P2P (Peer-To-Peer) Fraud Research Guide

P2P (Peer-To-Peer) Fraud Image

Apps like Venmo and Cash App have become so popular that their names are now part of everyday conversations. From "Venmoing" your friend for dinner to "Cash Apping" a family member for help with rent, peer-to-peer (P2P) payment systems have become the norm.

By and large, these services are safe, secure, and easy-to-use ways to transfer funds quickly. In 2022, the total transaction value from P2P mobile payments reached nearly $1 trillion, a full 25% increase from the previous year. By 2028, the P2P payment market is expected to exceed $5 trillion.

Yet, all this growth paints a bright red target for fraudsters. As more people use P2P payment systems, the potential for scams and fraud increases. A recent article published in the PaymentsJournal reported that criminals increasingly target individuals and businesses using these services.

That's why we have created this guide. We want to provide you with the information you need to stay safe when managing P2P payments.

In addition, you'll learn how Fingerprint can help you protect your business from P2P fraud. Our product offers a comprehensive suite of tools to identify and address fraudulent activity. For more information, get a free demo of our product. 

What Are Peer-to-Peer Payments? 

Peer-to-peer payments are digital payments that allow users to send and receive money directly from one person to another without needing a bank or other traditional financial institution. The most popular P2P payment apps include Venmo, PayPal, Cash App, Zelle, and Google Pay. 

P2P payments offer several advantages over traditional payment systems. These include: 

  • Convenience – P2P payments allow you to quickly and easily transfer money without dealing with a third party. 
  • Low Fees – Most P2P payment services charge minimal fees or sometimes no fees at all. 
  • Fast Transfers – Funds can be transferred in minutes instead of days or weeks. 

To understand why these platforms have advantages, we must look at how the traditional banking system works. 

Swift explains that payments are sent via a correspondent banking network in traditional banking. This chain of banks sends funds from one to the next until they reach their final destination. 

When a wire transfer is initiated, the debtor agent sends money to an intermediary bank before moving on to the creditor agent, who transfers it to the beneficiary account. During this process, various fees are incurred, and wait times can be several days or longer. 

Cross-border payments add further complexity as international transactions involve different currencies, regulations, and protocols that can take even longer to process. Many local settlement systems only update account balances within operating hours. 

Compliance checks and other regulatory requirements can further prolong the process. Not to mention, low data processing speeds can cause delays. By comparison, P2P payment services can save users time and money. With the help of high-speed networks, P2P payments are usually settled within minutes.

How Do P2P Payment Services Work?

Most P2P payment services don't use their payment infrastructure. Instead, they rely on large, established networks to handle the money transfers. For example, Zelle and Venmo both use Visa Direct. Visa Direct allows financial institutions to connect to Visa, access information, and push payments directly to Visa card accounts.

When a customer wants to send a payment using Visa Direct, the request is routed through the Visa network to the recipient's financial institution, which then processes the transaction and credits the funds to the recipient's account.

This network is built on top of a messaging system that allows financial institutions to communicate with each other and exchange information about transactions in real time. This allows Visa Direct to provide customers with immediate payment confirmation and ensures that the funds are available to the recipient immediately after initiating the transaction.

Additionally, Visa Direct incorporates advanced security measures to protect against fraud and unauthorized transactions. For example, the service uses encryption to protect the sensitive payment information transmitted between financial institutions and employs fraud detection algorithms to identify and prevent fraudulent transactions.

Venmo uses something other than Visa Direct for its payment rail, however. It also uses Automated Clearing House (ACH), the U.S. payments network, for transferring funds from one bank account to another. Similarly, Zelle uses an ACH-backed system that allows users to securely send and receive money directly between accounts at different banks. 

ACH is operated by the National Automated Clearing House Association (NACHA) and is used to process a wide range of financial transactions, including direct deposit of paychecks, automatic bill payments, and government benefits.

ACH transactions are initiated by the sender, who provides the necessary payment information to their financial institution. The financial institution then creates an ACH entry, a standardized electronic record containing the payment information and routing instructions. This ACH entry is then sent through the ACH network to the recipient's financial institution, which processes the transaction and credits the funds to the recipient's account.

The batch processing system ACH uses can be slow, which is why P2P payment apps use a combination of payment rails to allow users to send and receive payments in real-time.

By leveraging existing payment networks, P2P companies can accelerate time to market and provide more reliable services than if they had built their infrastructure. 

The most popular P2P payment services are Venmo, PayPal, Cash App, Zelle, Google Pay, and Apple Pay.

Venmo

Venmo was founded in 2009 and acquired by PayPal in 2013. While PayPal focuses more on business-to-business payments, Venmo focuses on peer-to-peer transactions. It's available on iOS and Android devices and can transfer money to friends, family, and businesses.

In 2021, Venmo processed $230 billion in payment volume across over 80 million users. Venmo is experiencing solid year-over-year growth and, alongside PayPal, is one of the largest P2P payment companies.

A number of Venmo fraud tactics are on the rise. According to a study by the Better Business Bureau, the average victim of Venmo fraud loses $700 - a significant amount for a personal transaction.

One common scam involves sending a supposedly "accidental" transaction and asking the recipient to pay back the sum. In one example, a landlord received a Venmo refund request from a fake account with the same name as the renter, claiming they paid with the wrong card. On Venmo, many transactions are public, so scammers can easily view transaction details to set up a fake account and come up with a reasonable request.

In another example, a consumer sold a mirror for $30, and the buyer 'accidentally' sent a $900 transfer, requesting the $870 difference to be returned. In reality, the credit card first used was stolen, and the buyer changed their account details to get the $870 refund back to their account. The scammer left with $870 in their pocket, and the seller lost their money (and their mirror).

Another common fraud type involves analyzing the victim's social media accounts. Scammers can use the information to set up a fake account with a name and profile picture matching one of the victim's friends or family members. They then send a transaction to the victim, asking for help with an emergency. 

PayPal

Established in 1998, PayPal has over 400 million users, making it the most widely used P2P payment service. Similar to Venmo, it's available on iOS and Android devices and can transfer money to friends, family, and businesses. 

In 2021, PayPal processed $1,250 billion in total payment volume, more than five times that of its subsidiary, Venmo. Business accounts for a large part of PayPal's revenue. However, there is also significant fraudulent activity targeting business accounts. 

In 2022, PayPal reported that 4.5 million accounts were "illegitimate," meaning they were created using stolen or fake information.

Fraudsters use several tactics to target PayPal accounts, ranging from phishing emails and fake invoices to malicious software and phony customer service lines. As with Venmo fraud, a few common scams to look out for include: 

  • An email that appears to be from PayPal asking for sensitive information such as passwords, bank account numbers, or credit card details.
  • A buyer sends too much money and asks the seller to provide a refund for the difference.
  • A seller requests payment through PayPal but then asks the buyer to send money via a different method. 

While PayPal has measures to protect users from fraud, its security is far from foolproof. It's challenging to find comprehensive figures on PayPal fraud, but Action Fraud (U.K.'s national reporting center for fraud) found that PayPal fraud victims lost over £1 million in just three months in 2021. Extrapolating from this, PayPal users in the U.K. alone are estimated to lose nearly £4.5 million annually to fraud.

The U.K. market represents a small fraction of PayPal's global user base. It's difficult to estimate the total cost of PayPal fraud worldwide, but it's likely in millions of dollars.

Cash App

Block Inc., formerly Square, launched Cash App in 2013 to compete with the previous two platforms. It differs from Venmo and PayPal in that it's more of a one-stop-shop fintech app that offers debit cards, investing in fractional shares of stocks and cryptocurrency, and the ability to file taxes at no cost.

Viral marketing efforts have brought tremendous success for the P2P payments newcomer, which is now nearly as big as Venmo. With this success, however, comes increasingly sophisticated fraud schemes.

For example, one of Cash App's favored marketing plays is to run sweepstakes and giveaways on social media. Fraudsters take advantage of this by posing as Cash App representatives and asking users to send a small payment to "verify" their eligibility for a prize.

Fake Cash App customer service numbers also dot the internet, purporting to assist with Cash App accounts and transactions. When contacted, the individuals on the other end of these numbers will ask for personal information such as Social Security numbers or bank account details in an attempt to hack into user accounts.

Many of these Cash App scams share a common thread of romantic or emotional stories that appeal to the victim's empathy. This is why it's crucial always to verify the identity of the person you're dealing with before sending any money.

Any request for a large transaction over Cash App is suspect, as the application doesn't offer meaningful buyer protection for large purchases or investments like Venmo and PayPal do. While an individual user may feel like they're helping out a friend in need, they're more likely to reward an automated bot for the hard work of a sophisticated fraudster.

Zelle 

Zelle was founded by Early Warning Services in 2016 to make digital payments more accessible and more secure for individuals. The founding members of the network included the likes of Bank of America, Capital One, Citi Bank, JP Morgan Chase, Morgan Stanley, and Wells Fargo. 

Those are big names in the financial industry, and their involvement gives Zelle legitimacy. In 2021, consumers and businesses processed nearly half a trillion dollars in payment volume over the Zelle network.

As with any P2P payment service, however, fraud is a genuine concern. Zelle's strong network of banks hasn't stopped criminals from targeting users. Zelle has been called the "preferred tool of fraudsters." 

Data shows that in 90% of cases, victims of fraud are not refunded by Zelle, which is partly why Congressional members have called for better protection. Still, those members should be aware that all P2P payment services should be used cautiously, regardless of the company behind them.

Common Zelle scams include: 

  • Phony customer service lines pretending to be Zelle's support team. 
  • Messages claiming that a payment was sent when it wasn't.
  • Fraudulent emails pretending to be from Zelle, potentially spoofing a legitimate sender's address, asking for sensitive information such as passwords or bank account numbers. 
  • Fake websites that look like a bank's website but send your information to a scammer. 

In one case, a Florida woman was defrauded $2,500 by a scammer claiming to have a rental available. She was not refunded and turned to the media to tell her story. Calling Zelle "a highway to steal," the publication isn't wrong. Research estimates that Americans will lose $255 million this year to Zelle scams.

Google Pay 

Google has long attempted to break into the payments space, with its first offering, Google Wallet, launching in 2011. However, in 2017, the company finally succeeded with its current P2P payment service, Google Pay, which is part of Google Wallet.

Users can add credit or debit card information, COVID-19 vaccination cards, loyalty cards, travel receipts, event tickets, and other documents to their Google Wallets accounts. Google Wallet is available for Android and iOS devices and supports over 50 countries. By default, new Android phones automatically include the Google Wallet app.

The ubiquitous nature of Google Wallet means it's a popular target of scams. A common form of fraud involves phishing emails or texts claiming to be from Google Wallet asking users to download a fraudulent application.

These emails and text messaging are often compelling, containing Google logos and other official-looking details. Upon clicking the link in the email, victims are taken to a malicious application that looks incredibly similar to Google Wallet's legitimate app. Then, any transaction or other information the victim enters into the malicious application is immediately stolen and sent to the fraudsters.

Apple Pay

Neither Apple nor Google are payment companies, but their payment platforms have become popular enough to deserve mention.

Apple launched its P2P payment service, Apple Pay, in 2014. Available on iPhone, iPad, Mac, and Apple Watch devices, users can link their debit or credit card information to the service and use it to make payments. Apple Pay is easy to use; users hold their device near the merchant's contactless reader with Touch ID or Face ID enabled. 

The popularity of Apple Pay as a payment platform also makes it a prime target for fraudsters. Apple Pay scams come in many forms, ranging from stolen credit cards to peer-to-peer digital wallet fraud.

Using stolen credit cards is a common form of an Apple Pay scam. While online retailers rely on tools like "Verified by Visa" to ensure the person making the purchase is the same person whose credit card is used, criminals can sidestep these measures by using Apple Pay to make in-store purchases in person. Moreover, these stolen credit cards can be bought for as little as $2 on so-called "carding" sites, making it easy for fraudsters to access.

Another form of Apple Pay scam is Apple Cash fraud. Apple Cash is a feature that allows you to send money to other Apple Pay users. Unfortunately, Apple Cash is a peer-to-peer digital wallet, so it doesn't offer buyer protection like credit cards. As a result, federal laws that cap your liability for credit card fraud don't apply to digital payment systems like Apple Pay.

Another common scam is the fake iTunes invoice. Victims receive an email claiming to be from the iTunes Store with an invoice attached. The invoice asks users to verify their accounts by clicking a link, which leads them to a malicious website and ultimately steals their information.

The prevalence of Apple Pay scams concerns users, who may be unaware of the risks associated with digital payments. Apple unveiled its new Apple Card in 2019, a credit card linked to the Apple Pay platform. While it's too early to tell if the Apple Card will successfully combat Apple Pay scams, it could offer users a more secure and reliable payment platform.

What Are the Benefits of Using P2P Payments?

Walking around with coins and notes in your pocket is increasingly becoming a thing of the past. The convenience and speed of P2P payments propel us towards a cashless society, with more and more countries embracing this trend.

P2P payments are central to daily life from New York to London to Singapore. Whether you're boarding a train, buying a coffee, or using a buy now, pay later service, P2P payments are accepted everywhere. Even businesses that want to pay for their employees and vendors more quickly and conveniently are turning to P2P payments.

In the U.K., studies estimate that just 9% of all payments will be in cash by 2028. Fueled by the pandemic and the emergence of contactless cards, mobile phone payments, and digital wallets, P2P payments are seeing their popularity grow.

Even governments are shying away from physical cash. After all, cash nowadays is increasingly associated with fraud and money laundering. As a Harvard analysis explains, the $100 bill represents the large majority of money in circulation, although it's rarely used for legitimate transactions. 

However, not all countries have jumped on the bandwagon. Germany is a notable example of a country that has yet to embrace the shift toward a cashless society fully. Despite the availability of P2P payment options, many Germans still need to be made aware of financial technology and prefer to use cash due to its security and control.

This hesitation inconveniences those accustomed to using P2P payments, as anyone traveling in Germany will find that many businesses do not accept them. In addition, it means missing out on the economic benefits of P2P payments and their power to drive economic growth. 

The shift towards a cashless society is a trend that cannot be ignored and comes with many benefits. 

The Risks of Using P2P Payments 

While P2P payments offer many advantages, the risk of fraud should not be underestimated. As we've seen, fraudsters are actively targeting users of these services and will find any loophole they can exploit.

Still, this activity is more of an artifact of criminals' changing tactics than an inherent flaw in P2P payments. Cash-based fraud is just as common, after all. Just look at the amount of counterfeit currency circulating the globe: It's estimated that upwards of $147 million counterfeit U.S. Dollar notes alone.

The best way to protect yourself is to be aware of the risks associated with P2P payments. We can categorize them into four main categories:

  1. Financial risks
  2. Reputational risks
  3. Legal risks
  4. Security risks

Financial Risks 

The primary financial risk associated with P2P payments is the potential for fraud. This can include stolen credit cards, spoofed emails or texts, and fake accounts, all of which can be used to steal money from unsuspecting victims. 

Unfortunately, P2P payment companies often refuse to reimburse victims of fraud. Unlike credit card companies, they generally don't have the same obligation to do so. As such, it's essential to be vigilant and only send money to people you know and trust.

These financial costs reach beyond just fraud, however. Many P2P services charge fees when you send or receive money. These can range from a flat fee to a percentage of the sent amount and can add up quickly.

Reputational Risks 

Another risk associated with P2P payments is reputational damage. If a user suspects they've been scammed, they may go public with their story, creating negative press coverage for the company behind the service. This could damage their reputation and lead to a decrease in service use.

Additionally, if a user falls victim to fraud, they may not be willing to use the service again out of fear for their safety or financial security. 

The reputational risk is two-sided. Consumers, too, take on risks. If a fraudster can access the consumer's account, they can use it to make transactions in their name and potentially tarnish their reputation.

This could include making false refunds or purchases, sending messages or pictures on your behalf, or any other action that could be seen as inappropriate or illegal. In addition, the details of these transactions may be publicly visible, so the risk of reputational damage is even greater.

In addition to financial and reputational risks, there's also the potential for legal risk. If you make a payment to an individual or business that fails to deliver the goods or services promised, you may not be able to hold them accountable in court.

This is because some P2P payment services don't offer Buyer or Seller Protection programs. With this protection, you may be able to get your money back if something goes wrong. 

Platforms take on significant risks here as well. If a user falls victim to fraud, they may sue the company providing the service for negligence or breach of contract. This could lead to hefty fines, penalties, and potential class-action lawsuits against the company.

Furthermore, if a user makes an illegal transaction – such as sending money to a person or organization on an official blacklist – they may be held liable by law enforcement agencies. 

Security Risks 

Finally, there are security risks associated with P2P payments. Despite the many layers of security put into place by the companies, user accounts can still be hacked or compromised. This could lead to a loss of funds and a breach of personal information.

Bot-based attacks may also be risky, as malicious actors can use automated scripts to access user accounts and send money to themselves. Therefore, making sure your P2P payment service has strong authentication measures in place is essential. Account takeover is one of the primary risks associated with P2P payments, and strong controls can prevent it. 

How To Stay Safe When Making or Receiving P2P Payments 

An attack vector describes how a malicious actor can access users' systems and data. These attack vectors are growing increasingly sophisticated, making it essential for businesses to keep up with the latest security measures.

P2P payment apps have many potential attack vectors that must be addressed. When you search Google or your mobile app store for a peer-to-peer payment app, you're introducing yourself to the potential of stealing your data and money. That's because fake payment apps allow criminals to access sensitive information.

User Awareness

The first step in mitigating these attacks is user awareness. Make sure you're downloading a legitimate payment app by researching the company and its reviews online. Additionally, always use secure passwords that are difficult to guess or hack. Set up two-factor authentication when prompted and consider using a Virtual Private Network (VPN) for increased security.

Once you've downloaded a legitimate payment app, there are other attack vectors you'll need to be aware of. For one, criminals often use malware to intercept or alter payments. It's essential to keep your device free of malicious software and ensure the app you use is regularly updated with the latest security features.

Business Awareness

Businesses, too, need to take steps to keep their users safe. P2P payment apps need safeguards that protect user data, such as encryption and security firewalls. Additionally, businesses must have clear policies and procedures that outline what to do during a data breach.

Man-in-the-middle attacks are becoming more common and pose a significant threat when using P2P payment apps. These cyberattacks occur when a malicious actor positions themselves between two parties attempting to communicate and intercept sensitive data or alter transactions. To mitigate this, businesses should implement authentication protocols and encryption technologies that make it difficult for criminals to partake in man-in-the-middle attacks.

Finally, businesses must always be vigilant when it comes to phishing attacks. These attacks involve criminals attempting to gain access to sensitive information by disguising themselves as legitimate sources, such as the payment app itself. Companies should educate their users on recognizing and avoiding these types of scams and have an appropriate response plan if one is encountered.

P2P payments have revolutionized how consumers transfer money online, but they have cybersecurity risks that must be addressed. By understanding potential attack vectors, businesses can ensure their products and services are secure and protect themselves from malicious actors.

New P2P Payment Scams and Frauds 

As peer-to-peer payments become more popular, fraudsters continue to find new ways to exploit the system. While some scams are variations of old tricks, such as phishing and fake customer service lines, others are more creative. 

Here are five emerging P2P payment fraud types:

  1. Botnet Attacks
  2. Fake Apps
  3. Fake Billing Sites
  4. Card Cracking
  5. Money Muling

Let's look at each of these scams in more detail. 

Botnet Attacks

In 2022, high-severity malware rose 86% from the previous year. Criminals use botnets to deploy malicious code and gain control of thousands of devices at once. Botnet attacks allow fraudsters to set up multiple P2P accounts on different platforms and then transfer funds between them without being detected.

This is so common that bots now generate most Internet traffic. Not all bots are "bad bots," as some are used for legitimate purposes like automated data collection and web scraping. However, criminals use bots to launch phishing attacks, spread malware, and harvest credentials from unsuspecting victims.

Fake Apps

Fraudsters create fake versions of popular payment apps and upload them to app stores or directly distribute them to potential victims. The goal is to gain access to personal information, payment details, or bank accounts so they can transfer funds without being detected. 

These fake apps often have the same interface as the legitimate version but with malicious code embedded within them. They may also contain additional features that make it easier for criminals to steal data.

A fake Google Wallet app made the rounds in 2019, prompting the company to warn its users. Google has a firm policy against fraud and has taken steps to prevent these fake apps from appearing in the Play Store, but newcomers to the P2P payment market may not be aware of the danger.

Fake Billing Sites

Fraudsters create fake versions of legitimate billing websites and use them to convince victims to provide their payment details. These sites usually have a professional design and feature the same logos, layouts, and other elements as the real ones. 

Fraudsters also send phishing emails with malicious links that take users to these fake billing sites. Once on the site, users are prompted to enter personal information, payment details, or both. The fraudsters then use this information to transfer funds to their accounts.

Card Cracking

Card cracking is a type of fraud where criminals use stolen payment card information (e.g., credit and debit cards) to transfer funds into a wallet without the cardholder's knowledge. 

Card cracking is often done as part of a larger scam, like buying a cheap product and "accidentally" sending more money through P2P payments. Criminals then demand a refund for the difference, only for the seller to be on the hook for the total amount when it's discovered that the card was stolen.

Money Muling

A money mule is someone who, often unwittingly, moves funds illegally from one account to another. This money laundering is usually done through a peer-to-peer payment system.

A fraudster may approach a Venmo, PayPal, or other P2P user, saying, "I have a large amount of money from a relative that I need to transfer quickly, but my account is new, so I can't transfer it directly. Could you help me transfer it to your account, and then I will pay you a fee for the service?"

The user transfers the funds, only to discover later that they were part of a scam and now have to deal with the consequences. Victims may be on the hook for legal or financial issues due to their involvement in the crime.

Using Fingerprinting to Reduce P2P Fraud

One way to reduce P2P fraud is through fingerprinting technology, which involves collecting unique identifying information about a user's device. This information is used to create a unique "fingerprint" for each device, which can be used to identify and track users and their devices.

P2P payment companies can use this technology to identify and block fraudulent transactions in real time. For example, when a new user signs up, the Fingerprint of their device can be compared against a database of known fraudsters. The account can be blocked if a match is found, preventing the fraudster from stealing user funds.

Fingerprinting can also be used to identify and block bots, which are often used by fraudsters to automate and scale their attacks. By identifying and blocking these bots, P2P payment companies can prevent them from overwhelming their systems and stealing user funds.

In addition to reducing fraud, fingerprinting technology can prevent other forms of abuse, such as coupon and promo abuse, friendly fraud, and mobile payment fraud. By accurately identifying users and their devices, P2P payment companies can flag suspicious activity and prevent chargebacks.

To learn more about how Fingerprint can help protect your business from P2P fraud, visit our website and sign up for a free demo today.

Share this post