At CO-OP’s recent FraudBuzz webinar, participants identified person-to-person (P2P) fraud as the #1 payment fraud trend to watch. And it’s no wonder. With the popularity of easy-to-use, touchless payments taking off during the pandemic, opportunistic criminals are capitalizing on this trend.
P2P payments increased substantially during the pandemic, with Venmo processing $159 billion in transactions in 2020, an increase of 59% over the prior year. Zelle®, with the added advantage of being embedded into many popular credit union and banks’ mobile banking apps, processed a record $307 billion, representing 58% growth in year-over-year transaction volume.
The result? A dramatic rise in P2P-related fraud, as evidenced by the recent growth in account takeover (ATO) activity, which has increased by 40% from 2019 to 2020, while attacks on mobile devices have increased by 48% year over year.
Why is P2P fraud growing?
P2P fraud is taking off because savvy fraudsters tend to go where the action is. With younger generations embracing this convenient channel over older payment methods like plastic cards, cash and checks, adoption rates have ballooned. Unfortunately, recent efforts by providers in this space to make the channel even faster and more convenient to use are hampering P2P fraud prevention efforts.
The advent of fast funds, where users have the option to pay a 1% fee to have funds immediately credited to their bank account is further pressuring issuing financial institutions to authenticate transactions quickly. As issuers are generally responsible for any fraud-related losses, this puts them between a rock and a hard place. With Zelle® and other popular P2P platforms, dispute timeframes for each platform are driving the need for users to identify transactions and report fraud quickly to offer any chance at recovering funds.
How do fraudsters commit P2P fraud?
Criminals are using several methods to commit P2P fraud. Some use “friendly fraud” social engineering tactics, like messaging a user requesting that they deposit the fraudster’s check in their account and then send the funds back to the requester via a P2P app. The fraudster then promises to send the victim $500 as “payment” for the transaction. Of course, the fraudster never sends the payment and the original check bounces, leaving the member (and the credit union) on the hook for the funds.
Another popular scam is where a fraudster advertises items for sale, like concert or sporting event tickets, and requests payment to be made via a P2P app. Once the funds are received, the fraudster disappears without ever delivering the requested item to the unwitting consumer.
Some credit unions are also seeing a rise in incidents of structuring, where deposits are made just below the $10,000 currency transaction threshold to evade IRS reporting requirements. Cash App from Square has proven particularly popular for this purpose.
Unfortunately, with P2P fraud, fraudsters no longer need to obtain a user’s card number to steal funds. If they are able to hack into a member’s smartphone or mobile device, they can easily gain access to the user’s digital wallet app and transfer funds in their name.
What can credit unions do to mitigate payment fraud?
P2P fraud is challenging for issuers, given the nature of the channel and consumers’ rising expectations of convenience and the speedy receipt of funds. But credit unions do have tools at their disposal to help protect against all types of payment fraud schemes, and the best way is often through a holistic, multi-pronged approach that leverages a variety of solutions.
Assuming the mobile device has not been hacked, one of the best protections against account takeover fraud is multiple-layered authentication – the more layered the approach, the better. EMV® 3D Secure (EMV 3DS) is a globally deployed technology supported by all major payment networks that helps reduce fraud for digital card-based transactions, including online and e
–commerce payments. EMV 3DS offers secure one-time passcode (OTP) as an optional additional layer of protection that helps verify a member’s identity at the point of purchase.
Fraud scoring models are being continuously enhanced and becoming more sophisticated, using layered scoring to detect smaller dollar amounts through nuanced rule writing algorithms. To be truly effective, such models must be used to proactively alert credit unions and their members of suspicious activity, and to decline transactions when warranted.
Self-service solutions that deputize your cardholders as members of your security team can also be very effective. Credit unions can empower their members with card controls and alerts, adding them to the first line of defense against fraud.
We also recommend talking with your core provider about setting strict transaction limits with lower dollar thresholds. For example, it’s best to employ models that can detect a high velocity of low-dollar transactions, as fraudsters often take this approach to test out vulnerabilities with specific merchants or groups of users. They will often run high volumes of lower transaction amounts that don’t trigger issuers’ dollar thresholds, take what they can and get out quick.
Lastly, member education is a critical front in the ongoing fight against fraud. Remind your members often to protect their account information and passwords, never give out authorization codes or information to someone who they think is calling from their credit union and to only use P2P services with people they know and trust.
CO-OP is here to help
For customized approaches to support your credit union in reducing your exposure to the growing threat of P2P fraud, talk to CO-OP’s Fraud Prevention Consultants, who will help you proactively identify fraud trends specific to your market and membership base.