Many banking customers want a user experience that matches their other digital apps: 100% fast and frictionless. But getting exactly what you want is not always exactly what you need. Instant payments, or push payments, may fulfil consumers’ need for speed, but the ramifications are not all positive.
In this article, the final in our four-part financial fraud deep dive series, we discuss the dangers of authorized push payment (APP) fraud and how sharing the risk responsibility across the ecosystem holds the key to successful fraud prevention.
What is a push payment?
A push payment is a type of payment that is initiated by the payer, such as direct deposits, digital wallet payments, or bank transfers. Since push payments are pre-authorized, they are faster than pull payments — payments initiated by the payee, such as credit card payments.
Unfortunately, consumers are not the only ones that appreciate the speed of modern push payment technology. Fraudsters love them too.
- Firstly, because the customer takes the first step in the payment procedure by pushing the payment through.
- Secondly, the security measures for these new payment options are often inadequate, creating opportunities for bad actors to commit fraud.
What is authorized push payment fraud?
Authorized push payment (APP) fraud is a type of scam where attackers trick consumers into sending money to a fraudulent account by pretending to be a trusted authority figure, like a banker, police official, or conveyancer.
Fraudsters use tactics, such as social engineering, to manipulate individuals into paying or transferring funds. And, in the end, it’s the customer that initiates the transaction, making APP fraud a particularly sneaky attack vector, and one that’s difficult for banks to control.
Typical APP fraud examples include tech support scams, impersonation scams, invoice fraud, romance scams, and phishing, ultimately resulting in:
- Major financial loss for the customer and FI
- Reputational damage
- An erosion of customer loyalty
Let's look at why this particular scam is rising fast on the agenda for banking security teams.
Why APP fraud and payer manipulation are so dangerous
APP fraud is shooting to the top of the fraud priority list for bankers, with the launch of FedNow — the US Federal Reserve Bank’s instant payment service — in July 2023, and growing evidence of APP fraud in the US and other leading global markets.
While this new form of payer manipulation sees fraudsters take advantage of the weakest security link – humans – attackers are also exploiting the gap between innovative instant payment technology and the security measures that should be keeping these transactions locked down.
While push payments, such as real-time payments, enable businesses and banking customers to send and receive payments instantly, it’s also the speed of these transactions that introduces greater security risks. For one, it’s difficult for FIs to spot and prevent APP fraud as it’s the customers themselves who make the payment or transfer. What’s more, these payments are also irreversible.
The danger also lies in the liability when an attack is successful. Currently in the US, fraud victims are liable and have little chance of recouping their financial losses due to APP fraud. While this may seem like a positive for FIs, the flipside is that their customers could begin to lose faith in their bank’s ability to provide the necessary security and reimbursement, and decide to switch to another FI.
5 Payment fraud prevention tactics for your FI
FIs can protect their customers and institutions from APP fraud by adopting a holistic approach that covers both human and technological components.
1. A multi-layered defense
A solution comprising multiple layers of visible and invisible security is more likely to detect suspicious activity, such as an unusually large payment, and protect customers against possible fraud attacks.
- Visible security, for example, refers to active authentication steps, such as a customer verifying a large payment via their mobile device.
- Invisible security, like behavioral biometrics, learns about a customer’s behavior with each transaction to better determine which interactions are legitimate and which should be flagged as suspicious – and stopped.
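The two layers described above can be sketched together as an added example (not code from this article or from any vendor's product): an invisible layer scores each payment against the customer's own history, and an unusually large payment triggers the visible step-up check. The class name, thresholds, the 1.0 spread floor and the sample data are all assumptions constructed for illustration.

```python
from statistics import median

class CustomerProfile:
    """Per-customer payment baseline (hypothetical structure)."""

    def __init__(self, amounts, payees):
        self.amounts = list(amounts)   # past payment amounts
        self.payees = set(payees)      # payees this customer has paid before

    def amount_score(self, amount):
        # Robust z-score: distance from the customer's median payment,
        # scaled by the median absolute deviation (MAD), so that one
        # earlier outlier does not stretch the baseline.
        med = median(self.amounts)
        mad = median(abs(a - med) for a in self.amounts) or 1.0  # assumed floor
        return (amount - med) / (1.4826 * mad)

    def assess(self, amount, payee, step_up_z=3.5, hold_z=10.0, min_history=5):
        """Return 'allow', 'step_up' (active verification) or 'hold'."""
        if len(self.amounts) < min_history:
            return "step_up"           # no baseline yet: verify actively
        z = self.amount_score(amount)
        if z >= hold_z and payee not in self.payees:
            return "hold"              # extreme amount to a never-seen payee
        if z >= step_up_z:
            return "step_up"           # unusually large: confirm on mobile device
        return "allow"

    def record(self, amount, payee):
        # Invisible layer learns from every completed transaction.
        self.amounts.append(amount)
        self.payees.add(payee)

def sample_profile():
    # Constructed sample history, not real customer data.
    return CustomerProfile([42.0, 55.0, 38.5, 60.0, 47.25, 52.0],
                           {"landlord", "utility-co"})

if __name__ == "__main__":
    p = sample_profile()
    for amount, payee in [(58.0, "landlord"), (120.0, "landlord"),
                          (4800.0, "safe-account-7")]:
        print(amount, payee, p.assess(amount, payee))
```

A "hold" outcome is where a bank would pause the transfer for review before the payment becomes irreversible; "step_up" maps to the customer confirming the payment on their mobile device.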
2. More secure online payment methods
Industry standards, like EMV 3-D Secure, help FIs deliver secure online payment options for their customers. These compliance protocols add an extra layer of protection for online payments, reduce attacks like APP fraud, improve the user experience with more customization options, and improve trust in the FI.
3. Intelligence sharing
Another way to reduce APP fraud attacks is through better industry collaboration. In other words, sharing data and intelligence across the wider ecosystem to keep a step ahead of the latest fraud trends. This will enable FIs to quickly differentiate between genuine customer transactions and fraudulent activities. Ultimately, better industry collaboration can help prevent potential cyberattacks before they happen through a more data-driven approach to fraud.
4. Leveraging generative AI
While fraudsters make the most of new technology to exploit security weaknesses, the same technology can be used by FIs as a tool to prevent fraud. Think of generative AI. Per a recent McKinsey global payments report: “Early examples indicate that using generative AI to automate or accelerate currently manual activities could boost productivity in fraud detection by 30 to 50 percent.”
5. Customer and employee education
Ongoing education and accessible reporting channels on the latest fraud attack vectors for customers and employees remain an essential avenue to thwart financial crime. For instance, when it comes to APP fraud, customers need to be wary of social engineering ploys as these are often the starting point for APP attacks.
Digital payment security: Creating a safer future
As financial fraud vectors grow more sophisticated, harnessing the latest technology to steal consumers’ identities and funds, the effort to turn the tide needs to be a collaborative one. Along with the assistance of regulatory mandates, such as the UK’s Contingent Reimbursement Model and Confirmation of Payee name-checking service, FIs need to employ up-to-date authentication technology to keep their customers’ payments secure.
At the same time, banks and credit unions shouldn’t see secure payments and user-friendly experiences as mutually exclusive. Solutions that improve the security of online payments can – and should – move towards a seamless user experience at the same time.
While there will be an increase in solutions that meet the customer where they are, such as embedded payments, application program interfaces (APIs) form the foundation of this technology. With Entersekt, FIs can create secure payment journeys across all digital channels while also delivering an exceptional user experience — from a single, secure platform.
This blog is the final component of our four-part series on fighting fraud. Read the others:
- In blog 1 of the series, you’ll discover how to defeat the 3 major fraud schemes threatening FIs today.
- In blog 2, you’ll uncover three ways to win against account takeover fraud.
- And, in blog 3, we explore MFA: Your best defense against social engineering attacks.