More consumers are turning to digital methods to pay friends and retailers during the global health crisis. Shoppers are looking to avoid exchanging cash and cards in person and are instead choosing contactless transactions or remote purchase options. This trend has created myriad opportunities for peer-to-peer (P2P) payment apps like Venmo and Zelle, which allow consumers to quickly, simply and digitally transfer funds to merchants and friends.
However, these app-based transactions must be adequately secured to enable consumers to take full advantage of their benefits. P2P payments providers have their work cut out for them in this regard as cybercriminals have ramped up their attacks during the pandemic. This month’s Deep Dive examines the fraud challenges that real-time P2P payment apps face and the strategies these services can use to mitigate such threats.
Shoppers are leaning more heavily on P2P apps during the pandemic, prompting fraudsters to do the same. The New York Times recently reported that, even as Venmo’s daily user count rose 26 percent over the past year, the number of customer reviews that included the words “fraud” or “scam” rose almost four times that rate. These two trends suggest that such payment services continue to draw attention from legitimate users and bad actors.
Many P2P app providers are thus highly concerned with finding ways to serve consumers while thwarting bad actors, but the security challenges present in these payment services are no small issue. More than 70 percent of U.S. adults in a recent survey said that they use such apps, partly because the apps allow them to send funds immediately, an appealing option compared to transactions that take several days to complete. However, these quick transfers give payments services providers smaller time frames during which they can review and stop the movement of funds if something is amiss. Scammers often seek to capitalize on real-time payment services’ irreversibility, typically by setting up P2P app accounts and tricking victims into sending funds that are impossible to reclaim. Consumers who use these apps to send money to people they do not know risk routing the funds to fraudsters.
Cybercriminals take advantage of consumers’ trust by soliciting funds under dishonest pretenses. Some pretend to be tax officials and insist that their targets must send funds via the apps, for example. Other scams occur when fraudsters post Craigslist ads claiming they are selling items and demanding upfront payment via P2P apps. They then abscond with the funds without delivering the goods. Consumers who fall prey to these schemes are unable to file chargebacks and receive refunds, unlike with credit cards. Many consumers do not know that they should avoid sending money to unfamiliar parties with the apps, and 47 percent of respondents in a 2019 survey said they had used P2P apps to send money to strangers in response to classified ads on Craigslist and other sites. Fifty-three percent reported using such apps to pay unknown sellers they met on bidding platforms like eBay.
P2P app providers are striving to get ahead of these problems by educating consumers about the risks involved in such transactions. Some apps now feature pop-up alerts that warn users of the risks they face when sending funds to recipients they do not know, for example. Other app providers have moved away from enabling one-click transactions and instead prompt users to review their payments before hitting send, giving customers time to examine their choices, check for errors and confirm the details.
Keeping fraudsters from using real-time payment services to con legitimate customers can entail preventing bad actors from entering the space in the first place. App providers must be able to detect when users might be leveraging false identities during onboarding. Scammers often try to create accounts using stolen credentials or synthetic IDs cobbled together using personally identifiable information lifted from multiple victims. Payments providers can lean on banking partners to vet customers while also boosting their efforts to catch bad actors who slip through by leveraging artificial intelligence (AI)-powered tools to detect abnormal user behaviors that could indicate fraud.
ATOs And How P2P Apps Can Fight Back
Real-time payments providers also need to safeguard honest customers from cybercriminals who might seize control of their accounts. Fraudsters who gain access to these accounts can steal the funds they store on the apps or siphon off money from any bank or card accounts linked to them. Some cybercriminals may try to leverage usernames and passwords stolen in data breaches or purchased on the dark web to log into customers’ apps. Others apply brute force techniques that rely on malicious bots to automatically plug various usernames and passwords into login screens and hope they hit the correct combinations.
However, P2P app providers are far from powerless when it comes to stopping account takeover (ATO) attacks. A simple first step is to encourage customers to use unique passwords when signing up, reducing the likelihood that their account details will be compromised should a different company fall victim to a data breach. A recent study found that only 37 percent of Canadian bank customers use different passwords for each of their accounts, with 22 percent recycling two to five passwords across various accounts. Reusing passwords is risky because hackers can use compromised login details from other breaches to access additional accounts. Therefore, app providers may need to put in dedicated effort to educate customers about the importance of changing their habits.
Payment companies can also monitor for sudden and rapid rises in unsuccessful login attempts, which could indicate that brute force attempts are underway. P2P app providers could even take security a step further and implement multifactor authentication (MFA) to ensure that stolen password and username combinations alone would not be enough to give criminals access to customers’ accounts. P2P apps that implement MFA require customers to present at least one additional layer of authentication to validate their identities.
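The failed-login monitoring described above can be sketched as follows. This is an added example, not code from the article or from any P2P provider; the event tuple layout, the sample events and the `factor` and `min_failures` thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (ISO timestamp, username, source IP, success flag).
def make_sample_events():
    events = []
    # Quiet baseline: one failed and one successful login per minute.
    for m in range(10):
        events.append((f"2024-01-01T10:{m:02d}:05", f"user{m}", "198.51.100.7", False))
        events.append((f"2024-01-01T10:{m:02d}:20", f"user{m}", "198.51.100.7", True))
    # Minute 10: 40 failures against one account (password guessing).
    for s in range(40):
        events.append((f"2024-01-01T10:10:{s:02d}", "alice", "203.0.113.9", False))
    # Minute 12: 40 failures spread over 40 accounts (reused breached logins).
    for s in range(40):
        events.append((f"2024-01-01T10:12:{s:02d}", f"victim{s}", "203.0.113.50", False))
    return events

def failed_login_spikes(events, factor=5, min_failures=20):
    """Return [(minute, failures, pattern)] for minutes whose failed-login
    count reaches min_failures and exceeds factor x the median minute."""
    per_minute = defaultdict(list)
    for ts, user, _ip, ok in events:
        if not ok:
            minute = datetime.fromisoformat(ts).replace(second=0)
            per_minute[minute].append(user)
    if not per_minute:
        return []
    # Baseline is the median over minutes that saw at least one failure.
    baseline = median(len(users) for users in per_minute.values())
    alerts = []
    for minute in sorted(per_minute):
        users = per_minute[minute]
        if len(users) >= min_failures and len(users) > factor * baseline:
            top_user, top_count = Counter(users).most_common(1)[0]
            # Failures concentrated on one account vs. spread over many.
            if top_count / len(users) >= 0.5:
                pattern = f"single-account guessing ({top_user})"
            else:
                pattern = f"many-account attempts ({len(set(users))} accounts)"
            alerts.append((minute.strftime("%H:%M"), len(users), pattern))
    return alerts

if __name__ == "__main__":
    for alert in failed_login_spikes(make_sample_events()):
        print(alert)
```

Separating the two patterns matters for response: failures concentrated on one account point to locking or stepping up authentication for that account, while failures spread across many accounts point to rate limiting the login endpoint and prompting password resets.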
Many consumers recognize that real-time P2P payments can remove frictions from their transaction experiences and make paying swift and easy. Enabling customers to enjoy the benefits of such offerings also requires app providers to ensure that security is top-notch. The right fraud-fighting approaches can help P2P payments providers keep transactions moving quickly while halting fraud.