Fraudsters prey on bank customers returning to tourist hot spots

The U.S. cities best known for attracting tourists are drawing the attention of fraudsters who see the uptick in travel, hotel stays and car rentals as fertile ground for bank account, payment card and ATM scams.

Las Vegas saw a 411% spike in fraud attempts during the second quarter compared with a year earlier, while New York saw a 396% hike, according to the latest figures from the fraud detection software provider Feedzai. The company did not provide the underlying numbers of fraud attacks.

Las Vegas is the top destination for fraudsters perpetrating bank, card and payment scams.

The jump in fraud coincided with significant growth in digital payments — the number of peer-to-peer payments rose 146% year over year, and online banking and e-commerce shopping transaction volume increased 109%, said Feedzai's 2021 Q2 Financial Crime Report. Online card fraud attempts increased 23%.

"Scams have always existed in these tourist destinations, but as a whole it has really picked up," said Andy Renshaw, vice president of payment strategy at Feedzai.

"The online scams that have been prevalent through the pandemic have remained, but as travel starts up again, the more traditional fraud like card theft and card skimming seem to be coming back," Renshaw said. "The idea for fraudsters is to catch tourists off guard now because they are just getting back to traveling, so attacking them at places like an unattended terminal or ATM is common."

Lisbon-based Feedzai has U.S. offices in New York, Atlanta and San Mateo, California. Its research data came from more than 1.5 billion global transactions across all major industries from April through July of 2021.

Other tourist locations seeing triple-digit increases in fraud attacks were Charleston, South Carolina, (251%) and Nashville, Tennessee, (193%). Meanwhile, such attacks rose 97% in San Diego, 80% in Orlando, Florida, 56% in Chicago and 48% New Orleans.

Las Vegas has had nearly 14 million visitors in the first six months of 2021, according to data compiled by Statista. The tourism and marketing firm NYC & Company projects 38.2 million visitors will come to New York in 2021, as international travel remains slow. New York had 22.3 million visitors in 2020, a dramatic drop from a record high of 66.6 million in 2019, the firm reported.

Banks could take data from fraud research and use it to alert customers about the growing dangers in certain cities as well as establish customers' normal financial behavior, especially during trips, so that discrepancies are more easily identified.

The way people behave when they’re traveling is different from their everyday habits, Renshaw pointed out. "The banks will look at card transactions to create context," he said.

For example, a bank can flag suspicious behavior if card transactions appear eight minutes apart in two different parts of the country, Renshaw said. By collecting and analyzing data on a macro level, banks can string together information that relates to travel and piece together what their customers are doing at any given time.

"An airport retail store purchase, or someone purchasing travel insurance, those are things that you can string together," Renshaw said. "You watch for patterns and go by the sequences you see."

Feedzai tells its bank clients to inform their customers to purchase something at an airport shortly after landing. "That would anchor the customer in that city and destination and help identify [transaction] patterns," Renshaw said.

The tourism bureaus in New York and Las Vegas declined to comment, citing their focus is generally on marketing or event-based communications. Las Vegas Tourism Bureau does warn visitors of standard precautions — not to carry large amounts of cash, to keep phone numbers of credit card issuers and banks in an envelope in a safe place if needed in an emergency, to avoid using ATMs unless they are in well-lit areas and not to count ATM withdrawals in the open.

Different fraud paths

Cyberattacks are the key concern in tourist towns. Criminals are remote by design, so the increases in fraud attacks as consumers more readily shift to digital money movement are unsurprising.

"They think nothing of a 95% failure rate in fraud attacks," Renshaw said. "If they take over three or four bank accounts out of every 100 attempts, that is great business for them."

In cities that attract a lot of tourists, another dynamic may be at work that fuels fraud beyond the obvious attacks on payment credentials related to airline or cruise tickets, hotel stays, car rentals and ATM visits.

As lockdowns put many people out of work, especially in cities counting on tourism to drive the economy, some are likely to turn to fraud as an income source, said Trace Fooshee, senior analyst with Aite-Novarica.

"This has definitely been the trend with the mule activity as more mules are recruited by fraud rings to create bank accounts as landing zones and relay points for stolen money," Fooshee said.

Fraud rings are particularly fond of recruiting students and others who are hard up for money or looking for an easy way to make some money “working from home," he said.

In overall fraud categories, the most common scams during the quarter were purchase scams in which criminals promote the sale of electronics or other high-priced items through fake auction or discount business sites. They have purchased the items themselves, so they have serial numbers, warranty information and the scanning code on the box if requested — but they have no intention of delivering the product after payment.

Also, social engineering, impersonation scams, account takeover and smishing, or text-based scams, rounded out the top five most common fraud schemes in the Feedzai research.

The easiest target

Because banks generally have strong security layers, fraudsters have focused more of their attacks in recent months on consumers.

Consumers should be aware of any communications from their banks related to account or card security, Feedzai's Renshaw emphasized.

"Customer education has become one of the key tenets of fraud protection and banks are taking that seriously now, which is really a positive that has come out of the pandemic," Renshaw said. "A consumer has to understand how a bank will communicate with them and how it won't."

Banks will never send a text message with a link in it or any call to action, and they will always identify a customer in a certain way, Renshaw said. "A big thing for the customer is to be up to speed with what their bank policy is in terms of contacting them, and if they are not sure of something they see, they should just call the bank or look for advice on the bank website."

Aite's Fooshee agrees that fraudsters are seeking easier targets, rather than trying to navigate various layers of bank security. But the prize is the same no matter which doors they knock down: bank account or payment card credentials.

"Why bother trying to get through bank security, when consumer security is so incredibly poor?" Fooshee asked. "In going after the consumer, you have more places to go with automated attacks. Most everyone is reusing passwords for various accounts, so it is supereasy to get a hold of all of the consumer's identifiable information through social channels or marketplaces."

For reprint and licensing requests for this article, click here.
Bank technology Fraud detection
MORE FROM AMERICAN BANKER