Fraud Update: Person to Person Payments

By Bob Michaud, Chief Security Officer

Person to Person (P2P) payments have been a game changer for the industry. Unfortunately, that’s true for account holders and fraudsters alike. While financial institutions (FIs) have been feverish to offer P2P services, scammers have been equally excited to cash in on opportunities for fraud. Consider the following insights into how cybercriminals take advantage of the opportunities presented by P2P solutions—and ways your FI can defend itself.

The anatomy of a P2P Scam

Scammers love to exploit P2P for two key reasons—speed and anonymity. So how do they typically pull it off? It’s important to know these scammers have a tremendous amount of readily available data about the user they are attacking. To make things worse, it’s unclear where scammers obtain data; despite extensive research a common source has not been identified. Nevertheless, they’re equipped with details like contact info, debit card number, and expiration date, and they exploit this data in the following way.

1. Scammers pose as FI employees. With the data they have collected, scammers will call account holders and pretend to be from an FI’s risk mitigation team. They use the breadth of the user data on hand to gain their trust and position themselves as a legitimate employee of the FI. They will also spoof the FI’s phone number, further validating their fraudulent claims.
2. Scammers give false story about fraudulent activity. With the account holder on the phone, the scammer sets up a scenario in which they claim to be calling to help stop an unauthorized transaction from completing. They will ask if a suspicious transaction is legitimate (clearly it isn’t since it was just a fabrication by the scammer). The user confirms the transaction is not legitimate, playing directly into the scammer’s hand; the user is ready to help “defend” their account.
3. Scammer asks to “validate identity”. The scammer is now working to gain access to the user’s online banking account, and a strategy involving forgotten passwords is their favored method for entry. The scammer tells the user they are about to send them a code to “validate their identity,” and they’ll need to repeat it for the scammer.
4. User gives access to scammer with code and login. This code, in conjunction with the user’s login ID (which the scammer already has), gives the cybercriminal access to the account through the forgotten password process.
5. Scammer gathers more data. With access granted, the scammer is ready to extract funds. This is where P2P comes into play. The scammer can then register for that service, and initiate transactions. If additional data points are required for the service, the scammer simply continues the ruse, asking the user for remaining information that might be needed to complete the transaction, such as PINs or tokens.
6. Scammer extracts money from user. Finally, the damage is done. The unwitting account holder believes they were assisted by an FI representative who was helping to defend their account from a fraudulent transaction. That is, until the next time they check their account balance.

Educating account holders

All too often, the user is the weakest link in the security chain. Fortunately, fraud doesn’t have to be a losing battle. There are steps FIs can take to drive awareness of the attack scenario and limit exposure and potential for abuse.

• Use “trusted” devices for forgotten password access.
  
  With Forgotten Password being the preferred channel for gaining access, I recommend limiting access to that tool from registered (trusted) devices only. Removing this avenue will force the scammer to the normal login path which requires them to extract the user’s password. Encouragingly, account holders tend to be more protective of their passwords.
• Never share your secure access codes over phone or text. Scammers may ask a user to share their secure access code (SAC) upon generation. Make sure that messaging accompanying SAC clearly states that users should never share their SAC and that your FI will never ask them to share it via phone or text message, as some varieties of this scam may involve texting the user for the data.
• Consider making P2P access available by request only. While making P2P broadly available is an attractive proposition, it only makes sense to set some guidelines and expectations with users before they’re granted access.
• Send security alerts when “Forgotten Password” attempts are made. Consider enabling (or even forcing) security alerts that can let users know when a “Forgotten Password” attempt has been initiated. Sounding that alarm can help alert users that something suspicious is taking place.

Ultimately, the most important thing to do is to make account holders aware of the type of fraud occurring and the nature of the attack. It is essential that users understand FIs won’t use SACs for authentication via phone or text; their only purpose is to authenticate Online Banking sessions.

Responding to attacks

Unfortunately, if you’re unable to prevent an attack, consider the following recommendations for minimizing the impact of the event.

• Maintain conservative transaction limits. Set limits at multiple levels, per transaction, per day, and per month. The average P2P transaction dollar amount is $276. The intent of P2P was never to replace wires, but to facilitate smaller dollar amounts with great speed and efficiency.
• Be vigilant in monitoring P2P. Look for concentrations of payments to individual recipients.
• Know what to do if suspect foul play. Know what tools you have available to restrict delivery to recipients if you suspect foul play. Know how to block email addresses or phone numbers and prevent scammers from receiving additional payments.

P2P is a powerful tool in modern banking, but social engineering is designed to exploit unsuspecting account holders. Making users mindful of potential schemes is a strong first step in avoiding fraud. Should that first line of defense fail, providing additional layers of security – like the ones mentioned above – is crucial.