1st September 2021

Authorised Push Payment (APP) fraud and the harm it causes

By Peter Moorhead

Making payments from your bank account has never been easier. With the advent of open banking and the growing use of mobile banking apps, we can transfer money literally at the touch of a button (or screen). 

Whilst this creates consumer convenience, it also means that we can make decisions about making payments in a matter of seconds, with little opportunity for reflection; something fraudsters are ready to exploit.

According to UK Finance, £479m was lost to Authorised Push Payment (APP) scams in 2020, an increase of 103% since 2017. When APP fraud takes place, victims are conned into moving money from their account into an account controlled by the criminal. However, the simplicity of this definition belies the many elaborate methods that fraudsters use to convince their ‘marks’ to make these payments.

One such example is when fraudsters impersonate bank staff, convincing customers that their account has been compromised and that they must urgently transfer their funds into a ‘safe account’. 

When we take a closer look at such a scenario, a number of steps take place from the early initiation of the fraud through to the final execution: 

Step 1

Fraudsters harvest information and data about potential victims. The sources of such information can vary from the ‘dark web’, where identity details are bought and sold often following major data breaches, through to meticulous reconnaissance conducted via telephone contact centres.

Step 2

Target victims are sent fake text messages, known as smishing attacks, purporting to be from their bank, mobile phone provider, a courier company, or a retailer such as Boots or Amazon. The convincing text messages typically suggest a recent payment has failed, and they must enter their bank details to resolve the matter. The messages are carefully worded to incite a panicked response, resulting in the victim entering their payment details into a landing site identical to that of the true organisation. 

Step 3

The victim then receives a call from the fraudster posing as a bank employee to inform them that, as a result of responding to that text, their account has been compromised and they need to move all their money to a new ‘safe’ account which has already been set up for them.

Step 4

The victim authorises the transfer of funds to the fraudster’s account, potentially costing the victim thousands of pounds. 

In this manner, pensioners and vulnerable individuals have been robbed of their life savings and nest eggs, while other victims, already struggling to make ends meet as a result of the pandemic, have been defrauded of what little money they have. 

In another cruel example of the true cost of APP fraud, other victims, believing they have met the love of their life through an online dating site, have ended up losing thousands of pounds, falling foul to a growing breed of fraud: ‘romance scams’. 

Victims of these pernicious crimes are often deeply traumatised, dealing with feelings of shame at being caught out that can have a long-term impact on their self-confidence, mental health and ability to trust. 

As these examples demonstrate, APP fraud comes in many varieties, all perpetrated by fraudsters who devote significant time and resources to creating the most opportune scenarios to ensnare their victims. 

Other types of APP fraud include:

  • Purchase scams — fraudsters pose as the seller of a high-value product (e.g., a car or a laptop computer), often advertising on social media. They request payment from their victims by bank transfer and once the money is transferred, they disappear while the promised product fails to materialise.
  • Investment scams — by promising high returns, criminals entice their victims into transferring their savings into bogus investment products, often using tactics such as time-limited offers to apply additional pressure.
  • Invoice and mandate scams — criminals interpose themselves, often by hacking email accounts, into what would otherwise be legitimate business transactions (e.g., builders and tradespeople, conveyancing solicitors), requesting payments to be sent to a different bank account.

Unlike other types of fraud, such as identity theft or account takeovers where the fraud is not directly authorised by the bank account holder, the payments made in APP fraud are authorised by the victims. This can make reimbursement by their bank a more complex issue. 

The banking and payments industry is working with regulators and consumer groups to help victims of APP fraud recover their lost funds,  with several institutions signing up to a voluntary code called the ‘Contingent Reimbursement Code’ . 

Whilst this is good news for victims, it would obviously be even better if these criminals were prevented from successfully scamming people in the first place. And this requires a layered defence approach, with scam warnings and interventions along every step of the bank’s payment processes for customers. Some key prevention initiatives include:

Confirmation of Payee

In June 2020, the six largest banks in the UK introduced Confirmation of Payee, a tool that checks the names of bank transfer recipients against the associated account details. The system then flags a warning if there is a mismatch. This is designed to add an additional prompt for potential fraud victims, helping them think twice before making a payment by calling out the inconsistency between an intended payee and the bank details provided. This is not always effective, since fraudsters are known to speak with the victim in advance of the payment and reassure them that when the payee details do not match they should not be concerned.  

Education and awareness 

Providing consumers with more information about how to avoid falling victim to scams is another initiative aimed at tackling the problem.

This includes advice such as never revealing security details and double-checking contact information for the recipient bank. In addition, institutions are encouraging customers not to assume emails, texts or phone calls they receive are authentic. In particular, organisations such as CIFAS and Action Fraud are providing members of the public with a range of useful resources on this topic.

Preventing reconnaissance via telephone contact centres

Fraudsters can harvest sensitive information associated with potential victims through call centres. They use bots to navigate through Interactive Voice Recognition (IVR) systems, and social engineering tactics to elicit security information from contact centre agents. 

However, consumer banks are using technology to address such vulnerabilities in their telephony channel defences, including the implementation of  Smartnumbers Protect, which provides real-time detection of high risk calls entering the call centre before the call is even answered. This ensures threats are quickly spotted and can be resolved by the bank’s fraud operations teams before the victim loses their funds.  

Stopping fraudsters early in the attack cycle is the most effective approach at preventing members of the public from falling victim to traumatic crimes, and will go a long way towards reducing the financial losses experienced by those who can least afford to bear them.

1. ukfinance.org.uk/policy-and-guidance/reports-publications/fraud-facts-2021
2. lendingstandardsboard.org.uk/wp-content/uploads/2021/04/CRM-Code-LSB-Final-April-2021.pdf