Understanding Payment Fraud Risks

Uploaded by Sundari Kali

Module V

Part B
Payment fraud
Payment fraud is any illegitimate or unlawful transaction carried out by a cybercriminal. It generally
takes one of three forms:
• Fraudulent or unauthorized transactions
• Lost or stolen merchandise
• False requests for a refund or return, or a bounced check
Some of the most common techniques:
Skimming
Criminals use skimming to steal credit or debit card data. They attach small devices known as
“skimmers” to card readers at ATMs or point-of-sale (POS) terminals, which copy the card data of
everyone who uses the reader.
Identity theft
Identity theft happens when a fraudster acquires and uses another person’s personal information, such
as their credit card number, bank account details, or social security number, to open new accounts,
make unauthorized transactions, or commit other types of fraud. Attackers get past network defenses by
exploiting outdated security measures or by stealing login credentials sent over unsecured public Wi-Fi.
Phishing
Phishing is an attempt to trick a person into handing over sensitive information such as login details,
credit card numbers, or personal data, usually by impersonating a trusted party.
Business email compromise
BEC is a type of payment fraud where scammers pretend to be executives or vendors to trick employees
into giving them money or personal information. They do this by hacking or spoofing email accounts and
using social engineering tricks to deceive the victims.
Card-not-present scam
CNP fraud is a fraudulent transaction that occurs when the card is not physically present, like in online or
over-the-phone purchases. Fraudsters use stolen credit card information to make unauthorized purchases,
which can be challenging to detect and prevent since there is no physical verification of the card.
Page jacking
E-commerce website owners should be aware of this hacking threat. Attackers copy part of a legitimate
website and redirect its traffic to a malicious site, which can lead to a breach of network security.
How does fraud happen?
Fraudsters have become clever at stealing personal information online. They often pose as legitimate
representatives and use various methods to trick credit card users into providing sensitive data.
• Phone calls
• Email
• Texting malware to smartphones
• Instant messaging
• Rerouting traffic to fraudulent websites
• Online auctions
Here is a summary of how organizations should identify and react to the most typical types of payment
fraud:
Phishing
• Encourage employees to practice safe browsing habits, identify phishing emails, and verify the
sender’s identity.
• Use DMARC (see the “Business email compromise” section below) for sender authentication and
implement filtering and scanning technologies to block or flag suspicious emails.
• Integrate firewalls, intrusion-detection systems, and network segmentation to safeguard internal
systems. Also, make sure all software and systems are up to date.
• Require multi-factor authentication for critical systems to reduce unauthorized access using stolen
credentials.
• Analyze logs, network traffic, and system data to detect and respond to phishing attempts and
suspicious activity.
• Ensure that third-party vendors adhere to your organization’s security standards and do not expose
your company to phishing attempts.
Skimming
• Check ATMs and POS terminals often for any indications of tampering or unauthorized equipment.
• Use tamper-evident security precautions, such as security locks or seals.
• Make sure that card transactions involve encrypted and secure data transmission.
• Upgrade to contactless or chip-and-PIN payment methods, which are less prone to skimming.
• Train employees to identify and report suspicious activity related to skimming devices.
• Collaborate with industry partners and law enforcement to exchange valuable information and
share best practices.
Identity theft
• Put strong data-protection measures in place, including encryption, safe storage, and access limits.
• Monitor transactions and account activity for suspicious behavior.
• Implement multi-factor authentication for online transactions and accounts.
• Verify the customer’s identity, particularly for high-value transactions or account changes.
• Educate customers on how to prevent identity theft and protect their personal information.
Business email compromise
• Train employees to spot and report suspicious emails.
• Deploy email security measures to authenticate the sender’s identity and prevent spoofing. Such
measures consist of the following:
DMARC: Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a policy
published by a domain owner that tells receivers how to treat mail that fails authentication, which prevents
suspicious emails from appearing to come from your domain.
DKIM: DomainKeys Identified Mail is a method of adding a digital signature to emails to verify that
they were sent from trusted sources and were not tampered with.
SPF: Sender Policy Framework is a method to verify that an email is sent from a server that is authorized
to send emails for a specific domain, and to reject unauthorized senders.
• Establish multi-level approval protocols for the exchange of sensitive information and financial
transactions.
• Promote secure communication channels and verify requests through a phone call or in person when
uncertain.
• Consistently update and patch your software, operating systems, and security tools to ensure
protection against known threats.
Protect sensitive cardholder data by adhering to the Payment Card Industry Data Security Standard (PCI
DSS).
1) For adding new payees, specific OTPs are needed from a secondary channel, making the process more
secure.
2) New OTPs are required for high-value transactions, enhancing security for important financial
dealings.
3) The time limit for OTPs is closely managed to reduce the chance of misuse.
4) Using digital signatures and Key-based Message Authentication Codes (KMAC) to identify and stop
unauthorized transactions.
5) Educating customers about their rights as per the Consumer Protection Act and the responsibilities and
risks linked with internet banking.
6) Informing customers via an alternate channel of transactions exceeding a value specified by the
customer.
7) Teaching customers how to react to SSL or EV-SSL certificate alerts to avoid falling victim to
phishing. An SSL certificate error happens when a web browser is unable to verify the installed SSL
certificate on a website.
8) Introducing systems to assess transaction patterns and highlight unusual activities, ensuring that
transactions align with the customer's typical behavior.
RBI Guidelines

The PSS Act, 2007 provides for the regulation and supervision of payment systems in India and
designates the Reserve Bank of India (Reserve Bank) as the authority for that purpose and all related
matters.