Types of Fraud in IIPSs
Fraud is an intentional act, misstatement, or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain.
At the highest level, IIPS push payment fraud is often categorized by regulators and private sector players as authorized or unauthorized, referring to the party that initiated the payment. These are simplified categories and the tactics or vectors used by fraudsters to perpetrate these frauds come in many flavors.
Authorized Push Payment Fraud
Payment is initiated by the legitimate account owner. The end user may have been manipulated into sending a payment that she believed was legitimate. The end user may have also knowingly sent a fraudulent payment.
Unauthorized Push Payment Fraud
Payment is initiated by an unauthorized end user who may have taken over the account of a legitimate end user or otherwise obtained and used the legitimate account owner’s information to send a fraudulent payment.
Fraudsters Invoke a Multitude of Tactics to Conduct Push Payment Fraud
Obtaining confidential end user data through singular or multiple means enables fraudsters to perpetrate push payment fraud.
For example, a fraudster may directly obtain account login information from a data breach at a DFSP. This may provide them with sufficient information to do an account takeover and initiate an unauthorized payment from the end user’s account.
The fraudster may also use the breached information to target end users for scams. Social engineering is a common tactic fraudsters use to scam end users into authorizing and initiating payments. Scams come in many forms. A couple of typical examples include:
- A scam may involve a fraudster pretending to be an entity that the end user knows and trusts, such as their bank or utility company, asking them to initiate an urgent payment.
- In “mistakenly sent you money” scams, the scammer sends an SMS purporting to come from a DFS provider informing the victim that they have received funds. This is followed up by a phone call in which the scammer tells the victim that the funds were sent by mistake and requests that the funds be transferred back to the scammer’s account.
The impact of these scams is noteworthy. Globally, an estimated 293M scam reports were filed and $55.3B lost in scams in 2021 [1].
The fraudster may use a combination of these tactics to conduct a SIM swap. In a SIM swap, a fraudster pretends to be the end user and is able to transfer the end user’s phone number to the fraudster’s device. The fraudster can then create new account login information without the end user’s knowledge and take over their account.
There are many examples of push payment fraud. Fraudster tactics are continually evolving and becoming more sophisticated. A consistent classification and understanding of the details of fraud typologies are essential to identifying the controls required to mitigate each.
1: GASA – The Global State of Scams Report – 2022