4 steps to stop fraud in Zelle and faster payments
Fraud is becoming increasingly prevalent on P2P networks like Zelle and others, as brought to the forefront, again, today by the article from the NYTimes.
As more instant real-time payments like RTP or FasterPayments go live in the US, this problem will only get worse. US regulation on protecting consumers from these fraud vectors is sadly far behind.
The same reason that customers love instant real-time payments via P2P like Zelle, Venmo, SquareCash and also Crypto, is also why fraudsters love it — with these payment methods, money can be transferred instantly and it’s not recoverable.
In this post, I wanted to share a few recommendations for consumers, fintechs, banks and regulators on how to deal with P2P scams on Zelle and other platforms. With Real Time Payments (also known as RTP) from The Clearing House already live on various banks and Faster Payments by Federal Reserve going live in a couple of years, these types of fraud vectors are only going to get exacerbated.
1. Consumers should never trust CallerID
First, as consumers, we should never trust CallerID. Fraudsters often are able to get away with pretending that a call or text is coming from a bank or fintech. It is very simple for fraudsters to map any name (typically that of a bank) to their own phone number when calling or texting, via various callerId spoofing methods.
To protect yourself, you should always check if that number truly belongs to the bank or fintech. The best way to do this is to go to the bank or fintech’s website and see if the sender’s number is listed there. Note that you should never trust the phone number that shows up in Google search results as fraudsters often employ clever SEO or ad tactics to advertise their phone number as belonging to the bank.
2. Identity is multi-faceted
Second, for banks and fintechs, they should stop using phone numbers as the sole identifier to identify someone. Digital identity is increasingly multi-faceted and someone’s real identity is a combination of:
- Device Id
- SIM Id
- Phone number
- KYC — credit bureaus
- Identity doc —Passport, Drivers License
- Biometrics — TouchId, FaceId
In this case, the glaring hole in Wells Fargo and Zelle’s fraud prevention is that they are allowing anyone to verify possession of a phone number and connect their phone number to Zelle. The fraudster was able to verify the phone number by asking the victim for the codes via social engineering methods. Wells and Zelle made the rookie mistake of not verifying if the Identity registered at the telco matched the Wells account Identity.
Instead of giving anyone access to Zelle based on just the phone number, a much more fool-proof approach is to give them access based on their holistic identity i.e. does the phone identity at telocs match the identity at bureaus (tied to SSN) or identity documents (such as passport, drivers license)?
At Sardine, we prevent payment fraud by building a holistic consumer identity and utilizing multiple facets of someone’s identity, right at the time of account opening. We use our proprietary AI models to score a user at the time of account opening from the lens of how likely are they to perpetrate payment fraud downstream.
3. Advanced device telemetry to prevent social engineering scams
Tech support or Romance scams, can not be detected server-side. You have to do client-side telemetry using advanced device intelligence products like ours at Sardine.
- Most fraudsters socially engineer victims by using texts that appear to come from banks.
- They then pretend to be bank customer support and convince victims to install a remote desktop app like Team Viewer/Any Desk.
The only reliable way to know if there are multiple people accessing the bank account is by introspecting the client-side behavior. At Sardine, we can detect if multiple people — victim and fraudster — are moving the mouse or typing at the same time.
Check out this informative previous blog post and see a live demo of how our technology works.
4. New payment methods require a rethink of consumer protection
Finally, on regulation, CFPB and others should look at what the UK had to do with similar scams on their Faster Payments methods. The UK has had instant real-time payments via Faster Payments since 2008 (and hence, a decade older than Zelle which started in 2017) and they‘ve seen similar scams for far longer.
This was the single fastest rising attack vector in the UK as well and is known as the APP scam (Authorized Push Payments).
- Banks under the guidance of the Payment Systems Regulator (PSR) in the UK set up a “common pot” of money to pay the victims if fraud responsibility could not be ascribed to anyone. In the US, CFPB and other regulatory bodies should take consumer protection seriously and set up a similar ombudsman and a similar money pool to refund victims.
- Moreover, when you send money via Faster Payments to a recipient, you can verify if the recipient’s bank account truly belongs to the person you intended to send it to, via a process called the Confirmation of Payee (CoP). We need something very similar at the time of Zelle payouts!
To summarize, as this week’s revelations from the NYTimes article show, as Zelle, RTP and FasterPayments continue to increase in popularity, fraud is only going to get worse. The time to address these fraud vectors head-on is now.