Do You Have Strategies in Place to Prevent Payment App Fraud?
Produced by Ann Davidson, Vice President of Risk Consulting | March 24, 2020
This blog first appeared on NAFCU’s website
More and more consumers are using payment apps like Venmo and Zelle to send money to friends and family. While allowing payments through these apps creates high value for your consumers, it has also opened up a new channel for fraud.
Financial institutions are reporting attacks where cybercriminals are draining accounts by gaining fraudulent access to their members' debit card or account numbers. These attacks primarily occur in one of the following ways:
1. Consumers are scammed into sending criminals money directly through a payment app. The FTC has published an article with more information on how these consumer scams occur.
2. Criminals fraudulently enroll consumers into the payment app using the member's card number stolen from a data breach, e.g., the 2017 Equifax breach.
3. Criminals call into the call center with account/card information stolen from a data breach, and request an account password reset alongside a request to change the account email and/or phone number. The fraudster then routes the password reset email/text to their own phone number/email address to access the account.
Keep your credit union protected from these crimes by adopting strong authentication and security layers.
Payment App Fraud Mitigation Practices
- Let employees know that these attacks are often being initiated through online password resets (often through the call center), so they can watch for suspicious behavior surrounding these requests.
- Do not immediately approve the following requests after an online password is reset:
  - Change of address
  - Change of telephone number
  - Change of email
- Set daily velocity limits: a maximum number of debit card transactions within a 24-hour timeframe.
- Set a max daily dollar limit for both ACH and debit card payment app authorizations.
- Monitor activity surrounding "money transfer" types of authorizations (merchant category code, or MCC, 4829).
- Ensure payment app authorizations using debit card numbers (versus account numbers) are marked as "card-not-present" authorizations, so you can exercise chargeback rights under the card associations’ chargeback rules.
- Confirm in writing with your card processor what layers of card security are being used for the money transfer and payment app types of authorizations.
- Confirm your fraud monitoring system is capturing and flagging these kinds of card authorizations, so you can monitor and block subsequent suspicious activity.
- Find out from your vendors what layers of authentication and security are in place to help prevent fraud and data theft.
- Share information with members about how to prevent and report payment app scam attempts.
- Offer text alerts to members so they may receive notifications of any new payment app transaction.
- Understand who is liable in the event of payment app fraud, so you can make decisions aligned with your credit union’s risk appetite.
- If your credit union decides to block these transactions, send a message to members that this decision has been made to protect their information and money from theft.
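The velocity limit, daily dollar limit, MCC 4829 monitoring, and card-not-present practices above can be expressed as a rule check over authorization records. The following is an added example, not code from the original article or from any card processor; the record fields, the limit values, the sample data, and the use of MCC 4829 as the marker for payment app authorizations are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MONEY_TRANSFER_MCC = "4829"    # "money transfer" MCC named in the article
MAX_TXNS_PER_24H = 3           # assumed velocity limit; set per risk appetite
MAX_CENTS_PER_24H = 50_000     # assumed daily dollar limit ($500.00)
WINDOW = timedelta(hours=24)

def review_authorizations(auths):
    """Flag money-transfer auths that break a rule; returns [(id, [reasons])].
    Auth dict keys (hypothetical): id, card, ts, cents, mcc, card_present."""
    history = defaultdict(list)  # card -> money-transfer auths seen so far
    flagged = []
    for a in sorted(auths, key=lambda x: x["ts"]):
        if a["mcc"] != MONEY_TRANSFER_MCC:
            continue
        # Keep only this card's auths inside the rolling 24-hour window.
        recent = [p for p in history[a["card"]] if a["ts"] - p["ts"] < WINDOW]
        reasons = []
        if a["card_present"]:
            reasons.append("not marked card-not-present")
        if len(recent) + 1 > MAX_TXNS_PER_24H:
            reasons.append("velocity limit exceeded")
        if sum(p["cents"] for p in recent) + a["cents"] > MAX_CENTS_PER_24H:
            reasons.append("daily dollar limit exceeded")
        history[a["card"]] = recent + [a]  # counts toward window even if flagged
        if reasons:
            flagged.append((a["id"], reasons))
    return flagged

T0 = datetime(2020, 3, 24, 9, 0)  # constructed sample data, not real records
def auth(i, card, hours, cents, mcc="4829", present=False):
    return {"id": i, "card": card, "ts": T0 + timedelta(hours=hours),
            "cents": cents, "mcc": mcc, "card_present": present}

SAMPLE = [
    auth("a1", "card-A", 0, 10_000),
    auth("a2", "card-A", 1, 15_000),
    auth("a3", "card-A", 2, 20_000),
    auth("a4", "card-A", 3, 7_500),                # 4th in 24h, total $525
    auth("a5", "card-A", 30, 5_000),               # earlier auths have aged out
    auth("b1", "card-B", 0, 60_000),               # single auth over the cap
    auth("b2", "card-B", 1, 2_000, mcc="5411"),    # not a money transfer
    auth("c1", "card-C", 0, 1_000, present=True),  # mis-marked card-present
]

if __name__ == "__main__":
    for auth_id, reasons in review_authorizations(SAMPLE):
        print(auth_id, "->", "; ".join(reasons))
```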
Informing your employees and consumers about these crimes can have a big impact on loss prevention. Make sure to share the warning signs and prevention methods to keep your institution and accountholders protected.
About Allied Solutions
Allied Solutions, LLC is one of the largest providers of insurance, lending, and marketing products to financial institutions in the US. Allied Solutions uses technology-based products and services customized to meet the needs of 4,000 clients along with a portfolio of innovative products and services from a wide variety of providers. Allied Solutions maintains over 15 regional offices and service centers around the country and is a subsidiary of Securian Financial Group, Inc. Allied Solutions has tools and resources that can help you keep an eye on the potential areas of impact, protect against collateral losses, and stay on top of any new events, bulletins, and regulations as they happen.
Content in the blog posts are the opinion and views of the writer, and don't necessarily reflect the opinions or views of Allied Solutions.