Fraud the Facts 2016

The definitive overview of payment industry fraud


Katy Worobec

Director, Financial Fraud Action UK


Introduction


Criminals are increasingly using scams to trick people into disclosing their personal details or parting with their money. Raising public awareness is key to beating the fraudsters. This year we will be launching a major multisector campaign, helping people to avoid becoming a victim of frauds and scams.

FFA UK and its members are also fully engaged in, and committed to the work of, the Joint Fraud Taskforce recently launched by the Home Secretary to use the collective powers, systems and resources of government, law enforcement and industry to crack down on financial fraud.


FFA UK works in partnership with The UK Cards Association in developing and delivering fraud strategy on credit, debit and charge cards. UK Cards is the trade body for the card payments industry in the UK, representing financial institutions which act as card issuers and acquirers.

It also works with the Cheque and Credit Clearing Company (C&CCC), which is the industry body that manages the cheque clearing system in Great Britain. This includes the processing of bankers’ drafts, building society cheques, postal orders, warrants and government payable orders.



Trends and Statistics
2015 Overview


Financial fraud losses across payment cards, remote banking and cheques totalled £755 million in 2015, an increase of 26 per cent compared to 2014.

Prevented fraud totalled £1.76 billion in 2015. This represents incidents that were detected and prevented by the banks and card companies and is equivalent to £7 in every £10 of attempted fraud being stopped. It is the first time the full-year prevented fraud figure has been collected by FFA UK.

Drivers of the changing fraud figures

While it is not possible to place specific monetary values on particular modus operandi, intelligence reported into FFA UK by its members points to the key drivers behind the reported figures.

The rise across all fraud loss types during 2015 owes much to the growth of impersonation and deception scams, as well as sophisticated online attacks such as malware and data breaches.

These methods all aim to compromise customers’ personal and financial details, including card data, in order to enable the criminals to commit fraud.

In an impersonation and deception scam, a criminal approaches a customer purporting to be from a legitimate organisation. These scams typically involve a phone call, text message or email, in which the criminal claims to be from a trusted organisation such as a bank, the police, a utility company or a government department.

The fraudulent approach often claims that there has been suspicious activity on the recipient's account or that their account details need to be ‘updated’ or ‘verified’. The criminal then attempts to trick their victim into giving away their personal or financial information, such as passwords or passcodes, or into transferring money directly to the fraudster.

There have been several high profile data breaches reported in 2015, along with more frequent lower level attacks. This data can be used to commit fraud directly, for example the use of stolen card details to make remote purchases. Other personal and financial information obtained in a breach can be used in impersonation scams, while the publicity around the incident itself can be used to add authenticity to the fraudulent approach.

Criminal gangs also use malware [malicious software which is unknowingly downloaded onto a device or computer] and phishing emails as a means to compromise customers’ security and personal details. Once obtained, fraudsters will use these details to access customer accounts or to commit fraud.


Total 2015 Financial Fraud Losses by Type

Financial fraud includes 1st and 3rd party fraud on all core banking products/services (including credit and charge cards, current accounts and debit cards, savings accounts, cheques, overdrafts and loans), channels (including point of sale, remote purchases, online/telephone banking, branch counter) and customers (personal and business).



Card Fraud


Value £567.5m +18%
Case Volume 1,487,111 +15%

Fraud losses on UK-issued cards totalled £567.5 million in 2015, an 18% increase from £479 million in 2014; the fourth consecutive year of increase. However, losses are still 6% lower than the peak of £609.9 million seen in 2008. At the same time, total spending on all debit and credit cards reached £856 billion in 2015, with 17.4 billion transactions made during the year.

Overall card fraud losses as a proportion of the amount we spend on our cards have increased during 2015, rising from 7.5p per £100 spent in 2014 to 8.3p per £100 in 2015 (in 2008 it was 12.4p for every £100 spent).

These trends owe much to the use of deception crimes, as well as the use of online attacks, such as malware and data hacks, to compromise card details. In response, the industry has redoubled its efforts to warn consumers and online businesses to install security software which is often available for free from a customer’s own bank. To prevent stolen card details being used to make purchases online, retailers are advised to take steps to improve their security, including use of online protection services (including American Express ‘SafeKey’, MasterCard ‘SecureCode’ and ‘Verified by Visa’).

Fraud volumes

FFA UK also publishes the number of fraud incidents to convey more fully the dynamics of the fraud environment in the UK. The data follows much the same trend as fraud by value, with 2015 figures showing a significant increase in comparison to 2014, particularly in the remote purchase (card-not-present (CNP)) and Card ID theft categories.


FRAUD LOSSES ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


Annual fraud losses on UK-issued cards 2006 – 2015

All figures in £ millions

| Fraud Type | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Remote Purchase (CNP) | 212.7 | 290.5 | 328.4 | 266.4 | 226.9 | 220.9 | 246.0 | 301.0 | 331.5 | 398.2 | 20% |
| Of which e-commerce | 154.5 | 178.3 | 181.7 | 153.2 | 135.1 | 139.6 | 140.2 | 190.1 | 219.1 | 261.5 | 19% |
| Counterfeit | 98.6 | 144.3 | 169.8 | 80.9 | 47.6 | 36.1 | 42.1 | 43.4 | 47.8 | 45.3 | -5% |
| Lost & Stolen | 68.5 | 56.2 | 54.1 | 47.9 | 44.4 | 50.1 | 55.2 | 58.9 | 59.7 | 74.1 | 24% |
| Card ID Theft | 31.9 | 34.1 | 47.4 | 38.1 | 38.1 | 22.5 | 32.2 | 36.7 | 29.9 | 38.2 | 28% |
| Card non-receipt | 15.4 | 10.2 | 10.2 | 6.9 | 8.4 | 11.3 | 12.8 | 10.4 | 10.1 | 11.7 | 16% |
| Total | 427.0 | 535.2 | 609.9 | 440.3 | 365.4 | 340.9 | 388.3 | 450.4 | 479.0 | 567.5 | 18% |
| UK | 309.9 | 327.6 | 379.7 | 317.6 | 271.5 | 260.9 | 286.7 | 328.2 | 328.7 | 379.8 | 16% |
| Fraud Abroad | 117.1 | 207.6 | 230.1 | 122.7 | 93.9 | 80.0 | 101.6 | 122.0 | 150.3 | 187.7 | 25% |

Due to the rounding of figures, the sum of separate items may differ from the totals shown. E-commerce figures are estimated.


Annual case volumes on UK-issued cards 2011 – 2015

It is important to note that number of cases relates to the number of accounts that have been defrauded, as opposed to the number of victims.

| Card Fraud Type on UK-issued credit and debit cards | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| Remote Purchase (CNP) | 709,402 | 750,200 | 951,998 | 1,019,146 | 1,194,482 | 17% |
| Counterfeit (skimmed/cloned) | 81,112 | 98,322 | 101,109 | 99,729 | 92,670 | -7% |
| Fraud on lost or stolen cards | 104,467 | 113,003 | 138,967 | 133,943 | 152,727 | 14% |
| Card ID theft | 15,420 | 24,078 | 30,718 | 26,542 | 36,318 | 37% |
| Card non-receipt | 8,536 | 9,018 | 9,125 | 9,302 | 10,914 | 17% |
| Total | 918,937 | 994,621 | 1,231,917 | 1,288,662 | 1,487,111 | 15% |

FRAUD TURNOVER RATIO 2006 – 2015

Arrows show percentage change on previous year’s total


The fraud-to-turnover ratio places the card fraud losses in the context of the ever increasing use of cards. Fraud-to-turnover for all payment cards increased to 0.083% in 2015, equivalent to 8.3 pence of fraud for every £100 spent.


CARD FRAUD LOSSES SPLIT BY TYPE

As percentage of total losses


Remote purchase fraud (internet, telephone, mail order)


Value £398.2m +20%
Case Volume 1,194,482 +17%

The vast majority of this type of fraud involves the use of card details that have been fraudulently obtained through methods such as unsolicited emails or telephone calls or digital attacks such as malware and data hacks. The card details are then used to undertake fraudulent purchases over the internet, phone or by mail order. It is also known as ‘card-not-present’ (CNP) fraud.

Online fraud against UK retailers totalled an estimated £155.5 million in 2015, a rise of 13% on the previous year. However, there was also a substantial rise in fraud against online retailers based abroad, rising 27% to £103 million.


REMOTE PURCHASE (CNP) FRAUD LOSSES ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


Counterfeit card fraud


Value £45.3m -5%
Case Volume 92,670 -7%

Counterfeit card fraud occurs when a fake card is created by fraudsters using compromised details from the magnetic stripe of a genuine card. This type of fraud typically occurs as a result of criminals stealing details from the magnetic stripe on UK cards which are then used to make fake magnetic stripe cards for use overseas in countries yet to adopt chip cards.


COUNTERFEIT CARD FRAUD LOSSES ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


Lost and stolen card fraud


Value £74.1m +24%
Case Volume 152,727 +14%

This category covers fraud on cards that have been reported by the cardholder as lost or stolen. Lost and stolen cards can be used in shops that do not have Chip & PIN, or to commit a fraudulent telephone, internet or mail order transaction. If the PIN is also obtained, the card could be used in a shop or at a cash machine.

Initiatives such as Chip & PIN have made it harder to commit fraud using a card without also having the PIN. Fraudsters are instead focused on crimes which enable them to steal people’s cards and PINs. These range from distracting people in shops or at cash machines and then stealing their cards without them noticing (distraction thefts), to simply tricking them into handing over their cards and PINs on their own door step (often referred to as courier scams or telephone scams).


LOST AND STOLEN FRAUD LOSSES ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


Card ID theft


Value £38.2m +28%
Case Volume 36,318 +37%

Card ID theft occurs when a criminal uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account held in someone else’s name. This type of fraud is split into two categories, third-party application fraud and account takeover fraud.

Application Fraud

£14.1m +38%

Application fraud occurs when criminals use stolen or fake documents to open an account in someone else’s name. For identification purposes, criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Alternatively, they may use counterfeit documents.

Account Takeover

£24.1m +22%

This involves a criminal fraudulently using another person’s bank, credit or debit card account, first by gathering information about the intended victim, then contacting their bank or credit card issuer to masquerade as the genuine account or card holder.

The criminal then arranges for funds to be transferred out of the account, or will change the address on the account and ask for new or replacement cards to be sent, which are then used fraudulently.


ID THEFT ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


Card non-receipt fraud


Value £11.7m +16%
Case Volume 10,914 +17%

This type of fraud involves cards being stolen whilst in transit – after the card company sends them out and before the genuine cardholder receives them. Properties with communal letterboxes, such as flats and student halls of residence, and people who do not get their mail redirected when they change address are all vulnerable to this type of fraud.


MAIL NON-RECEIPT FRAUD LOSSES ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


PLEASE NOTE: Figures in the following sections relate to the places where the card was used fraudulently rather than how the card or card details were compromised. This is simply another way of breaking down the overall payment card fraud totals and so these figures should not be treated as an addition to those already covered in the earlier sections. Case volumes are not available for the place of misuse as it is feasible that one case could cover multiple places of misuse. So, for example, a lost or stolen card could be used to make an ATM withdrawal and also purchase goods on the high street.

UK retailer face-to-face card fraud losses


Value £53.5m +8%

Fraud losses on face-to-face purchases on the UK high street increased by 8% in 2015 to £53.5 million. However, losses are still 76% lower than the peak of £218.8 million in 2004, prior to the roll out of Chip & PIN in the UK.

The majority of this fraud is undertaken using more basic techniques, with fraudsters finding ways of stealing both the card and PIN in order to carry out fraudulent transactions in shops and stores. For example, criminals are targeting cards and PINs through distraction thefts and shoulder surfing, as well as social engineering methods to dupe victims into handing over their cards on their own doorstep. This is because Chip & PIN has closed down opportunities for criminals to use compromised cards in the UK.

These totals include fraud incidents on both contactless cards and mobile devices. Fraud on contactless cards and devices remains low with £2.8 million of losses during 2015, compared to spending of £7.75 billion over the same period. This is equivalent to 3.6p in every £100 spent using contactless technology while fraud on contactless cards and devices accounts for only 0.5 per cent of overall card fraud.


CARD FRAUD LOSSES AT UK RETAILERS
(FACE-TO-FACE TRANSACTIONS) 2006 – 2015

Arrows show percentage change on previous year’s total


Internet/e-commerce fraud


Value £261.5m +19%

These figures are included within the overall remote purchase (CNP) fraud losses described in the previous section. An estimated £261.5 million of e-commerce fraud took place on cards in 2015, accounting for 46% of all card fraud and 66% of total remote purchase fraud.

E-commerce fraud has now reached its highest point since data collection began in this area. However, this is to be anticipated given the considerable increase in genuine usage in this channel over the last 10 years with spending reaching £211 billion in 2015, meaning that for every £100 spent on the internet only 12.4p is fraudulent.

Please Note: These figures include spending and losses outside the UK.


INTERNET/E-COMMERCE FRAUD LOSSES ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


Card fraud at UK cash machines


Value £32.7m +20%

These figures show how much fraud takes place at cash machines in the UK on stolen cards, or where a card account has been taken over by the fraudster; in all cases the fraudster would need to have access to the genuine PIN and card. Some losses result from cardholders keeping their PIN written down in a purse or wallet, which is then stolen.

Fraudsters also target cash machines in order to compromise or steal cards or card details in three main ways:

Entrapment devices: Inserted into a cash machine’s card slot, these devices retain the card inside the machine. The criminal then tricks the victim into re-entering their PIN while the criminal watches. After the cardholder gives up and leaves, the criminal removes the device with the card and subsequently withdraws cash.

Skimming devices: Attached to the cash machine to record the details from the magnetic stripe of a card while a miniature camera captures the PIN being entered. A fake magnetic stripe card is then produced and used with the genuine PIN to withdraw cash at machines overseas, which have yet to be upgraded to Chip & PIN.

Shoulder surfing: Criminals watch the cardholder entering their PIN, then steal the card using distraction techniques or pick pocketing.


FRAUD LOSSES AT UK CASH MACHINES 2006 – 2015

Arrows show percentage change on previous year’s total


Card fraud abroad


Value £187.7m +25%

The majority (67%) of this type of fraud is attributed to remote purchase fraud at retailers based overseas. This category also includes those cases where criminals steal magnetic stripe details from UK cards to make counterfeit cards for use overseas in countries yet to upgrade to Chip & PIN. However, this type of fraud has fallen when compared to previous years as a result of the increased adoption of chip technology around the world.

International fraud losses for 2015 were £187.7 million, compared with losses at their peak in 2008 of £230.1 million, a decrease of 18%.


FRAUD COMMITTED ABROAD ON UK-ISSUED CARDS 2006 – 2015

Arrows show percentage change on previous year’s total


TOP FIVE COUNTRIES FOR FRAUD ACQUIRED IN THE UK ON FOREIGN-ISSUED CARDS

Losses are shown as a percentage of total fraud at UK acquired merchants on foreign issued cards


TOP FIVE COUNTRIES FOR FRAUD ABROAD 2012 – 2015

UK issued cards or card details used fraudulently overseas



Cheque Fraud


Value £18.9m -6%
Case Volume 5,746 -30%

There are three types of cheque fraud: counterfeit, forged and fraudulently altered.

Counterfeit cheque fraud

£8.5m +41%

Counterfeit cheques are printed on non-bank paper to look exactly like genuine cheques and are drawn by a fraudster on genuine accounts.

Forged cheque fraud

£5.6m -29%

A forged cheque is a genuine cheque that has been stolen from an innocent customer and used by a fraudster with a forged signature.

Fraudulently altered cheques

£4.8m -27%

A fraudulently altered cheque is a genuine cheque that has been made out by the genuine customer, but a fraudster has altered the cheque in some way before it is paid in, e.g. by altering the beneficiary’s name or the amount of the cheque.


CHEQUE FRAUD LOSSES 2006 – 2015

Arrows show percentage change on previous year’s total


ANNUAL CASE VOLUMES CHEQUE FRAUD 2011 – 2015

| | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| Cheque Fraud | N/A | 15,539 | 10,471 | 8,168 | 5,746 | -30% |


Online Banking Fraud


Value £133.5m +64%
Case Volume 19,691 +23%

Online banking fraud occurs when the fraudster gains access to, and transfers funds from, an individual’s online bank account.

In some cases, an individual may be duped by a criminal into making a fraudulent money transfer themselves.

A variety of factors are believed to have contributed to the increase in online banking fraud, but it has been driven by a change in attack methods, with criminals using social engineering scams such as phishing and vishing (phishing over the phone) in combination with more sophisticated online attacks such as infecting computers with malicious software (malware).

Collection of industry fraud losses for online banking fraud began in June 2009. Case volumes were not collected until 2012.


ONLINE BANKING FRAUD LOSSES 2010 – 2015

Arrows show percentage change on previous year’s total


ANNUAL CASE VOLUMES ONLINE BANKING FRAUD 2011 – 2015

| | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| Online Banking Fraud | N/A | 16,355 | 13,799 | 16,041 | 19,691 | +23% |


Phone Banking Fraud


Value £32.3m +92%
Case Volume 11,380 +97%

This fraud happens when a criminal fraudulently accesses the victim’s phone banking account.

To do this the criminal needs to be in possession of specific personal and financial information about the victim, to convince the phone banking system or operator that they are the genuine account holder. A criminal will use a variety of ways to acquire information about an intended victim such as social engineering, phishing, and vishing (by pretending to be from a trusted organisation such as a bank or the police).

Collection of industry fraud losses for telephone banking fraud began in June 2009.

Case volumes were not collected until 2012.


PHONE BANKING FRAUD LOSSES 2010 – 2015

Arrows show percentage change on previous year’s total


ANNUAL CASE VOLUMES FOR TELEPHONE BANKING FRAUD 2011 – 2015

| | 2011 | 2012 | 2013 | 2014 | 2015 | % Change 14/15 |
|---|---|---|---|---|---|---|
| Telephone Banking Fraud | N/A | 7,095 | 5,596 | 5,778 | 11,380 | +97% |


Phishing


Phishing describes the practice of sending emails at random, purporting to come from a genuine company such as a bank, but increasingly other organisations such as HMRC, in an attempt to trick customers of that company into disclosing information at a bogus company website operated by fraudsters.

Fraudsters send out thousands or even millions of spam emails trying to convince people to click on a link that will send them to the fake site. These emails usually claim that it is necessary to ‘update’ or ‘verify’ a password, and they urge people to click on a link from the email that takes them to the bogus bank website. Any information entered on the bogus website or form will be captured by the criminals for their own fraudulent purposes.


NUMBER OF PHISHING WEBSITES TARGETED AGAINST UK BANKS AND BUILDING SOCIETIES 2006 – 2015

| | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|---|---|---|---|---|---|---|
| Total | 14,156 | 25,797 | 43,991 | 51,161 | 61,783 | 111,286 | 256,641 | 26,995 | 23,729 | 16,462 |


Combatting Financial Fraud


FFA UK delivers programmes of collaborative fraud prevention activity which combine education and awareness, intelligence-sharing and law enforcement. This work is driven by the Industry Strategic Threat Management process making it responsive to the changing patterns in fraud in the market.

This integrated approach is designed to prevent avoidable fraud, to effectively identify patterns where fraud has been committed, and to support law enforcement in bringing the criminals to justice following an attack. To ensure a coordinated response to threats, we provide expert fraud prevention advice on new initiatives pioneered by the financial services industry – for example, on account switching and mobile payments. We also engage stakeholders, including regulators and government, to ensure that regulation works in step with fraud prevention programmes.

More information is available in the FFA UK Annual Review 2016 and on the website at: www.financialfraudaction.org.uk



FFA UK Members as at 31 December 2015


  • Allied Irish Bank Group (UK) plc
  • American Express Services Ltd
  • MBNA Ltd
  • Bank of Ireland UK
  • Barclays Bank plc
  • Capital One (Europe) plc
  • C Hoare and Co
  • Citi Bank
  • Clydesdale Bank
  • The Co-operative Bank plc
  • Coventry Building Society
  • Danske Bank (trading name of Northern Bank Ltd)
  • Elavon Financial Services
  • First Data Europe Ltd
  • Global Payments UK Ltd
  • HSBC Bank plc
  • Investec Bank plc
  • Lloyds Banking Group plc
  • Metro Bank plc
  • Nationwide Building Society
  • NewDay Ltd
  • Royal Bank of Scotland Group plc
  • Sainsbury’s Bank plc
  • Santander UK plc
  • Tesco Bank plc
  • TSB Bank plc
  • Vanquis Bank Ltd
  • Virgin Money UK
  • Worldpay (UK) Ltd
  • Yorkshire Bank
  • Yorkshire Building Society


Glossary


Account Takeover

This involves a criminal fraudulently using another person’s credit or debit card account, first by gathering information about the intended victim, then contacting their bank or credit card issuer whilst masquerading as the genuine cardholder. The criminal will then arrange for funds to be transferred out of the account, or will change the address on the account and ask for new or replacement cards to be sent to the new address.

Acquirer

A corporation or financial institution with a business relationship with merchants, retailers and other service providers to process their payment card transactions. Acquirers obtain financial settlement from the card issuers, typically via the card schemes which maintain the clearing systems, and pay the proceeds to the merchant, charging a fee.

Application fraud

Application fraud occurs when criminals use stolen or fake documents to open an account in someone else’s name.

Card-not-present (CNP)

Card account details alone are used to carry out a payment transaction. See also MOTO. Also known as remote purchase fraud.

Card security code

These are the three or four digits shown on the signature strip on the back of the card (or front of the card for American Express). Also called card verification data, card verification number, card verification value, card verification value code, card verification code, verification code, card code verification, or signature panel code.

Card ID theft

This type of fraud occurs when a criminal uses a fraudulently obtained card or card details, along with stolen personal information, to open or take over a card account held in someone else’s name.

Card issuer

A bank, building society or other organisation issuing payment cards, ATM cards or cheque guarantee cards to its customers. For payment and ATM-only cards the card issuer undertakes responsibility to settle transactions made with the card (except in some cases where fraud has occurred).

Charge card

A payment card, enabling holders to make purchases and to draw cash up to a pre-arranged ceiling, the terms of which include the obligation to settle the account in full at the end of a specified period. Cardholders are normally charged an annual fee.

Counterfeit card

A card which has been printed, embossed or encoded so as to purport to be a legitimate card but which is not genuine because the issuer did not authorise the printing, embossing, or encoding.

Counterfeit cheques or drafts

Cheques or drafts that are manufactured, printed or copied onto non-cheque paper but usually drawn on accounts and presented for payment via the clearing system, special presentation, over the counter etc.

Credit card

A payment card enabling the holder to make purchases and to draw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged on the amount of any extended credit; in the case of cash withdrawals, interest is normally charged from the transaction date. Cardholders may be charged an annual fee.

Credit card cheque

Many credit card issuers offer a facility to cardholders that enables them to draw cheques on their credit card account provided they are within their credit limit. Typically these are used for balance transfers, e.g. in repayment of an outstanding loan from another lender, and for payments to third parties where there are no facilities to use a card.

Dedicated Card and Payment Crime Unit (DCPCU)

The Dedicated Card and Payment Crime Unit is a unique pro-active police unit, with a national remit, formed as a partnership between Financial Fraud Action UK, the City of London Police and the Metropolitan Police together with the Home Office. It is fully sponsored by the cards and banking industries, with an on-going brief to investigate, target and, where appropriate, arrest and seek successful prosecution of offenders responsible for card, cheque and payment fraud crimes. It is headed up by a Detective Chief Inspector and comprises officers from the Metropolitan and City of London police forces who work alongside banking industry fraud investigators and support staff.

E-commerce

Transactions which are conducted over an electronic network where the buyer and merchant are not at the same physical location e.g. payment card transactions via the internet.

Financial Fraud Action UK

Financial Fraud Action UK (FFA UK) is responsible for leading the collective fight against fraud in the UK payments industry. Its membership includes the major banks, credit, debit and charge card issuers, and card payment acquirers. Through industry collaboration FFA UK seeks to be the authoritative leader in defending consumers and businesses from financial fraud, by creating the most hostile environment in the world for fraudsters.

Financial Fraud Bureau

An intelligence unit responsible for managing the payment industry’s co-ordinated initiatives on data sharing to reduce financial fraud. It provides data directly to law enforcement, including the DCPCU and the National Fraud Intelligence Bureau.

First party fraud

Where the genuine customer has knowingly committed fraud on their own financial product e.g. credit card.

Liability

The obligation to pay an amount owing. In the case of card fraud, liability is used to refer to the party that is responsible for covering or absorbing the amount defrauded in respect of a cardholder dispute.

Mail non-receipt fraud

Involves cards being stolen while in transit – after card companies send them out and before the genuine cardholders receive them.

Mail order / Telephone order (MOTO) fraud

A fraudster using fraudulently obtained, but genuine account details to obtain goods or services from mail or telephone merchants.

Mail re-direct

Post can be fraudulently re-directed to another address. The fraudster then receives any cards or cheques intended for the victim, possibly to facilitate identity fraud.

Malware

Malware includes computer viruses that can be installed on a computer without the user's knowledge, typically by users clicking on a link in an unsolicited email, or by downloading suspicious software. Malware is capable of logging keystrokes thereby capturing passwords and other financial information.

MO – Modus Operandi

Literally translates as the 'method of operation' of a fraudster. It can be used to identify an individual or team of fraudsters as often they will use the same method of operation to commit fraudulent activity.

Money mule

Recruited by fraudsters to help launder the proceeds of their criminality and confuse the audit trail. They receive funds into their accounts, withdraw the money and send it overseas. In return they receive a small commission payment.

National Fraud Intelligence Bureau

The City of London Police’s National Fraud Intelligence Bureau uses millions of reports of fraud to identify serial offenders, organised crime gangs and established and emerging crime types.

Organised Crime Group

Defined in the Serious Crime Act 2015 (s.45(6)) as a group which has as its purpose, or one of its purposes, conduct of criminal activities and consists of three or more people who agree to act together to further that purpose.

Personal Identification Number (PIN)

A set of characters, usually a four-digit sequence, used by cardholders to verify their identity at a point-of-sale or at a customer-activated device such as an ATM. The number is generated by the card issuer using a secure computerized process when the card is first issued and may be changed by the cardholder thereafter.

Phishing

The name given to the practice of sending emails at random purporting to come from a genuine company operating on the internet, in an attempt to trick customers of that company into disclosing information at a bogus website operated by fraudsters.

Remote purchase

A transaction where the merchant, retailer or other service provider does not have physical access to the payment card; examples are transactions by telephone, mail order or internet. Also known as card not present fraud.

Shoulder surfing

Fraudsters will look over the shoulder of unsuspecting individuals, and capture personal details to facilitate identity fraud or capture PINs at ATMs. They are known to target individuals filling out application forms in shops or discussing personal details over the phone in public.

Skimmer

A reader and recorder of the magnetic stripe data held on payment cards.

Skimming

Copying the magnetic stripe details of a payment card usually with a card reader, for use in card counterfeiting.

Smishing

Smishing involves a fraudster sending text messages (also known as an SMS) at random to mobile phones. The text messages appear to come from a reputable organisation such as a bank or mobile phone company. The message will try to trick the customer into clicking on a link to a bogus website or calling a phone number, usually by claiming the need to verify or update details or reactivate an account. The criminal will then attempt to get the customer to disclose personal or financial information, which they will use for their own fraudulent purposes.

Spoofs

An attempt to harvest personal information direct from potential victims to facilitate identity fraud. The fraudster will make contact in various ways, including letters, telephone calls, canvassing, websites, emails etc.

Spyware

Spyware is a type of malware that can be installed on computers and collects little bits of information at a time about users without their knowledge.

Third party fraud

Fraud committed against an account holder by an unrelated third party. The overwhelming majority of fraud committed against financial institutions and their customers is by, often unknown, third parties.

Trojan

A destructive programme that masquerades as a benign application. Unlike viruses, 'Trojans' do not replicate themselves but they can be just as destructive.

Virus

A virus is a program that can replicate itself by inserting (possibly modified) copies of itself into other programs, documents or file systems; this process is described as the infection of a host. Although some viruses may be relatively benign (e.g. displaying a political message on a certain date) most are destructive. This destruction will occur either immediately, after a set time delay, or after the computer user takes a specified action. The replication itself can cause problems through the waste of computer resources.

Vishing

Vishing involves a fraudster phoning a potential victim and posing as someone from a bank or building society, the police or another legitimate organization such as a telephone or internet provider. The fraudster will then attempt to get the customer to disclose personal or financial information, which they will use for their own fraudulent purposes or get the customer to transfer money to a fraudulent account.