NAFCU Services Blog

Mar 24, 2020 by Allied Solutions

Do You Have Strategies in Place to Prevent Payment App Fraud?

By Ann Davidson, VP of Risk Consulting, Allied Solutions

More and more consumers are using payment apps like Venmo and Zelle to send money to friends and family. While allowing payments through these apps creates high value for your consumers, it has also opened up a new channel for fraud. 

Financial institutions are reporting attacks where cybercriminals are draining accounts by gaining fraudulent access to their members' debit card or account numbers. These attacks primarily occur in one of the following ways:

  1. Consumers are scammed into sending criminals money directly through a payment app. The FTC has more information on how these consumer scams occur.
  2. Criminals fraudulently enroll consumers into the payment app using the member's card number stolen from a data breach, e.g. the 2017 Equifax breach.
  3. Criminals call into the call center with account/card information stolen from a data breach, and request an account password reset alongside a request to change the account email and/or phone number. The fraudster then routes the password reset email/text to their own phone number/email address to access the account. 

Keep your credit union protected from these crimes by adopting strong authentication and security layers.

Payment App Fraud Mitigation Practices:

  • Let employees know that these attacks are often initiated through online password resets (frequently via the call center), so they can watch for suspicious behavior surrounding these requests.
  • Do not immediately approve the following requests after an online password is reset:
    • Change of address
    • Change of telephone number
    • Change of email

  • Set daily velocity limits: a max number of debit card transactions within a 24-hour timeframe.
  • Set a max daily dollar limit for both ACH and debit card payment app authorizations.
  • Monitor activity surrounding "money transfer" type of authorizations (aka merchant category code MCC 4829).
  • Ensure payment app authorizations using debit card numbers (versus account numbers) are marked as "card-not-present" authorizations, so you can exercise chargeback rights under the card associations’ chargeback rules.
  • Confirm in writing with your card processor what layers of card security are being used for the money transfer and payment app types of authorizations.
  • Confirm your fraud monitoring system is capturing and flagging these kinds of card authorizations, so you can monitor and block subsequent suspicious activity.
  • Find out from your vendors what layers of authentication and security are in place to help prevent fraud and data theft.
  • Share information with members about how to prevent and report payment app scam attempts.
  • Offer text alerts to members so they may receive notifications of any new payment app transaction.
  • Understand who is liable in the event of payment app fraud, so you can make decisions aligned with your credit union’s risk appetite.
  • If your credit union decides to block these transactions, send a message to members that this decision has been made to protect their information and money from theft.
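
The sketch below shows how several of the controls above (holding contact changes after a password reset, 24-hour velocity and dollar limits, and MCC 4829 monitoring) could be expressed as monitoring rules. It is an added example, not code from Allied Solutions or any card processor; the thresholds, the 48-hour hold window, the record field names and the sample records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (the article gives no numbers); set them to your risk appetite.
MAX_AUTHS_24H = 3
MAX_DOLLARS_24H = 500
RESET_HOLD = timedelta(hours=48)
CONTACT_CHANGES = {"address_change", "phone_change", "email_change"}

def review(events):
    """Return (account, reason) alerts; limits apply per account over a rolling 24 hours."""
    alerts, last_reset, window = [], {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, ts, kind = ev["account"], ev["ts"], ev["type"]
        if kind == "password_reset":
            last_reset[acct] = ts
        elif kind in CONTACT_CHANGES:
            # Do not auto-approve contact changes that closely follow a reset.
            if acct in last_reset and ts - last_reset[acct] <= RESET_HOLD:
                alerts.append((acct, f"hold {kind}: follows password reset"))
        elif kind == "auth" and ev["mcc"] == "4829":  # money transfer
            if not ev["card_not_present"]:
                alerts.append((acct, "MCC 4829 auth not marked card-not-present"))
            recent = [(t, amt) for t, amt in window[acct] if ts - t < timedelta(hours=24)]
            recent.append((ts, ev["amount"]))
            window[acct] = recent
            if len(recent) > MAX_AUTHS_24H:
                alerts.append((acct, "24-hour velocity limit exceeded"))
            if sum(amt for _, amt in recent) > MAX_DOLLARS_24H:
                alerts.append((acct, "daily dollar limit exceeded"))
    return alerts

def sample_events():
    """Constructed records for illustration; not real account data."""
    t0 = datetime(2020, 3, 1, 9, 0)
    def at(minutes, account, kind, **extra):
        return {"ts": t0 + timedelta(minutes=minutes), "account": account, "type": kind, **extra}
    def auth(minutes, account, amount, mcc="4829", cnp=True):
        return at(minutes, account, "auth", amount=amount, mcc=mcc, card_not_present=cnp)
    return [
        at(0, "A-1001", "password_reset"), at(10, "A-1001", "email_change"),
        auth(20, "A-1001", 200), auth(30, "A-1001", 250),
        auth(40, "A-1001", 100, cnp=False), auth(50, "A-1001", 20),
        at(0, "B-2002", "phone_change"), auth(5, "B-2002", 900, mcc="5411"),
    ]

if __name__ == "__main__":
    for account, reason in review(sample_events()):
        print(account, reason)
```
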

Attend our webinar, It’s 2020: Don't Let Your Member Data Fall Into the Wrong Hands, to learn more about how to protect your data from attacks like this.
