Credit-Push Fraud: Recognizing the Signs

If you feel like it’s hard to stay on top of payments fraud trends these days, you would not be alone. The introduction of any new payment instrument opens the opportunity for criminals to dupe the system, organizations, and consumers.

One trend to watch—Credit-Push Fraud (CPF)—has become increasingly concerning and can be tricky to detect. It is important to understand the associated scenarios to quickly identify potential fraud and develop a proactive stance for protecting customers, employees, and your bank’s bottom line.

Credit-Push Fraud uses social engineering and email phishing attacks to deceive someone into sending funds to a criminal-controlled account. One good resource that broadly outlines CPF and offers steps for identifying and combatting the trend is Nacha’s recently released guidebook, “A New Risk Management Framework for the Era of Credit-Push Fraud”. Nacha’s Michael Herd states that “improved information sharing can counter fraud by improving awareness and understanding of fraud scenarios, enabling communication and recovery between parties regarding specific instances of fraud (paymentsjournal.com).”

CPF continues to dominate in the faster payments space with its expectation of quick turnaround and dependence on digital connections. Below are the four most prominent CPF scenarios, and how to protect against them, as outlined by Nacha.

Payroll Impersonation Fraud, characterized also as ghost employee fraud, employee misclassification fraud, or employee falsification fraud, occurs when cybercriminals hack employee records or access company portals using phished credentials to create a false identity. Much effort is made to identify an employee that has access to payroll and related accounting-type activities to redirect paychecks into a criminal-controlled account.

Best Protections: Tighten scrutiny over direct deposit changes and systems access, utilize multi-factor authentication for accessing sensitive employee records and details, and increase employee education for awareness and red flags.

Vendor Impersonation Fraud, also classified as Relationship and Trust Fraud by the Federal Reserve, takes place when fraudsters convince government agencies, service organizations, and third-party vendors to make payments to the fraudster’s account. Smaller businesses and vendors tend to fall prey to this fraud type, whereby internal protections may only be stopgap measures.

Best Protections: Authenticate all payment change requests using known contact information, separate internal oversight between current and new vendors, and maintain stringent policies for vendor address and direct deposit changes.

Business Email Compromise Fraud (BEC) occurs when an email of someone holding authority within a company (normally C-Level personnel) is compromised and a request for funds is sent to a trusted internal party. Also classified as Relationship and Trust Fraud by the Federal Reserve, BEC fraud can be very damaging to a company, given current focus on the digital space, quick money movement, and reliance on email communications to conduct daily operations. Fraudsters conduct BEC fraud using techniques such as spear-phishing, wicked malware, and slight changes to legitimate email and company addresses.

Best Protections: Be cautious of urgent requests, verify (in person when possible) every request for personal payments or fund transfers, set up and never disable two-factor authentication, and scrutinize email address formats, company URLs, and phone numbers.

Account Takeover Fraud (ATF) occurs when a fraudster gains access to all necessary account information and then conducts transfers into their own accounts or accounts funded for unscrupulous purposes. ATF can wreak havoc in many ways, but criminals with legitimate credentials can deplete accounts quickly and move on before raising suspicions.

Best Protections: Engage and never disable multi-factor-authentication on all accounts, stay mindful of data that is shared online and via social media sites, and never click on links in unsolicited emails and text messages.

Being proactive, aware, and educated is the key to tackling Credit-Push Fraud. Remember, CPF is difficult to detect and funds (pushed or pulled) in most cases are irretrievable. Taking proactive protection measures can help you avoid or mitigate difficult conversations with both your business and consumer customers.