AI adoption by hackers pushed financial scams in 2023

Threats to the payment ecosystem in 2023 consisted chiefly of financial scams, with threat actors increasingly adopting AI technologies to stay at the top of their game, according to a Visa report.

The top scams identified by the US-based payment card services operator included pig butchering, inheritance scams, humanitarian relief scams, and triangulation frauds.

“The latest biannual threat report reveals an alarming increase in financial scams, both in scope and breadth, with criminals making significant profits globally,” said Michael Jabbara, SVP, global head of fraud services at Visa. “There is an increased need to remain vigilant, especially on social media and email platforms, which are the primary channels for these scams. The imperative to implement best practices that mitigate, prevent, and disrupt these threats and protect the consumers and business globally has never been stronger.”

The report, which is based on threat data from the seven months of June 2023 to December 2023, also revealed that threat actors are likely to continue adopting and adapting innovative technologies like GenAI to exploit system vulnerabilities at enterprise entities and individual cardholder data for fraudulent financial gain, Jabbara added.

Pig butchering on a steep rise

One of the leading scams in 2023 was pig butchering, a confidence trick or investment fraud in which victims are manipulated into making heavy cryptocurrency-based contributions to a seemingly sound investment scheme. Visa observed threat actors evolving the “romance scams” seen during holiday times into crypto-based pig butchering lures.

“In a pig butchering scam, threat actors use social media, dating websites, and various apps to lure victims into online relationships and subsequently convince victims to invest in specified cryptocurrency trading platforms,” said Jabbara. “Such scams tend to occur during holidays when people are feeling especially lonely and are experiencing heightened anxiety around being single – such as Valentine’s Day and New Year’s – and bad actors exploit vulnerable individuals in that heightened state of mind.”

Visa reported that 10% of the surveyed adults were targeted in a pig butchering scam. In April 2023, the US Department of Justice (DOJ) seized over $112 million in funds linked to pig butchering scams.

“Actors have started to use AI and other technologies in combination with holiday lures to cultivate more convincing phishing campaigns, such as dating profiles using AI and deepfakes to create the most compelling profiles,” Visa said in the report. “They have also begun outsourcing stages of the attack to AI technology, such as initial correspondence with victims.”

Phishing scams escalated

Phishing-based scams, which refer to threat actors sending out emails, text messages, phone calls or social media posts in order to trick their victims into downloading a virus, or divulging personal or financial information, recorded a jump in 2023.

Fifteen percent of US adults surveyed by Visa were targeted in inheritance scams, where victims are notified, often by a seemingly legitimate law firm or other professional entity, about an inheritance left by a long-lost relative. Red flags for such scams include secrecy, urgency, requests for personal information, and the need for an initial payment to secure future gains, according to Visa.

Humanitarian relief scams, which call for donations across social media for tragic current events like the Israel-Hamas conflict, rose, with over 500 scam emails in circulation related to the conflict. Another scam, triangulation fraud, had a significant footprint in 2023, costing merchants up to $1 billion in a single month. In these frauds, threat actors create illegitimate online storefronts offering in-demand products at low costs to collect payment information.

Organizational threats included ransomware, PRA and AI-based attacks

Ransomware attacks across the payment ecosystem grew steadily in 2023, with 59% of them happening in the US. The attacks registered a 92% growth in 2023 as against the same June-December period in 2023. Purchase Return Authorization (PRA) fraud, another fraud attack, accounted for $115k per attack in losses to banks. PRA attacks involve initiating fake purchase returns to one or more actor-owned cards.

The report also pointed out that fraudsters are increasingly adopting AI to identify vulnerabilities within fraud controls implemented by banks.

“AI, advanced machine learning models, and AI chatbots are increasingly being used to fabricate malicious code to steal sensitive information,” said Jabbara. “Beyond the creation of fraudulent AI programs, LLMs can be trained to circumvent the controls restricting popular LLM responses via malicious prompts that contain spaces at the end of each character and request the legitimate LLM to respond in a similar manner to a nefarious actor. Known as the ‘Masterkey’ model, threat actors can essentially ‘jailbreak’ ALMs to generate malicious responses for their own benefit.”

Being wary of fake charities, enabling multi-factor authentication (MFA), verifying incoming messages and emails, and using secure payment methods over direct money transfers, wire transfers, and peer-to-peer mobile applications are a few best practices recommended by Michael to secure against financial fraud.
