Financial institutions have gotten better in recent years at detecting card fraud and limiting the damage that it causes.
Within minutes of an unauthorized purchase, customers receive text alerts. New plastic gets issued quickly. The hassle is often minimal.
But card fraud is so routine that it may not be reported to law enforcement officials, according to a new report that found examples of card fraud being used to support organized crime, human trafficking and terrorism around the globe. It argues that financial institutions have long treated payment fraud as an expected cost of doing business.
“As long as fraud doesn’t get to be too big of a problem, the fraudsters are mostly left alone,” the report states.
The report, which drew pushback from financial industry groups, was written by Terbium Labs, a Baltimore-based firm that sells services related to companies’ exposure on the dark web. It argues that both the financial industry and law enforcement agencies should take card fraud more seriously.
To identify instances where card fraud was used to support graver criminal activity, the authors analyzed court records from various countries. They identified $1.05 billion in fraud losses associated with 115 cases that involved transnational crime.
But those findings represent only the tip of the iceberg, according to the report. That is in part because many instances of card fraud never get reported to the authorities. Another factor is that law enforcement officials may decide not to charge criminals with payment fraud if they are accused of bigger crimes.
“There’s big gaps in documentation and data availability,” said Emily Wilson, vice president of research at Terbium Labs.
One case cited in the report involved a criminal ring that allegedly used stolen credit card information to pay for travel arrangements for individuals being trafficked from Turkey to the United Kingdom.
The report also links credit card skimming operations to the Tamil Tigers, the separatist militant group in Sri Lanka that has been designated as a terrorist organization by many countries.
In some cases, criminal organizations may perpetrate card fraud on their own. In other instances, they may purchase stolen data. Identity kits containing full individual profiles and financial account information sell on the dark web for less than $1, according to the report.
Wilson said that criminal organizations can have different reasons for relying on stolen payment data to carry out serious crimes. For instance, using purloined card information can help hide the true identity of the criminals. The report noted that the Internet Research Agency in Russia used stolen identity information to open fraudulent PayPal accounts to fund its attack on the 2016 U.S. presidential election.
In other situations, perpetrators may rely on stolen payment information because it offers a source of financing for their bigger schemes. “Why spend your own money on crime when you could have somebody else do it for you?” Wilson asked.
The report recommends that the criminal justice system create updated, standardized reporting requirements in order to accurately and consistently track links between payment fraud and transnational crime. It also calls on the financial industry to change its perspective on fraud and to provide more data to law enforcement agencies.
Last year, depository institutions filed nearly 164,000 suspicious activity reports regarding fraud involving credit or debit cards, according to data from the Financial Crimes Enforcement Network. That was up from 49,000 such reports five years earlier.
Still, the scope of the card fraud problem appears to be much larger. In a report published in March, Javelin Strategy & Research estimated that 11.2 million adults were victims of existing card fraud last year.
Wilson said that card networks are better positioned to aid law enforcement than individual banks are, noting that they have access to more transaction data. Spokespeople for Visa and Mastercard did not respond to requests for comment.
But other industry groups argued Tuesday in response to the report that the financial sector does see card fraud as an important law enforcement matter.
“Fighting fraud is something the payments industry takes really seriously, and does not perceive it as a nuisance or a cost of doing business,” said Amy Zirkle, interim CEO of the Electronic Transactions Association.
“I think all of our member companies engage and have very sophisticated programs around card fraud, and do work with law enforcement when it’s necessary.”
Sarah Grano, a spokeswoman for the American Bankers Association, said that U.S. banks work with regulators and law enforcement officials to protect the financial system from constantly evolving and increasingly sophisticated threats.
“Financial institutions invest heavily in comprehensive controls to prevent, detect and ultimately report fraud to Fincen and law enforcement agencies,” she said in an email.