Authorized Push Payment Fraud: What Merchants Need to Know
New technologies present new opportunities for you to reach customers and conduct transactions. So-called "push" payments, or buyer-initiated purchases, are one example. Of course, whenever new technologies and payment options hit the market, fraudsters are always quick to find new ways to take advantage of the situation.
In this post, we'll explain a bit about push payments and how fraudsters are abusing them. We'll also provide some tactics merchants (and cardholders) can use to protect themselves from this emerging threat.
Push Payments: Explained
In a traditional payment card transaction, a cardholder authorizes a payment, which is then submitted to the issuer for clearing. In the PSD2 language published back in 2018, this was described as a pull payment model. As a merchant, you submit a request to “pull” money from the cardholder’s account.
That’s the way it worked for many years. Now, though, we’re seeing new and more innovative ways for consumers to pay.
Push payments let you provide invoices to buyers. You can also submit payment requests through P2P apps like Venmo or CashApp. Buyers can then initiate payments themselves; they don’t need to wait for you to batch and submit transactions for settlement.
Pull payment flow:
- Merchant requests payment from buyer.
- Buyer authorizes payment, and merchant submits payment for clearing.
- Issuer releases funds to cover authorized amount.
- Merchant acquirer receives funds.
Push payment flow:
- Merchant provides a request for payment to buyer.
- Buyer initiates payment to merchant.
- Buyer authorizes payment, submitting directly for clearing.
- Merchant acquirer receives funds.
With push payments, you receive funds from a transaction faster, while customers never have to transfer any personal information to conduct a purchase. It’s a win-win setup…right?
Unfortunately, resourceful fraudsters are already identifying ways to game the system. Authorized push payment fraud is deceptively low-tech, but surprisingly effective at separating cardholders—and merchants—from their money.
What is Push Payment Fraud?
Authorized push payment fraud occurs when a customer authorizes their bank or digital wallet to send (or push) money to a fraudster. Since push payments are often irreversible, the consumer is unable to dispute the transaction.
Authorized push payment fraud is sometimes known as “APP fraud.” It’s a new practice, but fraudsters employ some very familiar tactics to carry out these attacks. Three of the most common include:
What's My Liability for Authorized Push Payment Fraud?
The three tactics outlined above are some of the most commonly used right now. These should already be familiar to anyone versed in card-not-present fraud practices. As push payments gain wider usage, though, we can expect the tactics to get more sophisticated, and the attacks to get larger in scale.
This raises the question: what risk does authorized push payment fraud present to you as a merchant? Can you be held liable for these scams?
You’ll be relieved to learn that authorized push payment fraud targeted at a cardholder will seldom lead to a chargeback. To illustrate, let’s say a fraudster sends a phishing email to one of your customers eliciting a push payment. The buyer pays, only to realize that the person requesting the payment was an imposter. In this situation, you would not be held liable under the Fair Credit Billing Act.
That’s not to say it won’t impact you, though. If a fraudster impersonates you to conduct an authorized push payment fraud scheme using your identity, the cardholder will probably still associate you with the fraud. This would result in reputational damage.
How Authorized Push Payment Fraud Threatens Merchants
It’s not only cardholders that should worry about being victimized by push payment fraud. As we said before, APP schemes will get more sophisticated over time. As they do, they will expand to new targets.
Petty Son and Prestwich, a UK-based real estate firm, recently published a post on their blog outlining how they were targeted by an authorized push payment fraud scheme. “The fraudsters targeted our accounts department by replicating our director’s email address, so any correspondence they chose to send would appear as if the email had come from him,” they explain. The fraudster sent multiple emails to an employee in the department with questions aimed at “warming up” the individual.
“It was only when the accounts department phoned our director informing them we had reached our payment limit for the day, so they therefore wouldn't be able to make the payment, that the scam was discovered. On another day the payment would have been made. It was for £19,000! We now have a code word in place to thwart any further attacks.”
As a merchant, you’re not immune to these schemes. That’s why it’s important to be extra-vigilant with push payments—both regarding your customers, and your internal operations.
What’s Being Done About Authorized Push Payment Fraud?
Banks have tools and strategies at their disposal to manage this problem. Screening tools that combine machine learning and human oversight can help separate suspicious push payments from legitimate ones. The bank can then ask for additional verification to complete the payment.
There have also been attempts to rein in authorized push payment fraud at the governmental level. In the UK, for instance, consumers and businesses were faster to adopt push payments. In response, the British government adopted the Contingent Reimbursement Model (CRM) code.
As we’ve noted before, though, government efforts often have limited utility. The CRM code ensures that consumers are insulated from fraud losses, and can reduce consumer anxieties about push payment fraud. Unfortunately, it doesn’t actually prevent any fraud from taking place.
Merchants are on the front lines in the fight against fraud. That’s why they must take action to protect their customers—and themselves—against authorized push payment fraud attacks.
How to Fight Authorized Push Payment Fraud
The good news is that there aren’t many new practices or technologies you should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.
We suggest you take time to educate your customers about the risk posed by authorized push payment fraud. This not only educates customers, it demonstrates that you value their security. You should clearly outline:
- The circumstances under which you’ll request payment.
- How you’ll request payment.
- Signs to watch for to identify suspicious activity.
- What a customer should do if they suspect they’ve been the victim of APP fraud.
While it’s obviously important to protect your customers, you also need to protect yourself against potential abuse. This means educating staff on this issue. You should ensure that all staff members know:
- Who within the company has authority to authorize push payments.
- Situations in which push payments are allowed.
- Red flags that suggest malicious activity (like business email compromise).
It’s also a good idea to monitor communications within the organization, specifically any exchanges that originate from a source outside the company. You can use indicators like IP address and geolocation to spot these potential threats.
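One way to apply the IP indicator to inbound email like the spoofed director messages described earlier (an added example, not from the original article). The company domain, trusted network range, approver name and sample message are constructed assumptions; geolocation would need a GeoIP database and is not shown.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only; replace with your own.
COMPANY_DOMAIN = "merchant.example"
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # company mail servers
PAYMENT_APPROVERS = {"alex director"}                   # lower-cased display names

def connecting_ip(msg):
    """IP our own gateway recorded in the top-most Received header, or None."""
    received = msg.get_all("Received") or [""]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def red_flags(raw):
    """Return reasons a payment-related email needs out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    external = ip is None or not any(ip in net for net in TRUSTED_NETS)
    flags = []
    if domain == COMPANY_DOMAIN and external:
        flags.append("company address sent from outside company network")
    if name.lower() in PAYMENT_APPROVERS and domain != COMPANY_DOMAIN:
        flags.append("approver name on external address")
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply and reply != domain:
        flags.append("Reply-To domain differs from From domain")
    return flags

# Constructed sample message (not real traffic).
SPOOFED = """Received: from mail.unknown.example ([198.51.100.7]) by mx.merchant.example
From: Alex Director <alex@merchant.example>
Reply-To: alex@merchant-mail.example
Subject: Urgent supplier payment

Please send the transfer today.
"""

if __name__ == "__main__":
    print(red_flags(SPOOFED))
```

Any flagged message should be confirmed through a separate channel, such as a phone call or the code word the firm above adopted, before a payment is released.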
Stay Current on New Fraud Threats
P2P payment platforms like Venmo and CashApp are making it much more commonplace to conduct push payments. As consumers get used to these options, more and more fraudsters will target them through both consumer- and merchant-facing scams. This means authorized push payment fraud is only going to become more of a problem over time.
We recommend you stay up-to-date on new threats, as well as methods for countering them. Sticking to security best practices, and adapting your procedures as circumstances change, is the only way to ensure that your business and your customers stay safe.