Stand Up to Fraud

Here we explore a theoretical scenario where a small charity notices a significant rise in failed transactions, indicating that fraudsters could be using their site to validate stolen credit cards. Find out what steps they can take next.

Setting the scene

A small charitable organisation began noticing unusual activity on their donation platform. Over a few days, they saw a significant increase in failed transactions and small donation amounts under $5. After investigating, the Finance Director Marina realised they were victims of a card testing attack, where fraudsters use their donation site to validate stolen credit card details. This activity not only jeopardised their financial security but also threatened their reputation and donor trust. 

What steps should be taken?

1. Contact the payment processor to report fraudulent activity and get help with additional security measures.
2. Engage with an IT security provider for a thorough assessment and security recommendations.
3. Consult the web developer to implement CAPTCHA, device fingerprinting, and secure coding practices and consider more anti-enumeration best practice tips for businesses here. 
4. Notify the banking institution to monitor for suspicious activity and collaborate on fraud prevention strategies.
5. Consult with legal counsel to understand the implications of the attack and ensure regulatory compliance.

Businesses can implement several strategies to mitigate against enumeration fraud and card testing attacks:

• Add anti-automation tools like CAPTCHA to checkout pages to block bots.

• Use firewalls and detection tools to identify botnets and prevent attacks.

• Limit the number of transactions allowed within a short time to stop rapid attempts.

• Track unusual traffic spikes or patterns in form entries to catch threats early.

• Set minimum transaction amounts to discourage card testing with low-value purchases.

Here we explore a theoretical scenario where a small business falls victim to a phishing scam via email. Find out what steps they can take next.

Setting the scene

Jenny runs a furniture business in Auckland. One day, her assistant, Sarah, receives an email that appears to be from the company’s bank, requesting urgent account verification to avoid suspension. The email looks convincing, so Sarah clicks the link and enters the banking login details. Unbeknownst to her, the website is a fake, set up by fraudsters to steal their credentials. By the next morning, Jenny discovers that the company’s bank accounts have been emptied, causing a significant cashflow issue.

What action is recommended?

1. Contact the bank immediately to report the fraud and request that the accounts be frozen and investigated.

2. Disconnect the computer used to enter the details to stop any further fraudulent activity.

3. Report the incident to Netsafe, CERT NZ, Department of Internal Affairs (DIA).

4. Hire an IT security specialist to scan the system for malware and boost cybersecurity to prevent future attacks.

5. Train up on how to recognise phishing emails and suspicious links to avoid similar incidents in the future.

To safeguard against phishing, smishing and vishing scams, we recommend using the following tactics:

• Train yourself and employees to recognise phishing messages, suspicious links, and attachments to reduce the risk of scams.

• Use multi-factor authentication (MFA) to add an extra layer of security beyond just passwords.

• Ensure you and your staff use strong, unique passwords and update them regularly with password management tools.

• Regularly update all software to fix vulnerabilities that hackers might exploit.

• Install email filters to block potential phishing emails from reaching you and your team’s inboxes.

Here we explore a theoretical scenario where a small business falls victim to a ransomware attack via email. Find out what steps they can take next.

Setting the scene

Aisha runs a successful dentistry clinic in Wellington. Her clinic manager Simon receives an email claiming to be from the industry association for dentistry, stating that the clinic’s details need to be updated, with a link in the email. Simon clicks on the link and doesn’t realise that he has inadvertently downloaded malicious software that allows the attackers to access the clinic’s patient database. The attackers then lock the clinic work stations, demanding payment in cryptocurrency, or they will sell on all the patient data. The attackers also state that Simon and the clinic will be liable to be sued by their patients for not protecting their private data. Simon is given a deadline of 48 hours.

What action is recommended?

1. Disconnect the clinic's workstations from the internet to prevent further access by attackers.

2. Call the NZ Police using their online reporting tool, or by calling 105 if you need help.

3. CERT NZ is able to provide advice to victims who have been attacked and assist them to work out what they do next. Report cyber incidents to CERT NZ.

4. Contact a professional IT security firm to assess the extent of the breach, remove the malicious software, and restore access to the patient database.

5. Inform patients about the breach and reassure them that the clinic is taking steps to address the situation and protect their data.

6. Refrain from paying the ransom as it encourages further attacks and does not guarantee the safe return of data. Instead, focus on restoring systems and improving cybersecurity measures.

7. Consult Visa’s ‘What to do if compromised’ guide and follow the procedures and timelines for reporting and responding.

You can protect your business from ransomware attacks with a multi-layered cybersecurity strategy:

• Regularly back up data offline or in the cloud to recover quickly without paying a ransom.

• Keep all software updated to close any security gaps ransomware can exploit.

• Train yourself and employees to avoid phishing attacks and use safe online practices to prevent malware.

• Use strong antivirus software and tools to detect and stop ransomware early.

• Take other actions such as set up and perform regular backups, implement access controls, disable macros, turn on multi-factor authentication and secure your servers. Read more here .

• Create a plan to quickly respond and recover if a ransomware attack happens.

Here we explore a theoretical scenario where a business receives a fraudulent request to change the payment information of a supplier via email. Find out what steps they can take next.

Setting the scene

Tariq runs a small manufacturing company in Christchurch. He receives an email which appears to be from their regular supplier, requesting payment for an urgent invoice. The email claims the supplier has changed their bank details and provides new account information. Trusting the request, Tariq updates the payment details and transfers $10,000. Later, the supplier contacts Tariq, confused about the missing payment. The scammer, posing as the supplier, disappears with the funds. 

What action is recommended?

1. Contact the bank immediately to see if they can freeze the transaction.

2. Report the incident to Netsafe, CERT NZ, Department of Internal Affairs (DIA).

3. Inform the legitimate supplier about the fraudulent email and payment.

4. Review and enhance the company's cybersecurity measures.

5. Consider seeking legal advice for potential recovery options.

Safeguarding against billing fraud and false invoices requires a mix of preventive steps and careful monitoring:

• Vet new vendors carefully and regularly review existing ones to ensure they are legitimate.

• Implement strict approval processes and require multiple levels of authorisation.

• Train yourself and staff to understand billing fraud and always verify invoices before processing payments.

• Use accounting software to detect issues like duplicate invoices or unusual billing patterns.

• Perform regular audits to spot discrepancies or suspicious activity in financial records.

• Compare the email and the suspected fake invoice with a genuine one. Look for any discrepancies in the message or invoice, such as variations in payment methods or banking details.

• Train your staff about this type of fraud, providing clear steps to avoid it.

• Contact the business you’re dealing with using a phone number you have sourced independently. For example, you might have a business card, or you can search for their number online. Don’t use the contact information provided in the invoice or email.

• Update all your devices and software to the latest version. This can help address weaknesses and make it harder for cybercriminals to get into your devices and accounts.

Here we explore a theoretical scenario where a small business falls victim to an Account-to-Account Payment scam. Find out what steps they can take next.

Setting the scene

Salima, the owner of a small architectural firm in Hamilton receives an urgent call from someone claiming to be a tax official from the Inland Revenue Department. The caller explains that Salima owes a significant tax amount and must make an immediate payment to avoid penalties. Feeling under pressure, Salima is instructed to transfer the funds to the provided bank details. The caller uses pressure tactics, stressing the urgency and legal repercussions if the payment isn’t made immediately. Shortly after, Salima realises the payment might have been a scam.

What action is recommended?

1. Immediately contact the bank to try to stop the transaction and request a recall or reimbursement claim if the payment was fraudulent.

2. Report scam to Netsafe, CERT NZ, Department of Internal Affairs (DIA) and notify the Inland Revenue about the scam to ensure proper authorities are aware.

3. Verify any communication claiming to be from government agencies by contacting them directly through official channels.

4. Review the business’s payment processes and implement safeguards to verify unexpected or urgent payment requests.

5. Train up on how to recognise suspicious payment requests and avoid authorising any transactions without proper verification.

The following tips can help businesses safeguard against account-to-account payment fraud:

• Always verify any unexpected or urgent payment requests by contacting the sender directly through official and trusted channels.

• Regularly monitor your bank accounts for any unusual or suspicious activity that could indicate fraudulent transactions.

• Set daily limits on the amount and frequency of instant transfers to reduce the impact of potential fraud.

• Familiarise yourself with the new APP fraud reimbursement claim process.

• Train yourself and staff to recognise phishing and social engineering tactics commonly used by fraudsters to request unauthorised payments.

Here we explore a theoretical scenario where an e-commerce retailer notices multiple transactions from the same customer but using different cards each time, indicating potentially fraudulent activity. Find out what steps they can take next.

Setting the scene

Miriam, the owner of an e-commerce store, notices unusual activity on her website. Multiple back-to-back orders are placed from the same name and email but using different credit cards. While Miriam’s average order consists of three items, one order includes 54 items, and the shipping addresses don’t match the billing information. This suggests potential card-not-present fraud. Miriam isn’t sure if she should process the order, as if it’s fraudulent she will have to refund the victim and lose out on the value of the sale. 

What action is recommended?

1. Examine the suspicious orders for signs of fraud, such as mismatched billing and shipping addresses, unusually large orders, or different credit cards.

2. Implementing a robust real time risk system including, but not limited to, velocity checks, behavioural analytics, high risk payment indicators etc to discern between a usual shopper profile compared to suspicious orders.

3. Incorporate a manual review process for unusually large order to confirm if orders are genuine before accepting payment and delivering the goods.

4. Contact the customers to verify the legitimacy of these transactions and confirm if they authorised the purchases.

5. Implement enhanced security measures by adding verification steps like 3D Secure, CAPTCHA, Account Name Inquiry (ANI) and Address Verification Service (AVS) or CVV requirements for large or suspicious transactions.

6. Monitor the website closely for further signs of card-not-present fraud, flagging unusual activity, and acting swiftly to prevent further loss.

7. Report the fraud to your acquiring bank and the NZ Police by calling 105.

Protect your business with the following steps:

• Upgrade security protocols, for example by using secure technologies (tokenisation/3D Secure), and add in extra verification steps at the point of purchase.
• Use secure payment gateways with encryption to protect sensitive financial data.
• Set strict access controls to prevent unauthorised access to accounts.
• Train yourself and your team on common methods used by fraudsters to obtain account or card details.
• Monitor accounts for unusual activity and act quickly on suspicious transactions.
• Perform routine website scans to detect suspicious codes or malware injected by threat actors.

Here we explore a theoretical scenario where an online retailer receives a refund request from a customer who claims they did not receive their order, despite proof of delivery. Find out what steps they can take next.

Setting the scene

John, who runs a small online retailer, sells an electric heater to a customer, who later files a chargeback claim, alleging non-receipt of the item. John provides proof of delivery, but the customer persists, claiming they never received it. The bank initiates a chargeback, refunding the customer. John is left without payment, facing financial loss and loss of stock.

What action is recommended?

John should take the following actions:

1. Compile all relevant documentation, including proof of delivery and communication with the customer.

2. Provide the bank with evidence to dispute the chargeback and request a review of the case.

3. AProvide at least 2 out of 4 core data elements required under Compelling Evidence 3.0 and demonstrate history of 2 successful transactions which are non-disputed/fraud with at least 120 days prior to the dispute date. 

4. Attempt to resolve the issue directly with the customer to clarify any misunderstandings or concerns.

5. Ensure “Terms and Conditions” on the company’s website are up to date and clearly communicated to the customer

6. Implement measures such as signature confirmation or insurance for high-value items to mitigate future chargeback risks.

7. Ensure refund policy is reviewed and acknowledged by customers at point of checkout before payment is made.

Safeguard with preventive measures and proactive strategies:

• Use fraud detection tools to monitor transactions in real time.

• Implement strong authentication and address verification for online purchases.

• Keep detailed transaction records and respond quickly to disputes.

• Train yourself and staff to recognise fraud signs and handle transactions securely.

• Set clear refund and return policies to manage customer expectations and avoid disputes.

Here we explore a scenario where a small business falls victim to skimming fraud at their point-of-sale (POS) terminals. Find out what steps they can take next.

Setting the scene

A small, independent coffee shop in Tauranga, started receiving complaints from customers about unauthorised transactions on their bank accounts after using the café’s card payment system. Upon investigation, owner Neel discovered that a skimming device had been secretly attached to the POS terminal, stealing customers’ card data. The fraud not only put customer trust at risk but also posed serious financial and reputational threats to the business.

What action is recommended?

1. Immediately disconnect the compromised POS terminal and replace it with a secure system, such as one with EMV chip protection.

2. Report the fraud to the bank and payment processor to stop further fraudulent transactions and seek support with chargeback issues.

3. Engage a security expert to inspect the premises for other devices and recommend stronger security measures. 

4. Notify affected customers promptly, offering guidance on monitoring their accounts and contacting their banks to mitigate damage.

5. Report the fraud to the NZ Police by calling 105.

Businesses can implement several strategies to mitigate against skimming fraud:

• Regularly inspect payment terminals for signs of tampering, such as loose card readers, unfamiliar attachments, or damaged parts.

• Use EMV chip-enabled terminals and contactless payment methods, which are more secure than magnetic stripe cards against skimming.

• Train yourself and staff to recognise signs of skimming devices and report any suspicious activity around card readers immediately.

• Install tamper-evident seals on POS terminals and monitor them regularly to detect any signs of unauthorised access.

• Encourage customers to cover the keypad when entering their PIN and to use digital wallets for added security.