Consumers flock to opportunities for instant gratification. They want their coffee orders ready when they arrive, their purchases delivered today, their movies to play the instant the mood strikes. So, naturally, they bring these same expectations to day-to-day financial transactions, such as sending money to friends on their smartphones — even at the cost of security, and at the risk of peer-to-peer (P2P) network fraud.

That demand has driven rapid global adoption of P2P payments. Almost 60 percent of U.S. consumers use P2P platforms, according to Mercator Advisory Group. In the U.S., payment volume through the third quarter of 2018 for market leaders Zelle and Venmo already exceeded last year’s totals, according to American Banker.

Unfortunately, P2P payment network fraud is popularizing right along with it, according to USA Today. But with a holistic, layered prevention and detection program, financial institutions can capture P2P payment market share while protecting themselves and their customers.

Accelerate growth and digital adoption with seamless identity trust

The Rapid Growth of Adoption Is Driving Fraud

Experts expect P2P payments to continue their frenetic growth, with even more providers likely to emerge. Unfortunately, like any new payment vehicle, fraudsters quickly hauled their efforts into finding and exploiting holes in P2P network defenses.

Many cybercriminals have succeeded because of the nature of P2P transactions. Since they are in near-real time, the opportunity to safeguard and verify the legitimacy of all parties to the transaction using legacy banking tools is severely limited. Banks vary widely in their P2P network fraud protection, with some moving ahead with very limited controls, according to the New York Times.

What Is P2P Network Fraud?

P2P payment fraud affects multiple victims and variations that financial institutions should understand when building protections against attacks. Consumers are often tripped up in P2P payments when they send funds to the wrong phone number or email or to someone who doesn’t hold up his or her end of a deal (scams). But one of the biggest sources of fraud is account takeover.

An account takeover is initiated when a victim with an account at Bank A has his or her personal or account credentials stolen through a previous data theft or phishing attack. The fraudster verifies that there is money in the account, then sends funds via P2P payment to a co-fraudster at Bank B, who withdraws the cash. The accomplice at Bank B might be part of the fraud ring, or perhaps her or she has been promised a share of the proceeds (scam). The fraudster may use a dormant (mule) account or set up a new account in the name of another identify theft victim to receive the funds.

Both Bank A and Bank B have some culpability for the loss. Right now in the U.S., the Electronic Fund Transfer Act (EFTA) requires Bank A to make the victim whole by restoring the funds. However, it’s likely that regulators will soon hold Bank B accountable for preventing this type of activity as well, placing greater emphasis on money mule detection in addition to account takeover detection.

How to Detect Account Takeover

The challenge for financial institutions is to keep P2P payments appealing and easy for the customer while ensuring that both the customer and the bank are protected from fraud. Global P2P payment momentum will only grow, so to participate, financial institutions will need a holistic, multilayered security approach to detect and prevent fraudulent transactions.

A key piece involves detecting questionable behaviors on the part of any party to the transaction — for example:

  • A dormant account suddenly moving cash in and out;
  • An unusually high dollar amount sent to a new recipient; or
  • A change in contact number or method, quickly followed by a new device accessing the account and then a P2P payment to a new payee.

Detecting those behaviors requires active monitoring via a digital fraud detection tool that spots mobile and online activity outside the norm for a user, such as a new device, location, transaction size or login pattern.

These work by tapping both internal and external data, such as the customer’s cell carrier — how long has the victim had this device and mobile number? Email is another resource — is this email address suddenly sending or receiving a lot of P2P payments? Examining transaction patterns, such as a low dollar amount followed by a high dollar transaction, adds to the picture.

Balancing Speed and Protection

A holistic view is key; any one action might be normal, but as part of a series of activities can reveal a suspicious pattern. A well-designed fraud detection engine profiles the behavior of any entity and delivers best-fit analytics to quickly screen for suspicious patterns — all while enabling legitimate transactions to flow rapidly and smoothly.

Advanced capabilities such as artificial intelligence (AI) and machine learning mean these solutions learn as they go, augmenting monetary and nonmonetary data to discover new patterns and apply that learning to future transactions. This complements the fraud detection methodologies that financial institutions must undertake to advance security across their risk tools, all in an effort to reduce customer friction and increase product adoption.

Putting this holistic, multilayer detection and fraud prevention layer in place is critical as P2P payments move beyond friends and family into their transactions with businesses, like landscapers and childcare. It starts with a well-rounded risk evaluation, ensuring layered controls are implemented all the way from customer login through to transaction fulfillment.

When financial institutions fills in those gaps with a multilayered solution, they enable P2P payments to flow in a way that balances risk mitigation with a fast, easy experience for customers — an invaluable arrangement for all parties involved.

Accelerate growth and digital adoption with seamless identity trust

More from Banking & Finance

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today