With compromised credit cards and data breaches often in the news, fraud is top of mind with many people. Though EMV has made card payments safer, experts predict card-not-present fraud will remain a growing problem for years to come.
When the first surge of major corporate data breaches was reported in 2014 and 2015, many Americans hoped it was just a brief trend. Those hopes faded as even more large companies became the target of cybercriminals, with it only being revealed in 2017 that the 2013 breach of Yahoo was the largest ever, affecting all three billion of its user accounts.1
According to the cybersecurity company Risk Based Security, the number of publicly reported data breaches in Q1 2020 was actually down 58% compared to the same period in 2019. It attributed this decline both to reporting disruptions as a result of COVID-19 and the unusually high number of breaches reported in 2019.
But at the same time, the first quarter of 2020 also saw a record high number of records lost, nearly 8.5 billion. However, this was largely due to a loss at ElasticSearch that exposed 5.1 billion records. Yet adjusting for this incident, the number of records still increased 48% compared to Q1 2019.
Of all the industries affected by publicly disclosed data breaches, health care was hit most frequently at 106 incidents in Q1 2020. The information sector had 104 incidents, public administration saw 84 and finance and insurance saw 72 incidents. Retail was fifth with 61 incidents.2
However, the broader trend shows public data breaches appear to have peaked in the first half of the 2010s, and have even fallen slightly towards the end of the decade.1
Four out of five of the largest data breaches ever recorded occurred in 2018 and 2019. These included data breaches reported by Aadhaar, First American Financial Corp., Verifications.io and Facebook.2
Card fraud and identity theft
The Federal Trade Commission’s (FTC) 2019 Consumer Sentinel Network Data Book shows 3.2 million reports related to problems consumers faced in the U.S. marketplace. The top three kinds of reports were those related to identity theft, imposter scams and telephone and mobile services. Of the 1.7 million fraud reports, 23% incurred a loss. These losses totaled $1.9 billion, with a median loss of $320. In total, the FTC reported 650,572 cases of identity theft.
Meanwhile, credit card new account fraud reports rose by 88%. In fact, the No. 1 type of identity theft reported was credit card fraud, for which 271,823 reports were filed in 2019. However, existing credit card account fraud was down by 4%.
The primary contact method for fraud was over the phone, with a staggering 821,862 reports. Websites were a distant second, representing just 99,215 of the fraud reports. Email reports were just behind at 92,323, while consumer initiated contact was fourth at 50,805. Criminals perpetrating fraud by mail represented only 31,928 reports, while another 21,319 reports classified the contact method as “other.”
When identity theft reports were examined by state, the greatest number of victims were in Georgia, which had 427 reports per 100,000 residents. Florida was second with 304 and California was third with 257. Wyoming, Vermont and South Dakota were the least affected by identity theft, with 55, 54 and 47 reports per 100,000 residents, respectively.5
While EMV chip cards have cut counterfeit fraud, “card not present” (CNP) fraud is rising. CNP fraud includes telephone, internet and mail order transactions in which the cardholder does not physically present the card to the merchant.
In its 2018 Identity Fraud Study, Javelin Strategy determined that CNP fraud is 81% more likely to occur than point of sale fraud.1 This is particularly relevant as there was a massive decrease in card present transactions at the beginning of the COVID crisis in March 2020.2
But a 2019 Federal Reserve Bank of Atlanta report showed the U.S. lags the U.K., France and Australia in adoption of EMV chip cards that fight counterfeit fraud. It showed fraud losses from card present transactions peaking or declining in those countries after EMV payment systems were introduced.
In the U.S., CNP transactions were higher than face-to-face transactions for the first time in 2016 as fraudulent CNP transactions grew from 2015 to 2016. The report also shows new fraud threats are growing to fill the gap left by tougher anti-fraud measures taken to combat card present fraud. These emerging vectors include fraud perpetrated through business email and email account compromise.3
How the EMV migration has changed the face of fraud
When it comes to credit card fraud, the big development in the U.S. over the past few years has been the move from magnetic stripe readers to EMV smart chip authentication at payment terminals. The technology migration passed a major milestone on Oct. 1, 2015, when a liability shift occurred that placed the cost of card-present fraud on the retailer or card issuer that hadn’t upgraded to the new system.
In the nearly five years since, over 80% of card present transactions worldwide are now conducted with EMV chip technology, even while just under 64% of cards issued are EMV compatible. In the U.S., only 63% of card present transactions are occurring with EMV, while nearly 61% of cards are EMV compatible. This is far below Africa and the Middle East, which has 89.4% of its cards EMV compatible, which translates into 96.5% of transactions using EMV.1
How fraud victims are affected
An Identity Theft Resource Center report titled, “Identity Theft: The Aftermath 2018,” showed the emotional impacts of identity crime leave victims with very negative feelings about their situation. The percentage of respondents who reported that they felt worried, angry and frustrated registered at 85.7% each, and 83.7% reported feeling violated.
Another 69.4% said they could not trust others and felt unsafe, while 67.3% experienced a sense of powerlessness or helplessness. Many others felt sad or depressed (59.2%), and 55.1% felt betrayed. As a result, 84.1% reported issues with sleep and 77.3% said they had increased stress, among other symptoms reported.2
Fraud and COVID-19
In a survey about the coronavirus’s impact on fraud, the credit reporting bureau Experian found 16% reported fraudulent emails or calls related to COVID and 55% were aware of a scam related to the deadly pandemic, as fraudsters sought to take advantage of the crisis.
However, 33% reported increased online shopping, and 52% said they were somewhat, very or extremely worried their bank account information could be stolen while shopping online. But surprisingly, 30% of those surveyed said they were shopping online less since the onset of the COVID-19 crisis.
The authors speculated that this reduction could be due to multiple factors, such as the economic downturn or the even the increase in fraud during this period.3
- The New York Times, “All 3 billion Yahoo accounts were affected by 2013 attack,” October 2017
- Risk Based Security, Data Breach Quick View, 2020 Q1 Report
- Politifact, “By the numbers: How common are data breaches – and what can you do about them?,” September 2019
- UpGuard, “The 36 Biggest Data Breaches,” June 2020
- Federal Trade Commission, Consumer Sentinel Network Data Book 2019, January 2020
- Javelin Strategy and Research, “Identity fraud hits all time high with 16.7 million U.S. victims in 2017,” February 2018
- Insight Vault, “Combating card not present fraud during COVID-19,” April 2020
- Federal Reserve Bank of Atlanta, “The future of U.S. fraud in a post-EMV environment,” June 2019
- EMVco, Worldwide EMV chip development statistics (H1 2020)
- Identity Theft Resource Center, The aftermath: The non-economic impacts of identity theft, 2018
- Experian, “Survey: The impact of COVID-19 on fraud and identity theft,” April 2020