Contactless payments have surged in popularity, shifting many traditional cash transactions onto electronic payment networks, from local shops to lawncare. “Almost overnight, the COVID-19 pandemic triggered increased dependence on digital technologies, which played a crucial role in helping firms weather the worst of the shock,” reported the World Economic Forum.
At the heart of the trend is the growth of Peer-to-Peer or Person-to-Person (P2P) payment applications like PayPal, Venmo, Cash App, Zelle and Square Cash, along with big-player ventures like Amazon Pay, Apple Cash, Google Pay and Facebook Pay. P2P apps can use Real Time Payment (RTP) rails offered by The Clearing House (TCH) to let users send and receive payments directly from their accounts immediately.
However, the speed of RTP and the explosion of P2P payment apps have drawn the attention of fraudsters.
The real-time risks
Since RTP settles immediately, it eliminates the clearing window that provides an opportunity to claw back funds associated with erroneous or fraudulent transfers. It also limits a bank’s ability to investigate or intervene on suspicious transactions.
While RTP offers convenience to legitimate customers, it has increased the chances of a fraud or scam event successfully exfiltrating funds from an account. The features of RTP are not inherently at greater risk of fraud than other transaction types, but they serve as an enabling capability that is enticing more fraud attacks and improving their rate of success. Fraud rates for P2P transactions are three to four times higher per transaction than traditional payment methods like credit and debit cards. Credit and debit cards still process many more transactions than payment apps, but apps triggered almost as many fraud complaints and losses in Q4 2021.
Types of frauds and scams
Payment app users can fall prey to both fraud events and scams, and the industry has seen an increase in both:
- A fraud involves an unauthorized user stealing funds.
- A scam tricks an authorized user — the victim — into transferring funds.
Fraud and scam perpetrators can use a variety of ruses, but they often align to one of the following examples.
During a fraud event, a perpetrator often gains access to an account and performs a transaction without the account owner’s knowledge or authorization. This type of fraud is referred to as an account takeover fraud. Account takeovers involve the use of stolen credentials to access customer accounts.
Perpetrators commonly initiate account takeovers by stealing customer credentials via phishing or smishing techniques. Phishing involves sending email to convince the victim to divulge their credentials. Smishing accomplishes the same thing by using SMS text messages instead of email.
These techniques increasingly include impersonating a bank representative, often alleging to be from the fraud department. A common version of this fraud involves the perpetrator texting a fake transaction authorization message to the target victim (such as, “Did you spend $1,000 at Acme, Inc? Reply Yes or No”). When the customer responds “No,” the perpetrator calls the customer and requests the customer’s online user ID as verification of the customer’s identity. At this point, the perpetrator initiates a password reset on the bank website for the customer’s user ID. Knowing this will trigger a one-time-passcode for multi-factor authentication, the perpetrator tells the customer a special code is being sent to verify their identity and to please read it over the phone under the ruse that it is needed for verification of their identity. Armed with this information, the perpetrator resets the password successfully, now has full access to the account and has effectively locked out the legitimate customer. The perpetrator then proceeds to exfiltrate the funds using electronic payments, wires or other payment types.
A scam perpetrator tricks an account owner into authorizing payment for a transaction, often under misleading or false pretenses. This is sometimes called an “Authorized Push Payment” (APP) scam.
The simplest version of this is the consumer scam, where customers purchase goods or services online with their electronic payment account and the product never arrives, or the service is never delivered.
One of the more common scams is the me-to-me scam, where the perpetrator links the victim’s phone number to an electronic payment account controlled by the perpetrator. The victim receives a text message from a number posing as their bank, asking if they authorized a transaction. Once the customer responds, the perpetrator calls the victim, poses as a bank employee advising them of unauthorized transfers on their account. Under the guise of protecting their money and moving the funds to a more secure account, the perpetrator advises the customer to transfer money to themselves electronic payment. When the victim sends the payment to their own phone number, the payment is delivered to the payment account controlled by the scammer instead.
There are numerous variations on these scams where perpetrators can change the ruse to best fit the circumstances. Another common variation is the romance scam, where a perpetrator adopts a fake online identity to establish relationships with victims and leverage those relationships to manipulate victims into sending money for various needs, including debt, medical expenses, travel costs, or other fictitious emergencies.
Regulatory guidance on responsibility
In the United States, the Electronic Funds Transfer Act and Regulation E (Reg E) limit consumer liability related to unauthorized transactions. Reg E provides clear guidance that electronic funds transfers (EFTs) are unauthorized transactions when the transaction occurs because the customer was defrauded, robbed, or forced. Many banks interpret that Reg E does not apply to scams because those transactions were technically authorized by the customer.
In June 2021, the CFPB published a compliance aid clarifying that transactions resulting from a consumer being fraudulently induced or misled into providing account details should be considered unauthorized. The CFPB released updated FAQs on December 13, 2021, clarifying that unauthorized transactions include transactions initiated by someone other than the consumer without authority to initiate the transaction and regardless of if the consumer provided the transaction initiator with account information or other security details, if they were induced to do so by fraudulent means. The guidance also states that financial institutions cannot consider a consumer’s negligence when determining liability.
This latest guidance clarifies several types of unauthorized transactions and the inability for financial institutions to consider consumer negligence for purposes of determining liability under Reg E. However, it is still unclear regarding the liability associated with scams, since the actual customer authorizes the transaction in a scam scenario. In both frauds and scams, the customer is induced via deception to take an action that results in a financially adverse transaction. The nuanced difference is in who pushes the button to approve the transfer.
In the United Kingdom, guidance has already placed the onus for scams on payment service providers. The UK has nearly a decade more experience in dealing with these fraud patterns, having introduced the Faster Payments Service in 2008, long before RTP launched in the US in 2017. For UK firms that are signatories of the Contingent Reimbursement Model (CRM) Code, customers who are victims of authorized push payment (APP) fraud are to be reimbursed. However, under that code consumer negligence is permitted as a consideration for liability in these instances. To receive reimbursement for losses due to scams, customers must have acted with an expected level of care to prevent such a scam.
Recommendations for organizations
The growth of P2P apps is likely to continue. So, how can your organization prepare to adopt them while staying aware of potential fraud? Current recommendations include:
- Establish training on an enterprise-wide basis focused on concerns related to P2P fraud scams. You can promote this training to both internal partners as well as external clients.
- Raise awareness of common P2P fraud risks with customer-facing partners, including portfolio managers, investment associates, tellers, and call center staff. Encourage them to keep clients aware of common schemes throughout the lifecycle of account management and ensure that clients are aware of the fraud/scam reporting mechanisms in place.
- Encourage customer-facing partners to escalate or report suspicious information relayed by customers to their managers or fraud risk leaders to help identify new schemes used by scammers or fraudsters.
- Educate clients who are first-time users of electronic payments. Provide them with an understanding of the way P2P payments work, how P2P apps differ and why customers must remain vigilant to avoid fraud and scam attacks. Provide access to education materials and instructions on what to do if they suspect fraud or scam activity.
- Update fraud rules and models to detect potential characteristics of fraud and scam-related transactions and require additional controls and confirmations for extremely high-risk transactions. This may include updating current anti-fraud technologies to be more sophisticated and flexible, such as implementing push notifications when an electronic payment transaction has been initiated or implementing additional multi-factor authentication procedures.
Our featured risk, compliance and controls insights
No Results Found. Please search again using different keywords and/or filters.