What are the key types of fraud I need to consider?

In their 'SUP 16 Annex 27F Notes on completing REP017 Payments Fraud Report' the Financial Conduct Authority (<a href="/glossarycollection/financial-conduct-authority" style="color:#48277C;" target="_blank" title="Financial Conduct Authority">FCA</a>) provides a breakdown fo fraud-types for the purposes of fraud reporting. The document contains a deeper description of each type: 

Credit transfers 

Issuance of a payment order by the fraudster 

This covers unauthorised payment transactions in which the fraudster uses stolen personalised security credentials in order to issue a payment order, either through contacting the victim’s bank or accessing the victim’s online banking service. For example, where a victim’s online banking has been accessed using stolen personal identity details and credit transfers have been made from the victim’s account to beneficiaries chosen by the fraudster. 

Modification of a payment order by the fraudster 

This covers unauthorised payment transactions where the fraudster has gained unauthorised access to the victim’s account in order to change the details of existing payment orders or payment instructions. For example, where a victim’s account has been accessed using stolen personalised security credentials in order to modify the beneficiary of the victim’s existing standing orders. A victim’s account could be accessed by a fraudster in order to modify a batch of payment details so that when payments are executed by the victim’s PSP, the funds are unintentionally transferred to a beneficiary or beneficiaries chosen by the fraudster rather than the intended beneficiary. [See <a href="https://www2.cipd.co.uk/NR/rdonlyres/710B0AB0-ED44-4BD7-A527-B9AC29B28343/0/empfraud.pdf" style="color:#48277C;">CIFAS paper, Table 2 Unlawful obtaining or disclosure of personal data</a>]. 

Manipulation of the payer by the fraudster to issue a payment order 

This covers fraud where the payer authorises a push payment to an account the payer believes belongs to a legitimate payee, however, the payer was deceived into inputting the sort code and account number (or other unique identifier) of a fraudster, or an account controlled by a fraudster. This is also referred to as ‘malicious misdirection’. For example, a scammer may contact a victim purporting to be from the victim’s bank. The scammer may then convince the victim to transfer money (using a credit transfer) to a different account, purportedly in order to safeguard it. However, that account is in fact controlled by the scammer. [See <a href="https://www.psr.org.uk/psr-publications/news-announcements/which-super-complaint-our-response-Dec-2016" style="color:#48277C;">Payment Systems Regulator response to Which? Super-complaint</a>]. 

Direct debits 

Unauthorised payment transactions 

This covers fraud where a victim’s account details (e.g. sort code and account number) have been used by the fraudster to set up direct debit payments to an organisation, without the victim’s knowledge or consent, resulting in unauthorised direct debit payments being taken from the account of the victim. 

Manipulation of the payer by the fraudster to consent to a direct debit 

This covers fraud where a payer is convinced by a fraudster to set up a direct debit and consent to payments being made to an intended payee (the legitimate payee), but the fraudster uses the victim’s details and consent to set up direct debit payments to a different (unintended) payee. 

Debit and credit cards: 

Issuance of a payment order by a fraudster 

Refers to the following types of unauthorised card payment transactions: 

Lost or stolen card fraud 

This covers any payment fraud committed as a result of a lost or stolen card (except where ‘card not received fraud’ has occurred). [See <a href="https://www.financialfraudaction.org.uk/fraudfacts16/assets/fraud_the_facts.pdf" style="color:#48277C;">FFAUK Fraud Facts 2016</a>]. 

Card not received fraud 

This covers fraud where a payment card is stolen (with or without the details of the PIN also being intercepted) whilst in transit – after the card company sends it out and before the genuine cardholder receives it. The payment card is then used by the fraudster to make transactions. [See <a href="https://www.financialfraudaction.org.uk/fraudfacts16/assets/fraud_the_facts.pdf" style="color:#48277C;">FFAUK Fraud Facts 2016</a>]. 

Counterfeit card fraud 

This covers fraud where the fraudster uses a card which has been printed, embossed or encoded so as to purport to be a legitimate card but which is not genuine because the issuer did not authorise the printing, embossing or encoding. [See <a href="https://www.financialfraudaction.org.uk/wp-content/uploads/2016/07/Fraud-the-Facts-A5-final.pdf" style="color:#48277C;">Fraud The Facts A5 Final</a>]. 

Card details theft 

This covers fraud where card details have been fraudulently obtained through methods such as unsolicited emails or telephone calls, digital attacks such as malware and data hacks, or card details being taken down from the physical card by a fraudster. The card details are then used to undertake fraudulent purchases over the internet, by phone or by mail order. It is also known as ‘card-not-present’ (CNP) fraud. [See <a href="https://www.financialfraudaction.org.uk/fraudfacts16/" style="color:#48277C;">Financial Fraud Action</a>]. 

Other 

Unauthorised transactions relating to other types of fraud should be recorded under ‘other’. 

Modification of a payment order by the fraudster (debit and credit card payments) 

This is a type of unauthorised transaction and refers to a situation where the fraudster intercepts and modifies a legitimate payment order at some point during the electronic communication between the payer’s device (e.g. payment card) and the payment service provider (for instance through malware or attacks allowing attackers to eavesdrop on the communication between two legitimately communicating hosts (man in the middle attacks)) or modifies the payment instruction in the payment service provider’s system before the payment order is cleared and settled. 

Manipulation of the payer to make a card payment 

This would cover card payments that have been authorised by the payer, i.e. using chip and pin, or authenticated online card payments. The customer believes they are paying a legitimate payee, i.e. a merchant, but the payee that receives the funds is not a merchant, but instead a fraudster. 

Cash withdrawals 

Issuance of a payment order by the fraudster 

This refers to the following types of unauthorised cash withdrawals at ATMs, bank counters and through retailers (‘cash back’) using a card (or using a mobile app in place of a card): 

• those resulting from a lost or stolen payment card; 

• those resulting from a payment card being stolen (with or without the details of the PIN also being intercepted) whilst in transit – after the card company sends it out and before the genuine cardholder receives it; and 

• those where the fraudster uses a card to withdraw money which has been printed, embossed or encoded so as to purport to be a legitimate card but which is not genuine because the issuer did not authorise the printing, embossing or encoding. 

Manipulation of the payer to make a cash withdrawal 

This refers to reported frauds where a payment service user has withdrawn under duress or through manipulation (using a card, or using a mobile app in place of a card). 

E-money transactions 

The same fraud types as above for debit and credit cards apply to payment transactions involving e-money. 

Money remittance and payment initiation services 

Fraudulent transactions 

Money remitters and PISPs are required under the EBA Guidelines to report ‘fraudulent transactions’. Money remitters and PISPs should use their discretion when determining what to count as a ‘fraudulent transaction’. Where money remitters or PISPs detect the frauds described above, these should be counted as ‘fraudulent transactions’.