
P2P Payment Apps: Risk and Mitigation Strategies

Matt Goble – Vice President – Product Compliance Manager.

The phrase “bank without the building” has rapidly gained popularity in the banking industry, reflecting the shift towards digital banking solutions. As customers increasingly prefer to manage their finances through smartphones and tablets, banks have responded by offering comprehensive online services that eliminate the need for physical branches. This trend has been driven by the demand for convenience, allowing users to perform transactions, access financial advice, and manage accounts from anywhere. The widespread adoption of mobile banking apps and peer-to-peer payment systems underscores this evolution, making “bank without the building” a common term that encapsulates the modern, tech-driven approach to banking.

Used by over 62% of American millennials, peer-to-peer payments are becoming so commonplace that you have no doubt heard people say, “I’ll Venmo you,” or “I’ll PayPal you,” instead of simply saying, “I’ll pay you back.” In a nutshell, peer-to-peer payments are instant digital transfers that make it simple and secure to send money to friends, family, trusted businesses and professionals without a card, check, or traditional multi-step wire transfer process. Similar to a debit card, they eliminate the need to have cash on hand by initiating a payment directly from the account balance associated with the app. If you don’t maintain an account balance within the app, the payment can be sent from an associated account at the institution, just without the card.

Peer-to-peer payment accounts are typically relatively simple to set up, work essentially the same way, and share similar features. Whichever platform you choose, you’ll sign up for an account, then link your bank account, credit card, or debit card to it. To send or even receive money from someone, you’ll provide the recipient’s information; in many cases, this is their username, e-mail address, or telephone number. After that, sending and receiving money is usually just a couple of clicks away. You choose who you are sending money to and the transaction amount, add a reason for payment if you desire, and then submit the payment. Depending on which peer-to-peer payment service you use, the time it takes for money to transfer can range anywhere from instant (if you’re willing to pay a small fee) to up to three business days for free transfers. Typically, the applications keep the money stored in the app until you manually release the cash into your personal checking account.

Fraudsters use data stolen from customers through data breaches or “hacks,” account takeover, social engineering, phishing attempts, or other methods to open accounts fraudulently. In addition to application fraud, fake, manipulated, or manufactured identities are also on the rise. Common attacks that lead to account takeover fraud include:

  • Phishing attacks: Fraudsters send emails or SMS messages (the latter also known as smishing) designed to encourage the recipient to click a link that redirects the user to a fake banking portal or to open an attachment that installs malware engineered to collect the individual’s personal credentials.
  • Mobile Banking Trojans and Overlay Attacks: Fraudsters will leverage weaknesses in operating systems to install Trojan software on the victim’s electronic device, which is designed to overlay fake screens on legitimate mobile banking apps to collect an individual’s banking credentials.
  • Malware: Fraudsters use malware to collect data through key-logging or man-in-the-middle malware, which intercepts data via the victim’s internet browser.
  • Fake Banking Applications: Using fake stores or discount/promotional campaigns, fraudsters distribute apps that pretend to be owned by the financial institution. These counterfeit apps look like the real thing, except that data is sent to the criminal.

The best remedy for fraud is prevention, and the best tool for prevention is knowledge. Educate your customers and members on the risks of fraud when using peer-to-peer payment systems and inform them of ways to prevent that fraud from happening to them.  With that in mind, here are some tips for protecting yourself and your account holders from peer-to-peer payment scams.  

Use caution when sending money to or receiving money from someone you don’t know:

Scammers use mobile payment services to trick people into sending money or merchandise without holding up their end of the deal.  For example, a scammer may sell you concert or sports tickets but then never actually give them to you. Using mobile payment services with family, friends, and others you know and trust is the safest way to protect your money. This is especially true when buying and selling online. 

Don’t use peer-to-peer services for business purposes. 

The terms of service for most cash apps prohibit them from being used to purchase goods and services.  Instead, look for payment apps specifically created for business users, like Square Cash for Business or PayPal. When you pay someone directly using a peer-to-peer app, there’s no way to recover your money unless the other party agrees to return it, which will not happen if the person is trying to scam you. 

As a result, it’s essential that you – 

Read the terms of service:

It’s essential to understand the terms of service for every peer-to-peer app you use. As I just mentioned, some companies like Venmo, for example, prohibit using the app to buy and sell goods. The app’s intended purpose is simply to quickly transfer cash between family and friends. Knowing the terms of service allows for the proper use of an app, which means a higher chance of recovering funds in fraud cases.

Consider having your friend send you a payment request first: 

If you’re sending money to someone for the first time, ask that they send a “request” from their app if that service is available. This helps ensure you send funds to the right person for the right amount. If the payment app does not have a request-for-payment function, consider sending a small test payment to the recipient to confirm it is the right person before sending more significant amounts. 

Double check before you press send: 

A simple mistype can send money to the wrong person or in the wrong amount. Always double-check the amount you entered and the person you selected to pay. Most payment apps use a username, phone number, or email address to identify payment recipients. Ask your recipient to be sure they have registered in the app with the information you intend to use to send them money.

Set up your app, phone, or smart device to require a passcode, PIN, or fingerprint before making a payment:

Most mobile payment apps allow you to set up a passcode, PIN, or fingerprint to authenticate yourself before making a payment. This feature helps prevent anyone else who gets access to your mobile phone from making mobile payments from your account. 

Set up transaction alerts so you are notified immediately anytime your account is used: 

Sure, this can be annoying, but notifications like eAlerts will provide the earliest notice that money has been sent or received. The earlier you can catch a scam or become aware of fraud, the less financial loss you’ll likely suffer and the better chance you’ll have of recovering your funds.

Overall, P2P transactions offer convenience, which appeals to many consumers, but they also carry risks. Implementing the appropriate controls can mitigate those risks and reduce losses while allowing your institution to stay competitive in the digital age of the banking industry, without the risks outweighing the rewards.

Source Reference: Helpful tips for using mobile payment services and avoiding risky mistakes | Consumer Financial Protection Bureau. https://www.consumerfinance.gov/about-us/blog/helpful-tips-using-mobile-payment-services-and-avoiding-risky-mistakes/
