What Merchants Need to Know About Authorized Push Payment Fraud
We all want digital payments, and we want them to be fast, easy, and seamless. Across the board, banks, merchants, and payment platforms have been introducing services and technologies to meet that need, but as always, there are some unwanted side effects.
“Push payments” that involve direct fund transfers have caught the interest of fraudsters, and the victims of authorized push payment fraud can find it very difficult to recover their stolen money. This type of fraud primarily targets individual consumers, but businesses can be impacted too. What is authorized push payment fraud, and how do merchants end up getting harmed by these schemes?
Digital payments and e-commerce have been on the ascent for quite a while now, but they’ve been having a real moment ever since the COVID-19 pandemic hit, with more consumers than ever shifting to new online payment and shopping platforms out of necessity or caution. App-based payment systems like Venmo and Cash App have seen widespread adoption, especially among younger people who are more likely to make informal purchases.
Most of these systems are basically running ACH transactions under the hood: direct transfers from one bank account to another.
When consumers embrace new financial technologies, it creates a situation where lots of money is being poured into a system that most people are still inexperienced with. This is an ideal hunting ground for fraudsters, who prey on consumers’ unfamiliarity with the new technology to con them out of their money.
Authorized push payment fraud fits into this category because it’s all about finding ways to trick the users of push payment services into sending money to fraudsters’ accounts.
Because these payments are bank transfers, they aren’t subject to the chargeback process and victims may not have any way to get their money back.
And while merchants may breathe a sigh of relief that at least this kind of fraud doesn’t result in chargebacks, be warned—merchants can easily become victims of authorized push payment fraud themselves.
What Are Push Payments?
Whether a payment is a “push” or a “pull” depends on the inner workings of the transaction process. Pull payments are those that grant permission to the recipient to take funds out of the payer’s account. Checks and card transactions are pull payments.
In each case, permission is given (via the check signature or card authorization) and the recipient completes a process (depositing checks, submitting batches of card transactions) that causes the money to be moved from the payer’s account to the recipient’s.
With push payments, on the other hand, the payer uses the recipient’s banking information (or a third-party platform) to send money directly from their account to the recipient.
Push payments require no action on the recipient’s part. Wire transfers, ACH transactions, and Venmo transactions are all push payments.
How Does Authorized Push Payment Fraud Work?
Authorized push payment fraud relies on a simple premise that can be executed in thousands of different ways. The basic idea is that the fraudster provides their own banking information to the victim and convinces them to send a payment.
Usually, this is accomplished with social engineering. There are many classic wire fraud scams that follow this model. For example, a fraudster might call somebody up, pretend to be a friend or relative in distress in some foreign country, and ask them to wire them some emergency funds. A modern iteration of this would be to send a text message to a victim, telling them that their Netflix account is locked and they need to send money to a Cash App address to unlock it.
Of course, fraudsters often come up with cleverer schemes than those. Invoice fraud is a common form of authorized push payment fraud.
In invoice fraud, the fraudster creates a fake (but realistic) invoice for a company that their victim is known to do business with. If the victim doesn’t look at the invoice closely, they might assume it’s real and pay it.
Merchants can be particularly susceptible to invoice fraud because it’s usually not hard to find out some of the vendors a merchant uses, and merchants who deal with a high volume of invoices might not give them all adequate scrutiny.
Account takeover fraud is often a precursor to authorized push payment fraud. If a fraudster can get ahold of a victim’s online banking or payment platform account, they’re likely to steal as much money as they possibly can by making transfers or payments to accounts they control.
What Can Merchants Do to Protect Themselves from Authorized Push Payment Fraud?
The threat of authorized push payment fraud doesn’t come from malicious customers or random fraudsters, but from attackers who target you specifically. With push payment fraud, it pays for fraudsters to research potential victims and find out the names of the entities to whom they might be most inclined to send a payment without thinking twice.
Merchants should always read their invoices carefully and verify everything they’re being billed for, but it’s especially important to stop and take a closer look when a vendor provides you with new banking information for direct payments.
An even bigger red flag is if you usually pay via check or card and the vendor is suddenly insisting on some type of push payment. If you feel suspicious about an invoice, call the vendor directly to confirm it—just be sure to use a phone number from their website or an older invoice that you know to be legitimate.
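The checks described above can be run automatically before an invoice reaches the person who approves payments. The following is an added example, not code from the original article; the vendor master file, field names, flag names, and sample values are all constructed for illustration.

```python
from dataclasses import dataclass

PUSH_METHODS = {"ach", "wire", "p2p_app"}   # push payment types named in the article
PULL_METHODS = {"check", "card"}            # pull payment types named in the article

@dataclass(frozen=True)
class VendorRecord:      # hypothetical vendor master entry, kept apart from invoices
    bank_account: str
    usual_method: str
    verified_phone: str  # taken from the vendor's website or an older, known-good invoice

@dataclass(frozen=True)
class Invoice:           # hypothetical fields extracted from an incoming invoice
    vendor: str
    bank_account: str
    requested_method: str
    contact_phone: str

def _norm(value: str) -> str:
    """Drop spaces and punctuation so formatting differences are not flagged."""
    return "".join(c for c in value if c.isalnum()).upper()

def screen_invoice(inv: Invoice, vendors: dict) -> tuple:
    """Return (flags, callback_phone); the phone never comes from the invoice."""
    rec = vendors.get(inv.vendor.strip().lower())
    if rec is None:
        # Unknown or look-alike vendor name: there is no trusted number to call.
        return ["unknown_vendor"], None
    flags = []
    if _norm(inv.bank_account) != _norm(rec.bank_account):
        flags.append("new_bank_details")
    if inv.requested_method in PUSH_METHODS and rec.usual_method in PULL_METHODS:
        flags.append("switch_to_push_payment")
    if _norm(inv.contact_phone) != _norm(rec.verified_phone):
        flags.append("contact_phone_differs_from_record")
    return flags, rec.verified_phone

# Constructed sample data.
VENDORS = {"acme supplies": VendorRecord("US-0000-1111-2222", "check", "+1 555 0100")}
ROUTINE = Invoice("Acme Supplies", "us 0000 1111 2222", "check", "+1-555-0100")
SUSPICIOUS = Invoice("Acme Supplies", "US-9999-8888-7777", "ach", "+1 555 0199")

if __name__ == "__main__":
    for invoice in (ROUTINE, SUSPICIOUS):
        flags, callback = screen_invoice(invoice, VENDORS)
        print(invoice.vendor, flags or "no flags", "| call back on:", callback)
```

Any flagged invoice is held until someone confirms it by calling the number returned from the vendor record, not the one printed on the invoice.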
Push payment services may offer a reprieve from the world of chargebacks, but for the most part, they aren’t intended to replace normal commercial transactions, with all of the attendant consumer protections they carry. When it comes to authorized push payment fraud, merchants are in the same boat as their customers: both are potential victims of targeted fraud.
Protecting yourself from authorized push payment fraud doesn’t really overlap with the defensive strategies that work against e-commerce and chargeback fraud, but maintaining good recordkeeping, a dose of healthy skepticism, and diligent business operations can reduce your exposure to fraud no matter where it’s coming from.