Stopping Fraud on Peer-To-Peer Payment Apps
As consumers have adopted peer-to-peer (“P2P”) payment platforms in increasing numbers, fraudsters have increased[1] efforts[2] to swindle consumers via the platforms. The “open” nature of some P2P platforms[3]—where each participating consumer in a transfer keeps accounts at different financial institutions—creates a degree of complexity that fraudsters exploit. Fraudsters receive and abscond with funds before victims can recognize the scam and stop the transfer.
Conventional layered defenses against account takeover fraud (ATO) provide no protection because consumers unwittingly participate. The expanded number of channels through which criminals can initiate contact with consumers—email (“phishing”), phone (“vishing”), and SMS/text message (“smishing”)—affords criminals more opportunities to defraud.
Several factors make P2P fraud a problem for the financial institutions serving consumers, including a recent clarification from the Consumer Financial Protection Bureau (CFPB), and consumers’ rising expectations for protection. Financial institutions put at risk customers, revenue, and brand reputation by dismissing this fraud vector as a problem for P2P platforms to resolve.
Financial institutions must protect consumers from P2P fraud
Consumers have become the path of least resistance to the value stored in their financial accounts.[4] Layers of sophisticated technology protect consumer accounts, but consumers themselves have comparatively few protections; just caution and education. Criminals bypass strong fraud prevention measures by targeting consumers directly.
Ironically, criminals use breached personally identifying information (PII) to earn consumers’ trust. First, criminals spoof an originating phone number or email address to deliver an urgent alert, ostensibly from the consumer’s financial institution. The criminal fortifies the illusion of trustworthiness on a phone call by authoritatively citing the consumer’s personal information. Three-quarters[5] of identity fraud scam victims report that scam callers used the victim’s personal information to build trust and extract additional data. The criminal withdraws the transferred funds quickly, before the consumer or corresponding financial institution can attempt to reverse the transfer.
The scale of this problem has mushroomed along with adoption rates of P2P apps. In 2020, 70 percent of American adults reported using a P2P service, up from 57 percent in 2017.[6] The number of fraud complaints submitted to the Federal Trade Commission (FTC) involving “internet/mobile” and “payment app or service,” respectively, rose from 14,392 in 2018 to 127,500 in 2020 (the latest year when data was available), an 885 percent increase.[7] The FTC’s numbers may underreport the reality by as much as a factor of six.[8]
P2P fraud impacts financial institutions directly. Over three-quarters of banks in the Asia Pacific reported higher fraud losses after introducing real-time payments platforms.[9] Almost half of victims of P2P fraud close their accounts from which their funds were taken.[10] More than 40 percent[11] of P2P consumers discover fraud before their financial institution, an experience that is likely to degrade the customer relationship.
This consumer behavior could taint relationships with financial institutions. “Many consumers mistakenly believe that P2P payment systems have protections similar to a debit or credit card since many P2P payment systems are affiliated with banks,” writes Fraud.org.[12] “This is not true. Once you send money via a P2P payment system, it is nearly impossible to get the money back or refunded.”
Consumers readily act on their expectations for protection, even if they’re mistaken. Nearly 15 percent[13] of financial consumers close their accounts after an identity fraud incident, even if they are satisfied with the assistance provided by the related organization. If they are dissatisfied, as much as one half of consumers may take their business elsewhere.
The CFPB holds financial institutions responsible[14] for P2P fraud, according to a June 2021 FAQ[15] on Electronic Fund Transfers: "negligence by the consumer cannot be used as the basis for imposing greater liability." This applies to cases where consumers were tricked into sending money to a fraudster via a P2P platform. The CFPB’s FAQ invalidates language in terms and conditions or private network rules that make fraud loss the consumer’s responsibility.
These trends put financial institutions in a tight spot. Liability for P2P fraud is rising while P2P apps gain popularity among consumers. Failure to participate in a P2P platform could cost financial institutions market share and a revenue channel. However, financial institutions cannot impose excess friction on transfer authorizations, lest they frustrate customers caught as false positives. False positives slow service and imply suspicion, both of which degrade customer experience. Financial institutions need to prevent P2P fraud, or risk losing revenue, ceding market share, and inviting greater regulatory oversight.
Monitor for signals indicating P2P fraud risk
Most P2P fraud occurs[16] in conjunction with a phone conversation, though the scams may start via email or SMS message. Phone calls allow criminals to create urgency and pressure prospective victims to act before thinking twice. Fortunately, phone calls produce risk signals within the telephone network, such as recent usage and changes to service, the identity of the subscriber, and whether the fraudster’s phone number has been spoofed or connected to a virtual call app. These signals could help to forewarn customers at risk, and flag for additional verification risky new users attempting to create accounts on P2P platforms. This capability demands insight into the telephony network and the identities of both participants in a P2P transfer.
These insights require constant investment and maintenance. Capturing and analyzing the signals produced by the telephone network falls outside the scope of most organizations’ operating models. Keeping consumer information accurate and up-to-date challenges even the most sophisticated organizations. These shortcomings create a blind spot, which enables P2P fraud. That’s where Neustar can help.
Neustar TRUSTID Fraud Solutions deliver the insight that financial institutions need to reduce fraud exposure, meet the CFPB’s clarified interpretation mentioned earlier, and provide consumers with the highest possible level of service. Using unique and unhackable insight into the telephony network, forward-thinking organizations determine whether to assign a higher degree of trust when using mobile applications, promoting online registrations, and verifying transactional activities in real-time. These organizations focus fraud-prevention resources more efficiently and reduce friction for users whose behavior appear as expected. Customers continue to enjoy the convenience of P2P transfers while financial institutions tap into an exciting new revenue channel, safely.
[1] WFLA, Protect your money: How thieves target mobile payment apps
[2] Chicago Sun Times, ‘Painful lesson’ on payment apps
[3] Yahoo Finance, PayPal vs. Venmo vs. Zelle: Is There Actually a Difference, and Which One Is Best?
[4] Javelin Strategy & Research, 2021 Identity Fraud Study: Shifting Angles
[5] First Orion, Scam Callers Now Leveraging Data Breaches In New “Enterprise Spoofing” Strategy
[6] Mercator Advisory Group, 2020 North American Payments Insights
[7] Federal Trade Commission, Consumer Sentinel Network data sets
[8] Aite Group, U.S. Identity Theft: The Stark Reality
[9] InternationalBanker.com, The Rise of Digital Banking Brings Fresh Security Concerns
[10] Javelin Strategy & Research, Securing P2P Payments
[11] Ibid.
[12] Fraud.org Scammers increasingly turning to P2P payment apps
[13] Aite Group, U.S. Identity Theft: The Stark Reality
[14] Temenos, P2P Payment Transfers: Regulation E Liability
[15] Consumer Financial Protection Bureau, Electronic Fund Transfers FAQs
[16] Federal Trade Commission, Consumer Sentinel Network Data Book 2020