Credit-push fraud is on the rise. Every participant in the payments ecosystem needs to know how to identify this crime and help stop it.
Credit-push fraud differs from traditional debit fraud, in which unauthorized payments are made from a bank account. In credit-push fraud, the criminal uses social engineering or phishing attacks to try to convince someone to send a payment to an account that the criminal controls. One example of this type of attack is business email compromise (BEC), in which a fraudster poses as a CEO or other executive of a company and sends an email to employees in finance, asking them to transfer money to a new or different account. A fraudster could also send emails to accounts payable departments with fake contractor invoices or changes to the destination account.
Another method of perpetrating credit-push fraud is payroll impersonation. Here a fraudster sends emails to the payroll department, claiming to be an employee who wants to switch the bank account their direct deposit goes to. The ultimate goal is to reroute that employee’s direct deposit to the fraudster’s account.
To learn more about the rise in credit-push fraud, PaymentsJournal sat down with Michael Herd, Senior Vice President of ACH Administration at Nacha, and Sarah Grotta, Director of Debit Advisory Service at Mercator Advisory Group.
Industry Education Needed
Nacha last month published a risk management framework for dealing with this issue. This fraud is broader than just ACH payments — encompassing wire payments, push-to-card payments, and payment apps. Nacha wanted to start an industry-wide conversation on the issue, said Herd.
“We thought there needed to be a comprehensive plan at the industry level to address this,” he added. “We wanted to call attention to this so industry professionals can identify and stop this fraud.”
Herd described the framework as merely a first step. It outlines the general problem and offers broad guidelines. It calls for more information sharing between financial institutions. And it calls for the receiving institution to take more of an active role in identifying potential fraud.
“Improved information sharing can counter fraud by improving awareness and understanding of fraud scenarios, enabling communication and recovery between parties regarding specific instances of fraud, and providing qualitative and quantitative data for organizations to use in benchmarking, pattern identification, and anomaly detection,” a portion of the framework reads.
Grotta noted that the release of the framework is timely. There are more digital transactions happening than ever, and thus, more fraud as well.
“This is an industry call to action, and I like the idea that the industry can come together and coalesce around best practices and create a thoughtful approach to stopping this fraud,” she said.
Difficult to Detect
This type of fraud can be difficult to detect. Often the payment is authorized by someone with legitimate access to the sending account who has been duped.
“The nature of this fraud, you have to remember, means they were authorized by a legitimate user,” said Grotta. “They were duped by criminals.”
Herd noted that the receiving institution, which is normally passive in these types of account-based transactions, can take on a much more active role in spotting fraud.
“The receiving institution may be in the best position to identify something irregular or suspicious,” Herd said.
Indeed, new risk management guidance for receiving institutions can address inbound transaction monitoring standards and sound business practices for controls on funds availability, including early access to funds, for potentially fraudulent transactions and accounts, Herd said.
Another issue is the often-siloed nature of financial institutions. Since many different units within an institution often act separately and don’t interact with one another, a person can overlook a potentially suspicious sign, or not share a key piece of information.
“Different payment types are also handled by different departments,” Herd continued. “There needs to be a cultural change around sharing information.”
The Importance of Being Proactive
Herd urged financial institutions to take proactive measures in upgrading how they identify and stop fraud rather than waiting until after they’ve become the victims of an attack. A key aspect of this for financial institutions is educating customers on how to spot these phishing attacks that target their employees.
“Make sure for your corporate customers you have a thorough and proactive customer fraud education program,” Herd said. “The AFP [Association for Financial Professionals] has come out and identified BEC as the single greatest threat to businesses in the payments space.”
Financial institutions, third parties, and other stakeholders can implement new and innovative customer education programs and provide fraud controls and prevention tools and services on an opt-out basis.
“Take action to avail yourselves of the fraud prevention tools that are out there,” Herd said of corporate payment system users. “Don’t wait until you are a victim; you can take action today.”
Doing so also means financial institutions can avoid uncomfortable conversations with business clients after the fact, in which they have to inform the customer that a fraudster tricked them into making a fraudulent payment.
“That’s not the kind of conversation you want to have with a customer,” Grotta said.
Download the NACHA report – A New Risk Management Framework for the Era of Credit-Push Fraud