Fighting Authorized Payment Fraud: How to Stop Real-time Scams

This article was originally published on the DataVisor blog.

Can you remember the last time you paid someone in cash? We’re so used to paying with apps or by phone tap that digital payments are the default way money “exchanges hands.”

As with anything digital, of course, this means our payments are vulnerable to online fraudsters. In fact, payment fraud is one of their oldest tricks to steal money. As such, they’ve spent decades refining different strategies to avoid detection and exploit vulnerabilities in digital payment systems.

The good news is we can detect payment fraud before it happens. The best platforms can prevent it completely. The solution involves first knowing:

• Different common types of payment fraud
• How fraudsters exploit authorized payments
• What data tools we need to fight fraud

The best place to start is first looking at authorized payment fraud as a whole. Then we’ll break down the different schemes under this umbrella.

What is authorized payment fraud?

Authorized payment fraud, or push payment fraud, happens when a fraudster tricks an account holder into authorizing a payment for illegitimate reasons. Fraudsters use social engineering tactics, like phishing emails, calls, or text messages (smishing) to pose as an individual or organization the victim trusts. They may coerce payment by leveraging urgency (think lottery scams), fear (the backbone of IRS scams), or even kindness (romance scams) to convince the victim to make a payment.

Once a payment is authorized, it’s often difficult to recover stolen funds, as the victim has made the request themselves. This is the key difference between authorized payment fraud and standard payment fraud. A bank can reverse a transaction or cancel it if the account holder never approved it (i.e. a purchase made with a stolen credit card), but the authorization from the account holder—even if made under false pretenses—notes the transaction as legitimate in the eyes of a financial institution.

The problem becomes even bigger when the fraudulent transaction in question is a real-time payment. Because it’s instantaneous, you can’t simply reverse or stop it the same as a reviewed transaction.

Who’s on the hook for real-time payment scams?

Recently, U.S. Congress has been pressing major banks to do more to protect customers from these authorized payment scams. Zelle—the real-time payment platform owned by Bank of America, Truist, J.P Morgan Chase, PNC, U.S. Bank, and Wells Fargo—has come under particular scrutiny as it’s become a hotbed for authorized payment scams. The banks have so far refused to refund customers who lost out to scammers, claiming the customers technically did approve the payments.

To understand why customers are at risk when using services like Zelle, or sending digital payments generally, we need to know how fraudsters manipulate gaps in the system and pull off their schemes.

Types of authorized payment fraud

Fraudsters will impersonate any number of trusted sources to commit authorized payment fraud. In each scam, their goal remains the same: gain a victim’s trust by impersonating a legitimate entity, then fool them into sending money. This takes many forms, but some recur more than most.

Common types of authorized payment fraud

• Invoice fraud – When a fraudster sends a fake invoice requesting payment for a product or service. Often it’s something the victim may have actually purchased from a legitimate vendor. When the victim makes the payment it goes directly to the fraudster.
• CEO fraud – These scams usually begin with a phishing email or smishing text. The fraudster, pretending to be a CEO or other executive the victim knows, requests payment to a third party to cover some fabricated expense. That third-party is really a hidden account for the fraudster to collect from.
• Romance scams – A fraudster poses as a romantic interest and convinces the victim to send money or make a payment for a variety of reasons, like travel expenses or medical bills. Often these scams target widows or older people.
• Tech support scams – A fraudster pretends to be a tech support representative and convinces the victim to pay for technical support services that are not necessary or likely fake altogether. These succeed best when targeting less tech-savvy victims.
• Charity scams – A fraudster pretends to represent a legitimate charity and requests a donation. In some cases, fraudsters even create fake websites or social media accounts to make their fake “charity” more convincing.
• Rental scams – A fraudster poses as a landlord or property manager and requests payment for a rental property. Of course, the property does not exist or is not actually available for rent, but these properties can come from legitimate listings.
• Chargeback fraud – This type of authorized payment fraud is committed by the actual account holder, and not a third-party fraudster. Most commonly, chargeback fraud happens with a buyer making a legitimate purchase with their cred or debit card, only to later dispute the charge by lying that it was made fraudulently.

Each scheme is even easier to run if the fraudster can take advantage of real-time payment.

Why real-time payments are targets for fraud

Real-time payments are instant by design. They’re a major convenience for good users and a feature that many account holders expect to have when sending payments. However, there are a few characteristics of real-time payments that make them an ideal playground for fraudsters.

Speed of payment combined with lack of verification is the first vulnerability. Real-time payments leave very little time for fraud detection systems to identify and block fraudulent transactions. What’s more, real-time payments don’t always require the same level of verification as traditional payments, such as checks or wire transfers, which means fraudsters can more easily use stolen or fake credentials to make payments.

Real-time payments often don’t have a chargeback mechanism like a credit card would, either. They are final as soon as a customer makes one. Fraudsters exploit this even further by making a large number of real-time payments to hide their fraudulent transactions from detection systems.

Perhaps the biggest payment fraud opportunity for real-time payments lies in the limited data they offer institutions. Strong fraud detection systems rely on many data points to catch fraudulent behavior patterns. Less data means a lower chance of catching fraudsters in action.

How to detect and prevent authorized payment fraud

Payment fraud detection follows similar methods to detecting non-authorized payment fraud. Even accounting for real-time payment fraud, the answer to detecting fraudulent transactions is data.

One of the most powerful tools you can add to your fraud detection stack is behavioral analysis. Using machine learning, behavioral analysis tools scan transactions and spot fraud patterns to uncover both individual fraud actors and coordinated attacks. This tool works by allowing financial institutions and merchants to utilize a rules engine capable of scanning data points across the payment journey. By automatically reviewing these data points, the ML solution can catch fraud and spot accounts that engage in fraudulent patterns even before they act.

Once an institution identifies the fraudulent actors, it can decide on actions to take to close accounts or suspend customers or allow them if they deem the transaction legitimate.

When considering real-time payments’ effect on this solution model, it becomes clear that speed is a necessity. DataVisor’s platform can detect fraudulent transactions in less than 200 milliseconds—leaving fraudsters with much less time to pull their schemes before they’ve been found.

Plus, capabilities like Decision Flow allow users to customize their own rule sets to preserve a smooth experience for good customers while offering best-in-class payment fraud prevention.

To learn more about how to prevent payment fraud and why DataVisor’s platform can do it for your organization, reserve time to speak with an expert from our team.