P2P payment apps — including third-party solutions like Venmo and CashApp as well as first-party banking apps — allow users to seamlessly pay each other for informal services and goods and have recently become incredibly popular. Some retail establishments are also adding P2P-enabled payments to their repertoire of contactless payment apps, like Apple Pay or Google Pay.
A report predicted that 1 billion individuals around the world would use some sort of payment app this year and projected this number to grow to 1.31 billion by 2023. This group includes more than 70 percent of Americans, according to the American Association of Retired Persons (AARP).
The ubiquity of these apps belies serious security concerns, however. Fraudsters utilize numerous schemes to intercept these payments or trick app users into paying them directly, and the problem has worsened as the apps have gained popularity. The number of P2P payment fraud victims has increased by 733 percent since 2016, and the total amount of money stolen has likewise risen. There were 1.4 million fewer fraud victims in 2019 than in 2018, for example, but the total cost of these incidents rose by $2.2 billion.
The following Deep Dive explores the fraud methods P2P payment apps and their users face as well as the security measures app providers are deploying.
Payment App Fraud Threats
Account takeovers are one of the most pervasive threats payment app users face. Fraudsters perpetrating these schemes seize control of customers’ accounts and use them to access credit card data or steal funds. Cybercriminals can leverage methods like phishing or brute-force botnet attacks to access users’ accounts, but one of the most common strategies involves purchasing stolen credentials in bulk online. Researchers have found 15 billion such credentials circulating on the dark web, and because individuals typically use similar passwords and usernames for multiple logins, this stolen information can be applied to even greater numbers of accounts.
Other fraudsters forgo infiltrating accounts in favor of tricking payment app users into paying them directly, posing as friends or trusted authorities. These scams have become more sophisticated as app users grow more aware of the practice, and fraudsters are getting more creative. The Better Business Bureau (BBB) recently warned users about a new scam that is gaining popularity. Users receive seemingly innocuous messages asking for the return of accidental payments, at which point victims notice deposits of several hundred dollars in their accounts and return the money in good faith. These funds come from stolen credit cards, however. After scammers send money to victims, they swap the stolen credit card details for their own and link those to their P2P accounts. The stolen money then goes into the scammers’ bank accounts while funds are removed from the victims’ accounts, costing victims that amount when the owner of the stolen credit card seeks reimbursement.
The ongoing pandemic is allowing such scams to become even more pervasive, and fraudsters are capitalizing on consumers’ fears and economic uncertainty by posing as people in need, businesses selling personal protective equipment or government officials promising stimulus checks. The AARP estimated that Americans had lost $13.4 million to COVID-19-related payment app scams as of April.
How Apps Fight Financial Crime On Their Platforms
Protecting payment apps from crime thus falls on the apps themselves as well as their users. One of the most effective tools that apps can deploy against account takeovers is multifactor authentication (MFA), which requires users to enter secondary validation measures — such as emailed security codes or biometric fingerprint scans — in addition to their passwords. These authentication methods can stop potential bad actors cold, making the passwords they steal from data breaches useless on their own. Studies have found that using MFA can prevent more than 99.9 percent of attacks that utilize stolen credentials.
Payment app users also have to take security into their own hands. The first step is often fixing poor password hygiene. A recent study from data analytics firm FICO found that only 37 percent of bank customers use separate passwords for different accounts, for example, while 22 percent use two to five passwords across all their online profiles. This represents a massive security risk, as a data breach that compromises a single account could give fraudsters access to any other account using the same password. App users should also be wary of transferring funds to strangers and report suspicious transactions to the apps’ security teams.
P2P payment apps are revered for enabling the convenient and seamless transfer of funds, despite security worries. App developers and users therefore need to up their security games to ensure that these apps retain their usage well into the future.