How Zelle, banks combat real-time payment fraud
For bankers and network providers, it's a given that moving to a real-time payment system will lead to an increase in fraud attempts.
Banks have at times reported double-digit basis-point spikes in fraud after adopting such a system, and one banker recently said that soon after his firm launched Zelle, fraud skyrocketed so high he had to go into the office at midnight to shut the system down.
What's been unclear until now is how Zelle and other real-time payment providers are fighting back against such efforts. Banks and their vendors are adding additional security controls to try and detect bad actors quickly and take them out before they do significant damage.
"With everything we do, we think about fraud," said Scott Bellomo, senior vice president and payments manager at PNC Bank. "And we know the fraudsters out there love to target new payment types."
PNC began using The Clearing House's real-time payment network last December as part of a beta program. So far, the Clearing House has not seen any fraud, said Steve Ledford, senior vice president of product and strategy. But that may be due to the fact that the real-time payment system, dubbed RTP, went into production in November 2017 and transaction volumes are low.
Yet fraud remains a concern. PNC runs every transaction through a series of algorithms to make sure neither party is on the Office of Foreign Assets Control list and to determine whether the payment is similar to historical transactions. The Clearing House also screens each transaction, with the help of a security partner.
“That doesn’t mean everything is perfect out of the gate on day one, but it does mean we’ve got significant focus on any type of fraudulent activity,” Bellomo said.
The Clearing House has a plan in the works to send the sender of each payment a note with the recipient’s name on it, to make sure it’s the person to whom they want to send money.
Zelle, meanwhile, warns each new adopter up front that their attack rates will be highest at launch, according to Donna Turner, chief fraud policy and control officer at Early Warning, the company that runs the Zelle network.
“Be careful not to get consumed with the rates,” Turner says she tells Zelle members. “Pay attention to the magnitude and don’t let the rates distract you from the discipline. That discipline is you have to live in fraud risk management every day — preventing fraud, detecting fraud, resolving fraud, because it’s going to happen, you’re in the payments business, learn from it."
Turner advises banks using Zelle to dissect the observed fraud and find out who is doing it, what controls aren’t effective enough, and analyze the tradeoff in expense, experience, adoption and usage if those controls are ratcheted up.
Early Warning has a long list of items banks need to tick off on a readiness assessment before they can go live on the Zelle network. Roughly 30 of those are about fraud.
“The single biggest requirement is, you have to have a real-time fraud engine,” Turner said. “If you’re going to be in real-time payments, you have to have the ability to say yes or no in real time.”
Though Early Warning is at heart a security technology company, it can’t do these things for a bank, Turner said. It does have a team of fraud risk management professionals that teach bank technologists about the types of fraud that can occur and how to detect and prevent them.
Zelle’s bank members report all their Zelle fraud to Early Warning. The company hosts a weekly call in which it reports back to the bank the kinds of fraud it’s seeing on the network. Early Warning also asks bank members to take a closer look at accounts that receive money in fraud incidents (it's up to them to decide whether to shut those accounts down). It blocks the tokens used in fraud so they can’t be used in future attacks.
A dominant form of fraud remains account takeover, according to Turner, which could happen through phishing or some other malware tactic. Zelle banks use stronger authentication, device binding and malware detection tools to try to keep this type of fraud at bay. Some use one-time passwords to improve authentication. Early Warning tries to match the user’s address against what the card networks and the banks have for that person.
"Because of the collaboration between Early Warning and its bank members, fraud rates are lower on Zelle than on any other P2P solution,” Turner said.
Zelle banks are all making a few changes toward further security, Turner said, including messaging a customer sending money to a new contact asking if they are sure about the transaction.
Additionally, by the end of the fourth quarter, banks will start sending users the name of the person they’re sending money to, to help avoid the problem of people sending money to the wrong person by mistakenly typing in an old or incorrect cell phone number or email address. Such efforts can disrupt the delicate balance of security versus convenience, however.
“Years ago, Visa piloted sending an alert on every transaction,” Turner recalled. “What we observed as an industry was consumers became numb to it. We’re trying to be much more intelligent about our alerts so that you pay attention to them, you don’t get numb.”
Last year, PNC reported that fraud on Zelle for a time hit “double digits” in basis points of payment volume, but then subsided to 5 to 6 basis points.
“I’m worried about the fraudster angle more than I’m worried about the Zelle network,” Bellomo said. “Fraudsters are getting slick on social media. Social media has turned into a fantastic way to lure innocent individuals into compromising information, whether it’s Zelle or a different payment type.”
Bellomo also points out that there is “fuzziness” around perceived versus actual fraud within Zelle. When a consumer falls for a too-good-to-be-true scheme, like $5 tickets to a baseball game, the consumer considers that fraud “when it’s really a bad consumer choice,” he said.
And though account takeover is legitimate fraud, “it’s not Zelle-specific for me,” Bellomo said. “The concern about fraud for me is the way these fraudsters continue to get creative with the methods in which they approach consumers.”
Vetting certain identity elements can help reduce fraud on Zelle, according to David Barnhardt, executive vice president of product at fraud analytics company Giact. He was previously the payment product manager at Early Warning and he has held risk and fraud positions at Bank of America and Wachovia.
“If I’m taking over someone’s account, I’m using their name and date of birth and changing only email address and phone number,” Barnhardt said. “If you look closely you can see that phone number is only two weeks old and that the email address may have existed only a short time. And there’s no social media. So you start to see where something as minute as secondary pieces of information are becoming almost primary. Understanding those details and the metadata behind them are what a lot of companies and banks are starting to have to do because the legacy systems aren’t working.”
In this vein, PNC is trying to get more information about the accounts receiving Zelle payments, Bellomo said.
“Things stick out like a sore thumb,” he said. “If you’re trying to send a $5 million payment to an account that’s been open for two weeks, that gives the bank an opportunity to ask the customer, are you sure you really want to make this payment? Here’s the DNA on the account you’re sending it to. Does this make sense, or do you want to confirm things before we initiate this payment?”
The trouble is, doing this to a consumer or business means the experience becomes less convenient. “We’re trying to balance technology and fraud with convenience,” Bellomo said.
If the enrollment process is too onerous, for example, people can just give up and walk away.
“Our customers say, ‘I’ve got fraud problems, but I’m really concerned about turning away a good customer and having that person not only never come back, but tell their friends and family never to do business with me,’” Barnhardt said. Some banks try to take a picture of the driver’s license and prefill the application while running identity and OFAC checks, he said.
Banks also investigate each fraud perpetrator and shut down their account as fast as they can, Barnhardt said.
“That doesn’t mean they don’t pop up somewhere else, but we don’t ignore that there might be a consumer-based transaction that can be characterized as fraud,” he said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.