In a coordinated operation led by Europol’s European Cybercrime Centre (EC3) and the Merchant Risk Council, 59 scammers have been arrested for using stolen credit card numbers to purchase luxury items. The operation, called e-Commerce Action 2022 (eComm 2022), took place across Europe in October and involved the participation of 19 countries, including the UK, France, Germany, Spain, and Sweden.
To crack down on this fraud type, EC3 and the Merchant Risk Council received direct assistance from merchants, banks, logistic companies, and payment card schemes. According to Europol, investigations are ongoing in various countries, with more arrests expected in the coming weeks.
2022 e-Commerce Action
Following several months of preparation, law enforcement in participating countries raided various locations where illegally purchased goods had been dispatched. During the month-long operation, 59 arrests were made, triggering a series of new investigative leads.
The findings of eComm 2022 identified three critical threats to the e-commerce sector:
- Phishing and smishing fraud: Where criminals contact people by phone, text messages, or email and attempt to convince them to hand over their credit card information
- Account takeover fraud: When a fraudster hacks an account and has direct access to funds that are not theirs.
- Triangulation fraud: When online criminals set up a fake or replica website and entice buyers with cheap goods.
On the day Europol and the Merchant Risk Council announced the results of e-Comm 2022, an awareness campaign was launched in collaboration with law enforcement across Europe. The campaign focuses on sharing practical advice on how to outwit criminals trying to abuse online shopping activity. Such advice includes:
- Ensuring employees are aware of the fraud issues affecting online stores
- Staying up to date on the types of payment fraud involving businesses and having the tools in place to prevent them
- Getting to know your customers to be able to verify their payment
Fraud in the UK
On November 12, 2022, The House of Lords Fraud Act 2006 and Digital Fraud Committee published a report on the scale of fraud in the UK, specifically commenting on how the “fraud chain” can be disrupted. Key conclusions from the report state that despite digital technology leading to new opportunities for fraudsters, the people in charge of these new technologies are not doing enough to prevent the exploitation of their services. Furthermore, the report notes that while the Fraud Act is sound, its efficacy is hindered by broader issues relating to shortfalls in preventing and detecting fraud and its use in prosecuting fraud cases.
The Lords Committee also highlights that fraud currently represents 41% of all crimes against individuals in England and Wales. According to the National Audit Office’s Progress Combatting Fraud report, this translates to an estimated 3.8 million actual or attempted incidents of fraud each year.
Strong Customer Authentication (SCA)
In 2021, the Financial Conduct Authority (FCA) set out a further set of rules in the Payment Services Directive 2 (PSD2) to help protect customers from e-commerce fraud. Based on previous legislation, PSD2 introduced the Strong Customer Authentication criteria (SCA), which includes a two-factor ID requirement, among other security measures.
Under the two-factor verification process, businesses must ensure that electronic payments are verified by at least two of the following three identifiers:
- Possession of a physical payment object, such as a payment card or mobile phone (in the context of mobile wallet payments)
- Knowledge of a PIN number or password
- Biometric data, such as a fingerprint or voice ID
In addition to heeding the advice from Europol and the Merchant Risk Council, compliance staff should be aware of the upcoming European Payments Council’s annual Payment Threats and Fraud Trends Report. Published on November 24, 2021, last year’s report highlighted the need for payment service providers (PSPs) to understand the emerging threats and their possible impacts while investing in appropriate security and monitoring technologies.
Originally published November 18, 2022, updated November 18, 2022