
How to avoid payment card fraud

The number of illegal actions with payment cards that resulted in losses increased by a quarter in 2023 and amounted to 272 thousand transactions.

Last year, the amount of losses incurred by payment service providers, merchants, and customers from illegal actions with payment cards amounted to almost UAH 833 million. This is 73% more than in 2022.

The average amount of one illegal transaction last year amounted to UAH 3,065, which is 39% more than in 2022 (in 2022 - UAH 2,200).

At the same time, the number of active cards increased by 13% in 2023, which indicates that payment cards are more actively used for transactions.

It should be noted that, starting in 2023, data on losses are submitted not only by banking institutions, but also by postal operators and non-bank financial institutions that have been authorized to issue and/or acquire electronic payment instruments in accordance with the Law of Ukraine "On Payment Services". The share of losses incurred by such institutions in the total amount of losses from illegal actions in 2023 amounted to 0.4%, and 0.2% in terms of the number of cases.

The most common payment fraud scenarios

Last year, payment card fraud was most often committed via the Internet - 83% of the total number of cases. At the same time, only 17% were committed through physical devices (retailers, ATMs, self-service devices).

The average amount of one illegal transaction on the Internet in 2023 increased by 31% and amounted to UAH 3,150 (UAH 2,408 in 2022).

The vast majority of fraud cases are caused by disclosure of personal data by customers. Specifically, social engineering accounted for 80% of all losses in 2023 (in 2022, this figure was 53%).

According to the information provided by payment market participants, the most common social engineering scenarios that led to financial losses by customers in 2023 were as follows:

  • fake messages sent by fraudsters about the possibility of receiving assistance from the state and social funds - customers follow the link and provide sensitive data, which fraudsters use to misappropriate their funds;
  • issuing a duplicate SIM card, including an electronic SIM card, for a customer's financial phone number after luring the customer into revealing access codes to the mobile operator's application. Subsequently, using the financial number, criminals commit fraudulent actions to gain access to mobile banking in order to steal money from accounts, purchase goods or attempt to take out online loans;
  • calls from persons posing as security officers of a bank, the National Bank or other institutions to obtain payment card details, to induce a transaction (for example, to avoid alleged account blocking), to obtain one-time passwords from SMS messages, etc. Such disclosure of customer data leads to financial losses;
  • dissemination of messages in messengers and social networks about opportunities to receive additional income for performing certain tasks on social networks or the Internet in order to encourage customers to make certain purchases or transfer funds to fraudsters.

The NBU, together with the Cyber Police, other government agencies, and payment market participants, is systematically working to improve financial literacy, create an understanding of the basic rules of cyber hygiene, and counteract phishing by blocking malicious websites.

At the same time, taking advantage of the war and the difficult situation of Ukrainians, fraudsters skillfully adapt and manipulate people's feelings when they are most vulnerable, and find new schemes to deceive them.

The NBU once again emphasizes that it is important to know and follow the rules for the safe use of payment cards!

In no case should you disclose payment card details [card number, expiration date, three digits on the back of the card (CVV code), login and password for Internet banking].

Disclosing one-time passwords sent in SMS messages from payment service providers (including banks) and mobile operators, personal data, etc. is also particularly dangerous.

In addition, in order to strengthen the protection of personal data, the NBU recommends that citizens identify themselves with their mobile operator (i.e., "link" their SIM card to their identification data) and not use non-personalized SIM cards as a financial phone number. Today, every mobile operator offers the opportunity to perform this procedure remotely and free of charge using the NBU's BankID system.

At the same time, in order to reduce payment fraud, payment market participants must complete the implementation of the requirements of the NBU Resolution "On Approval of the Regulation on Authentication and Application of Enhanced Authentication in the Payment Market" in 2024. The NBU, for its part, will continue to implement educational programs aimed at informing citizens about payment security.

For reference:

To learn more about common payment fraud scenarios and tips on how to protect your money, please visit the #FraudsterGoodbye information campaign page.



Buhgalter 911 notes that the content of the author's materials may not coincide with the policy and opinion of the editorial team. The authors of the published materials include not only representatives of the editorial team.

The information presented in a particular publication reflects the position of the author. The editorial team does not interfere with the author's materials, does not edit the texts, and is therefore not responsible for their content.
