For many banks, corporates and SMEs (Small and Medium-sized Enterprises), the main SEPA focus right now is to ensure compliance. Of course security, validation and verification are of the utmost importance, but in the rush and haste of SEPA compliance one may drop one's guard, and it is exactly at this moment that the SEPA scammers may seize their opportunity.
In 2008, at the start of the SEPA journey, an Experian study found that 86% of corporates had not assessed the payment fraud risk presented by SEPA. The corporates went further and believed it was the banks' responsibility to protect them from fraud. Source: http://www.computerweekly.com/news/2240085571/Corporates-ignore-Sepa-fraud-risk/
So, what are the threats and where are they?
SEPA Scam 1: Trojan Horses / Malware
The article below, from November 2013, highlights an incident where malware was developed specifically to target high-value SEPA accounts in Germany. McAfee investigated the incident and explained that, rather than targeting hundreds of accounts, the perpetrators infected only dozens, so that the scam was harder to detect and as a result went unnoticed for longer.
One of the claims here is that the faster payment processing brought about by SEPA, particularly for cross-border payments within SEPA, has exposed a gap for Trojans, malware and the like to exploit.
Be aware of this threat.
http://www.theregister.co.uk/2012/11/23/sepa_trojan_scam/
SEPA Scam 2: SEPA Direct Debits
Another Experian survey identified that 32% of European treasurers were worried about direct debit fraud brought about by cross-border SEPA direct debits. Source: http://omni-channelretailing.com/item.php?news_id=6433
The concern here is particularly around the SEPA Direct Debit (SDD) CORE scheme. To complete an SDD CORE transaction very limited information is required and there are minimal checks. The suggestion is therefore that somebody in SEPA country A could issue an SDD CORE transaction against a corporate in SEPA country B, and this may be executed as instructed with very little intervention or notification. Since the threat lies particularly with SEPA CORE debits, one could argue that there is an 8-week refund right available, but equally such debits could very easily go unnoticed.
Be aware of this threat.
If you're not sure about SEPA Direct Debits, read this Quick SEPA Direct Debit Overview, and here you'll find the differences between the 2 SEPA Schemes.
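The practical control against an unexpected CORE debit is to reconcile every incoming direct debit on the bank statement against your own mandate register before the refund window closes. The following Python is an added example, not code from the original article: it checks each statement line for a known creditor identifier and mandate reference, compares the amount with the ceiling agreed for that mandate, and reports how many days of the 8-week refund right remain. The mandate register, creditor identifiers, mandate references and statement lines are all constructed for illustration.

```python
# Added example (not from the article): review incoming SEPA Direct Debit
# entries against the company's own mandate register and report how much of
# the CORE refund window is left for anything unexpected.
# Mandate register, creditor identifiers, mandate references and statement
# lines are all constructed for illustration.
from datetime import date
from decimal import Decimal

REFUND_WINDOW_DAYS = 8 * 7  # the 8-week refund right for CORE debits noted in the article

# (creditor identifier, unique mandate reference) -> (description, ceiling per collection)
MANDATES = {
    ("DE98ZZZ09999999999", "MNDT-RENT-01"): ("Office rent", Decimal("2400.00")),
    ("FR12ZZZ123456", "MNDT-TEL-07"): ("Telecoms", Decimal("250.00")),
}

# Constructed statement lines: booking date, scheme, creditor id, mandate ref, amount
STATEMENT = [
    (date(2023, 5, 2), "CORE", "DE98ZZZ09999999999", "MNDT-RENT-01", Decimal("2400.00")),
    (date(2023, 5, 3), "CORE", "FR12ZZZ123456", "MNDT-TEL-07", Decimal("612.40")),
    (date(2023, 5, 4), "CORE", "ES91ZZZ00000000", "MNDT-7781", Decimal("3100.00")),
]


def review_debits(statement, mandates, today):
    """Return one finding per statement line with a status of
      OK               known mandate, amount within the agreed ceiling
      AMOUNT_EXCEEDED  known mandate, amount above the agreed ceiling
      UNKNOWN_MANDATE  no mandate on file for this creditor/reference
    and the number of days left in the CORE refund window (floored at 0)."""
    findings = []
    for booked, scheme, creditor_id, mandate_ref, amount in statement:
        key = (creditor_id, mandate_ref)
        if key not in mandates:
            status = "UNKNOWN_MANDATE"
        elif amount > mandates[key][1]:
            status = "AMOUNT_EXCEEDED"
        else:
            status = "OK"
        elapsed = (today - booked).days
        days_left = max(REFUND_WINDOW_DAYS - elapsed, 0)
        findings.append({
            "booked": booked.isoformat(),
            "scheme": scheme,
            "creditor_id": creditor_id,
            "mandate_ref": mandate_ref,
            "amount": str(amount),
            "status": status,
            "refund_days_left": days_left,
        })
    return findings


def needs_action(findings):
    """Everything that is not OK should go to treasury while the refund right still applies."""
    return [f for f in findings if f["status"] != "OK"]


if __name__ == "__main__":
    for finding in needs_action(review_debits(STATEMENT, MANDATES, date(2023, 5, 20))):
        print(finding)
```

Run daily against the statement feed rather than at month end: a debit that is only noticed during monthly bookkeeping has already used up a good part of the window.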
SEPA Scam 3: The Migration to IBAN – Internal Risks
As you work on the data migration to BIC/IBAN, you may be using spreadsheets and/or flat files to capture the required SEPA BIC/IBAN information. Let's suppose you are working with a third-party vendor and/or using an online tool to convert and validate the BIC/IBAN information. Following on from the conversion/validation, the converted data may be entered manually into your ERP source system. There are many touch points here; is your data secure the whole time? The likelihood is that you're handling thousands of records, and it is another opportunity for somebody to change one of the BIC/IBAN details to an unauthorised BIC/IBAN. This, again, could quite easily be uploaded into your ERP unnoticed.
The advice here is to check and cross-reference your data at each stage to ensure its integrity.
Just in case you're not sure what the IBAN is, check out the IBAN Definitive Guide.
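Checking and cross-referencing at each stage means two different controls: the IBAN check digits catch keystroke errors, but a fraudster substitutes a real, well-formed IBAN, which only a comparison with the authoritative source extract will catch. The Python below is an added example, not code from the original article; it validates check digits with the standard ISO 13616 mod-97 rule and then reconciles the source extract against what was loaded into the ERP, keyed on a supplier id. The record layout, supplier names and the tampering scenario are constructed; the IBANs are the usual published sample values.

```python
# Added example (not from the article): IBAN check-digit validation plus a
# stage-to-stage reconciliation of the BIC/IBAN migration data.
# Record layout (supplier_id, name, iban) and all values are constructed.
import re


def normalise_iban(iban: str) -> str:
    """Strip spaces and upper-case, as the electronic IBAN format requires."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace each letter with its value (A=10 ... Z=35) and require the
    resulting integer to leave remainder 1 when divided by 97."""
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    remainder = 0
    for ch in rearranged:
        # int(ch, 36) maps '0'-'9' to 0-9 and 'A'-'Z' to 10-35; the running
        # modulo avoids building one very large integer.
        for digit in str(int(ch, 36)):
            remainder = (remainder * 10 + int(digit)) % 97
    return remainder == 1


def reconcile(source, loaded):
    """Compare the authoritative source extract with the records loaded into
    the ERP. Returns findings as tuples, ordered by supplier id:
      ("CHECKSUM", id, iban)              loaded IBAN fails the check digits
      ("CHANGED", id, source_iban, iban)  loaded IBAN differs from the source
      ("MISSING", id) / ("EXTRA", id)     record lost or added between stages
    A substituted IBAN belonging to a real account passes the checksum, which
    is why the CHANGED comparison is the control that matters."""
    src = {rec[0]: rec for rec in source}
    dst = {rec[0]: rec for rec in loaded}
    findings = []
    for sid in sorted(set(src) | set(dst)):
        if sid not in dst:
            findings.append(("MISSING", sid))
            continue
        if sid not in src:
            findings.append(("EXTRA", sid))
            continue
        s_iban = normalise_iban(src[sid][2])
        d_iban = normalise_iban(dst[sid][2])
        if not iban_checksum_ok(d_iban):
            findings.append(("CHECKSUM", sid, d_iban))
        if s_iban != d_iban:
            findings.append(("CHANGED", sid, s_iban, d_iban))
    return findings


# Constructed data: the source spreadsheet extract ...
SOURCE = [
    ("S001", "Alpha GmbH", "DE89 3704 0044 0532 0130 00"),
    ("S002", "Beta Ltd", "GB82 WEST 1234 5698 7654 32"),
    ("S003", "Gamma plc", "GB33 BUKB 2020 1555 5555 55"),
    ("S004", "Delta NV", "BE68 5390 0754 7034"),
]
# ... and what ended up in the ERP: S002 redirected to a different but
# well-formed IBAN, S003 mistyped in the last digit, S004 dropped.
LOADED = [
    ("S001", "Alpha GmbH", "DE89370400440532013000"),
    ("S002", "Beta Ltd", "NL91ABNA0417164300"),
    ("S003", "Gamma plc", "GB33BUKB20201555555556"),
]

if __name__ == "__main__":
    for finding in reconcile(SOURCE, LOADED):
        print(finding)
```

Note the S002 case: the loaded IBAN is perfectly valid, so a vendor tool that only validates would report nothing. Run the reconciliation after every hand-off (spreadsheet to vendor, vendor output to ERP load) and have someone other than the person who keyed the data sign off the CHANGED list.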
SEPA Scam 4: The Migration to IBAN – External Risks
Outside your organisation, fraudsters are using the switch to IBAN as a way of luring people into entering their bank account information into bogus websites. The fraudsters send phishing emails, using SEPA as the pretext, to unsuspecting individuals, who click a link and enter their bank details into a bogus website.
Source: http://blog.emsisoft.com/2014/01/20/the-sepa-switch-and-internet-fraud/
SEPA Scam 5: The XML File
Historically, legacy payment file formats consisted of flat files which, to the unfamiliar eye, were made up of jumbled numbers and letters. Somebody a little familiar with the output file might be able to identify the creditor name and, if they looked very carefully, the amount. But mostly it was quite difficult, without a file specification, to know where each element started and finished.
That changes with the SEPA Credit Transfer XML file. Now it is very easy to identify where the supplier information is, the amount and the supplier bank details. All of this information is now contained in nicely labelled tags. In the SEPA world, the untrained eye can very easily see that the IBAN is contained within a tag called <IBAN>.
You need to ensure that the data is either encrypted, or that there is sufficient security in place to prevent unauthorised changes to the SEPA Credit Transfer file. More so than before, you need to ensure that while the SEPA payment file is in transit, or between systems, the payment data is protected from unauthorised changes.
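One way to protect the file between the ERP and the bank upload is to seal it with a keyed hash when it is generated and verify the seal before it is submitted, alongside a control summary an approver can compare by eye. The Python below is an added example, not code from the original article or any SEPA library: it computes an HMAC-SHA256 over the exact file bytes, verifies it in constant time, and derives a count, total and IBAN digest from a constructed, minimal pain.001-style fragment (not a schema-complete file). The shared key is a placeholder for a secret held by the ERP and the banking gateway.

```python
# Added example (not from the article): seal a SEPA Credit Transfer file with
# an HMAC when it leaves the ERP and verify it before upload, and derive a
# control summary an approver can compare by eye. The XML is a constructed,
# minimal pain.001-style fragment, not a schema-complete file; the key is a
# placeholder for a secret shared between the ERP and the banking gateway.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from decimal import Decimal

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}
SHARED_KEY = b"PLACEHOLDER-replace-with-a-key-from-your-key-store"

SAMPLE_FILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn>
    <PmtInf>
      <CdtTrfTxInf>
        <Amt><InstdAmt Ccy="EUR">1250.00</InstdAmt></Amt>
        <Cdtr><Nm>Alpha GmbH</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>DE89370400440532013000</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
      <CdtTrfTxInf>
        <Amt><InstdAmt Ccy="EUR">480.50</InstdAmt></Amt>
        <Cdtr><Nm>Beta Ltd</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>GB82WEST12345698765432</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>
"""


def seal(file_bytes: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the exact bytes handed to transport. Keep the tag
    out of band (for example in the upload ticket), never inside the file."""
    return hmac.new(key, file_bytes, hashlib.sha256).hexdigest()


def verify(file_bytes: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison of the recomputed tag with the stored one."""
    return hmac.compare_digest(seal(file_bytes, key), tag)


def control_summary(file_bytes: bytes) -> dict:
    """Transaction count, total amount and a digest over the sorted creditor
    IBANs. Count and total alone do not change when one IBAN is swapped for
    another, which is exactly the change a fraudster wants; the digest does."""
    root = ET.fromstring(file_bytes)
    txs = root.findall(".//p:CdtTrfTxInf", NS)
    total = Decimal("0")
    ibans = []
    for tx in txs:
        total += Decimal(tx.find("p:Amt/p:InstdAmt", NS).text)
        ibans.append(tx.find("p:CdtrAcct/p:Id/p:IBAN", NS).text)
    digest = hashlib.sha256("\n".join(sorted(ibans)).encode()).hexdigest()[:12]
    return {"count": len(txs), "total": str(total), "iban_digest": digest}


def tamper_demo() -> dict:
    """Replace one creditor IBAN with another well-formed one, as would happen
    if the file were altered between systems, and report what each control says."""
    tag = seal(SAMPLE_FILE)
    tampered = SAMPLE_FILE.replace(b"GB82WEST12345698765432", b"NL91ABNA0417164300")
    before, after = control_summary(SAMPLE_FILE), control_summary(tampered)
    return {
        "hmac_accepts_original": verify(SAMPLE_FILE, tag),
        "hmac_accepts_tampered": verify(tampered, tag),
        "count_total_unchanged": (before["count"], before["total"]) == (after["count"], after["total"]),
        "iban_digest_changed": before["iban_digest"] != after["iban_digest"],
    }


if __name__ == "__main__":
    print(control_summary(SAMPLE_FILE))
    print(tamper_demo())
```

The HMAC only helps if the verifying side holds the key and the file is not re-generated by the component that was compromised, so the seal belongs at the ERP boundary and the check at the last hop before the bank. The control summary is what the human approver reads; printing the IBAN digest next to the count and total on the release screen is cheap and turns a silent redirection into a visible mismatch.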
Incidentally, the data for debit and credit card fraud in SEPA actually shows a decline! When it comes to fraud, the promotion of the standardised SEPA card scheme, which aims to use chip and PIN (Personal Identification Number), appears to be one of the success stories. Source: http://www.eurotreasurer.com/news/cash-management/ecb-report-card-fraud-in-sepa-countries-declining/
Fraudsters continue to find ways to exploit new payment schemes and processes; SEPA is no exception. As a corporate you need to be aware of the various scams and, in turn, build the appropriate preventative processes to safeguard your business. Please do share any fraudulent activities relating to SEPA that you may be aware of.
Last June 2016 I was a victim of cyber crime / phishing from someone who came into my email and changed 2 invoices related to IBAN information. The loss was 48.250 EUR and I informed the English bank about this fraud but they didn't care… this SEPA way is very dangerous because no matter that I filled the netbanking order with all data including my customer name (company), nobody checked it and that is not acceptable! Is there anything I can do? Is there any insurance related to it, or a way to press the bank to return or pay the money involved…
Thanks
B Regards
J Costa (Portugal)
In January 2023 I was a victim of SEPA fraud through Stripe merchant processing. Luckily it was a small transaction amount. The client made a "payment" on the 6th and Stripe confirmed the payment. Three days later, Stripe received a dispute notice from the client's bank and automatically pulled the payment from my account and charged me a $10 USD service fee. All without ever notifying me of the dispute, the reversal of funds or the fee. It was only through monthly bookkeeping that we found we had been hit by this scam.
Stripe said that they do not offer any protection or support for this type of fraud and that it is the seller's responsibility to check their account daily to know if they have been scammed, and that they should use Stripe Merchant SEPA services at their own risk.
STRIPE Merchant Services will not offer any support, protection or notifications about disputes or fraud, even though their website clearly states they will offer support for certain SEPA transactions. I am now trying to communicate with their legal department about false advertising on their website and to at least recover my $10 fee (more the point than the actual cost).
So please be careful when accepting SEPA payments, or working with Stripe. There are high risks with either.