Consumers flock to opportunities for instant gratification. They want their coffee orders ready when they arrive, their purchases delivered today, their movies to play the instant the mood strikes. So, naturally, they bring these same expectations to day-to-day financial transactions, such as sending money to friends on their smartphones — even at the cost of security, and at the risk of peer-to-peer (P2P) network fraud.

That demand has driven rapid global adoption of P2P payments. Almost 60 percent of U.S. consumers use P2P platforms, according to Mercator Advisory Group. In the U.S., payment volume through the third quarter of 2018 for market leaders Zelle and Venmo already exceeded last year’s totals, according to American Banker.

Unfortunately, P2P payment network fraud is popularizing right along with it, according to USA Today. But with a holistic, layered prevention and detection program, financial institutions can capture P2P payment market share while protecting themselves and their customers.

Accelerate growth and digital adoption with seamless identity trust

The Rapid Growth of Adoption Is Driving Fraud

Experts expect P2P payments to continue their frenetic growth, with even more providers likely to emerge. Unfortunately, like any new payment vehicle, fraudsters quickly hauled their efforts into finding and exploiting holes in P2P network defenses.

Many cybercriminals have succeeded because of the nature of P2P transactions. Since they are in near-real time, the opportunity to safeguard and verify the legitimacy of all parties to the transaction using legacy banking tools is severely limited. Banks vary widely in their P2P network fraud protection, with some moving ahead with very limited controls, according to the New York Times.

What Is P2P Network Fraud?

P2P payment fraud affects multiple victims and variations that financial institutions should understand when building protections against attacks. Consumers are often tripped up in P2P payments when they send funds to the wrong phone number or email or to someone who doesn’t hold up his or her end of a deal (scams). But one of the biggest sources of fraud is account takeover.

An account takeover is initiated when a victim with an account at Bank A has his or her personal or account credentials stolen through a previous data theft or phishing attack. The fraudster verifies that there is money in the account, then sends funds via P2P payment to a co-fraudster at Bank B, who withdraws the cash. The accomplice at Bank B might be part of the fraud ring, or perhaps her or she has been promised a share of the proceeds (scam). The fraudster may use a dormant (mule) account or set up a new account in the name of another identify theft victim to receive the funds.

Both Bank A and Bank B have some culpability for the loss. Right now in the U.S., the Electronic Fund Transfer Act (EFTA) requires Bank A to make the victim whole by restoring the funds. However, it’s likely that regulators will soon hold Bank B accountable for preventing this type of activity as well, placing greater emphasis on money mule detection in addition to account takeover detection.

How to Detect Account Takeover

The challenge for financial institutions is to keep P2P payments appealing and easy for the customer while ensuring that both the customer and the bank are protected from fraud. Global P2P payment momentum will only grow, so to participate, financial institutions will need a holistic, multilayered security approach to detect and prevent fraudulent transactions.

A key piece involves detecting questionable behaviors on the part of any party to the transaction — for example:

  • A dormant account suddenly moving cash in and out;
  • An unusually high dollar amount sent to a new recipient; or
  • A change in contact number or method, quickly followed by a new device accessing the account and then a P2P payment to a new payee.

Detecting those behaviors requires active monitoring via a digital fraud detection tool that spots mobile and online activity outside the norm for a user, such as a new device, location, transaction size or login pattern.

These work by tapping both internal and external data, such as the customer’s cell carrier — how long has the victim had this device and mobile number? Email is another resource — is this email address suddenly sending or receiving a lot of P2P payments? Examining transaction patterns, such as a low dollar amount followed by a high dollar transaction, adds to the picture.

Balancing Speed and Protection

A holistic view is key; any one action might be normal, but as part of a series of activities can reveal a suspicious pattern. A well-designed fraud detection engine profiles the behavior of any entity and delivers best-fit analytics to quickly screen for suspicious patterns — all while enabling legitimate transactions to flow rapidly and smoothly.

Advanced capabilities such as artificial intelligence (AI) and machine learning mean these solutions learn as they go, augmenting monetary and nonmonetary data to discover new patterns and apply that learning to future transactions. This complements the fraud detection methodologies that financial institutions must undertake to advance security across their risk tools, all in an effort to reduce customer friction and increase product adoption.

Putting this holistic, multilayer detection and fraud prevention layer in place is critical as P2P payments move beyond friends and family into their transactions with businesses, like landscapers and childcare. It starts with a well-rounded risk evaluation, ensuring layered controls are implemented all the way from customer login through to transaction fulfillment.

When financial institutions fills in those gaps with a multilayered solution, they enable P2P payments to flow in a way that balances risk mitigation with a fast, easy experience for customers — an invaluable arrangement for all parties involved.

Accelerate growth and digital adoption with seamless identity trust

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today