Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
September 21, 2020
Personal Responsibility for Irrevocable Payment Scams
Those who have experience with parenting know that with many joys come challenges. For me, one of those challenges is teaching my children the importance of personal responsibility. Picking up after themselves, making sure their chores are finished before running out the door to play, and owning up to mistakes are just some of the personal responsibilities that they struggle with daily. And while there is a light at the end of the tunnel for this struggle, I firmly believe it is their having to experience the consequences that is getting us there. In this parent's opinion, knowing there are consequences for their actions helps children become responsible.
You might be thinking, "What does this notion of teaching personal responsibility have to do with payments?" Earlier this year, my colleague Dave Lott started the dialogue among those of us at the Risk Forum, and perhaps within some of our readers' circles, when in a post he posed the question "What is the likelihood that similar protections will be extended to consumers here (United States)?" The post was related to the extension of consumer protections in the United Kingdom to combat its growing problem of authorized push payment (APP) fraud.
In August, a UK-based consumer advocate organization called Which? released a research report based on the experiences of 150 consumers related to the Contingent Reimbursement Model (CRM) Code adopted by many financial institutions in the United Kingdom in 2019. The CRM Code has two primary goals: to reduce the occurrence of APP fraud and, for the fraud that occurs, to reduce the impact. Many of these scam payments in the United Kingdom are occurring on their faster payments rail, which was designed to make payments immediate and irrevocable. The report concluded that consumers' experiences with reimbursement for APP scams were mixed. Some consumers were reimbursed by their financial institution after authorizing payments to scammers while others were unable to receive any reimbursements.
The primary payment instrument in the United States today for large-scale corporate APP scams is wire. For consumers, person-to-person (P2P) services such as CashApp, Venmo, and Zelle are being used to scam individuals out of money. All these payments, both business and consumer, are irrevocable. Once the payments leave their accounts, neither the financial institution nor service provider has liability. But should individuals in the United States, like those in the United Kingdom, be afforded protections for these wire and P2P payments if they're scammed? And should these protections also apply to newer real-time payment schemes here in the United States?
My personal belief is that financial institutions or P2P services should not be responsible for people who fall victim to APP scams. Their responsibility should be limited to educating their customers on the rules around these payments and their finality when executed. APP scams are often the result of social engineering campaigns, and I am of the thought that, just as I expect my children to accept personal responsibility for their mistakes, it's fair for consumers to accept their responsibility for making sure they do not become the next social engineering victim. Do you think this is a reasonable approach to these scams and payments? Or should the United States banking industry and regulators move toward a model like the United Kingdom has in place?
September 14, 2020
You've Discovered a Money Mule: Who You Gonna Call?
The movie Ghostbusters is not a favorite of mine, but many people view it as a classic. While we can debate its status as a classic, there is no debate that it has one of the most well-known lines of any theme song in all of Hollywood: "Who you gonna call?"
The lyrics from this song were the recent topic of discussion among my colleagues as I shared with them that a banker had reached out to me about a fraud scheme that affected his customers. As he researched this scheme, he identified the involvement of a money mule using multiple accounts at two different banks to deposit funds from fake or counterfeit checks. His research also led him to a website that appears to be dedicated to hiring money mules to launder money. In this particular case, the banker rightfully contacted the two institutions where the fraudulent funds were deposited to inform them of the scheme and their potential money mule customer.
The banker asked, "What should I do now?" And "Who do I need to call?" After discussing with my Risk Forum colleagues, I made several recommendations to the banker about what to do and whom to contact:
- Contact law enforcement, both the local law enforcement office and the local Federal Bureau of Investigation office.
- File a Suspicious Activity Report with the Financial Crimes Enforcement Network.
- If your financial institution is part of the Financial Services Information Sharing and Analysis Center (FS-ISAC), report the money mule to the fraud intel or payments risk group.
- In addition to reaching out directly to the FBI, file a complaint through its Internet Crime Complaint Center.
- If your financial institution is part of a regional payments association, report the mule to the association as many of these associations send out money mule and fraud alerts to their members.
- Finally, report the suspected money mule recruitment website to the Federal Trade Commission by filing a complaint either through its online system or by calling 877-FTC-HELP (877-382-4357).
Earlier this year, my colleague Dave Lott blogged about efforts by law enforcement officials to crack down on money mules. As the example I'm describing here shows, the effort to bring down mules must be collaborative. As part of this collaborative effort, banks and other financial institutions have a critical role to play in identifying mule accounts and sharing this information with law enforcement as well as with each other. To those like the banker who reached out to me and other financial institutions that identify money mules, don't remain silent. In the immortal words of Ray Parker Jr., "If there's something weird, and it don't look good, who you gonna call?" Make the call to law enforcement and others to bring these mules and hopefully the larger criminal organizations behind them down.
July 27, 2020
SNAP Gets Snappier and Offers Ecommerce and Fraud Prevention
In April 2019, the USDA launched the Supplemental Nutrition Assistance Program (SNAP) online purchasing pilot program, which allows participants to purchase groceries online. What began as a two-year pilot program in one state with a gradual rollout to additional states is now available in 40 states (with five additional states granted approval and in the planning phase). The COVID-19 public health emergency, which has made access to online grocery shopping critical, expedited the program's deployment. The USDA also rolled out the Pandemic Electronic Benefits Transfer (P-EBT) program as a SNAP extension. With P-EBT, children in low-income households continued to receive the free or reduced-priced meals that they would normally have received in school during the 2019–20 school year.
This is certainly a positive move toward advancing ecommerce inclusion. However, more ecommerce transactions present more fraud risks and opportunities for criminals. (My colleague Doug King blogged a few years ago about fraud risks SNAP was already experiencing, including trafficking.) To mitigate some of these ecommerce risks, the Department of Agriculture's (USDA) Food and Nutrition Service (FNS), which administers SNAP, has increased security for online EBT card use. SNAP benefits and P-EBT benefits are both delivered on PIN-enabled EBT cards that function like prepaid debit cards. Retailers must use a USDA-approved, third-party processor that offers secure PIN-on-glass entry for online purchases. When customers transact online using their EBT card, they must enter their EBT PIN to complete their purchase. In addition, retailers must successfully meet the FNS's stringent technology and testing requirements.
Unfortunately, these technology and testing requirements to integrate a secure online purchasing environment with the grocer's EBT benefits system are extensive and cannot be done overnight. As a workaround until retailers can fully integrate their systems, the USDA recommends that SNAP customers take advantage of existing services like "pay at pickup," where customers place grocery orders online and pay with their SNAP EBT card when they get their groceries—which allows them to follow both social distancing and ecommerce fraud-prevention guidelines.
The USDA's SNAP Fraud Framework offers states resources to help them proactively identify potential fraud and suggests best practices on fraud prevention and mitigation. You can learn more about the USDA's efforts to manage fraud risk by visiting their website
June 29, 2020
How Do You Love Me? Let Me Count the $$$$
The COVID-19 pandemic has affected everyone's life in some way. Sadly, criminals prey on the chaos created by such situations. We posted back in 2014 about a variety of advance fee scams where victims are duped into sending funds to the criminal, and more recently mentioned these scams in a post about elder financial exploitation. The latest figures from the Federal Trade Commission show that approximately 25,000 consumers reported losses of $201 million in 2019—nearly 40 percent more than in 2018—from romance scams. And this figure is only for reported losses. While the elderly are often a target, victims are adults of all ages and genders. With the social isolation created by the pandemic, romance scams appear to be increasing at a faster pace.
A romance scam often starts with the criminal placing a false profile on an internet dating site. In some cases, the website is completely fraudulent with a large base of false identities, and it collects payment card information for subsequent fraudulent transactions in addition to operating the advance payment scam. After some message exchanges on the dating site, the scammer will encourage the victim to use a private communication channel such as email or text messaging. In the past, the criminal would usually avoid video chats to reveal their true identity. Today, however, these criminal efforts have become increasingly sophisticated. They often have the same person whose photograph they used on the site do these video chats. The criminal will often claim to live or work in a foreign country or at considerable distance from the victim to discourage the victim from visiting. The scammer will often research social media sites to gain more information about the victim's hobbies and interests to help convince the victim that they are "true soulmates."
The criminal tries to deepen the relationship with frequent claims of affection and may even send small-value gifts to the victim to build trust. Once the criminal believes they have the victim "hooked," the financial requests begin. Often it will be a request to send money to pay for medical services for a close relative, or to help the scammer get through some financial hardship. The criminal may also request nonfinancial items, including intimate photographs or videos to be used for extortion later. There may be a request for money or payment card information for the scammer to purchase an airline ticket to come visit the victim, a trip that never happens due to a sudden illness or other excuse.
Education is the key to the prevention or early detection of such a scam. The FTC recommends the following:
- Never send money in any form to someone you haven't actually met. If someone you've met online asks you for money, report it to the Federal Trade Commission (FTC) at ftc.gov/complaint.
- Perform a reverse image search of the person's profile picture to see if it matches with another person's name or if there are other discrepancies. (Some apps provide this service, as does at least one search engine.)
- If you discover that you are, in fact, being scammed, stop communicating with the person immediately, but save the messages.
- If the initial contact was through a dating website, notify the site of the scam.
The Federal Reserve joins with the FBI, FTC, and consumer organizations in helping to educate the public against these criminal activities. Please use any channels you have to spread this educational effort and clean up this slimy activity.
Now go wash up.