How to Prevent Push Payment FraudDefense is the Best Offense

Tips & Best Practices to Prevent Push Payment Fraud

When it comes to push payment fraud, trying to claw your money back after the fact is often a losing battle. The only winning strategy is to stop the money from leaving the account in the first place.

Doing this requires a proactive approach to prevention marked by a “trust but verify” mentality to handling approvals, verifying vendors, and training employees.

In this last chapter, I’ll talk about how you can introduce deliberate friction in the right places so that you can slow down push payment fraudsters without stalling your business.

Best Practices for Push Payment Fraud Prevention

We established earlier that governments and financial institutions both have crucial roles to play in fighting push payment fraud. As a merchant, you play just as important of a role in keeping APP fraudsters at bay. You can do so by:

Make sure to segregate duties in procurement, payment initiation, and bookkeeping so that transactions can be reviewed and nobody within your organization can “cook the books”. Also, make sure that you can establish a three-way match between the purchase order, invoice, and receipt generated as part of every transaction. This will help reduce payment errors and lessen your susceptibility to APP attacks.

If anything appears off, try to verify payment details via established backchannels. Ideally, get on a live phone or video call with the recipient; don’t rely on email or instant messenger as a means of communication.

Fraud evolves constantly, and the best way to stay ahead is to educate yourself and your staff on the latest tactics. Provide fraud awareness training on a monthly, quarterly, or annual cadence, and subject staff to regular phishing simulations so that they remain on guard against push payment attacks.

Use multi-factor authentication (MFA) at account creation and checkout to prevent bad actors from onboarding themselves to your platform, and secure employee and executive emails with MFA as well. The latter can help prevent business email compromise (BEC) scams, which often culminate in some sort of push payment fraud.

A complementary suite of fraud detection tools, including fraud scoring tools, device fingerprinting solutions, and velocity check systems can help you detect suspicious activity and stop APP scammers in their tracks. After all, an ounce of prevention is worth a pound of cure. The most cost-effective thing you can do is stop fraud from happening in the first place.

Use or implement account verification services like Confirmation of Payee (COP) before initiating payments to recipients. Also, deploy always-on transaction monitoring software so that you can monitor all of your incoming and outgoing transactions and payments for signs of fraud.

Fraud prevention tools that use machine learning to identify anomalies can adapt to new threat environments in real time and allow you to defend yourself against new push payment fraud tactics. Closely related is behavioral analytics, which uses data about past interactions with recipients to identify patterns and predict future behavior. Any payment requests that deviate from “normal” behavior can be flagged as suspicious and forwarded for review.

Limit the ability of any single person to push funds out of the organization. Specifically, implement dual approval for wire transfers, which ensures that the person who initiates a payment cannot be the same person who releases it. In a similar vein, setting dollar thresholds, where larger amounts require executive sign-off, can help prevent large fraud losses.

Enforce a three-way match, in which every payment must correspond to a purchase order, a receiving document, and an invoice. Beyond this, make use of backchanneling to confirm payees: if a request comes via email, verify it via phone (or vice versa) using contact details from your master file, not the request itself.

Establish strict onboarding procedures that verify the legitimacy of every new supplier before they are entered into the system. Also, conduct periodic re-verification to ensure static details haven’t been altered.

If vendor details do change, follow a strict bank detail change protocol that prohibits accepting changes via email. Instead, require a signed letter on company letterhead and a verbal confirmation. After details have been changed, test with a small payment first to confirm the recipient. Wherever possible, have vendors communicate banking changes using a secure email chain.

Since most APP fraud starts with a phishing email, your inbox is the frontline. Implement authentication protocols like SPF, DKIM, and DMARC to prevent attackers from successfully spoofing your domain.

Monitor your domain and intentionally register domains similar to yours (e.g. misspellings) so fraudsters can’t use them against you. Similarly, configure your email server to display external email warnings, which will visually flag all emails that originate from a domain outside the organization.

Institute monthly or quarterly fraud awareness sessions that dissect recent, real-world scams targeting your specific industry. Layering on role-playing scenarios during these sessions can help your finance, customer service, and IT teams practice saying “no” to urgent requests.

Build a reporting culture where there is no shame in admitting a mistake or double-checking a request. You’ll want to especially empower junior employees with the mantra that it’s okay to verify all payment requests. Explicitly give them authority to question a payment instruction, even if it appears to come from the CEO.

Automation can help you spot threats your human staff miss. For example, deploy fraud detection machine learning tools to analyze transaction patterns and flag anomalies, such as a sudden spike in payment volume to a new beneficiary.

If available in your region, use Confirmation of Payee (CoP) checks to verify that the recipient’s bank account name matches the vendor’s name. Coupled with behavioral analytics, these tools can help you detect unusual user actions, such as a login from a new device or hesitation during data entry.

Maintain a readily accessible contact list that includes your bank’s fraud department, local law enforcement, and legal counsel. Establish immediate freezing procedures ahead of time so that you can lock accounts and halt pending transfers the moment fraud is suspected. Likewise, drafting communication protocols in advance can help ensure that internal stakeholders stay informed without tipping off the fraudsters or causing unnecessary panic among clients.

Have other questions about merchant fraud prevention? Want to learn how you can save time and recover more revenue? Contact Chargebacks911® and get started today.