On 8 December 2022, the European Payments Council (EPC) published its annual report on payment threats and fraud trends.

The report provides an overview of the most important threats and other “fraud enablers” in the payments landscape, including social engineering and phishing, malware, Advanced Persistent Threats, Distributed Denial of Service ((D)DoS), botnets and monetisation channels. For each threat, the report analyses the impact and context and suggests controls and mitigations.

Key points in the report include:

  • Social engineering attacks and phishing attempts are still increasing and remain instrumental, often in combination with malware. Their targets have shifted from consumers, retailers and SMEs to company executives and employees (through “CEO fraud”), payment service providers and payment infrastructures, and they more frequently lead to authorised push payment fraud.
  • Awareness campaigns remain a very important countermeasure against social engineering. These campaigns should be coordinated and should also involve public administrations; they should target individual and corporate customers as well as employees.
  • Malware – existing in various forms – remains a major threat; in particular, ransomware has been on the rise during the past year and requires new mitigating measures. Measures against malware include proper maintenance of their own devices by customers, including mobile devices (regularly updating the operating system, using only the software that is needed, installing and activating anti-virus and anti-malware tools, enabling secure access, etc.). Service providers’ customer relations departments should inform their customers about these measures, and IT departments should implement adequate protection and control functions in their applications.
  • Advanced Persistent Threats seem to be one of the most sophisticated and lucrative types of payment fraud, now and for the future. They must be considered a potential high risk not only for payment infrastructures but also for all network-related payment ecosystems.
  • The number of (D)DoS attacks has increased, and they still frequently target the financial sector. Botnets persist, and because of the high volume of infected consumer devices (e.g. PCs, mobile devices, etc.) they remain a severe threat. Extortion or ransom DDoS attacks have started to emerge as a new threat.