Payment Systems 101: How Money Actually Moves

The $47,000 That Vanished in 72 Hours

Marcus Rivera stared at his screen, trying to understand how a furniture company in Ohio had just lost $47,000 to someone in Eastern Europe.

The transaction looked simple enough. A customer placed an order for office furniture on Monday morning. The credit card was authorized instantly. The warehouse shipped the goods Tuesday afternoon. By Wednesday, the customer had received delivery confirmation.

Then the chargeback hit.

The card's real owner, a dentist in Phoenix, had never ordered furniture. Someone had stolen her card number and used it to furnish an office that didn't exist. The "delivery address" was a vacant lot. The shipping company had dropped the pallets and left.

But here's what puzzled Marcus: the authorization had gone through. The card wasn't reported stolen. The address verification matched. How did $47,000 in merchandise walk out the door before anyone noticed the fraud?

His supervisor pulled up a diagram of the payment flow. "You're looking at this wrong," she said. "You think the card swipe moves money. It doesn't. It moves a promise. The actual money doesn't move for days."

That gap between promise and payment is where $47,000 disappeared.

This story is fictional, but the patterns are real.

Why This Matters

In Fraud 101, you learned that fraud requires intent, deception, and harm. In Common Fraud Types, you saw the variety of schemes criminals use. But to understand why certain frauds succeed while others fail, you need to understand the infrastructure they exploit.

Payment systems aren't just pipes that move money. They're complex networks with rules, timing gaps, and multiple parties, each with different responsibilities. Criminals study these systems obsessively. They know that a wire transfer is irreversible but a card payment isn't. They know that authorization happens in milliseconds but settlement takes days. They exploit these structural features the way a burglar exploits an unlocked window.

This article won't teach you how to catch fraudsters. It will teach you how money actually moves, so you understand what criminals are exploiting when they attack.

The Authorization-Settlement Gap

The Moment of Vulnerability

When you swipe a card, two separate things happen at two separate times.

Authorization happens instantly. The merchant's terminal contacts the card network, which contacts the issuing bank, which checks if the card is valid and has available credit. Within seconds, the bank says yes or no. If yes, the merchant sees "Approved" and hands over the goods.

Settlement happens later. Usually one to three business days later. This is when actual money moves from the cardholder's bank to the merchant's bank. Until settlement completes, the merchant has shipped goods based on a promise, not a payment.

That gap is part of the vulnerability Marcus discovered. The criminal knew the stolen card would authorize successfully because the real cardholder hadn't noticed the theft yet. The merchant would ship the goods, settlement would happen, and the merchant would receive payment. But weeks later, when the real cardholder spotted the charge on her statement, she'd dispute it. The chargeback would pull the money back from the merchant. By then, the goods would be long gone.

Why the Gap Exists

You might wonder why payment systems work this way. Why not move money instantly, like handing over cash?

The answer is mostly historical. Card networks were designed in the 1960s and 70s, when real-time communication between banks was expensive and unreliable. Batch processing made sense: collect a day's transactions, send them overnight, settle the next morning. The infrastructure built around this model is now deeply entrenched.

There are also side benefits that reduce the incentive to change. Batch settlement allows for netting: if Bank A owes Bank B ten million dollars and Bank B owes Bank A eight million, they only need to move two million. Banks also earn interest on funds sitting in accounts during the settlement window. These aren't the reasons the gap was created, but they're reasons nobody is rushing to eliminate it.

Modern real-time payment systems like FedNow and the RTP network prove that instant settlement at scale is technically possible. But card networks haven't rebuilt their core infrastructure to match.

The authorization is a promise: "This cardholder has the funds, and we'll transfer them during the next settlement cycle." That promise is kept - settlement happens and the merchant receives payment. But card payments can be reversed for months after settlement. When a cardholder discovers fraud and files a chargeback, the money gets pulled back. The merchant shipped goods based on an authorization that looked legitimate, received payment, and then lost both the goods and the money when the chargeback hit.

Different Payment Methods, Different Gaps

The authorization-settlement gap varies dramatically by payment type:

The rightmost column matters most. Credit cards give cardholders months to dispute charges. Wire transfers give them nothing. This is why criminals strongly prefer wire transfers for high-value fraud, and why business email compromise attacks almost always demand payment by wire.

The Players and Their Incentives

A Simple Transaction, Seven Parties

When Marcus traced that $47,000 furniture fraud, he found it touched seven different organizations:

1. The cardholder (the dentist whose card was stolen)
2. The issuing bank (the dentist's bank that issued the card)
3. The card network (Visa, in this case)
4. The acquiring bank (the furniture company's bank)
5. The payment processor (handled the technical transaction routing)
6. The merchant (the furniture company)
7. The criminal (who exploited all of the above)

Each party has different information, different responsibilities, and different incentives. The issuing bank knows the cardholder's spending patterns but not what merchants are legitimate. The merchant knows their products shipped to a vacant lot but not that the card was stolen. The card network sees transaction patterns across millions of merchants but can't verify that any specific delivery actually occurred.

Criminals exploit these information gaps. No single party sees the complete picture, so fraud that would be obvious to an omniscient observer slips through the gaps between organizations.

Who Pays When Fraud Happens

The question "who loses money when fraud occurs" shapes the entire payment ecosystem.

For credit cards, liability usually falls on the issuing bank, not the cardholder. Federal law (Regulation Z) limits cardholder liability to $50 for unauthorized transactions, and most banks waive even that. This is why consumers trust credit cards for online purchases. It's also why issuers invest heavily in fraud detection: they're the ones who pay when it fails.

For debit cards, the rules are less favorable. Regulation E provides some protection, but cardholders can be liable for up to $500 if they don't report unauthorized transactions quickly. The money also comes directly from their checking account, causing immediate cash flow problems even if they eventually get it back.

For wire transfers, there's essentially no protection. Once a wire settles, the money is gone. If you wire $50,000 to a scammer, your bank has no obligation to help you recover it. This is why every business email compromise playbook emphasizes urgency: criminals need victims to wire money before they have time to think.

For ACH transfers, there's a middle ground. Unauthorized transactions can be reversed within certain timeframes, but the rules are complex and vary by situation.

The Merchant's Dilemma

Merchants face a cruel paradox. If they decline too many transactions, they lose legitimate sales. If they accept too many, they eat fraud losses.

When a chargeback occurs, the merchant loses the merchandise, loses the transaction amount, and pays a chargeback fee (typically $20-100). Too many chargebacks and they risk losing their merchant account entirely, which means they can't accept cards at all.

This is why the furniture company shipped to an address that, in retrospect, was obviously suspicious. The authorization came back approved. The address verification passed. Declining the order meant losing a $47,000 sale. They took the risk, and lost.

How Different Payment Rails Work

Card Networks: The Dominant System

Visa and Mastercard don't actually move money. They operate the messaging system that connects banks. When you swipe a card, information flows through their network: transaction amount, merchant identity, card number, etc. The network routes this information between banks and enforces rules about how transactions should be handled.

The actual money moves separately, through interbank settlement systems. This separation of information flow and money flow is fundamental to how card payments work, and also to how they can be exploited.

American Express works differently. Amex is both the network and (usually) the issuer. When you use an Amex card, you're borrowing from American Express directly, not from a separate bank that happens to use the Amex network. This vertical integration gives Amex more control over the complete transaction, which generally results in lower fraud rates but also limits which merchants accept Amex.

ACH: Moving Money Between Banks

The Automated Clearing House handles most routine bank-to-bank transfers in the United States: direct deposits, automatic bill payments, and many person-to-person transfers.

ACH works in batches. Banks collect transactions throughout the day and submit them to the ACH network in groups. The network processes these batches and moves money between banks, typically completing within one to three business days. Same-day ACH is now available for an additional fee.

The batch processing creates opportunities for fraud. If a criminal gains access to your bank account, they can initiate an ACH transfer to their own account. The transfer won't complete immediately, but the criminal knows they have a window before anyone notices. Payroll fraud works similarly: compromise a company's payroll system, redirect direct deposits to criminal-controlled accounts, and collect the money before the next pay cycle when employees start complaining.

Wire Transfers: Fast and Final

Wire transfers are the fastest way to move large sums domestically or internationally. They settle in real time (or close to it), which makes them ideal for time-sensitive legitimate transactions: real estate closings, large business purchases, emergency funds.

That speed comes with a critical tradeoff: finality. Once a wire settles, it's done. The sending bank has no ability to claw back the funds. If you wire money to a scammer, your only recourse is to convince the receiving bank to freeze the funds before the scammer withdraws them. Given that scammers typically empty accounts within hours, this rarely succeeds.

Wire fraud losses dwarf other payment fraud categories. Business email compromise, where criminals trick companies into wiring money to fraudulent accounts, cost victims $2.77 billion in reported losses during 2024 according to the FBI.^[1] The actual figure is certainly higher, since many victims never report.

Real-Time Payments: The New Frontier

Traditional payment systems were built when instant communication was expensive and batch processing made sense. Modern systems like Zelle, FedNow, and the RTP network can move money in seconds.

The convenience is obvious. The fraud implications are severe.

When settlement is instant, there's no gap to exploit, but there's also no gap for the victim to catch the fraud. A consumer who realizes they've been scammed can't stop a Zelle payment the way they might stop a check or dispute a card charge. The money is already gone.

Zelle has become notorious for scam losses. Criminals use social engineering to convince victims to send money, often by impersonating banks or creating fake emergencies. Because Zelle transfers are instant and authorized by the account holder (even if under false pretenses), banks often refuse to reimburse victims.

Why Payment Method Shapes Fraud Type

Different payment systems attract different criminal strategies. This isn't random. Criminals optimize for the highest return at the lowest risk, and payment infrastructure determines both.

High-Value, Single-Shot Attacks

Wire transfers attract sophisticated criminals going after big scores. A business email compromise takes weeks of preparation: researching the target company, compromising email accounts, learning internal processes, crafting convincing messages. But a single successful attack can net hundreds of thousands of dollars, and the money is unrecoverable.

The criminals who execute these attacks are patient and professional. They'll monitor a compromised email account for months, learning how the company handles payments, before striking at the perfect moment.

High-Volume, Low-Value Attacks

Card fraud attracts a different criminal profile. Stolen card numbers are cheap (you saw in Criminal Infrastructure that they sell for $10-40 on dark web markets). Each individual card might only yield a few hundred dollars before being cancelled. But automation makes volume attacks profitable.

Carding operations process thousands of stolen cards per day. They test cards with small purchases, then use working cards for larger frauds. They know most transactions will be blocked or reversed, but the math works out: if 5% of stolen cards yield an average of $200 before being shut down, a batch of 10,000 cards produces $100,000.

Speed-Based Exploitation

Real-time payment systems attract opportunistic fraud. The criminal doesn't need technical sophistication or expensive infrastructure. They need a convincing story and a victim who won't think twice before hitting "send."

Romance scams, fake emergencies, impersonation schemes. These attacks exploit trust and urgency. The payment system's instant finality transforms a moment of poor judgment into an irreversible loss.

The Irreversibility Spectrum

Understanding payment fraud means understanding reversibility. Every payment method sits somewhere on a spectrum from fully reversible to completely final.

Most reversible: Credit cards. Cardholders can dispute charges for months. Merchants bear the burden of proving transactions were legitimate.

Somewhat reversible: ACH and debit cards. Unauthorized transactions can be reversed, but the process is slower and less certain than card chargebacks.

Mostly irreversible: Cash and checks. Once cash changes hands, it's gone. Checks can bounce, but stopping payment requires quick action.

Completely irreversible: Wire transfers and real-time payments. No mechanism exists to reverse a completed transaction. Recovery requires convincing the receiving bank to freeze funds, which rarely succeeds.

Criminals understand this spectrum intimately. They push victims toward irreversible methods. The romance scammer doesn't ask for a credit card number. They ask for a wire transfer or gift cards (which are effectively cash). The business email compromise doesn't request payment by check. It demands an urgent wire.

When you see fraud targeting a specific payment method, ask why. The answer usually involves reversibility.

Key Takeaways

• Authorization and settlement are separate events, often days apart. Criminals exploit this gap to receive goods or services before fraud is detected.
• Different payment methods have different fraud profiles based on their reversibility, speed, and the liability rules that govern them.
• Wire transfers and real-time payments are irreversible, making them preferred targets for high-value fraud like business email compromise.
• Credit cards offer the strongest consumer protections, which is why criminals have shifted to card-not-present fraud and social engineering that bypasses card systems entirely.
• Payment fraud isn't just about stolen card numbers. It's about understanding which payment infrastructure to exploit for maximum gain with minimum risk.

Key Terms

References

1. FBI Internet Crime Complaint Center 2024 Report↗ - BEC losses of $2.77 billion

---

Generated with AI assistance. Reviewed by humans for accuracy.