Authorized Push Payment Fraud

Table of Contents

  1. What Are Push Payments?
  2. What is Authorized Push Payment Fraud?
  3. What’s Being Done to Stop Authorized Push Payment Fraud?
  4. Does Push Payment Fraud Lead to Chargebacks?
  5. The Bottom Line on Push Payments
  6. What Is Payment Diversion Fraud?

Real-time push payments might not yet be widely used in the American market, but countries like the United Kingdom have already started to embrace this new paradigm for merchant payments. Acquiring banks and other voices in the domestic payments industry have been talking up the benefits of push payments, and merchants who are weighing their pros and cons need a clear and accurate picture of the risks they can carry.

Push payment systems offer some security advantages over traditional payments, but fraudsters are already exploiting their vulnerabilities. With authorized push payment fraud and other scams beginning to appear, are real-time push payment systems safe for merchants?

What Are Push Payments?

The terms “push” and “pull” in a payments context refer to whether the merchant or the customer is initiating the payment. In a traditional payment system, the customer authorizes a payment, and then the merchant submits it for clearing to the issuer—effectively requesting to “pull” money from the customer’s account.

With push payments, the customer does not have to provide any of their account information to the merchant. Instead, the merchant provides an invoice with account details, and the customer uses that information to initiate a payment directly to the merchant account. The customer can “push” the payment straight to the merchant instead of the merchant having to submit batches of transactions and wait for them to settle. This means that merchants get their money faster and customers don’t have to give away their personal information or account credentials—two definite advantages of push payment systems.

In addition to traditional invoices, push payments can also be made through certain payment apps. This trend began with payment apps designed for non-commercial purposes, such as Venmo and CashApp. Instead of needing all the applicable payment information, users can simply enter an account name to find the person they want to make a payment to, or scan a QR code on the other person's app if the transaction takes place in person. While it's typically against the terms of service to use these apps to buy or sell goods and services, there has been significant demand from both customers and merchants to be able to use these apps in business transactions, and so there are already efforts under way to adapt these payment services for a commercial environment.

What is Authorized Push Payment Fraud?

Push payments work similarly to P2P payment systems like Venmo, but scaled up for retail merchants and business-to-business sellers to use.

That means that once the customer authorizes and submits the payment, it’s gone—the money is immediately sent to the acquirer.

This makes it an attractive medium for fraudsters, who can quickly cash out and disappear if they can scam somebody into sending them a large sum of money.

The way fraudsters usually accomplish this is decidedly low-tech. For the most part, they just use social engineering, phishing emails, and other simple deceptions. Here are some examples of these different approaches, all of which end in acts of authorized push payment fraud:

  • Social Engineering: The fraudster calls up a company’s accounts payable department, pretending to be one of that company’s vendors, and convinces an employee to change their push payment account details. The next time the company tries to make a payment to that vendor, the fraudster receives it instead.

  • Phishing: The fraudster creates an email designed to look like an invoice from their target’s favorite eCommerce store. The customer doesn’t look at it closely and misses the signs that it isn’t a real invoice, and submits a payment—to the fraudster.

  • Account Takeover: The fraudster buys a list of stolen usernames and passwords on the dark web and tries them out on various mobile banking apps. Once they find an unlucky victim who always uses the same password on every website, the fraudster sends a large payment to their own account.

Of course, more sophisticated attacks are possible. Hackers can potentially break into a system and alter vendor data and financial documents to insert their own account details. What all of these methods have in common is that the customer willingly authorized the transaction—they just didn’t know who they were sending it to.

What’s Being Done to Stop Authorized Push Payment Fraud?

The best defenses against push payment fraud are those that prevent individuals from becoming victims: strong passwords, diligent account monitoring, and awareness of the social engineering tricks fraudsters use. Merchants who use push payments to pay vendors should be especially careful to verify account information and review it frequently, as these payments can be high-value targets for fraudsters.
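One way an accounts payable team could apply the vendor-detail review described above, shown as an added example that is not from the original article: the Python below holds outgoing payments whose destination account is new, unverified, or different from the vendor master file. The record layouts, sample data, and the 30-day cooling-off window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed vendor master-file change log (assumed layout):
# (vendor_id, new_account, changed_at, verified_out_of_band)
VENDOR_CHANGES = [
    ("V-100", "GB00EXAMPLE0001", datetime(2024, 1, 10), True),
    ("V-200", "GB00EXAMPLE0002", datetime(2024, 3, 1), True),
    ("V-200", "GB00EXAMPLE0999", datetime(2024, 5, 28), False),  # unverified change
    ("V-300", "GB00EXAMPLE0003", datetime(2024, 5, 20), True),   # verified but recent
]
# Constructed outgoing payment queue (assumed layout):
# (payment_id, vendor_id, destination_account, amount, scheduled_at)
PAYMENTS = [
    ("P-1", "V-100", "GB00EXAMPLE0001", 1200.00, datetime(2024, 6, 1)),
    ("P-2", "V-200", "GB00EXAMPLE0999", 48000.00, datetime(2024, 6, 1)),
    ("P-3", "V-300", "GB00EXAMPLE0003", 900.00, datetime(2024, 6, 1)),
    ("P-4", "V-100", "GB00EXAMPLE0777", 5000.00, datetime(2024, 6, 1)),
]
COOLING_OFF = timedelta(days=30)  # assumed policy value, not from the article

def screen_payments(payments, changes, cooling_off=COOLING_OFF):
    """Return {payment_id: [reasons]} for payments to hold for manual review."""
    latest = {}  # vendor_id -> most recent (account, changed_at, verified)
    for vendor, account, changed_at, verified in sorted(changes, key=lambda c: c[2]):
        latest[vendor] = (account, changed_at, verified)
    holds = {}
    for pid, vendor, dest, _amount, when in payments:
        reasons = []
        record = latest.get(vendor)
        if record is None:
            reasons.append("vendor not in master file")
        else:
            account, changed_at, verified = record
            if dest != account:
                reasons.append("destination differs from master file")
            if not verified:
                reasons.append("account change not verified out-of-band")
            if timedelta(0) <= when - changed_at < cooling_off:
                reasons.append("account changed within cooling-off window")
        if reasons:
            holds[pid] = reasons
    return holds

if __name__ == "__main__":
    for pid, reasons in screen_payments(PAYMENTS, VENDOR_CHANGES).items():
        print(pid, "HOLD:", "; ".join(reasons))
```

A held payment is released only after someone confirms the new details with the vendor through a contact channel that was on file before the change request arrived.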

Issuers can use screening tools, similar to the ones used to detect credit card fraud, that use machine learning and artificial intelligence to identify transactions that seem fraudulent and ask the customer to provide additional confirmation before proceeding with the transaction.

In the UK, the Lending Standards Board has created the Contingent Reimbursement Model Code, which seeks to preserve consumer confidence in push payment systems by creating a fund that can be used to reimburse victims of authorized push payment fraud. While adherence to the code is entirely voluntary, many UK issuers have agreed to participate. This approach, however, seems designed only to reduce consumer anxieties about fraud—it won’t do anything to reduce its occurrences.

Does Push Payment Fraud Lead to Chargebacks?

While merchants certainly can become the primary targets of authorized push payment fraud, there are few scenarios in which this type of scam will involve a chargeback. If a fraudster sends a phishing email that pretends to be from Amazon, and the victim sends the fraudster a payment, Amazon is not liable in any way—and the customer, who authorized the transaction, has no recourse to dispute the charge under the terms of the Fair Credit Billing Act.

This would make push payments a viable way to avoid chargebacks, but the catch is that you need your customer base to be on board with making the switch. This might be feasible for B2B companies with a small number of clients, but for the average US-based eCommerce merchant, the market for push payments may not yet be ripe.

Any new payment method requires customer confidence to achieve widespread adoption, and just as many customers were hesitant to provide their credit card number online in the early days of eCommerce, many customers may be hesitant to send a push payment to a merchant. However, the increasing popularity of P2P payment apps like Venmo has paved the way for push payments to make their way into the eCommerce space.

Merchants looking to use push payments might wish to provide their customers with some information to help prevent them from becoming victims of fraud. Many banks already do this by telling their customers that they will never ask for their account details over the phone or through email. Similarly, a merchant using push payments might let customers know that they won't ever change their payment details or ask a customer to re-submit a payment.

The Bottom Line on Push Payments

As a new generation of consumers becomes more accustomed to using P2P payment apps like Venmo and CashApp, we shouldn't be surprised to see push payments taking up more space in the payments ecosystem in the not-too-distant future. Merchants who send out invoices for the purpose of requesting push payments should be careful to provide detailed information and educate their customers about the possibility of phishing attacks.

While push payment systems offer clear benefits to merchants, such as faster settlements and reduced chargeback liability, merchants should be aware that they, too, can become the primary victims of authorized push payment fraud. Strong security practices, the latest anti-fraud tools, and careful review of vendor updates and payment procedures can help reduce the risk.


What Is Payment Diversion Fraud?

Payment diversion fraud is another name for a type of authorized push payment fraud wherein a fraudster claims to be a specific business that uses push payments, and directs customers of that business to send their payments to a new destination.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:
