio and video technologies enable attackers to impersonate individuals or trusted organisations convincingly, rendering traditional fraud detection methods increasingly ineffective. Given the complex and varied nature of these threats, financial institutions must embrace comprehensive anti-fraud solutions to protect customers effectively.

Adopting advanced technological defences

Successfully combating social engineering fraud requires a multifaceted approach, incorporating advanced authentication technologies, secure data practices and behavioural analytics.

Tokenisation of payment data serves as a crucial initial defence. By replacing sensitive card numbers with non-sensitive tokens, financial institutions ensure that even if fraudsters gain access to compromised data, it remains useless for future transactions. Coupled with functionalities such as Click to Pay, tokenisation not only enhances security but also significantly improves user convenience by reducing repetitive data entry.

Another critical advancement is the adoption of passwordless authentication methods. Passwords and OTPs remain prime targets for attackers employing social engineering techniques. Passkeys and biometric authentication methods, driven by FIDO Alliance standards, offer strong protection by relying on cryptographic keys securely stored on the user’s device. These approaches significantly elevate security while streamlining the consumer authentication process.

One of the most crucial steps an organisation can take to enhance security is hardening onboarding and registration procedures by making them phishing-resistant. Financial institutions should phase out vulnerable activation codes or QR codes. Alongside strong KYC procedures for account opening, the replacement can be a procedure in which the customer taps their card against the NFC chip of their mobile device, or one based on links transmitted via a fully secure channel.

Integrating behavioural analytics further bolsters anti-fraud capabilities. Financial institutions should merge contextual behavioural data from online banking environments with technical insights from authentication platforms. Such integration enables early detection of suspicious activity, permitting institutions to intervene proactively before fraud occurs. To strengthen this further, effective intelligence sharing between banks and their service providers will help enhance overall fraud visibility, thereby reducing vulnerability.

Educating consumers to fortify human resilience

Advanced technological measures alone cannot eliminate fraud threats – consumer education remains indispensable. Well-informed consumers better recognise and resist social engineering attacks, reducing overall susceptibility. Banks have a responsibility to actively educate their customers on identifying common fraud tactics, safe transaction verification and digital hygiene best practices.

The introduction of transaction verification measures is also key. These measures enable banks to authenticate specific real-time payments directly with consumers. Coupled with proactive communication, these measures reassure customers, reinforcing trust in legitimate bank interactions and mitigating fraud risks.

Looking ahead: Strengthening eCommerce security

The continued rise of eCommerce and digital payments ensures that fraudsters will persistently adapt their methods, particularly within social engineering. However, institutions prepared to adopt integrated fraud-prevention strategies, combining robust technological measures, behavioural analytics, secure authentication methods and proactive consumer education, can effectively counter emerging threats.

Even so, the evolving payments landscape demands ongoing vigilance and continued innovation. Collaboration between financial institutions, technology providers, regulators and end-users remains critical. Embracing comprehensive fraud prevention methods and empowering consumers through education will ensure that humans are no longer the weakest link in digital payment security.
