If you ask an AI agent to provide an overview of fraud, the agent surveys existing content and generates a summary. It will accurately tell you that trends to watch include AI-Powered Social Engineering; Identity Theft and Synthetic Identity Fraud; Real-Time Payment (RTP) Fraud; and Supply Chain Fraud [impersonating vendors]. But then in telling you how to manage fraud, it clearly isn’t connecting the dots. What connects all those trends is something Nacha, the organization that governs banks’ and their customers’ use of the $86T ACH Network, has been talking about for years: the rise of Credit-Push Fraud (CPF).

Credit-Push Fraud occurs when malicious actors exploit gaps in organizations’ sophistication or operations to access their deposit accounts and then push out deposits to fraudulent accounts, from which the funds are quickly transferred in order to prevent clawbacks. By “organizations” we mean customers of banks that banks permit to initiate fund transfers (business payments, wires, ACH, etc.). It’s those customers that are the targets and victims of social engineering, identity theft, RTP fraud, and vendor impersonations. CPF is rapidly evolving as fraudsters learn new techniques to dupe customers or penetrate their systems, and rapidly move funds. But the key piece that’s missing in the conversation is: how do we shore up those gaps in customers’ sophistication and operations?

It’s bank customers – organizations like your local school district, doctor’s office, pet supply store… all of them, without differentiation by sector, size or geography – that are now the frontline of fraud prevention. To fraudsters, they’re the front door of the bank, and we need to focus on the customer to close that door.

What is Credit-Push Fraud?

In 2022, Nacha said a new type of fraud had eclipsed debit fraud as the predominant threat to bank account holders. Debit Fraud involves debiting funds from a customer’s or organization’s bank account without obtaining proper authorization from the account holder. For a long time it was Nacha’s main focus, and most of Nacha’s Rules and official Guidelines address this fraud. Many of the tools the industry developed for fraud prevention were designed for debit fraud, including transaction monitoring, measuring return rates, etc. Those are still important tools (debit fraud still exists), but fraudsters have adapted.

In 2022, Nacha said:

“Now, however, the most significant fraud threats to bank account holders involve fraud and scams that result in money being sent out of their accounts using credit payments, including ACH credits, wires, cards, and other instant and digital payments.”

They said this in an article titled “A New Risk Management Framework for the Era of Credit-Push Fraud”; Credit-Push Fraud (CPF) is the name for this new, pernicious trend. In the article, Nacha said that our old Framework (including those solutions mentioned above) doesn’t work for CPF, as fraudsters have developed techniques to circumvent it (such as masking fund payments to look like a customer’s normal practices). To deal with this new fraud, Nacha said we needed to evolve in two key ways:

  • Better information sharing (and more information)
  • “All participants” in payments must work together

To combat this fraud, we need to focus on the bank customer as the target and primary victim. For proactive fraud prevention, we need both information about their sophistication and operational gaps and their assistance in monitoring for fraud. In other words, we need to empower the customer to be the fortified front line against fraud, while obtaining data about their operations that banks can use proactively to identify points of high risk across their customer networks.

What’s an example of Credit-Push Fraud?

There are many ways fraudsters exploit organizations’ gaps in sophistication and operations to access their deposits. As listed above, they use social engineering (phishing, vishing, etc.) to steal banking credentials, they pose as employees or vendors requesting payment to “a new bank account,” they impersonate managers (such as via business email compromise, or BEC), and they increasingly use AI-generated voices for all of the above. They also use old-school penetration and account takeover. Here’s a classic (and true) example:

Fraudsters hacked into an organization and watched their payment routines. As soon as the CEO left on vacation, the fraudsters sent an email in his name to the CFO (business email compromise) saying, “My wife and I have gone on a cruise, but I need you to transfer some funds for an acquisition we just made, in three payments of $700,000 spaced one week apart. You can’t reach me, but I’ll be checking in.” Not catching the pretense, the CFO followed through.

To the bank, these were valid payment orders from their client, and the amounts and cadence were not extraordinary for the organization. By the time the CEO checked in, over $2M had been sent through a series of foreign bank accounts and was lost.

It wasn’t the bank’s mistake, but the customer, facing ruin, blamed the bank and threatened a lawsuit. Facing the prospect of reputational harm and loss of an important customer, the bank covered much of the loss.

It’s important to note: this could all have been avoided if the customer had the right practices in place—verification and dual control, not to mention training on social engineering techniques used by fraudsters.

Net effect: fraudsters take advantage of gaps in customer sophistication and processes that are invisible to their banks.

Do you have a strategy for Credit-Push Fraud?

It’s critical for your bank to begin to ask: how do we sensitize and empower customers to manage the risk of their operations, and enable bank staff to manage that remote operational risk in a proactive, targeted, efficient and effective way? As you go through this journey, Nacha’s Credit-Push Fraud Monitoring Resource Center offers relevant content and links to providers that help with these issues. Among them, LexAlign uniquely addresses the customer layer of Credit-Push Fraud prevention.

To learn more about LexAlign’s role in fraud prevention, schedule a demo here.
