01/29/2024
The Cold Reality of Authorized Push-Payment Fraud
Federal Reserve Bank of Atlanta
I started teaching payment rules, compliance, and risk management in 2007. Back then I used to describe credit-push payments as warm and fuzzy. Everyone likes a credit hitting their account. For the most part, the people I was teaching worked in bank operations. Very few of their problems had to do with credit-push payments (wires and direct deposits via ACH). Curricula tended to focus on debit-pull payments, the long list of return codes that accompany them, and how Regulation E
works.
It is a new year and the days of warm and fuzzy credit-push-curricula are but a memory. The shift started happening around 2013, or at least that is when the FBI coined the term “business email compromise” (BEC) as reports of the scam started piling in. BEC scams vary in tactics, but the goal is the same. A fraudster convinces a company's employee to send credit-push payments to an account where the fraudster can access the funds. Reported losses attributed to BEC scams have so far totaled more than $50 billion. It is clear to see fraudsters still like the scheme, and it is not that hard to trick one human being.