In recent months, many countries have rolled out real-time payments schemes. In the USA, The Clearing House launched their Faster Payments scheme in November 2017, the same month that the Eurozone got SEPA CT Inst – a cross-border, real-time payments scheme. In February 2018 Australia launched their New Payments Platform for use by consumers.
These schemes represent a major change to the payments landscape for the countries involved. While e-wallets and person-to-person schemes offer people quick and easy ways to pay, they have been underpinned by pre-existing payment systems, either card schemes or ACH transfers. The perception may be that payments using these are instant — the reality is that clearing of them isn’t. For example, ACH payments in the USA are cleared three times per day and card payments can take weeks for settlement to the merchant. The new real-time payment schemes, whether used directly or as the rails for e-wallets and person-to-person payments, are cleared instantly and are irrevocable.
Fraudsters are constantly looking for new ways to attack, and real-time payments offer new vectors both for direct attacks and for enabling other criminal activity. In order to understand the impact on fraud that real-time payments can have, it is useful to consider the wider payments account eco-system and the lifecycle of fraud. As this diagram shows, real-time payments are a catalyst for fraud at multiple points, not just in payment transactions.
Authorised Push Payment Fraud at the Point of Transaction
In this scenario, the perpetrators are looking to trick an individual or business into making a payment to them. They use social engineering and interception of correspondence to do so.
An example of this is invoice fraud, where a criminal sends an invoice that purports to come from a legitimate supplier, but of course contains their own bank account details. This is not a new fraud, but when the fraudster can persuade the victim to make a real-time payment there is little opportunity to see it happening before the money is gone.
The UK, which has had real-time payments since 2008, has seen an increase in this approach, particularly against individuals. Invoices that look like they come from your child’s school or from the contractor working on your house are paid, only for it later to be discovered that the invoice had come from a fraudster. As real-time payments can be for large sums (in the UK up to £250,000) this can be life-changing for victims.
It is easy to lay liability for this at the feet of the victims, who after all have authorized the payment, arguably without making adequate checks. Banks have given customers the welcome ability to make irrevocable payments in real-time, but customers don’t have the tools and knowledge to carry out checks in the same way that a bank can. For example, an individual cannot perform a behavioral risk analysis on their individual transactions.
In the UK the increase in victims of this kind of fraud has been frequently noted in the press and has been the subject of a ‘super complaint’ by consumer advocacy group Which? While liability is unlikely to be transferred wholesale to the banks, when stories hit the press they significantly impact a bank's reputation with its customers.
Using Real-Time Payments to Evade the Law
Real-time payments mean that everyone can move money quickly – that includes criminals. The ability to move funds rapidly across accounts, at different institutions, makes it more difficult for law enforcement to trace where proceeds of crime have gone and easier for the criminals to move money and then extract it. To do this, criminals need access to multiple bank accounts and this makes a number of bank account frauds more attractive:
- Account takeover fraud: A criminal can take over an account and use it to ‘hop’ money through, thereby making it more difficult for the authorities to follow the money. In some instances, the legitimate account holder may not even spot it’s happening, particularly if it’s an account that they don’t regularly access themselves.
- Use of money mules: People who are otherwise upstanding citizens can be persuaded to allow criminals to use their accounts to transfer money through. Again, this helps criminals to hide the source of their funds, and with real-time payments the money can be moved across multiple accounts extremely quickly. In some cases, people allow their accounts to be used as mules for altruistic reasons (they’ve been conned into thinking they are helping someone in genuine need), but in other cases the mule account holder receives a payment. In the UK the widespread use of real-time payments has seen certain groups targeted by criminal gangs to act as money mules – students are often recruited.
- Application fraud: Another way criminals can gain access to an account is to open one using a stolen or synthetic identity. With such an account the criminal can not only move money through it but also extract it. As discussed earlier, in the case of authorized push payment fraud, the payee’s bank may not be held liable for losses from the fraud. However, in cases where the fraudulent payment has been sent to an account opened using a stolen or synthetic identity, the receiving bank has been pushed to make restitution to the victims for having opened an account for a fraudster.
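The ‘hop’ pattern described in the list above leaves a recognisable trace on the receiving side: a real-time credit arrives and most of it leaves again within minutes. The following is an added example, not part of the original article, showing how a bank could flag such pass-through accounts and link them into a chain; the ledger rows, the 10-minute window and the 90% forwarding ratio are constructed assumptions, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, payer, payee, amount).
TXNS = [
    ("2018-03-01T10:00:00", "VICTIM", "ACC-A", 9000.00),
    ("2018-03-01T10:02:10", "ACC-A", "ACC-B", 8900.00),
    ("2018-03-01T10:03:45", "ACC-B", "ACC-C", 8800.00),
    ("2018-03-01T10:05:00", "ACC-C", "CASHOUT", 8700.00),
    ("2018-03-01T09:00:00", "EMPLOYER", "ACC-D", 3000.00),   # ordinary salary
    ("2018-03-03T18:30:00", "ACC-D", "LANDLORD", 1200.00),   # ordinary rent
]
WINDOW = timedelta(minutes=10)  # assumed: how fast a credit must be forwarded
MIN_RATIO = 0.90                # assumed: share of the credit that is forwarded

def pass_through_hops(rows, window=WINDOW, min_ratio=MIN_RATIO):
    """Return (account, credit, debit) where a debit forwards most of a
    just-received credit out of the same account within the window."""
    txns = sorted((datetime.fromisoformat(t), s, d, a) for t, s, d, a in rows)
    credits = defaultdict(list)   # account -> credits received so far
    hops = []
    for txn in txns:
        ts, src, dst, amt = txn
        for cred in credits[src]:
            if ts - cred[0] <= window and min_ratio * cred[3] <= amt <= cred[3]:
                hops.append((src, cred, txn))
        credits[dst].append(txn)
    return hops

def hop_chains(rows, **kw):
    """Link hops into paths: the debit of one hop is the credit of the next."""
    hops = pass_through_hops(rows, **kw)
    next_debit = {cred: debit for _, cred, debit in hops}
    continuations = {debit for _, _, debit in hops}
    chains = []
    for acct, cred, debit in hops:
        if cred in continuations:      # not the start of a chain
            continue
        path, cur = [cred[1], acct], debit
        while cur is not None:         # debits are strictly later, so no cycles
            path.append(cur[2])
            cur = next_debit.get(cur)
        chains.append(path)
    return chains

if __name__ == "__main__":
    for chain in hop_chains(TXNS):
        print(" -> ".join(chain))
```

A single institution only sees the legs that touch its own accounts, so in practice each hop would be scored by the bank holding that account rather than by tracing the full path.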
For further reading, read our executive brief: Adapting Fraud Strategy to the Era of Real-Time Payments