A new type of transaction risk is being reported by financial institutions that are experiencing losses from P2P bill pay attacks.
Financial institution employees and accountholders should be extra cautious of this increased transaction risk, especially when someone signs into online banking and creates a P2P bill pay type of transaction. Adopt fraud monitoring tools to help identify account takeovers where the fraudster has obtained your consumers' banking credentials through phishing, malware or keylogging.
What is P2P Bill Pay Fraud?
This scam uses an ACH Credit to make a Person-to-Person (also known as P2P) transfer through bill pay rather than online banking. Fraudsters generate an ACH Credit from your accountholder’s account to another person’s account at another financial institution using the P2P bill pay option. This fraud occurs when authentication layers on P2P bill payment authorizations (namely those involving ACH Credits) are missing or weak. To prevent this crime, financial institutions should make sure outgoing ACH Credits, especially those in the online or mobile environment, are properly authenticated prior to releasing the ACH Credit (funds) to the Receiving Depository Financial Institution (RDFI).
There are several things financial institutions can do to educate their employees and members.
Contact your Bill Payment Vendor to Find Out if you Offer P2P for Consumer or Business Members.
If you do not offer P2P, make sure you confirm you have blocked this type of capability under your bill payment offerings. If you do offer P2P payments in your bill payment platform, be sure to confirm with your vendor what authentication methods are required of the person or business account requesting the P2P bill payment. This helps protect your funds from any fraudulent transactions.
Educate your employees not to provide hints or accountholder information to a caller, and not to respond to an email or text, without first verifying that it is the accountholder. Confirm layers of authentication are being used for any online account opening requests to prevent the fraudster from getting into your current accountholders' online banking and bill pay. A fraud monitoring tool is critical to help detect suspicious bill pay transmissions.
Some suggestions include:
- Set daily dollar limits for bill pay and transaction limits. This is key to limit your risk exposure.
- Never rely on a single authentication layer. Multiple authentication layers are critical.
- Work with your ACH association to help identify the P2P bill pay risk exposure.
5 Questions to ask to help stay protected.
- Do you know if your bill pay vendor allows Person-to-Person (P2P) transmissions?
- If you offer P2P bill pay, do you have daily dollar limits and transaction limits in place?
- Are you performing micro/mini deposit authentication prior to a P2P bill pay going out to the other party?
- Are you authenticating the ACH credit with your accountholder prior to the release of the ACH credit?
- Are you able to “turn off” P2P bill pay with your bill pay vendor?
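The controls in the suggestions and questions above, expressed as a pre-release check on an outgoing P2P bill pay ACH credit. This is an added example, not code from the original article or from any bill pay vendor; the limits, field names and function name are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical policy values; real limits come from the institution's risk policy.
DAILY_DOLLAR_LIMIT = Decimal("1000.00")
DAILY_TXN_LIMIT = 3

@dataclass
class P2PRequest:
    account: str
    payee: str
    amount: Decimal
    payee_micro_deposit_verified: bool  # payee account confirmed by micro/mini deposit
    step_up_auth_passed: bool           # ACH credit confirmed with the accountholder

def release_decision(req, released_today, p2p_enabled=True):
    """Decide whether an ACH credit may be released to the RDFI.

    released_today: amounts already released today from req.account.
    Returns (release, reasons); any failed control holds the payment.
    """
    if not p2p_enabled:  # the "turn off" switch overrides everything else
        return False, ["P2P bill pay is turned off"]
    reasons = []
    if req.amount <= 0:
        reasons.append("invalid amount")
    if len(released_today) + 1 > DAILY_TXN_LIMIT:
        reasons.append("daily transaction limit exceeded")
    if sum(released_today, Decimal("0")) + req.amount > DAILY_DOLLAR_LIMIT:
        reasons.append("daily dollar limit exceeded")
    if not req.payee_micro_deposit_verified:
        reasons.append("payee not verified by micro-deposit")
    if not req.step_up_auth_passed:
        reasons.append("ACH credit not authenticated with accountholder")
    return (not reasons), reasons

# Constructed sample requests (not real account data).
NORMAL = P2PRequest("acct-1", "payee-1", Decimal("200.00"), True, True)
TAKEOVER = P2PRequest("acct-1", "payee-9", Decimal("900.00"), False, False)

if __name__ == "__main__":
    prior = [Decimal("300.00")]
    for request in (NORMAL, TAKEOVER):
        print(request.payee, release_decision(request, prior))
```

Logging in with a stolen password satisfies none of these checks, so a held payment and its reasons are also a useful signal for the fraud monitoring tool.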
Keep Educating your Accountholders.
Share practical scam prevention tips with your accountholders to help them protect their information from a phishing attack! Reiterate the importance of never giving out any personal or financial information and of keeping their information password-protected at all times. Scammers will use email, phone calls, or text messaging to try to collect enough information to get into an accountholder's online account. In some cases, this can even include pretending to be your financial institution with the claim that they need information to combat fraud! Encourage accountholders to call you back to verify fraud on their account and to not provide any personal/financial information in the call, email or text. They should also not click on or open an attachment that they didn’t request.
P2P bill pay fraud is a growing concern, and it’s important to recognize what it is, understand how it can affect your business, and educate your employees and accountholders to keep them protected!