6 minutes
Person-to-person payment platforms are popular with consumers and scammers alike. What measures can credit unions implement to help protect themselves and their members?
Sponsored by TruStageTM
As consumers have grown increasingly comfortable with online banking, the use of person-to-person (P2P) payment platforms has also expanded. Although these platforms offer consumers a highly convenient way to pay, they also make them—along with credit unions—more vulnerable to fraudsters. In fact, whether in real-time or not, P2P scams are responsible for the bulk of online account takeovers.
P2P scams burst onto the scene in 2019 and not long after, credit unions began reporting extremely large losses to TruStage, at present ranging from tens of thousands up to several millions of dollars over that timeframe. And these losses are only expected to escalate. What makes P2P scammers so scary (and effective) is they’re able to target large numbers of credit union members, not just in a single day but over multiple consecutive days, causing significant damage.
The trend has scammers launching their attacks shortly after the credit union introduces the P2P product to the membership. In some cases, the scammers launched their attack in the same week the credit union introduced the P2P product to members.
The more popular P2P payments have become, the more scammers they attract. A big reason is taking over an account doesn’t require the fraudsters to have strong technical skills. Instead, relying on social engineering tactics they all too easily obtain the necessary information from credit union members that enable them to launch an invasion.
The fraudsters use common channels—text, email, even phone calls—for the bulk of their takeovers, scamming consumers into providing financial information by, for example, impersonating a “credit union employee” who is supposedly reaching out to alert the member about a “problem” with their account or a suspicious transaction, with the intent of obtaining login and authentication information.
How Does This Work?
This member account information isn’t being obtained by hacking into credit union systems. Instead, the fraudsters, ever resourceful, are accessing member data on the dark web, mining it for information to help them perpetrate their scams.
Once in hand, the scammers send a text alert to members warning of suspicious activity on their accounts and calling those who respond to that text. They spoof the phone number, making it seem as if it was coming from the actual credit union. The member, believing this is the case and under pressure from the scammer, ends up providing their login information (username and two-factor authentication passcodes). The fraudster uses the member’s username with the “forgot password” feature to reset the password. This triggers a two-factor authentication passcode sending it to the member, but the member is conned into providing the passcode to the fraudster. The fraudsters use the passcodes to reset passwords and then immediately start transferring money out of the accounts, sending it to money mules who assist in laundering the stolen funds.
In another version of the scam, fraudsters send the credit union members a text or email saying their accounts have been frozen. These “alerts” contain a link to a website, made to appear as if it’s the credit union’s actual online banking login page, and in this way, members also provide all the necessary login information.
Although real-time person-to-person payment platforms are especially attractive to scammers, these tactics are also being successfully used against credit unions that don’t offer real-time payments.
What Can Be Done?
A best practice is to launch an educational campaign warning members of the scam prior to introducing the P2P payment product. Along with putting articles up on your website and sending email warnings, credit unions should also include this information in newsletters, even doing a special mailing providing all the details about the scam.
However, what we in risk management are finding is educational campaigns aren’t immediately effective at mitigating fraud losses during an active attack. This is because when a credit union is in the midst of being slammed with this scam, with multiple members being targeted daily, preventing additional losses depends on members actually reading and reacting to the notices in a timely manner. Even so, it’s essential for credit unions to warn their members, not only to hopefully prevent additional victims and losses but to also help preserve the organization’s reputation.
At the same time, there are best practices that we at TruStage do recommend credit unions can proactively put into place to lower their risk, such as:
- Starting smaller. Credit unions considering adding a real-time P2P payment product should launch with lower daily limits in order to keep initial losses smaller, since fraudsters tend to swoop in shortly thereafter, hitting hard. Credit unions can always raise the limits, particularly since it’s much easier to raise daily limits than to lower them. (This advice also applies to payment platforms that are not in real-time.)
- Cautioning members. When publicizing a person-to-person platform, the marketing material should advise members that it should only be used to pay friends and family.
- Keeping it personal. Another important risk-management practice is requiring members who want to use P2P to either request it at the branch or through the call center (but only after authentication). In other words, don’t automatically activate this kind of payment type on a member’s account unless it is requested.
- Forgot my password. Don’t allow members to use the forgot password feature using devices not recognized by the host system. Targeting the forgot password feature is the focal point of the scam.
- Suspicious P2P transfers. Block or delay P2P transfers that occur immediately following a password reset so the transaction can be confirmed with the member.
As for online banking itself, credit unions should ensure they have strong, online banking layered security controls. At a minimum, TruStage recommends two-layered controls. For example, credit unions could deploy a more secure form of two-factor authentication, such as a token that generates a passcode instead of generating this themselves and then sending that passcode through text or email.
The second recommendation is to deploy a real-time fraud monitoring solution that leverages artificial intelligence and machine learning. Such solutions will allow credit unions to analyze massive amounts of data, uncovering behaviors and identifying patterns that indicate fraudulent activity.
Finally, don’t limit member education to just the P2P scams. Instead, credit unions should strive to regularly educate members on the various scams fraudsters use in their efforts to get login credentials and other confidential information such as credit/debit card details.
Ken Otsuka, CPA is senior consultant/risk & compliance solutions, has spent over 32 years at TruStage™, specializing in risk management and those risks associated with payments, deposits, funds transfer/ACH and fraud. He is a frequent contributor to our TruStage RISK Alerts and speaks on risk management at conferences and industry events throughout the U.S.
The views expressed here are those of the author(s) and do not necessarily represent the views of TruStage.