The Federal Trade Commission (FTC) has called social media the “golden goose for scammers” noting consumer losses to fraud were far higher on these platforms than any other form of contact. This is in line with data from UK Finance which reported 76% of authorized push payment (APP) fraud originates from online platforms.
With such a high concentration of scams originating on these platforms, it was no surprise when JPMorgan Chase recently announced plans to ask customers if the reason for a Zelle payment originated via a social media interaction. Why is this important? It signals a shift in fraud fighting to include information known only to the customer.
Fighting authorized push payment fraud requires a different approach
In the world of fraud, APP fraud has become the norm. In these scams, a victim is groomed to believe they are interacting with a genuine person and trust they are sending a payment to this person for legitimate reasons. A common tactic used by scammers is the impersonation of trusted entities such as banks, government agencies, or service providers. For instance, a scammer might pose as a bank representative, convincing the victim to transfer funds to a “safe” account due to alleged fraudulent activity. Other common types of APP fraud include romance scams, purchase scams, and investment scams. See the ScamClassifier model published by the Federal Reserve to better understand the different types of scams.
Modern payment services which enable payments to be moved instantly (Zelle, FedNow, RTP, etc.) offer a value proposition to the customer that an authorized payment will move from their bank account to a recipient’s bank account in real time. And, for the recipient, they know the payment represents “good funds” – the payment cannot be reversed. For the vast majority of payments, this value proposition offers very real benefits. But when the recipient is a fraudster, this can cause problems.
Added risk of authorized push payment scams
The financial impact of APP scams is substantial. In 2023, U.S. consumers reported losses exceeding $10 billion to various scams, a significant portion of which is attributed to APP fraud. However, the FTC estimates the real number could be upwards of $158 billion in losses due to underreporting. The real-time nature of modern payment systems, while convenient, leaves little room for error detection or transaction reversal, making APP scams particularly devastating.
In an APP scam, the fraudster lives on the receive side of the transaction. For open loop bank to bank instant payments, the initiating financial institution knows very little about the receiving account. The point is that a consumer – the rightful owner of an account – authorizes a payment. Emphasis on the word “authorize.” In such cases the victim, believing they are conducting a legitimate transaction, gives a clear and undisputed authorization for a payment. This differs from unauthorized transactions where funds are taken without consent. Once the payment is made, reversing the transaction is often challenging as the victim technically authorized it.
The tension between convenience and security
The basis of the bargain for instant payments is the ability for a consumer to make a “good funds” payment 24x7x365. The industry has spent significant marketing dollars selling the value of real time (or near real time) funds availability via these new payment systems. For legitimate payments, these systems deliver on the value. So, how do we deliver the value proposition and keep customers safe?
Customers may not understand the distinction between a transaction that is authorized vs. one that is unauthorized. Rather than try to teach customers the difference, we have invested in educating customers to make them more aware of scams. Individual financial institutions, including Chase, spend significant effort to engage customers and help them protect themselves. Industry resources are available as well.
Regardless of these efforts, scams proliferate. This is why we are seeing efforts by many banks to introduce prompts as close to the payment as possible. One of the tactics shown to reduce customer losses due to fraud is slowing down a transaction. Fraudsters explicitly rely on creating urgency in a payment. Giving a customer the space to back away from a transaction allows them to think clearly about why they are making the payment.
Back to the Chase announcement
What Chase has proposed is a relatively simple change. Ask the consumer if the reason for this payment originated through contact via social media. Importantly, the one question creates a moment of pause by the customer – “Why is Chase asking me this question?” Great question. Why?
The Electronic Privacy Information Center (EPIC) has documented the risk of data leakage via social media, “The more data companies collect about us, the more our data is at risk. When companies hold your data, the greater the odds it will be exposed in a breach or a hack and end up in the hands of identity thieves, scammers, or shadowy companies.”
So, the approach being taken by Chase is a sound one. They are 1) slowing the customer down with an additional question; and 2) attempting to determine if the source of the payment is rooted in a social media interaction. What will they do with the answer? That will be up to them, but I expect they will further slow the transaction down.
A non-technological tool for fraud fighters
Chase is signaling that they are willing to make a proactive attempt to slow things down to protect a customer. An instant payment is only instant once the payment instruction has been issued. FIs have as long as they want BEFORE the payment instruction is issued to determine risks related to the payment. Chase is engaging their customers in an effort to protect those same customers.
Other FIs have employed similar approaches to protect their customers. For example, introducing warnings into the payment flow helped Santander prevent nearly 1,900 customers from falling victim to a potential purchase scam on Facebook Marketplace.
This is a relationship approach acting in addition to technology approaches. Sounds smart to me!