The Weakest Link

When fraud losses are mostly owing to consumers’ naivete, how can banks and networks react? They’re starting to figure that out.

Consumers are at the heart of person-to-person payments and criminals know it. Criminals also know consumers can be the weakest link in securing P2P payments against their attacks.

In June 2022, eight U.S. senators issued letters to the seven banks that own Zelle, which launched in 2017 as a person-to-person payment service that relied on direct access to the sender’s and receiver’s bank accounts. Their issue? Frauds and scams proliferated on the P2P payment network and not enough was being done to curtail them and protect consumers, they alleged.

Zelle, owned by Early Warning Services LLC, referred in a statement issued last year to “misleading reports of fraud and scams” on the network and an “incomplete” analysis from outside sources. Early Warning defended its banks—Wells Fargo & Co. in particular—and said its data showed the rate of Zelle fraud at Wells was “extraordinarily low and comparable to the Zelle Network as a whole.”

Then, in July, the Consumer Financial Protection Bureau, as Digital Transactions News reported, was said to be looking into fraud on peer-to-peer payment apps. Indeed, the CFPB issued the same statement for this story as it did in July 2022.

“Reports and consumer complaints of payments scams have risen sharply, and financial fraud can be devastating for victims. The CFPB is working to prevent further harm, including by ensuring that financial institutions are living up to their investigation and error-resolution obligations.”

But the negative attention drawn to Zelle, and other P2P payment services, doesn’t seem to have dampened any user enthusiasm.

Zelle has continued to grow. In the 2023 first quarter, Zelle’s volume totaled almost $2 billion, a 31% increase year-over-year, Scottsdale, Ariz.-based Early Warning says. Consumers and small businesses—a major Zelle user group—completed 639 million transactions in the quarter, up 29% year-over-year.

In February Zelle reported that 2.3 billion payments totaling $629 billion were sent through its network in 2022, 26% and 28% increases, respectively, over 2021.

P2P payments volume also grew at other providers. At PayPal Holdings Inc.—which began offering peer-to-peer payments as one of its original services in the late 1990s—its Venmo P2P payment services grew by 7% in 2022 on top of a 44% growth in 2021, Dan Schulman, PayPal’s president and chief executive, said in a February earnings call.

Block Inc.’s Cash App also has grown. Its transaction-based revenue of $409.8 million was a 75.4% increase from $233.7 million in 2020. This excludes subscription and Bitcoin revenue generated by the app. Cash App had more than 51 million transactions globally across devices in December, up 15.9% from December 2021’s 44 million.

Mounting Losses

Clearly, consumer and business use of P2P payments has not dulled, and, as with most other electronic payment methods, neither has criminal fondness. Consumers continue to be duped with scams and criminals continue to use P2P services to test stolen credentials, among some examples.

Factors feeding P2P payments fraud include criminal exploitation, a general lack of understanding of or failure to read the terms of service, and genuine operator error, says John Buzzard, lead analyst of fraud and security at Javelin Strategy and Research, a Pleasanton, Calif.-based advisory firm.

Criminal exploitation is when consumers are manipulated by a highly skilled criminal using triggers that call them to action, such as emergencies or one-of-a-kind purchases, like buying a Corvette for $500 if you act now, Buzzard says. That can result in a string of mounting losses.

“Another factor that makes P2P so attractive to fraudsters is that some apps offer the ability to search for users,” says Jane Lee, trust and safety architect at Sift, a San Francisco-based digital security firm.

Lee continues: “This feature gives fraudsters access to a vast list of users, which then allows them to easily carry out something called ‘card testing.’ Card testing involves scammers sending small sums of money to unknown users in order to verify that the stolen payment information they’re using is valid. These transactions often show up as low-value payments sent to unsuspecting recipients, who are unaware that the fraudster is using them to test stolen payment credentials.”

Sometimes the marketing of a P2P payment service can be a factor. Speed of payment in marketing materials may be more memorable for consumers than messages about security, says Gregory Hatcher, founder of White Knight Labs, a penetration-testing provider.

“When banks are doing the marketing toward their P2P apps they’re saying they are a safe and easy way to send money fast,” Hatcher says. In addition to those messages, Hatcher would add that you better know whom you’re sending the money to.

Real-Time Fraud

The allure of P2P payments, especially faster-payment varieties, is the same for consumers and criminals, just from different sides.

“The reasons that peer-to-peer platforms are so popular with consumers are the same reasons why the platforms are popular with fraud actors,” says Ajay Guru, partner in the investigations and compliance practice who leads the fraud-technology services practice at Guidehouse, a McLean, Va.-based consulting firm. “These reasons include the instantaneous transfer capability, the ease of transacting, and immediate access to funds by the recipient.”

The immediate payment element should not be discounted, says Rob Rendell, director of fraud product marketing at NICE Actimize, an Israel-based digital-services company. “Three words…real-time payments,” Rendell says. “Real-time payments have become a double-edged sword, facilitating fast and convenient P2P transactions, while also providing an attractive target for fraudsters.”

That brings more criminal attention, and despite organizations’ best efforts to curb losses through real-time monitoring, “fraudsters continue to find new ways to target unsuspecting consumers and make off with ill-gotten gains,” Rendell says.

As for what may come from the legislators’ issues and the CFPB’s inquiry, some observers suggest more consumer protections may be in the offing.

“To incentivize consumers to transact, the financial-services industry has done a tremendous job training consumers that their fraud liability is very limited–thanks to the protections of Regulation E,” Guru says.

Banks are required by Regulation E in the Electronic Funds Transfer Act to reimburse consumers for so-called unauthorized funds movement. But the regulation doesn’t contemplate cases where consumers authorize the transfers as a result of fraudulent inducement.

“Consumers have become accustomed to these protections, which is why they are tremendously frustrated with the scam activity on peer-to-peer platforms,” Guru adds. “The inevitable outcome is that banks will need to assume a more significant portion of the liability for these types of transactions. Consumers need to be better protected. With those protections in place, I believe the critics in Washington will be satisfied.”

Some sort of reimbursement for consumers victimized in P2P payments fraud is likely, says Deborah Baxley, the Mobile and Touchless Payments Working Committee co-chair at the U.S. Payments Forum, a trade group.

“I personally believe a regulator, like the CFPB, will strongly encourage, or perhaps mandate, that the providers provide recourse to victims of scams,” Baxley says.

She adds that “payment providers might be required to demonstrate that suitable mitigation techniques might include matching to a list of known bad actors/IP addresses/geographies, pattern detection based on information sharing across multiple providers, or insurance or risk scores for particular transactions.”

From Optional to Required

Zelle says it is committed to strong fraud prevention. “That commitment is reflected in the fact that more than 99.9% of the [more than] 5 billion Zelle payments since launch [in 2017] were sent without any report of fraud or scams—and through Q1 2023, this rate continued to improve,” Al Ko, Early Warning chief executive, wrote in a blog post in April.

He said network-level controls to prevent bad actors from transacting on the Zelle network have been increased. He also touted the compliance and regulation oversight in place for the network and the more than 1,900 financial institutions that connect to it.

“This collective, networkwide commitment to fraud prevention and compliance is unparalleled in the P2P space –and it is the reason fraud and scam rates continue to go down while the Zelle Network is growing across all key metrics–including now helping move a staggering nearly $2 billion per day,” Ko wrote.

Industry-initiated preventive measures will help, but they may not be enough to stave off further regulations.

“As these processes evolve, there is a lot of self-regulation occurring,” says Kim Sutherland, vice president of fraud and identity-management strategy at LexisNexis Risk Solutions. “These processes are only going to evolve with additional protections.”

Industry efforts may yet give banks and networks a head start on potential future regulation and compliance protocols.

“Financial institutions are starting to roll out more liberal and logical ways to intake fraud claims that include reimbursement,” Javelin’s Buzzard says. “They may as well get started voluntarily. I don’t see this being optional for FIs much longer.”