Payment Systems 101: How Money Really Moves
Essential foundation for understanding how ACH, wire transfers, card payments, and digital payments actually work - and why criminals target them
By Benjamin, Fraud Attacks · Updated
Payment systems are the rails that carry money between banks, businesses, and consumers. Each rail (cards, ACH, wire, real-time) settles on a different timeline, gives consumers different protections, and creates different fraud opportunities. Understanding how each one works is the foundation for understanding every payment fraud that follows.
The $12,000 Chargeback
Jordan was working through the dispute queue when he pulled up case 4471. Furniture retailer in Ohio. $12,000 chargeback on an order of office chairs.
He read the cardholder's statement. Dentist in Phoenix. Said she'd never heard of the merchant, never ordered furniture, never authorized the charge. Her card had been in her wallet the whole time.
He pulled the merchant's records. Order placed online. Card number entered manually. Billing address matched the cardholder. Shipping address was different, a commercial building in Columbus. Goods delivered, signature on file.
The merchant had done the standard checks. Card wasn't on any hot lists. AVS passed. CVV matched. From their side, it looked like a legitimate order.
But the cardholder was telling the truth. She hadn't ordered anything. Someone had her card number, her billing address, and enough patience to place a $12,000 order to a warehouse they controlled.
Jordan checked who ate the loss. Not the cardholder. She filed a dispute, got her money back. Not the card network. They just moved information. The merchant. They'd shipped $12,000 in furniture to a criminal and had no way to get it back.
That's how it worked. The person who shipped the goods carried the risk.
This story is fictional, but the patterns are real.
Why This Matters
In Fraud 101, you learned that fraud requires intent, deception, and harm. In Common Fraud Types, you saw the variety of schemes criminals use. But to understand why certain frauds succeed while others fail, you need to understand the infrastructure they exploit.
Payment systems aren't just pipes that move money. They're complex networks with rules, timing gaps, and multiple parties, each with different responsibilities. Criminals study these systems obsessively. They know that a wire transfer is irreversible but a card payment isn't. They know that authorization happens in milliseconds but settlement takes days. They exploit these structural features the way a burglar exploits an unlocked window.
This article won't teach you how to catch fraudsters. It will teach you how money actually moves, so you understand what criminals are exploiting when they attack.
The Authorization-Settlement Gap
Where is the Moment of Vulnerability?
When you swipe a card, two separate things happen at two separate times.
Authorization happens instantly. The merchant's terminal contacts the card network, which contacts the issuing bank, which checks if the card is valid and has available credit. Within seconds, the bank says yes or no. If yes, the merchant sees "Approved" and hands over the goods.
Settlement happens later. Usually one to three business days later. This is when actual money moves from the cardholder's bank to the merchant's bank. Until settlement completes, the merchant has shipped goods based on a promise, not a payment.
That gap is part of the vulnerability Jordan discovered. The criminal knew the stolen card would authorize successfully because the real cardholder hadn't noticed the theft yet. The merchant would ship the goods, settlement would happen, and the merchant would receive payment. But weeks later, when the real cardholder spotted the charge on her statement, she'd dispute it. The chargeback would pull the money back from the merchant. By then, the goods would be long gone.
Why does the gap exist?
You might wonder why payment systems work this way. Why not move money instantly, like handing over cash?
The answer is mostly historical. Card networks were designed in the 1960s and 70s, when real-time communication between banks was expensive and unreliable. Batch processing made sense: collect a day's transactions, send them overnight, settle the next morning. The infrastructure built around this model is now deeply entrenched.
There are also side benefits that reduce the incentive to change. Batch settlement allows for netting: if Bank A owes Bank B ten million dollars and Bank B owes Bank A eight million, they only need to move two million. Banks also earn interest on funds sitting in accounts during the settlement window. These aren't the reasons the gap was created, but they're reasons nobody is rushing to eliminate it.
Modern real-time payment systems like FedNow and the RTP network prove that instant settlement at scale is technically possible. But card networks haven't rebuilt their core infrastructure to match.
The authorization is a promise: "This cardholder has the funds, and we'll transfer them during the next settlement cycle." That promise is kept - settlement happens and the merchant receives payment. But card payments can be reversed for months after settlement. When a cardholder discovers fraud and files a chargeback, the money gets pulled back. The merchant shipped goods based on an authorization that looked legitimate, received payment, and then lost both the goods and the money when the chargeback hit.
Different Payment Methods, Different Gaps
The authorization-settlement gap varies dramatically by payment type:
| Payment Method | Authorization | Settlement | Reversal Window |
|---|---|---|---|
| Credit card | Seconds | 1-3 days | Typically 120 days; up to 540 days for services-not-rendered (chargeback) |
| Debit card | Seconds | 1-3 days | Varies by network |
| ACH transfer | Hours to days | 1-3 days | 2 banking days for most returns; up to 60 days for consumer-initiated unauthorized debits (R10/R11) |
| Wire transfer | Minutes | Same day (final) | None |
| Real-time payments (Zelle, RTP) | Seconds | Instant (final) | None |
| Cryptocurrency | Seconds (broadcast) | Minutes to hours (varies by chain) | None |
The rightmost column matters most. Credit cards give cardholders months to dispute charges. Wire transfers give them nothing. This is why criminals strongly prefer wire transfers for high-value fraud, and why business email compromise attacks almost always demand payment by wire.
The Players and Their Incentives
Why does a simple transaction touch seven parties?
When Jordan traced that $12,000 furniture fraud, he found it touched seven different organizations:
- The cardholder (the dentist whose card was stolen)
- The issuing bank (the dentist's bank that issued the card)
- The card network (Visa, in this case)
- The acquiring bank (the furniture company's bank)
- The payment processor (handled the technical transaction routing)
- The merchant (the furniture company)
- The criminal (who exploited all of the above)
Each party has different information, different responsibilities, and different incentives. The issuing bank knows the cardholder's spending patterns but not what merchants are legitimate. The merchant knows their products shipped to a vacant lot but not that the card was stolen. The card network sees transaction patterns across millions of merchants but can't verify that any specific delivery actually occurred.
Criminals exploit these information gaps. No single party sees the complete picture, so fraud that would be obvious to an omniscient observer slips through the gaps between organizations.
Who pays when fraud happens?
The question "who loses money when fraud occurs" shapes the entire payment ecosystem.
For credit cards, liability usually falls on the issuing bank, not the cardholder. Federal law (Regulation Z) limits cardholder liability to $50 for unauthorized transactions, and most banks waive even that. This is why consumers trust credit cards for online purchases. It's also why issuers invest heavily in fraud detection: they're the ones who pay when it fails.
For debit cards, the rules are less favorable. Regulation E uses a tiered structure: $50 if you report within 2 business days of discovery, up to $500 if reported between 2 days and 60 days after the statement is sent, and unlimited liability if reported more than 60 days after the statement. The money also comes directly from the checking account, causing immediate cash flow problems even if it eventually gets refunded.
For wire transfers, there's essentially no protection. Once a wire settles, the money is gone. If you wire $50,000 to a scammer, your bank has no obligation to help you recover it. This is why every business email compromise playbook emphasizes urgency: criminals need victims to wire money before they have time to think.
For ACH transfers, there's a middle ground. Unauthorized transactions can be reversed within certain timeframes, but the rules are complex and vary by situation.
The Merchant's Dilemma
Merchants face a cruel paradox. If they decline too many transactions, they lose legitimate sales. If they accept too many, they eat fraud losses.
When a chargeback occurs, the merchant loses the merchandise, loses the transaction amount, and pays a chargeback fee (typically $20-100). Too many chargebacks and they risk losing their merchant account entirely, which means they can't accept cards at all.
This is why the furniture company shipped to an address that, in retrospect, was obviously suspicious. The authorization came back approved. The address verification passed. Declining the order meant losing a $12,000 sale. They took the risk, and lost.
How Different Payment Rails Work
Card Networks: The Dominant System
Visa and Mastercard don't actually move money. They operate the messaging system that connects banks. When you swipe a card, information flows through their network: transaction amount, merchant identity, card number, etc. The network routes this information between banks and enforces rules about how transactions should be handled.
The actual money moves separately, through interbank settlement systems. This separation of information flow and money flow is fundamental to how card payments work, and also to how they can be exploited.
American Express works differently. Amex is both the network and (usually) the issuer. When you use an Amex card, you're borrowing from American Express directly, not from a separate bank that happens to use the Amex network. This vertical integration gives Amex more control over the complete transaction, which generally results in lower fraud rates but also limits which merchants accept Amex.
ACH: Moving Money Between Banks
The Automated Clearing House handles most routine bank-to-bank transfers in the United States: direct deposits, automatic bill payments, and many person-to-person transfers. It is also, by total dollar value, the dominant noncash payment rail in the country: the Federal Reserve Payments Study reported $91.85 trillion in ACH payments in 2021, about 72% of all noncash payments by value.[2]
ACH works in batches. Banks collect transactions throughout the day and submit them to the ACH network in groups. The network processes these batches and moves money between banks, typically completing within one to three business days. Same-day ACH is now available for an additional fee.
The batch processing creates opportunities for fraud. If a criminal gains access to your bank account, they can initiate an ACH transfer to their own account. The transfer won't complete immediately, but the criminal knows they have a window before anyone notices. Payroll fraud works similarly: compromise a company's payroll system, redirect direct deposits to criminal-controlled accounts, and collect the money before the next pay cycle when employees start complaining. ACH and wire fraud often share the same intrusion path: a compromised email account leading to a redirected payment.
How wire transfers work, and why they're final
Wire transfers are the fastest way to move large sums domestically or internationally. They settle in real time (or close to it), which makes them ideal for time-sensitive legitimate transactions: real estate closings, large business purchases, emergency funds.
That speed comes with a critical tradeoff: finality. Once a wire settles, it's done. The sending bank has no ability to claw back the funds. If you wire money to a scammer, your only recourse is to convince the receiving bank to freeze the funds before the scammer withdraws them. Given that scammers typically empty accounts within hours, this rarely succeeds. Wire fraud is also one of the events that triggers a Suspicious Activity Report under the BSA reporting framework, and most cases trace back to a prior account takeover or email compromise.
"Wire transfer" is actually a loose term that covers a few different systems. In the US, Fedwire is the Federal Reserve's real-time gross settlement (RTGS) system: each transaction settles individually and immediately, with final, irrevocable transfer of funds. CHIPS (Clearing House Interbank Payments System) is privately operated by The Clearing House and uses end-of-day netting to settle large-value payments more efficiently between participating banks. SWIFT is not a payment rail at all. It's a global messaging network that banks use to send each other secure instructions about cross-border payments. The actual money still moves through correspondent banking relationships, Fedwire, CHIPS, or similar systems in other countries. When fraudsters move stolen funds internationally, they typically exploit SWIFT messaging while the value settles across multiple correspondent banks.
Wire fraud losses dwarf other payment fraud categories. Business email compromise, where criminals trick companies into wiring money to fraudulent accounts, cost victims $2.77 billion in reported losses during 2024 according to the FBI.[1] The actual figure is certainly higher, since many victims never report. Industry surveys point in the same direction: the AFP Payments Fraud and Control Survey found that 79% of organizations experienced attempted or actual payments fraud in 2024, with BEC the top vector.[3]
Real-Time Payments: The New Frontier
Traditional payment systems were built when instant communication was expensive and batch processing made sense. Modern systems like Zelle, FedNow, and the RTP network can move money in seconds.
The convenience is obvious. The fraud implications are severe.
When settlement is instant, there's no gap to exploit, but there's also no gap for the victim to catch the fraud. A consumer who realizes they've been scammed can't stop a Zelle payment the way they might stop a check or dispute a card charge. The money is already gone.
Zelle has become notorious for scam losses. Criminals use social engineering to convince victims to send money, often by impersonating banks or creating fake emergencies. Because Zelle transfers are instant and authorized by the account holder (even if under false pretenses), banks often refuse to reimburse victims.
Why Payment Method Shapes Fraud Type
Different payment systems attract different criminal strategies. This isn't random. Criminals optimize for the highest return at the lowest risk, and payment infrastructure determines both.
High-Value, Single-Shot Attacks
Wire transfers attract sophisticated criminals going after big scores. A business email compromise takes weeks of preparation: researching the target company, compromising email accounts, learning internal processes, crafting convincing messages. But a single successful attack can net hundreds of thousands of dollars, and the money is unrecoverable.
The criminals who execute these attacks are patient and professional. They'll monitor a compromised email account for months, learning how the company handles payments, before striking at the perfect moment.
High-Volume, Low-Value Attacks
Card fraud attracts a different criminal profile. Stolen card numbers are cheap (you saw in Criminal Infrastructure that they sell for $10-40 on dark web markets). Each individual card might only yield a few hundred dollars before being cancelled. But automation makes volume attacks profitable.
Carding operations process thousands of stolen cards per day. They test cards with small purchases, then use working cards for larger frauds. They know most transactions will be blocked or reversed, but the math works out: if 5% of stolen cards yield an average of $200 before being shut down, a batch of 10,000 cards produces $100,000.
Speed-Based Exploitation
Real-time payment systems attract opportunistic fraud. The criminal doesn't need technical sophistication or expensive infrastructure. They need a convincing story and a victim who won't think twice before hitting "send."
Romance scams, fake emergencies, impersonation schemes. These attacks exploit trust and urgency. The payment system's instant finality transforms a moment of poor judgment into an irreversible loss.
The Irreversibility Spectrum
Understanding payment fraud means understanding reversibility. Every payment method sits somewhere on a spectrum from fully reversible to completely final.
Most reversible: Credit cards. Cardholders can dispute charges for months. Merchants bear the burden of proving transactions were legitimate.
Somewhat reversible: ACH and debit cards. Unauthorized transactions can be reversed, but the process is slower and less certain than card chargebacks.
Mostly irreversible: Cash and checks. Once cash changes hands, it's gone. Checks can bounce, but stopping payment requires quick action.
Completely irreversible: Wire transfers and real-time payments. No mechanism exists to reverse a completed transaction. Recovery requires convincing the receiving bank to freeze funds, which rarely succeeds.
Criminals understand this spectrum intimately. They push victims toward irreversible methods. The romance scammer doesn't ask for a credit card number. They ask for a wire transfer or gift cards (which are effectively cash). The business email compromise doesn't request payment by check. It demands an urgent wire.
When you see fraud targeting a specific payment method, ask why. The answer usually involves reversibility.
Key Takeaways
- Authorization and settlement are separate events, often days apart. Criminals exploit this gap to receive goods or services before fraud is detected.
- Different payment methods have different fraud profiles based on their reversibility, speed, and the liability rules that govern them.
- Wire transfers and real-time payments are irreversible, making them preferred targets for high-value fraud like business email compromise.
- Credit cards offer the strongest consumer protections, which is why criminals have shifted to card-not-present fraud and social engineering that bypasses card systems entirely.
- Payment fraud isn't just about stolen card numbers. It's about understanding which payment infrastructure to exploit for maximum gain with minimum risk.
Key Terms
| Term | Definition |
|---|---|
| Authorization | The real-time approval or decline of a transaction by the issuing bank |
| Settlement | The actual transfer of funds between banks, typically 1-3 days after authorization |
| Issuing bank | The bank that issued the payment card to the cardholder |
| Acquiring bank | The bank that processes payments on behalf of the merchant |
| Card network | The system (Visa, Mastercard, etc.) that routes transaction information between banks |
| ACH (Automated Clearing House) | The batch processing network for bank-to-bank transfers in the US |
| Wire transfer | A direct bank-to-bank transfer that cannot be reversed. Fedwire settles in real time; CHIPS nets at end of day |
| Chargeback | A forced reversal of a card transaction initiated by the cardholder's bank |
| Real-time payments | Payment systems (Zelle, FedNow, RTP) where settlement is instant |
| Liability shift | Rules determining which party bears financial responsibility for fraud losses |
References
1. FBI Internet Crime Complaint Center 2024 Report↗ — BEC losses of $2,770,151,146 in 2024 (page 10).
2. Federal Reserve Payments Study, 2022 Triennial Initial Data Release↗ — ACH payments value of $91.85 trillion in 2021, about 72% of core noncash payments value. Wire transfers excluded from these data.
3. 2025 AFP Payments Fraud and Control Survey Report — Key Highlights↗ (April 2025, Truist underwriter copy of the AFP survey) — 79% of organizations experienced attempted or actual payments fraud in 2024; BEC was the top vector at 63% of respondents.
Test Your Knowledge
Ready to test what you've learned? Take the quiz to reinforce your understanding.
Continue learning
- Money Movement & Transaction FraudWire Transfer & ACH FraudHow criminals exploit wire transfers, ACH payments, and real-time payment systems through BEC attacks and social engineering
- Money Movement & Transaction FraudE-commerce & Card FraudCard-not-present fraud, friendly fraud, chargeback schemes, and digital marketplace fraud investigation
- Money Movement & Transaction FraudLending and Institutional FraudHow criminals exploit loan applications, payroll systems, and government programs using stolen and synthetic identities
- More from Fraud BasicsFraud 101: What Is Fraud?Absolute basics for someone who has never looked at fraud: what is fraud, how is it different from other crimes, and why does it matter
- More from Account TakeoverATO FundamentalsEssential foundation every fraud professional needs to know about account takeover attacks
- More from Social EngineeringSocial Engineering FundamentalsThe psychology of manipulation and how attackers exploit human trust