Why P2P payments remain prone to social engineering fraud


The rapid transaction-settlement speed of Zelle that helped drive its adoption also helps scammers create a false sense of urgency to trick consumers into authorizing immediate payments.

“Through social engineering, consumers are being duped into sending money and authorizing those transactions and are now looking to be made whole for their mistake,” said Sarah Grotta, director of debit and alternative products advisory at Mercator Advisory Group.

Amid rising consumer complaints about these types of scams, several class actions recently filed against banks and Zelle's owner, Early Warning Services, are making their way through the courts against a backdrop of rising identity theft. 

Total losses from Zelle scams are difficult to assess because banks don't share that data. But about one in four consumers affected by account takeover fraud experienced a bogus P2P transfer, according to a recent Aite-Novarica report.

Banks say they aren't obligated to repay consumers caught in scams who knowingly authorize payments through Zelle or any other channel, though consumer advocates are pushing for Regulation E protections to cover P2P fraud.

“Financial institutions are not responsible if a consumer uses ACH or mails a check or gives cash to a criminal, and P2P apps should be no different,” Grotta said.

But as complaints — and lawsuits — mount, U.S. regulators could step in.

Two members of the U.S. Senate Banking Committee sent a letter in April to Early Warning and the banks that own it, seeking information about their plans to protect consumers from scams.

Zelle fraud was flagged as a top problem in the Consumer Financial Protection Bureau's technology industry inquiry late last year.

Shutting down Zelle scams across thousands of participating banks, where consumers unwittingly authorize payments to criminals who often pose as bank employees or romantic prospects, could be tough.

The U.K. has been grappling with P2P scams for years, and last month the British government said a law is forthcoming that will require banks to reimburse consumers for P2P scams, where losses total hundreds of millions of pounds per year. 

To be clear, U.S. banks are obligated to repay customers for fraud involving unauthorized Zelle transactions, such as account-takeover fraud where criminals send funds without the customer’s knowledge, Grotta said.

“Financial institutions are meeting their obligations under Regulation E for unauthorized transactions and providing financial recourse to customers, but authorized transactions are another matter,” Grotta said.

When consumers knowingly send funds to a person who is perpetrating fraud, financial institutions aren’t liable, and one reason is the difficulty in determining whether the Zelle user is a co-conspirator, as is often the case in so-called “friendly fraud,” according to Grotta.

Requiring banks, credit unions and fintechs to refund money in instances of authorized push payment (APP) fraud would likely be a significant setback for the convenience of P2P apps, where the main benefits are simplicity and speed, Grotta said.

Banks may opt to cap the value of funds consumers could send via Zelle to protect them from losing money in scams. Zelle scam victims documented in class actions that they lost thousands because Zelle is attached to a bank account, unlike Venmo and other P2P apps, where transactions are pulled from a stored balance. But users of those apps also are routinely victimized by scammers, according to fraud experts.

Early Warning has reported that Zelle’s fastest-growing use cases are for paying rent and other bills, so restricting transaction size or blocking larger transactions could interfere with that activity.

Forcing consumers to reconsider payments to unrecognized recipients by adding steps to the Zelle authorization process could be another protective layer. “But these are all commonly used tactics that some consumers just ignore and click through,” Grotta said.

Cryptocurrency transactions, whose benefit for recipients is their irreversibility, are also vulnerable to similar engineered scams, said Julie Conroy, head of risk insights and advisory at consulting firm Aite-Novarica.

“There are a number of ways that scammers are bilking consumers out of their money and crypto firms report this is a huge issue for them as well. Essentially, any payment mechanism that does not have the zero-liability protection of card rails has the same issue,” Conroy said.

One company claims that its “behavioral biometrics” technology is helping to block fraud via Zelle by detecting unusual activity when scammers are in the midst of tricking consumers.

BioCatch, founded in Israel in 2011, offers software that measures consumers’ online behavior and warns financial institutions of red flags signaling fraud in progress, according to Raj Dasgupta, the company’s head of fraud strategy for North America.

“We can see that the person logging into their Zelle account is the real account user, but they are behaving very differently than normal, hesitating, giving off telltale signs of a scam,” he said.

Examples include sending funds to a new recipient with unusual pauses in activity during the transaction, entering and deleting the amount or the recipient’s account information, Dasgupta said. BioCatch can also determine whether an Android phone user is talking on the phone [possibly to a fraudster] while using a P2P app, which is a clue to a scam.

“All of these things together elevate our risk assessment [of a P2P transaction] and we notify the bank of the risk in real time,” Dasgupta said, adding that several undisclosed U.S. banks are using BioCatch to help filter out P2P scams, among other types of fraud.

But Aite-Novarica’s Conroy is skeptical about the potential for third parties to anticipate a consumer’s vulnerability to a P2P scam.

“I don’t see physical biometrics as a solution to this, because the consumer is voluntarily initiating the transaction. This is what makes scams so hard to stop, since traditional fraud controls are intended to catch unauthorized transactions, not those that the consumer is willingly initiating,” Conroy said. 
