Instant Payments Fraud

Wespay’s Instant Payments Brief is a series of short articles designed to help members understand the key concepts of the next generation of payment services.

The qualities that attract senders and receivers to Instant Payments (24x7x365 availability, clearing speed, and finality of settlement) are the same features that make Instant Payments an attractive target for fraudsters to exploit.

Because Instant Payments are always credit-push transactions, fraudsters will attack the sending side of the payment, attempting to have Instant Payments routed to accounts that the fraudster controls in some fashion. The Federal Reserve’s FraudClassifier Model™ can help to highlight the two main types of fraud associated with Instant Payments: authorized party manipulation and unauthorized party account takeover (see diagram below).

Authorized Party Manipulation Fraud

This type of fraud involves an account holder being tricked or manipulated into sending a payment to a fraudster. The payment itself is authorized by the sender, but the underlying reason for the sender to make the payment is fraudulent. This type of fraud is frequently carried out through social engineering, such as romance scams or the “buy a puppy” scam.

Unauthorized Party Account Takeover Fraud

In this type of fraud, the fraudster obtains access to the sender’s account, typically because a customer’s online banking credentials or mobile app have been compromised, and is then able to transmit Instant Payments to another account owned by the fraudster.

Preventative vs. Detective Controls

Preventative controls are designed to stop fraud from occurring, while detective controls detect the fraud and notify the FI after it has occurred. Because of the speed of Instant Payments and the requirement that the payee receives immediate access to the funds, Instant Payment-sending FIs can employ a combination of preventative and detective controls to minimize the occurrence of authorized party and unauthorized party fraud.

Typical fraud preventative controls include establishing dollar limits for outbound transfers, preventing new accountholders from making transfers for the first 30 to 60 days, or requiring a customer to validate via a secondary channel any Instant Payment instructions or any additions or changes to their authorized payees.

Monitoring tools that identify anomalous transactions can be preventative or detective, depending upon the level of friction the FI wishes to impose upon its customers, and can be customized by the risk profile of each customer. Of course, for FIs to use monitoring tools as a preventative measure, they will need to ensure their fraud detection capabilities are real-time capable.
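The sketch below is an added example, not Wespay's or any vendor's code. It combines the preventative controls listed above (dollar limits, a new-account hold, secondary-channel validation of payees) with a monitoring score that acts as either a preventative or a detective control per customer risk profile. All field names, limits and the score threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

@dataclass
class RiskProfile:                     # per-customer settings; values are assumptions
    per_payment_limit: Decimal
    daily_limit: Decimal
    new_account_hold_days: int = 30    # the article cites 30 to 60 days
    anomaly_threshold: float = 0.8     # hypothetical score cut-off
    monitor_preventative: bool = True  # False = detective use: alert only

@dataclass
class Payment:
    amount: Decimal
    account_opened: datetime
    sent_today: Decimal                # outbound total already released today
    payee_confirmed_oob: bool          # payee add/change validated on a secondary channel
    anomaly_score: float               # 0..1, supplied by a monitoring tool (assumed)

def screen(p: Payment, prof: RiskProfile, now: datetime):
    """Decide before release, because an Instant Payment is irrevocable.
    Returns (decision, reasons) with decision in ALLOW / STEP_UP / BLOCK."""
    block, step_up, alerts = [], [], []
    if now - p.account_opened < timedelta(days=prof.new_account_hold_days):
        block.append("new_account_hold")
    if p.amount > prof.per_payment_limit:
        block.append("per_payment_limit")
    if p.sent_today + p.amount > prof.daily_limit:
        block.append("daily_limit")
    if not p.payee_confirmed_oob:
        step_up.append("payee_not_confirmed")
    if p.anomaly_score >= prof.anomaly_threshold:
        # Preventative use adds friction now; detective use only raises an alert.
        (step_up if prof.monitor_preventative else alerts).append("anomalous")
    decision = "BLOCK" if block else "STEP_UP" if step_up else "ALLOW"
    return decision, block + step_up + alerts

# Constructed sample data, not real transactions.
NOW = datetime(2024, 6, 1, 3, 0)       # 03:00 on a Saturday: the rail runs 24x7x365
ESTABLISHED = datetime(2020, 1, 1)
RETAIL = RiskProfile(Decimal("1000"), Decimal("2500"))

if __name__ == "__main__":
    takeover_like = Payment(Decimal("900"), ESTABLISHED, Decimal("0"), False, 0.9)
    print(screen(takeover_like, RETAIL, NOW))
```

A STEP_UP result maps to the secondary-channel validation described above; in detective mode the same anomaly is released and only recorded for review.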

For authorized party fraud, one of the best preventative measures is customer education. Encouraging customers to take responsibility for protecting their account information and to understand how to identify fraud schemes remains one of the best methods for keeping them safe. All FIs should have a program to regularly educate their businesses and consumers that Instant Payments are irrevocable and should never be sent to a recipient that the sender does not know.