Now that the American hype machine known as Black Friday has rolled over us for another year, some consumers will be left ruefully reflecting on something other than so-called bargains.
Online fraudsters are becoming increasingly sophisticated in their tactics, ushering in a new wave of payment fraud.
Even where this fraud originates in the physical world, it still tends to involve digital payments, exploiting the small window between a real-time transaction being initiated and concluded.
Recognising how these schemes and scams work is vitally important to minimising the risk of falling victim to them.
Pay in haste, repent at leisure
We’ve written before about the prevalence of phishing and vishing scams, but newer schemes are also emerging, such as quishing.
It was reported in late November that customers at three Newcastle car parks had been scanning a QR code to pay for their parking – with unintended consequences.
Fraudsters had covered up the official QR codes in the car parks with their own, falsely redirecting consumers to a criminally owned website where everyone was charged £60.
An hour south in Teesside, one elderly consumer inadvertently handed over her payment data to a fraudulent QR code in another car park.
Even though her bank promptly blocked a string of bogus transactions, scammers rang the victim, posing as the bank and requesting additional information.
Armed with this additional data, the fraudsters then rang the bank, posing as the victim.
They created a new online account in her name, which immediately racked up £13,000 in debt. Astonishingly, the bank cooperated with them.
And all this from something as simple as placing one QR sticker over another.
Quishing is perhaps the best-publicised manifestation of Authorised Push Payment (APP) scams, where victims inadvertently send money to fraudsters posing as genuine payees.
The Payment Systems Regulator claims £240 million was lost to APP scams in the first six months of 2023, with UK Finance reporting a 22 per cent rise on the same period last year.
This has happened in tandem with steep declines in payment card or remote banking fraud, as more stringent customer authentication drives criminals down new paths.
The new wave of payment fraud also includes voice cloning, using AI to mimic a familiar person’s voice as it requests money.
Meanwhile, pharming redirects people to fake websites to steal their data. Also known as payment diversion or mandate fraud, it’s prevalent among small businesses with less robust IT security.
So what can I do?
Firstly, never use a QR code to make a payment.
TransPennine Express, which managed the Teesside car park, is now removing all QR payment systems, and other companies are likely to follow suit.
Be very sceptical of sales on social media sites such as TikTok, requests for money from people you haven’t met (especially through dating apps) or so-called investment schemes.
Help is on the way – APP scams will be subject to mandatory reimbursement by next April, while individual companies are increasingly adopting technologies like transaction monitoring.
It’s worth remembering that an estimated 98 per cent of unauthorised fraud cases are fully refunded, according to recent data from UK Finance.
However, vigilance remains the best policy. Always be suspicious, ignore “overdue account” emails and never make a payment unless you’re confident about its authenticity.