Blogs

Member Update: Mitigating Credit-Push and Account-to-Account Fraud

By Elyssa Morgan posted 04-18-2023 10:53

  

We’ve all seen the news or have experienced it first-hand: Credit-push or account-to-account fraud is on the rise. In fact, the Federal Trade Commission just reported that more than $2.3 billion was lost by consumers in 2021 due to imposter scams, up 92% from 2020.

Whether it’s a swindle where a fraudster convinces a customer or member to send them money under false pretenses (think romance scams) or a case of account takeover, spoofing, phishing, or email compromise, fraudsters have been working their way into credit payments. And these developments aren’t limited to one payment rail. They are being sent on card rails, as well as ACH and beyond. So as FIs prepare mitigation strategies, they must cast a wider net and consider how best to structure their approach for each platform.

Risk Mitigation Expectations

Preventing this type of fraud starts with a strong authentication program. According to the FFIEC’s Authentication in an Internet Banking Environment, “Financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.”

In addition, Nacha’s new Risk Management Framework for ACH states, “In credit-push fraud scenarios, though, the receiving institution may be in the best position to identify questionable or suspicious credit payments. Receiving institutions can and should take an active role in identifying fraud,” putting some of the onus for identifying fraud on the receiving institution.

The First Line of Defense  

So, how can an FI practically address this guidance? It takes a combination of approaches to bolster security and protect end users from this type of fraud. FIs should have multi-factor authentication at play, along with out-of-band verification and IP monitoring. In addition, a few key strategies will help in blocking credit-push or account-to-account fraud:

1.      Set account limits. You may have daily, weekly, and/or monthly dollar limits on accounts, and new customers/members might be subject to different requirements than existing customers/members, or you may even want to tier those permissions by account type. In addition, regularly evaluating accounts and limits will help in reducing your FI’s exposure.

2.      Limit the number of transactions per day. Similar to dollar limits, this layer of protection will help ensure that fraudsters aren’t moving repeated small dollar amounts out of accounts. This could also help identify unusual activity if the behavior is flagged.

3.      Establish service qualification criteria. Going hand-in-hand with the other mitigation techniques, evaluating each account from an individual perspective will also help in reducing your risk. Provide different requirements, like tightened protocols around minimum balance requirements, for new accounts or accounts that have had a history of NSF or returns. These additional measures are particularly helpful for the receiving banks. As Nacha noted about fraud-based accounts, “These receiving accounts are often newly opened or mule accounts with limited history and activity.”

4.      Incorporate account behavior analysis tools. In today’s landscape, we’re fortunate that a number of technological solutions exist to help FIs in monitoring fraud. Tools like anomaly detection and suspicious behavior detection can be set up on your systems to raise alerts of out-of-the-ordinary transactions. These can be applied both on the sending and receiving side, with tools for monitoring outbound and inbound transactions. As you’re looking to evolve and offer your services, think about the tools you need to have in place and whether you have the capacity internally for that or if it makes sense to partner with a third party. Talk to your cores and other third-party providers about these types of solutions for flagging potential fraud.

5.      Continue to invest in education. As we always say, the first line of defense is a good offense. Continue to make your customers/members and staff aware of the types of fraud that are out there, including phishing, spoofing, romance scams and more. It may just save your FI and your customer/member from falling victim to a fraud scheme.

Building Up Your Second Team

But what happens if fraudsters circumvent your controls and are able to gain access to your customer’s or member’s account? That’s where you want to have a layered approach for safeguarding accounts. For example, can you implement call-back and verification procedures for large-dollar payments, so that if a transaction is flagged, you’re able to investigate further? Is it possible to set up a process to review unusual payments internally prior to sending them out or posting them to an account? Consider additional steps your FI can take to stop fraudulent transactions from going out the door or to flag the suspicious funds on the receiving side.

How NEACH Can Help

When in doubt, reach out. These scenarios can be tricky, and your responsibilities may be murky depending on your role. Use our Payments Hotline to get personalized support on a particular scenario. We also can be resources to help point you to third parties who can help you shore up your fraud mitigation tools.

In addition, NEACH also offers its members Quarterly Fraud Reviews, which are interactive sessions that allow attendees the opportunity to contribute, share what they are seeing, and what they find is working (or not working) in the fight against fraud. And you can bet that credit-push/account-to-account fraud will be a key topic throughout the year. The first session of 2023 is scheduled for March 15, and NEACH members can register solely for that session or sign up for all four. Visit our website for more information and to register.

In the meantime, keep vigilant as fraud continues to evolve. By being strategic in your approach, you will set yourselves up for greater mitigation and fewer losses, and that’s a best-case scenario for any institution.

0 comments
7 views

Permalink