Ashburn, United States - In the heart of Data Center Alley – a patch of suburban Washington where much of the world’s internet traffic flows – Visa operates its global fraud command centre.

Visa maintains identical facilities in London and Singapore, ensuring 24-hour global vigilance.

The numbers that the payments giant grapples with are enormous. Every year, US$15 trillion (S$19 trillion) flows through Visa’s networks, representing roughly 15 per cent of the world’s economy. And bad actors constantly try to syphon off some of that money.

Modern fraudsters vary dramatically in sophistication.

To stay ahead, Visa has invested US$12 billion over the past five years building AI-powered cyber fraud detection capabilities, knowing that criminals are also spending big.

“You have everybody from a single individual threat actor looking to make a quick buck all the way to really corporatised criminal organisations that generate tens or hundreds of millions of dollars annually from fraud and scam activities,” Michael Jabbara, Visa’s global head of fraud solutions, told AFP during a tour of the company’s security campus in Ashburn, Virginia.

“These organisations are very structured in how they operate.”

The best-resourced criminal syndicates now focus on scams that directly target consumers, enticing them into purchases or transactions by manipulating their emotions.

“Consumers are continuously vulnerable. They can be exploited, and that’s where we’ve seen a much higher incidence of attacks recently,” Mr Jabbara said.

The most up-to-date fraud techniques are systematic and quietly devastating.

Once criminals obtain your card information, they automatically distribute it across numerous merchant websites that generate small recurring charges – amounts low enough that victims may not notice for months.

Some of these operations increasingly resemble legitimate tech companies, offering services and digital products to fraudsters much like Google or Microsoft cater to businesses.

On the dark web, criminals can purchase comprehensive fraud toolkits.

Said Mr Jabbara: “You can buy the software. You can buy a tutorial on how to use the software. You can get access to a mule network on the ground or you can get access to a bot network” to carry out denial-of-service attacks that overwhelm servers with traffic, effectively shutting them down.

Just as cloud computing lowered barriers for startups by eliminating the need to build servers, “the same type of trend has happened in the cyber crime and fraud space,” he explained.

These off-the-shelf services can also enable bad actors to launch brute force attacks on an industrial scale – using repeated payment attempts to crack a card’s number, expiry date, and security code.

The sophistication extends to corporate-style management, Mr Jabbara said.

Some criminal organisations now employ chief risk officers who determine operational risk appetite.

They might decide that targeting government infrastructure and hospitals generates an excessive amount of attention from law enforcement and is too risky to pursue.

More on this topic

‘Millions of attacks’

To combat these unprecedented threats, Mr Jabbara leads a payment scam disruption team focused on understanding criminal methodologies.

From a small room called the Risk Operations Center in Virginia, employees analyse data streams on multiple screens, searching for patterns that distinguish fraudulent activity from legitimate credit card use.

In the larger Cyber Fusion Center, staff monitor potential cyberattacks targeting Visa’s own infrastructure around the clock.

“We deal with millions of attacks across different parts of our network,” Mr Jabbara noted, emphasizing that most are handled automatically without human intervention. AFP