Social Engineering and Push Payment Fraud – Who Should Pay?

In a previous blog I wrote about authorized push payment fraud and how social engineering leads victims to make payments to fraudsters of their own accord. I made the case for banks to use behavioral analytics to identify suspicious payments before they are made. This is particularly important when an irrevocable, real-time payments scheme such as UK Faster Payments or SEPA Instant Credit Transfer (SCT Inst) is used: once the payment has been released there is no chargeback or recall to fall back on.

While the focus has often been on recovering losses from the victim's own bank, there are also instances where victims and authorities look to the receiving bank for recompense. Their case is that the receiving bank was negligent in its account-opening procedures and opened an account for a fraudster using a stolen or synthetic identity. That account was then used to accept the proceeds of the authorized push payment fraud.

In a recent case a victim paid what they believed to be an invoice from their builder, only to find that it wasn't their builder they had paid but a fraudster who had intercepted the invoicing process. In another case a victim transferred £4K from his bank account to buy a shepherd's hut on eBay. The hut never materialised, and the payment made by bank transfer had gone to a fraudster. In both cases it appears that the fraudster had opened a bank account using either a stolen or synthetic identity; this brought the account-opening processes at the receiving banks into question.

On the surface the answer seems obvious: the receiving bank should take responsibility for the behavior of fraudsters it should never have opened accounts for, particularly when the account was opened using a stolen or synthetic identity. But this does not solve the problem of authorized push payment fraud, for a number of reasons:

  • The link to the fraudster frequently isn't as clear. In the two cases above the payment seems to have been sent directly to an account that had been opened using a stolen or synthetic identity. This isn't always the case: fraudsters can take over the accounts of legitimate account holders, or persuade people to let them use their accounts to pass on the proceeds of fraud. It is difficult for a receiving bank to spot this behavior in time to prevent it, particularly when the money can be hopped quickly through several such mule accounts before arriving in an account the fraudster can extract it from.
  • Even when the receiving bank has opened an account for a fraudster using a stolen or synthetic identity, the fraud is not spotted until after it has been executed. The original attack vector, the social engineering and the payment have already happened. It may be good that victims can get some restitution from the receiving bank, but the bank is then out of pocket and the fraudster has still succeeded.

The Which? super-complaint shows that consumers are increasingly looking to banks to solve the issue of authorized push payment fraud. Even in cases where banks may not consider themselves liable, the negative publicity and loss of reputation are significant. Consumers have been given the welcome ability to make irrevocable, real-time payments, but individuals are not equipped to deal with all of the consequences. For example, they cannot spot patterns across thousands of payments that indicate fraud, but their bank could.

At present many banks look at application fraud, payment fraud and account takeover fraud in silos. This story illustrates that the same fraud can exploit weaknesses at any of these points: an account opened on a synthetic identity, a payment induced by social engineering, and a chain of mule accounts used to move the money on. By looking at fraud in a more holistic manner across the entire enterprise, banks can be better prepared to stop it at every stage of the customer and payment lifecycles.
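As an added example of what joining those silos looks like in practice (this is illustrative code written for this post, not FICO's code and not the logic of the Falcon platform), the script below runs a simple receiving-side "mule hop" check over a constructed payment log and a constructed table of account-opening dates. It flags an account that receives an inbound real-time credit and forwards most of it within a short window, notes whether that account was opened only days earlier, and then follows the money hop by hop so an analyst sees the whole chain rather than a single payment. All account names, timestamps and thresholds are made up.

```python
"""Illustrative mule-hop detector over constructed data (not FICO/Falcon code).

Two data sources that banks often keep in separate silos are combined:
  * ACCOUNT_OPENED  - when each account was opened (application-fraud data)
  * PAYMENTS        - the real-time credit transfers (payment-fraud data)
An inbound credit is flagged when most of it leaves the receiving account
again within `window`, and the receiving account's age is reported alongside.
"""
from datetime import datetime, timedelta

# Constructed account-opening dates. The mule accounts were opened days
# before the victim's money arrives; the legitimate builder's account is old.
ACCOUNT_OPENED = {
    "victim-01": datetime(2015, 3, 1),
    "mule-A": datetime(2018, 6, 20),
    "mule-B": datetime(2018, 6, 24),
    "cashout-Z": datetime(2018, 6, 25),
    "builder-ltd": datetime(2009, 1, 12),
    "builder-ltd-savings": datetime(2009, 1, 12),
}

# Constructed payment log: (timestamp, payer, payee, amount in GBP).
# The first three rows are the £4K scam hopping through two mules; the last
# two are a genuine invoice payment and the builder's own savings sweep.
PAYMENTS = [
    (datetime(2018, 6, 28, 9, 2), "victim-01", "mule-A", 4000.00),
    (datetime(2018, 6, 28, 9, 19), "mule-A", "mule-B", 3950.00),
    (datetime(2018, 6, 28, 9, 41), "mule-B", "cashout-Z", 3900.00),
    (datetime(2018, 6, 28, 11, 0), "victim-01", "builder-ltd", 1200.00),
    (datetime(2018, 6, 29, 15, 30), "builder-ltd", "builder-ltd-savings", 1000.00),
]


def pass_through_ratio(account, received_at, amount_in, payments, window):
    """Fraction of an inbound credit that leaves `account` within `window`."""
    if amount_in <= 0:
        return 0.0
    out_total = sum(amt for ts, src, _dst, amt in payments
                    if src == account and received_at <= ts <= received_at + window)
    return out_total / amount_in


def is_newly_opened(account, at, accounts, max_age_days):
    """True if the account was opened within `max_age_days` of the credit."""
    opened = accounts.get(account)
    return opened is not None and (at - opened).days <= max_age_days


def trace_chain(start_account, start_ts, payments, window=timedelta(hours=1), max_hops=10):
    """Follow the largest outbound payment from each account in turn.

    Returns the path the money took as a list of (payer, payee, amount) hops,
    stopping when nothing leaves the current account inside `window`.
    """
    chain = []
    account, ts = start_account, start_ts
    for _ in range(max_hops):
        candidates = [p for p in payments if p[1] == account and ts <= p[0] <= ts + window]
        if not candidates:
            break
        hop = max(candidates, key=lambda p: p[3])
        chain.append((hop[1], hop[2], hop[3]))
        account, ts = hop[2], hop[0]
    return chain


def flag_mule_hops(payments, accounts, min_ratio=0.8,
                   window=timedelta(hours=1), new_account_days=30):
    """Alert on inbound credits that are mostly forwarded on within `window`."""
    alerts = []
    for ts, payer, payee, amount in sorted(payments):
        ratio = pass_through_ratio(payee, ts, amount, payments, window)
        if ratio < min_ratio:
            continue
        alerts.append({
            "payer": payer,
            "receiver": payee,
            "amount": amount,
            "forwarded_ratio": ratio,
            "newly_opened_receiver": is_newly_opened(payee, ts, accounts, new_account_days),
            "chain": trace_chain(payee, ts, payments, window),
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_mule_hops(PAYMENTS, ACCOUNT_OPENED):
        print(f"{alert['payer']} -> {alert['receiver']} £{alert['amount']:.2f}: "
              f"{alert['forwarded_ratio']:.0%} forwarded within the hour, "
              f"new account={alert['newly_opened_receiver']}, chain={alert['chain']}")
```

On the constructed data the victim's £4K payment is flagged at the first mule (almost all of it leaves within twenty minutes, into an account opened eight days earlier) and the chain shows the onward hop to the cash-out account, while the genuine builder payment is not flagged because nothing leaves that account in the window. The point of the example is not the thresholds, which a real system would learn from behavior rather than hard-code, but that the signal only appears when account age and payment velocity are looked at together.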

FICO has been leading the way in taking an enterprise-wide approach to fraud detection and management using the industry-leading FICO Falcon Fraud Platform.

For more on application fraud, see the posts from my colleague Liz Lasher.


  • lburkefiles

    Excellent article. In chasing fraud and working with banks for three decades, one theme remains loud and clear: lazy banks.

    Customers are a commodity and are treated as such. 85% or greater of all fraud can be stopped cold with real KYC (Know Your Client) and SYC (See Your Client): KYC when opening the account, and monitoring transaction histories and outliers. For example, an 85-year-old woman does not open an account online and apply for a HELOC; it was stopped, but only after berating the underwriter and paying a visit to the customer's house. The client was bedridden and did not own a cell phone, let alone a computer. (It was her caregiver.) Over 90% of account takeovers follow a request for a change in telephone number and/or address. A vast majority of banks err on the side of customer convenience and have outsourced customer care and contact to third-party call centers who are rated only on how fast they handle calls. For those banks who embrace SYC and require that any address or telephone number change be made by the customer in person at a bank branch, account takeovers have gone to near zero.

    Treating customers as a commodity and erring on the side of convenience are gateways to massive serial frauds perpetrated against a bank.

    • Sarah Rutherford

      Thank you for your comments on my blog post – glad you enjoyed it. There is much that banks can do without making people come into branches. I think that customers want to do more and more online without coming into a branch – I know I do! Banks can use strong customer authentication to secure payments and changes of details, and they can use behavioral analytics to spot suspect transactions and account activity. You might like to take a look at this blog on soft-clustering behavioral misalignment scores; there my colleague is talking about using it for anti-money laundering, but the same principles apply when banks use it for spotting other types of suspicious account behavior.

      • lburkefiles

        Agreed, but here is the push back. The people on the receiving ends of the alerts are poorly or not trained. I have 100s of examples – really hundreds. Over one year one bank lost 13 million even though they had the most advanced monitoring programs, because the people had no idea what the signals meant and, even when they did, they failed to act. The programs were really awesome and did what they advertised. I will also add that the pay for the positions was horrid. It is my 3 decades of experience that awesome automation can be undone by a mope too close to a switch. James Bond-esque plans executed by Mr. Bean. This conversation might be the germ of another post.