How Google profits from card fraud
- Jason Costain
- May 31
How Google profits from card fraud (case study)

As UK Finance’s latest annual fraud report shows, APP fraud is down and remote purchase card fraud is up: criminals have pivoted over recent years.
Here’s an example of how criminals misuse Google (and work around bank authentication processes) to befuddle their victims:
1️⃣ Criminals pay Google for an Ad that targets a popular website people make online purchases from; in this example it’s tickets to tour the Petronas Towers in Kuala Lumpur (a popular site, likely to harvest many international bank cards).
2️⃣ Criminals clone the genuine Petronas Towers website. It's presented at the top of search results on Google and the “sponsored Ad” status adds plausibility. At checkout, the criminal site presents a “Verified by Visa” (VbV) pop-up to the victim, telling them an authentication code will be needed. The victim is warned that tickets are scarce and that they only have a couple of minutes to complete the transaction. Legitimacy. Familiarity. Pressure - FOMO.
3️⃣ Criminals immediately add the victim’s card to a new Google Pay wallet. This sends a verification code to the cardholder’s (victim’s) phone via their bank’s app (or SMS, depending on settings). A £0 auth is instantly made on the card to check the account is active.
4️⃣ The victim instantly receives a Google Pay code authentication request from their bank and unwittingly uses this to approve the Petronas transaction. Criminals instantly transact on the victim’s card via the criminals’ Google Pay wallet… I expected this code. I need to comply. This is normal. Frictionless.
5️⃣ The criminals immediately attempt a spend. In this case, a £334 transaction in Turkey (thankfully declined due to lack of funds).
There are screenshots below to show some of the scam journey.
This is a technically sophisticated real-time scam - aka “authorised remote card fraud”. It's on the rise.
How can this be stopped?
➡️ Banks need to look for discrepancies between the customer’s device and the device that’s making the Google Pay transaction. This needs to be real-time in order to block transactions.
➡️ Google is profiting from this crime by accepting Ads from criminals. Better KYC and ongoing monitoring are required, in real time. By the following day, the fake Petronas website was behind a bright red Google scam site warning, but this is not fast enough. Better intel sharing (real-time) between banks and payment firms is also needed if this is to be stopped.
➡️ Bank customer-centric journey design. Are customers becoming “over familiar” with auth codes? The journey is low-friction, with auth codes presented in multiple different ways. What’s right and what’s suspicious? It’s far too easy for a victim to “approve” something when the entire journey has been designed to work like that. Effective and timely fraud warnings and a bit of friction are needed.
➡️ Brand protection. Big retail brands need to pay for clone site monitoring and takedown. They also need to build better relationships with Google to help protect their brand and URL. When a new site comes along that looks near-identical to a well-established genuine branded website, one that has lots of traffic, this should prompt some serious questions to be asked. Sponsored Ad + Big Brand + new website = risk
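One way to express the real-time device-discrepancy check from the first recommendation above, as an added example (not code from the author or from any bank). The event fields, the 30-minute window and the decision names are assumptions, and the sample events are constructed from the figures in the case study.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All field names and thresholds are hypothetical; real issuer/token-service feeds differ.
@dataclass
class Event:
    ts: datetime
    kind: str          # "provision" (card added to a wallet) or "spend" (wallet transaction)
    card: str
    device_id: str     # device holding the wallet token
    country: str = ""  # merchant country, for spends
    amount: float = 0.0

FRESH_TOKEN_WINDOW = timedelta(minutes=30)  # assumed: how long a new wallet token counts as "fresh"

def score_spend(spend, history, known_devices, home_country):
    """Return (decision, reasons) for a wallet spend, using events seen before it."""
    reasons = []
    # Device discrepancy: the wallet's device is not one the customer's banking app is enrolled on.
    if spend.device_id not in known_devices.get(spend.card, set()):
        reasons.append("wallet device not enrolled by customer")
    # Fresh token: the card was provisioned to this device only minutes before the spend.
    provisions = [e for e in history if e.kind == "provision"
                  and e.card == spend.card and e.device_id == spend.device_id
                  and e.ts <= spend.ts]
    if provisions and spend.ts - max(p.ts for p in provisions) <= FRESH_TOKEN_WINDOW:
        reasons.append("spend within minutes of wallet provisioning")
    # A zero-value account check carries no merchant-country signal, so skip it here.
    if spend.amount > 0 and spend.country != home_country:
        reasons.append("merchant country differs from customer's")
    # Block only when the device mismatch is corroborated; a lone signal gets step-up friction.
    if "wallet device not enrolled by customer" in reasons and len(reasons) >= 2:
        return "block", reasons
    return ("step_up" if reasons else "allow"), reasons

# Constructed sample data modelled on the case study (not real records).
T0 = datetime(2024, 1, 1, 12, 0, 0)
KNOWN = {"card-1": {"victim-phone"}}
HISTORY = [Event(T0, "provision", "card-1", "unknown-phone")]
FRAUD = Event(T0 + timedelta(minutes=2), "spend", "card-1", "unknown-phone", "TR", 334.0)
OWN = Event(T0 + timedelta(days=1), "spend", "card-1", "victim-phone", "GB", 12.5)

if __name__ == "__main__":
    for ev in (FRAUD, OWN):
        print(ev.device_id, ev.country, score_spend(ev, HISTORY, KNOWN, "GB"))
```

The decision has to be made inside the authorisation path, before the spend is approved, which is why the function only looks at events already recorded at the time of the spend.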
Jason Costain
Jason Costain is a consultant specialising in fraud prevention and financial crime defence. Jason is the founder of Javloc Ltd, and has leveraged over 30 years of expertise to assist banks and organisations in strengthening their defences against fraud and financial crime.
Jason Costain is a leading fraud prevention expert with a career spanning more than three decades. Before founding Javloc Ltd, Jason led fraud and financial crime defence teams at prominent UK banks, where he played a pivotal role in combating emerging threats such as authorized push payment (APP) fraud and cryptocurrency-related scams. Jason holds an ICA Diploma in Financial Crime Prevention, underscoring his commitment to staying at the forefront of the field.