Consumers flock to opportunities for instant gratification. They want their coffee orders ready when they arrive, their purchases delivered today, their movies to play the instant the mood strikes. So, naturally, they bring these same expectations to day-to-day financial transactions, such as sending money to friends on their smartphones — even at the cost of security, and at the risk of peer-to-peer (P2P) network fraud.

That demand has driven rapid global adoption of P2P payments. Almost 60 percent of U.S. consumers use P2P platforms, according to Mercator Advisory Group. In the U.S., payment volume through the third quarter of 2018 for market leaders Zelle and Venmo already exceeded last year’s totals, according to American Banker.

Unfortunately, P2P payment network fraud is popularizing right along with it, according to USA Today. But with a holistic, layered prevention and detection program, financial institutions can capture P2P payment market share while protecting themselves and their customers.

Accelerate growth and digital adoption with seamless identity trust

The Rapid Growth of Adoption Is Driving Fraud

Experts expect P2P payments to continue their frenetic growth, with even more providers likely to emerge. Unfortunately, like any new payment vehicle, fraudsters quickly hauled their efforts into finding and exploiting holes in P2P network defenses.

Many cybercriminals have succeeded because of the nature of P2P transactions. Since they are in near-real time, the opportunity to safeguard and verify the legitimacy of all parties to the transaction using legacy banking tools is severely limited. Banks vary widely in their P2P network fraud protection, with some moving ahead with very limited controls, according to the New York Times.

What Is P2P Network Fraud?

P2P payment fraud affects multiple victims and variations that financial institutions should understand when building protections against attacks. Consumers are often tripped up in P2P payments when they send funds to the wrong phone number or email or to someone who doesn’t hold up his or her end of a deal (scams). But one of the biggest sources of fraud is account takeover.

An account takeover is initiated when a victim with an account at Bank A has his or her personal or account credentials stolen through a previous data theft or phishing attack. The fraudster verifies that there is money in the account, then sends funds via P2P payment to a co-fraudster at Bank B, who withdraws the cash. The accomplice at Bank B might be part of the fraud ring, or perhaps her or she has been promised a share of the proceeds (scam). The fraudster may use a dormant (mule) account or set up a new account in the name of another identify theft victim to receive the funds.

Both Bank A and Bank B have some culpability for the loss. Right now in the U.S., the Electronic Fund Transfer Act (EFTA) requires Bank A to make the victim whole by restoring the funds. However, it’s likely that regulators will soon hold Bank B accountable for preventing this type of activity as well, placing greater emphasis on money mule detection in addition to account takeover detection.

How to Detect Account Takeover

The challenge for financial institutions is to keep P2P payments appealing and easy for the customer while ensuring that both the customer and the bank are protected from fraud. Global P2P payment momentum will only grow, so to participate, financial institutions will need a holistic, multilayered security approach to detect and prevent fraudulent transactions.

A key piece involves detecting questionable behaviors on the part of any party to the transaction — for example:

  • A dormant account suddenly moving cash in and out;
  • An unusually high dollar amount sent to a new recipient; or
  • A change in contact number or method, quickly followed by a new device accessing the account and then a P2P payment to a new payee.

Detecting those behaviors requires active monitoring via a digital fraud detection tool that spots mobile and online activity outside the norm for a user, such as a new device, location, transaction size or login pattern.

These work by tapping both internal and external data, such as the customer’s cell carrier — how long has the victim had this device and mobile number? Email is another resource — is this email address suddenly sending or receiving a lot of P2P payments? Examining transaction patterns, such as a low dollar amount followed by a high dollar transaction, adds to the picture.

Balancing Speed and Protection

A holistic view is key; any one action might be normal, but as part of a series of activities can reveal a suspicious pattern. A well-designed fraud detection engine profiles the behavior of any entity and delivers best-fit analytics to quickly screen for suspicious patterns — all while enabling legitimate transactions to flow rapidly and smoothly.

Advanced capabilities such as artificial intelligence (AI) and machine learning mean these solutions learn as they go, augmenting monetary and nonmonetary data to discover new patterns and apply that learning to future transactions. This complements the fraud detection methodologies that financial institutions must undertake to advance security across their risk tools, all in an effort to reduce customer friction and increase product adoption.

Putting this holistic, multilayer detection and fraud prevention layer in place is critical as P2P payments move beyond friends and family into their transactions with businesses, like landscapers and childcare. It starts with a well-rounded risk evaluation, ensuring layered controls are implemented all the way from customer login through to transaction fulfillment.

When financial institutions fills in those gaps with a multilayered solution, they enable P2P payments to flow in a way that balances risk mitigation with a fast, easy experience for customers — an invaluable arrangement for all parties involved.

Accelerate growth and digital adoption with seamless identity trust

More from Banking & Finance

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today