“Dear Good Sir/Madam,
I pray that the Lord has provided me with good faith in you, a trustful and honest person. My father, the venerable Muammar Gaddafi, 47th King of Ghana, recently passed away and I am seeing his estate. He entrusted me with US $4,000,000 in his accounts, which I am looking to entrust to you to help me get it out of the country. For your part I will reward you with a 20% fee. Please reply with your bank account number and a US $1,500 deposit to secure this blessed trust.
In good faith,
His Royal Highness, Joam Gaddafi, Prince of Ghana”
If you have had the displeasure of spring-cleaning the spam folder of your email, you may have found one of these emails addressed to you by a Nigerian prince. The sheer absurdity of this far-fetched tale is comical, but unsuspecting readers have fallen victim to these types of fraud. According to a report released in 2019 by ADT Security Services, Americans lost $703,000 in response to these emails.
Indonesians are not immune to cyber security incidents. According to PwC insights, most cyber incidents reported by Indonesian respondents relate to the loss or compromise of business information such as internal records, customer and employee data, and intellectual property. 31% of them have even suffered financial losses due to these incidents.
The first step to protecting yourself against scams is to be educated about the types of payment fraud out there today. We have identified some common tools, methods, and techniques that fraudsters employ which you should be aware of, and how you and financial institutions can work together to navigate fraud risks in our increasingly digitized world.
Identity theft
What is it?
Identity theft can happen in various ways, from something as simple as a fraudster glimpsing your credit card PIN during a point-of-sale transaction, to a complex undertaking that involves synthetically impersonating an individual’s voice and face to make a virtual transaction.
Why is it happening?
Technology has paved the way for a new generation that prioritizes efficiency and ease of use. Traditional banks and fintech companies compete with one another to provide the most “frictionless banking experience” for the tech-savvy generation, but it may come at the expense of security. Doing away with paper contracts, physical tokens, and in-person ID verification, coupled with the plethora of personal information on our social media platforms, gives fraudsters a greater chance of latching onto our digital footprint. Fraudsters and hackers typically work together to conduct high-profile data breaches in order to obtain a large volume of personal data, which can then be used to facilitate other payment frauds.
What can be done?
On the average consumer’s part, we need to be vigilant about the type of information we share on the Internet. Contrary to popular belief, it is no longer best practice to create an overly complicated password and change it frequently. According to SANS, requiring password expiration only encourages behavior where people simply increment the 1 at the end of their password to a 2. Instead of changing passwords over time, build passphrases, since length matters more than complexity for security. Long passphrases are also easier to remember and easier to type. Also ensure that every account has a unique password. As tedious as this step is, it is a necessary chore to ensure that you can keep making purchases out of a bank account that stays full and happy.
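The three rules in the paragraph above (no “bump the trailing number” rotations, length over complexity, a unique password per account) can be enforced mechanically. The following Python is an added illustration written for this article; it is not Xendit’s code and not from the original post. Every password in it is a constructed sample, and the 16-character minimum is an assumed policy value.

```python
import re

# Every password in this file is a constructed example for illustration; none comes from the article.
MIN_LENGTH = 16  # length is the policy lever; no character-class requirements (assumed value)

def stem(pw: str) -> str:
    """Drop a trailing run of digits (and any punctuation after it), then lower-case, so
    'Summer2023!' and 'Summer2024!' both reduce to 'summer!'."""
    return re.sub(r"\d+(\W*)$", r"\1", pw).lower()

def is_trivial_rotation(new_pw: str, old_pw: str) -> bool:
    """The 'bump the number at the end' change that expiry policies encourage."""
    return stem(new_pw) == stem(old_pw)

def check_new_password(new_pw: str, old_pw: str, other_accounts: dict) -> dict:
    """Evaluate a proposed password against three rules: not a rotation of the previous one,
    long enough to be a passphrase, and not shared with (or a rotation of) another account's
    password. other_accounts maps account name -> that account's current password, as a
    password manager would hold them."""
    problems = []
    if is_trivial_rotation(new_pw, old_pw):
        problems.append("rotation of previous password")
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters; use a passphrase")
    reused_on = [name for name, pw in other_accounts.items() if stem(pw) == stem(new_pw)]
    if reused_on:
        problems.append("same as, or a rotation of, the password on: " + ", ".join(reused_on))
    return {"ok": not problems, "problems": problems}

if __name__ == "__main__":
    # Hypothetical vault contents; "shop" is the account whose password is being changed.
    vault = {"shop": "Summer2023!", "email": "blue-kettle-orbit-lantern"}
    others = {name: pw for name, pw in vault.items() if name != "shop"}
    for candidate in ["Summer2024!", "Tr0ub4dor&3", "blue-kettle-orbit-lantern",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_new_password(candidate, vault['shop'], others)}")
```

The `stem` normalisation is deliberately crude: it only needs to catch the rotation pattern SANS describes, and a short “complex” string such as `Tr0ub4dor&3` still fails on length alone, which is the point of preferring passphrases.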
Governments, financial institutions, and tech conglomerates around the world are becoming more stringent in their defense against cybercrime. Take the European Union, for example, which in 2018 implemented a new payment services directive that requires multi-factor authentication to increase security against identity theft. Tech companies like Apple and Google require their customers to provide two different pieces of information in order to register for an account, a type of account security known as two-factor authentication (2FA). Across Southeast Asia, including Indonesia, major credit card schemes and payment gateways implement 3D Secure (3DS) at online checkouts, where customers need to enter a one-time password (OTP) sent to their mobile phone by the issuing bank to authenticate the transaction.
Social engineering fraud
What is it?
The email excerpt above from a Nigerian prince is merely a template that has gained notoriety due to the volume of scam emails that can be traced back to Nigeria. This type of email scam is a form of social engineering fraud, which manipulates victims, either emotionally or strategically, into making a payment upfront in return for a large sum of money. Fraudsters posing as an insurance company or hospital may claim that the victim’s child or spouse is in debt and that a sum must be paid to a predetermined account number.
You may have a sharp nose for lies, and you certainly won’t fall for a request from an unknown Nigerian prince, but what if you received an email from the World Bank? Just a few months shy of 2020, the World Bank Group released a statement warning the public against advance-fee schemes using its name. The next scam email you receive under the guise of the World Bank may land in your main inbox, complete with an official stamp and signature from the Chief Finance Officer, and your own personal bank details.
Why is it happening?
With the majority of our communications and banking transactions today taking place in a digital space, fraudsters need only a quick Facebook check to confirm your relationship status and who your relatives are. Social engineering fraud involves the same mechanisms as identity theft, in which your personal information is used against you. But unlike identity theft, you authorize the transaction instead of the fraudster. Since it is a customer-authorized payment, banks have little way of detecting these scams.
What can be done?
Banks largely rely on customers’ feedback to alert them to social engineering scams, but the accountability ultimately falls on the individual. Fraudsters can obtain your number, email, and personal information either through phishing or a data breach, so keep your contact information private and protect your bank and social media accounts. Upon receiving a call or email from anyone asking you to make an unsolicited bank transfer, remain calm and contact the official institution or organization involved for further information, using a different phone to protect your personal safety.
Card-not-present fraud
What is it?
We have discussed two types of fraud that target customers, but there are also frauds specific to merchants. A card-not-present (CNP) transaction is one that occurs entirely virtually, meaning you are not physically there to swipe the card through a magnetic stripe reader or insert it into an EMV chip reader. These types of transactions are more common than you think: online purchases, digital payments, e-wallets, and so on.
Card-not-present fraud occurs when a fraudster steals a victim’s credit card information – or sometimes the credit card itself – to make a fraudulent remote transaction. Fraudsters have also been known to build card number generators which they use to try their luck – they may not even need to steal your card details! If the fraudster has the victim’s Card Verification Value (CVV for short; the 3-4 digits on the back of a card) and billing address, we might as well treat it as an identity theft case.
Why is it happening?
The prevalence of card-not-present fraud is due to the fact that merchants have little way of verifying the purchaser’s identity if the purchaser is not physically present in a store at the POS. If a fraudster successfully makes a USD$100 purchase using your credit card on an e-commerce website or over the phone, your first reaction would be to call your bank and file a chargeback. In that case, the party that has to absorb that USD$100 is not you or the bank, but the merchant.
What can be done?
Merchants and banks recognize the financial damage of CNP fraud and have taken steps to create a multi-layered verification system. In the recent past, the two common methods for verifying online transactions have been (1) entering your billing information, and (2) providing the CVV on the back of the card. In addition, many banks in Europe and Southeast Asia require 3DS, verified by the cardholder entering an OTP, commonly received as a text message on our phones from the bank, to authenticate a transaction. Banks are looking at more sophisticated technologies to prevent further CNP fraud, but part of the responsibility lies with us to safeguard our credit card information from any peeping toms online and in real life.
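The OTP step described above, and the 2FA/OTP mechanism mentioned earlier in the identity theft section, only adds security if the issuer treats the code properly: bound to one transaction, short-lived, single-use, attempt-limited, and compared in constant time. The Python below is an added example of that issuer-side logic; it is not Xendit’s code, not any bank’s or card scheme’s implementation, and not from the original article. The 180-second lifetime, the three-attempt limit and the six-digit format are assumed values, and delivery of the code by SMS is outside the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

OTP_TTL_SECONDS = 180   # assumed lifetime of a challenge
MAX_ATTEMPTS = 3        # assumed limit on guesses per challenge


@dataclass
class PendingOtp:
    code: str
    amount: str
    merchant: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpAuthenticator:
    """Hypothetical issuer-side OTP check for a card-not-present transaction, modelled on the
    3DS challenge the article describes. The clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: Dict[str, PendingOtp] = {}

    def issue(self, txn_id: str, amount: str, merchant: str) -> str:
        """Generate a 6-digit code tied to exactly one transaction (amount and merchant).
        Returns the code that would be delivered to the cardholder's phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn_id] = PendingOtp(code, amount, merchant,
                                          self.clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, txn_id: str, submitted: str, amount: str, merchant: str) -> Tuple[bool, str]:
        """Check a submitted code. Every failure mode returns a distinct reason for logging;
        the cardholder-facing message would be generic."""
        p = self.pending.get(txn_id)
        if p is None:
            return False, "no pending challenge"
        if p.used:
            return False, "code already used"
        if self.clock() > p.expires_at:
            del self.pending[txn_id]
            return False, "code expired"
        # The code authenticates these exact transaction details, not just the session.
        if (amount, merchant) != (p.amount, p.merchant):
            return False, "transaction details changed since challenge"
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[txn_id]
            return False, "too many attempts"
        # Constant-time comparison so timing does not leak how many digits matched.
        if not hmac.compare_digest(submitted.encode(), p.code.encode()):
            return False, "wrong code"
        p.used = True
        return True, "authenticated"


if __name__ == "__main__":
    auth = OtpAuthenticator()
    # Constructed transaction: a hypothetical merchant and amount.
    code = auth.issue("txn-0001", "149.90", "example-shop")
    print("wrong code    ->", auth.verify("txn-0001", "000000", "149.90", "example-shop"))
    print("amount edited ->", auth.verify("txn-0001", code, "999.00", "example-shop"))
    print("correct code  ->", auth.verify("txn-0001", code, "149.90", "example-shop"))
    print("replayed code ->", auth.verify("txn-0001", code, "149.90", "example-shop"))
```

Binding the code to the amount and merchant is what makes the step meaningful for CNP fraud: a code phished from the cardholder for one purchase cannot be redeemed for a different one.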
Xendit’s security and fraud prevention
Xendit has achieved the most stringent and comprehensive certification, PCI Level 1 SAQ-D, which puts our systems’ readiness up there with the likes of Stripe, Braintree, and Adyen. It is not easy to get certified, and giants (Facebook, Google, foreign governments, etc.) require payment gateways (PGs) to be PCI-compliant to even be considered, that is, to be able to submit RFPs.
“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.” — Quick Service Restaurant (QSR) Magazine.
Card payments made through Xendit are also fully 3DS-enabled, adding that layer of security for CNP transactions. To protect merchants and cardholders, Xendit’s in-house fraud detection system xenshield combines risk scoring and fraud management tools to review payments for fraud risk. Payments which we assess as high-risk, based on multiple factors, are automatically blocked before they go through. Merchants have the flexibility to set rules to block transactions based on velocity, user identity, and so on. These help lower chargeback risk and prevent losses for our users.
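To make the velocity rules and risk scoring described above concrete, and to show why the card number generators mentioned in the card-not-present section are caught by behaviour rather than by number format, here is an added Python illustration. It is not xenshield, not Xendit’s code, and not from the original article; the thresholds, weights and the 5-minute window are assumed values, the card numbers are publicly documented test numbers, and the IP addresses come from the reserved documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation. Passing only means the number is well formed; generators
    produce Luhn-valid numbers trivially, so this is a filter, not a fraud signal by itself."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class VelocityScreen:
    """Hypothetical velocity and risk-scoring screen for card-not-present authorisations.
    Thresholds and weights are illustrative assumptions, not any provider's real settings."""

    def __init__(self, window=timedelta(minutes=5), max_cards_per_ip=3,
                 max_tries_per_card=3, block_at=40):
        self.window = window
        self.max_cards_per_ip = max_cards_per_ip
        self.max_tries_per_card = max_tries_per_card
        self.block_at = block_at
        self.by_ip = defaultdict(list)    # ip -> [(timestamp, card)]
        self.by_card = defaultdict(list)  # card -> [timestamp]

    def assess(self, ts: datetime, ip: str, card: str, amount: float) -> dict:
        """Score one authorisation attempt against what this IP and this card did recently."""
        if not luhn_valid(card):
            return {"decision": "reject", "score": 100, "reasons": ["malformed card number"]}
        score, reasons = 0, []
        # Card testing: many distinct card numbers from one source in a short window.
        recent_cards = {c for t, c in self.by_ip[ip] if ts - t <= self.window} | {card}
        if len(recent_cards) > self.max_cards_per_ip:
            score += 60
            reasons.append(f"{len(recent_cards)} distinct cards from {ip} within {self.window}")
        # Retry storm: one card hammered repeatedly.
        tries = sum(1 for t in self.by_card[card] if ts - t <= self.window) + 1
        if tries > self.max_tries_per_card:
            score += 40
            reasons.append(f"{tries} attempts on one card within {self.window}")
        # Tiny amounts are typical of probes checking whether a card is live.
        if amount < 2.0:
            score += 10
            reasons.append("probe-sized amount")
        self.by_ip[ip].append((ts, card))       # record blocked attempts too
        self.by_card[card].append(ts)
        decision = "block" if score >= self.block_at else "allow"
        return {"decision": decision, "score": score, "reasons": reasons}


# Constructed attempts. Card numbers are publicly documented test numbers, not real cards;
# IPs are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
T0 = datetime(2024, 1, 1, 12, 0, 0)
ATTEMPTS = [
    (T0 + timedelta(seconds=0),  "203.0.113.5",  "4242424242424242", 1.00),
    (T0 + timedelta(seconds=20), "203.0.113.5",  "4111111111111111", 1.00),
    (T0 + timedelta(seconds=40), "203.0.113.5",  "5555555555554444", 1.00),
    (T0 + timedelta(seconds=60), "203.0.113.5",  "6011111111111117", 1.00),   # 4th card: card testing
    (T0 + timedelta(seconds=70), "203.0.113.5",  "4242424242424241", 1.00),   # fails Luhn
    (T0 + timedelta(seconds=90), "198.51.100.7", "5105105105105100", 149.90), # ordinary purchase
]


def run_demo(attempts=ATTEMPTS) -> list:
    """Run the constructed attempts through a fresh screen and return the decisions."""
    screen = VelocityScreen()
    return [screen.assess(*a)["decision"] for a in attempts]


if __name__ == "__main__":
    screen = VelocityScreen()
    for ts, ip, card, amount in ATTEMPTS:
        print(ts.time(), ip, "…" + card[-4:], screen.assess(ts, ip, card, amount))
```

Note that the first three probes from the same address are allowed: a velocity rule cannot fire before it has seen the velocity. Tuning the window and threshold is the trade-off between catching card testing early and declining legitimate customers who retry a mistyped number.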