Authorized Push Payment Fraud
Real-time push payments might not yet be widely used in the American markets, but countries like the United Kingdom have already started to embrace this new paradigm for merchant payments. Acquiring banks and other voices in the domestic payments industry have been talking up the benefits of push payments, and merchants who are weighing its pros and cons need a clear and accurate picture of the risks it can carry.
It offers some security advantages over traditional payments, but fraudsters are already exploiting its vulnerabilities. With authorized push payment fraud and other scams beginning to appear, are real-time push payment systems safe for merchants?
The terms “push” and “pull” in a payments context refer to whether the merchant or the customer is initiating the payment. In a traditional payment system, the customer authorizes a payment, and then the merchant submits it for clearing to the issuer—effectively requesting to “pull” money from the customer’s account.
With push payments, the customer does not have to provide any of their account information to the merchant. Instead, the merchant provides an invoice with account details, and the customer uses that information to initiate a payment directly to the merchant account. The customer can “push” the payment straight to the merchant instead of the merchant having to submit batches of transactions and waiting for them to settle. This means that merchants get their money faster and customers don’t have to give away their personal information or account credentials—two definite advantages of push payment systems.
What is Authorized Push Payment Fraud?
Push payments work similarly to P2P payment systems like Venmo, but scaled up for retail merchants and business-to-business sellers to use.
That means that once the customer authorizes and submits the payment, it’s gone—the money is immediately sent to the acquirer.
This makes it an attractive medium for fraudsters, who can quickly cash out and disappear if they can scam somebody into sending them a large sum of money.
The way fraudsters usually accomplish this is decidedly low-tech. For the most part, they just use social engineering, phishing emails, and other simple deceptions. Here are some examples of these different approaches, all of which end in acts of authorized push payment fraud:
- Social Engineering
The fraudster calls up a company’s accounts payable department, pretending to be one of that company’s vendors, and convince an employee to change their push payment account details. The next time the company tries to make a payment to that vendor, the fraudster receives it instead.
The fraudster creates an email designed to look like an invoice from their target’s favorite ecommerce store. The customer doesn’t look at it closely and misses the signs that it isn’t a real invoice, and submits a payment—to the fraudster.
- Account Takeover
The fraudster buys a list of stolen usernames and passwords on the dark web and tries them out on various mobile banking apps.
Once they find an unlucky victim who always uses the same password on every website, the fraudster sends a large payment to their own account.
Of course, more sophisticated attacks are possible. Hackers can potentially break into a system and alter vendor data and financial documents to insert their own account details. What all of these methods have in common is that the customer willingly authorized the transaction—they just didn’t know who they were sending it to.
What’s Being Done to Stop Authorized Push Payment Fraud?
The best defenses against push payment fraud starts with the users who end up as the primary victims: strong passwords, diligent account monitoring, and awareness of the social engineering tricks fraudster use. Merchants who use push payments to pay vendors should be especially careful to verify account information and review it frequently, as these payments can be high-value targets for fraudsters.
Issuers can use screening tools, similar to the ones used to detect credit card fraud, that use machine learning and artificial intelligence to identify transactions that seem fraudulent and ask the customer to provide additional confirmation before proceeding with the transaction.
In the UK, the Lending Standards Board has created the Contingent Reimbursement Model Code, which seeks to preserve consumer confidence in push payment systems by creating a fund that can be used to reimburse victims of authorized push payment fraud. While adherence to the code is entirely voluntary, many UK issuers have agreed to participate. This approach, however, seems designed only to reduce consumer anxieties about fraud—it won’t do anything to reduce its occurrences.
Does Push Payment Fraud Lead to Chargebacks?
While merchants certainly can become the primary targets of authorized push payment fraud, there are few scenarios in which this type of scam will involve a chargeback. If a fraudster sends a phishing email that pretends to be from Amazon, and the victim sends the fraudster a payment, Amazon is not liable in any way—and the customer, who authorized the transaction, has no recourse to dispute the charge under the terms of the Fair Credit Billing Act.
This would make push payments a viable way to avoid chargebacks, but the catch is that you need your customer base to be on board with making the switch. This might be feasible for B2B companies with a small number of clients, but for the average US-based ecommerce merchant, the market for push payments may not yet be ripe.
As a new generation of consumers develops their spending habits on apps like Venmo and CashApp, we should not be surprised to see push payments taking up more space in the payments ecosystem in the not-too-distant future. Merchants who send out invoices for the purpose of requesting push payments should be careful to provide detailed information and educate their customers about the possibility of phishing attacks.
While push payment systems offer clear benefits to merchants, such as faster settlements and reduced chargeback liability, merchants should be aware that they, too, can become the primary victims of authorized push payment fraud. Strong security practices, the latest anti-fraud tools, and careful review of vendor updates and payment procedures can help reduce the risk.