# Manage fraud

Learn best practices for managing fraud as a financial account platform.

Effectively managing fraud is essential because your platform might be liable for specific losses resulting from fraudulent activities. This guide outlines common types of fraud, including Authorized Push Payment (APP) scams, and provides recommendations to help protect both your platform and your customers.

These recommendations aim to enhance Stripe’s anti-fraud systems without transferring any of Stripe’s legal or regulatory obligations to you. With your deep understanding of your customers, you play a critical role in protecting against fraud. By implementing the suggestions in this guide, you can significantly reduce the risk to your platform.

## Money Movement

When you make or receive payments into a financial account for your platform or connected accounts, you typically use the Faster Payments Service (FPS). Payments usually arrive within minutes and you can’t recall them after you send them.

As a platform, you must monitor how connected accounts use their financial accounts. Stripe Treasury for platforms follows the same workflows as Stripe Connect to help you get connected accounts up and running, including various KYC and compliance requirements. Your platform can be held liable for fraud losses and disputes arising from connected accounts.

## Fraud risks

Treasury for platforms categorizes fraud into three main types:

- **Business fraud**: Someone creates a connected account to commit fraud, or a previously legitimate business engages in fraudulent behavior.
- **Account takeover (ATO) fraud**: A third party compromises a legitimate connected account owner’s login and takes unauthorized actions on their account.
- **Authorized push payment (APP) fraud**: Someone creates a connected account to receive FPS payments for fraudulent purposes, or a legitimate connected account owner sends FPS payments to a fraudster.

### Business fraud

Business fraud can occur when a business opens a financial account with the intent to commit fraud or, after operating legitimately for a time, starts using its financial account to engage in fraudulent activities.

- A fraudster might receive or request funds from another person’s bank account, claiming to provide certain goods or services, but then fails to deliver those goods or services.
- The fraudster quickly withdraws the received funds to an external account. If the legitimate account holder disputes this, your platform might incur financial losses.

While Stripe conducts KYC to assess a new account’s risk profile holistically, you can further verify the legitimacy of an account, significantly reducing your platform’s risk exposure.

### Account takeover (ATO) fraud

Account takeover (ATO) fraud occurs when an unauthorized third party gains access to a connected account, and it can happen at any point in a customer’s lifecycle. Typically, the fraudster takes unauthorized actions on the account with the motivation of financial gain. The most common action taken by the attacker on a financial account is transferring funds to an external bank account linked to them.

Here are some actions you can implement to protect against account takeovers:

- Use appropriate access controls, such as two-factor authentication (2FA), on all connected accounts.
- Educate connected accounts about phishing and the importance of not sharing their 2FA codes.
- Enforce unique password policies.
- Collect device and IP address information to ensure it matches the characteristics of the connected accounts and isn’t accessed from outdated devices or unfamiliar IP addresses.
- Monitor IP activity for logins from previously unseen locations or hosting providers.
- Implement 2FA challenges where appropriate, such as for changes to account owner details or other significant actions.
- Monitor connected accounts for unusual activity, such as transfers that deplete the entire financial account balance.

If you suspect that an account has been taken over, contact Stripe to revoke the connected account’s capabilities, expire existing login sessions, and disable login access.

After restricting the account, collaborate with the original account owner to verify their entitlement to access and restore their account. Remediation typically involves calling the phone number associated with the customer before the takeover and verifying various pieces of personally identifiable information (PII) with them. After you confirm the customer’s identity, assist them with resetting their password or 2FA device (if it was changed during the takeover), re-enable login access, and reinstate any financial account capabilities that were previously restricted.

You might be liable to reimburse any transactions that occurred while the account was subject to a takeover.

### Authorized push payment (APP) fraud

APP fraud is a type of business fraud that platforms in the United Kingdom must actively manage. Authorized Push Payment (APP) fraud can occur when a connected account receives FPS payments for fraudulent purposes (a subset of business fraud) or when a connected account owner sends FPS payments to a fraudster.

Here are some examples of APP fraud:

- **Invoice or mandate fraud**: An email from a “supplier” with new bank details.
- **Romance scams**: A request for payment from a fraudulent person (for example, for a flight ticket).
- **Investment scams**: Fake crypto or bond websites.
- **CEO fraud**: Fake message or email from management asking to pay an urgent bill.

To protect your users, you can:

- Provide payment warnings or a waiting period for new payees.
- Set daily FPS limits based on intended use cases.
- Educate users with anti-scam tips included in monthly statements.

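The first two APP protections above (a warning and waiting period for new payees, and a daily FPS limit) can be enforced as a gate in front of every outbound payment. The sketch below is an added example, not Stripe code: the 24-hour hold, the limit value, the `AccountState` record and the `review_outbound` function are all assumptions, and amounts are in pence.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy values; set them per the account's intended use case.
NEW_PAYEE_HOLD = timedelta(hours=24)
DAILY_FPS_LIMIT_PENCE = 500_000  # GBP 5,000

@dataclass
class AccountState:
    # payee identifier -> time the payee was first seen (hypothetical store)
    payees: dict = field(default_factory=dict)
    # (timestamp, amount_pence) for FPS payments already released
    sent: list = field(default_factory=list)

def review_outbound(state, payee, amount_pence, now):
    """Return (decision, reason); decision is 'allow', 'warn_and_hold' or 'block'."""
    # Rolling 24-hour spend, counted only over payments that were released.
    day_ago = now - timedelta(days=1)
    spent = sum(amount for ts, amount in state.sent if ts > day_ago)
    if spent + amount_pence > DAILY_FPS_LIMIT_PENCE:
        return "block", "daily FPS limit exceeded"

    first_seen = state.payees.get(payee)
    if first_seen is None:
        # First payment to this payee: record it and start the waiting period.
        state.payees[payee] = now
        return "warn_and_hold", "new payee: show scam warning, start waiting period"
    if now - first_seen < NEW_PAYEE_HOLD:
        return "warn_and_hold", "payee still inside waiting period"

    state.sent.append((now, amount_pence))
    return "allow", "ok"
```

Because FPS payments can't be recalled after they are sent, the gate has to run before the payment is submitted, not as an after-the-fact review.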
### Fraud remediation

When you suspect fraud, take the appropriate actions to minimize financial loss and prevent further fraudulent activity. Fraud remediation involves two main steps:

1. Stop the immediate damage.
2. Build long-term solutions to mitigate future abuse.

Here are some important steps to take when you identify fraud:

- Block all funds flows and money movement for the affected account. Contact Stripe to remove capabilities for the connected account.
- Determine why the fraud and risk controls didn’t identify the issue and make sure that you implement additional preventive measures. Fraudsters typically exploit gaps in risk systems until those gaps are successfully addressed.
- Identify any other accounts exhibiting similar fraudulent behavior. When you identify one case of fraud, make sure that you verify whether the same type of fraud is occurring elsewhere. This helps prevent fraudsters from creating new accounts and repeating their actions, enabling you to get ahead of lagging signals, such as disputes, and discourage fraudulent activity by minimizing their gains.

### Monitoring

We recommend using the following metrics to help guide the identification and measurement of fraud among your Treasury for platforms customers.

#### Lagging metrics

- Rejection rate on financial accounts compared to other accounts over time.
- Total acquiring losses on financial accounts.
- Percentage of financial accounts that have incurred losses.
- Total loss per account on financial accounts compared to other accounts.
- Time taken to incur acquiring losses on financial accounts versus other accounts.

#### Leading metrics

Monitoring leading metrics can help you proactively identify potential fraud trends before they escalate. Here are the key leading metrics to track:

- Sign-up rate over time for financial accounts compared to other accounts.
- Transfer amount anomalies:
  - New connected accounts with a high volume of [received credits](https://docs.stripe.com/treasury/connect/v2/moving-money/fund-a-financial-account.md#monitor-received-credits) (excluding acquiring payouts) in the first 30 days.
  - Low acquiring processing volume paired with a high volume of ReceivedCredits.
  - List of accounts that receive significant credits followed by [OutboundTransfers](https://docs.stripe.com/treasury/connect/v2/moving-money/out-of/outbound-transfers.md) that bring the financial account balance to zero.
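
The three transfer amount anomalies above can be computed from an account's money movement history. The following is an added example, not Stripe code and not the Stripe API object schema: the record layout (`created`, `acquiring_volume`, `events`, `kind`, `balance_after`), the thresholds and the sample accounts are all constructed assumptions, with amounts in pence.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds in minor units (pence); tune them to your own portfolio.
NEW_ACCOUNT_WINDOW = timedelta(days=30)
HIGH_CREDIT_VOLUME = 1_000_000
SIGNIFICANT_CREDIT = 250_000
LOW_ACQUIRING_RATIO = 0.10
DRAIN_WINDOW = timedelta(hours=24)

def leading_signals(account):
    """Return the sorted leading-metric flags raised for one account record."""
    flags = set()
    events = sorted(account["events"], key=lambda e: e["at"])
    # "received_credit" events are assumed to already exclude acquiring payouts.
    credits = [e for e in events if e["kind"] == "received_credit"]
    early = sum(e["amount"] for e in credits
                if e["at"] - account["created"] <= NEW_ACCOUNT_WINDOW)
    if early >= HIGH_CREDIT_VOLUME:
        flags.add("new_account_high_credits")
    total = sum(e["amount"] for e in credits)
    if total >= HIGH_CREDIT_VOLUME and account["acquiring_volume"] < LOW_ACQUIRING_RATIO * total:
        flags.add("low_acquiring_high_credits")
    drains = [e for e in events
              if e["kind"] == "outbound_transfer" and e["balance_after"] == 0]
    for c in credits:
        if c["amount"] >= SIGNIFICANT_CREDIT and any(
                timedelta(0) <= d["at"] - c["at"] <= DRAIN_WINDOW for d in drains):
            flags.add("credit_then_drain")
    return sorted(flags)

T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed sample data below
ACCOUNTS = {
    "acct_constructed_new": {
        "created": T0, "acquiring_volume": 20_000, "events": [
            {"kind": "received_credit", "at": T0 + timedelta(days=2), "amount": 600_000, "balance_after": 600_000},
            {"kind": "received_credit", "at": T0 + timedelta(days=5), "amount": 500_000, "balance_after": 1_100_000},
            {"kind": "outbound_transfer", "at": T0 + timedelta(days=5, hours=3), "amount": 1_100_000, "balance_after": 0},
        ]},
    "acct_constructed_established": {
        "created": T0 - timedelta(days=400), "acquiring_volume": 5_000_000, "events": [
            {"kind": "received_credit", "at": T0, "amount": 300_000, "balance_after": 750_000},
            {"kind": "outbound_transfer", "at": T0 + timedelta(hours=1), "amount": 100_000, "balance_after": 650_000},
        ]},
}

if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        print(name, leading_signals(acct))
```

The `credit_then_drain` flag also covers the account takeover signal of a transfer that depletes the entire balance, so one job can feed both reviews.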