This blog first appeared on NAFCU’s website
More and more consumers are using payment apps like Venmo and Zelle to send money to friends and family. While allowing payments through these apps creates high value for your consumers, it has also opened up a new channel for fraud.
Financial institutions are reporting attacks where cybercriminals are draining accounts by gaining fraudulent access to their members' debit card or account numbers. These attacks primarily occur one of the following ways:
1. Consumers are scammed into sending criminals money directly through a payment app. The FTC's article on payment app scams has more information on how these consumer scams occur.
2. Criminals fraudulently enroll consumers into the payment app using the member's card number stolen from a data breach, e.g. the 2017 Equifax Breach.
3. Criminals call into the call center with account/card information stolen from a data breach, and request an account password reset alongside a request to change the account email and/or phone number. The fraudster then routes the password reset email/text to their own phone number/email address to access the account.
Keep your credit union protected from these crimes by adopting strong authentication and security layers.
Payment App Fraud Mitigation Practices
- Let employees know that these attacks are often being initiated through online password resets (often through the call center), so they can watch for suspicious behavior surrounding these requests.
- Do not immediately approve the following requests after an online password is reset:
  - Change of address
  - Change of telephone number
  - Change of email
- Set daily velocity limits: a max number of debit card transactions within a 24 hour timeframe.
- Set a max daily dollar limit for both ACH and debit card payment app authorizations.
- Monitor activity surrounding "money transfer" types of authorizations (merchant category code MCC 4829).
- Ensure payment app authorizations using debit card numbers (versus account numbers) are marked as "card-not-present" authorizations, so you can exercise chargeback rights under the card associations’ chargeback rules.
- Confirm in writing with your card processor what layers of card security are being used for the money transfer and payment app types of authorizations.
- Confirm your fraud monitoring system is capturing and flagging these kinds of card authorizations, so you can monitor and block subsequent suspicious activity.
- Find out from your vendors what layers of authentication and security are in place to help prevent fraud and data theft.
- Share information with members about how to prevent and report payment app scam attempts.
- Offer text alerts to members so they receive a notification of any new payment app transaction.
- Understand who is liable in the event of payment app fraud, so you can make decisions aligned with your credit union’s risk appetite.
- If your credit union decides to block these transactions, send a message to members that this decision has been made to protect their information and money from theft.
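Several of the practices above (holding contact changes after a password reset, a 24-hour velocity limit, a daily dollar cap, and flagging MCC 4829 authorizations that are not marked card-not-present) can be expressed as simple review rules. The following is an added illustration, not code from NAFCU or any vendor; the limit values, event field names and the 72-hour hold period are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MCC_MONEY_TRANSFER = "4829"
MAX_DAILY_COUNT = 5            # velocity limit: money-transfer card auths per 24h (assumed policy value)
MAX_DAILY_DOLLARS = 1000.00    # daily dollar cap on the same auths (assumed policy value)
PROFILE_CHANGE_HOLD = timedelta(hours=72)  # hold on contact changes after a password reset (assumed)

def review_events(events):
    """Return (event_index, reason) pairs for events the rules flag.
    events: dicts sorted by 'ts' with a 'type' of password_reset, profile_change or card_auth."""
    flags = []
    last_reset = {}               # account -> time of most recent password reset
    window = defaultdict(list)    # account -> [(ts, amount)] of MCC 4829 auths in the last 24h
    for i, ev in enumerate(events):
        acct, ts = ev["account"], ev["ts"]
        if ev["type"] == "password_reset":
            last_reset[acct] = ts
        elif ev["type"] == "profile_change":   # address, phone or email update
            if acct in last_reset and ts - last_reset[acct] <= PROFILE_CHANGE_HOLD:
                flags.append((i, f"{ev['field']} change within hold period after password reset"))
        elif ev["type"] == "card_auth" and ev["mcc"] == MCC_MONEY_TRANSFER:
            if not ev.get("card_not_present", False):
                flags.append((i, "money-transfer auth not marked card-not-present"))
            recent = [(t, a) for t, a in window[acct] if ts - t < timedelta(hours=24)]
            recent.append((ts, ev["amount"]))
            window[acct] = recent
            if len(recent) > MAX_DAILY_COUNT:
                flags.append((i, "velocity limit exceeded"))
            if sum(a for _, a in recent) > MAX_DAILY_DOLLARS:
                flags.append((i, "daily dollar limit exceeded"))
    return flags

T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample events, not real account data
    {"type": "password_reset", "account": "A1", "ts": T0},
    {"type": "profile_change", "account": "A1", "field": "email", "ts": T0 + timedelta(minutes=10)},
    {"type": "card_auth", "account": "A1", "mcc": "4829", "amount": 600.0, "card_not_present": True, "ts": T0 + timedelta(hours=1)},
    {"type": "card_auth", "account": "A1", "mcc": "4829", "amount": 500.0, "card_not_present": False, "ts": T0 + timedelta(hours=2)},
    {"type": "card_auth", "account": "A2", "mcc": "5411", "amount": 40.0, "card_not_present": False, "ts": T0 + timedelta(hours=3)},
]

if __name__ == "__main__":
    for idx, reason in review_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

On the sample data the email change ten minutes after the reset and the second money-transfer authorization (not marked card-not-present, and pushing the day's total over the cap) are flagged; the grocery purchase on the other account is ignored.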
Informing your employees and consumers about these crimes can have a big impact on loss prevention. Make sure to share the warning signs and prevention methods to keep your institution and accountholders protected.