Authorised push payment fraud has been in the news recently, in the UK because of the Which Super Complaint. The advent of real-time payment schemes, such as Faster Payments in the UK, has made push payments more attractive to criminals because they can quickly take the money and run. This type of fraud is on the rise – but what is it? And who are the victims?
Authorised push payment fraud happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.
The approach taken by the fraudsters is not new. They use social engineering techniques and may hack into email and other systems in order to set up their victims. These methods of attack are used to perpetrate a wide range of attacks — the defining factor in authorised push payment fraud is the use of real-time payment schemes to transfer the money to the fraudsters. This has given the fraudsters a wider potential pool of victims, as more consumers and businesses adopt simple ways to send money in real time. Real-time payments have also lowered the risk for fraudsters, since the money is received instantly, fraudsters can quickly extract their ill-gotten gains.
These criminals are devious and clever, and victims cannot simply be written off as gullible fools. As real-time payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.
Authorised push payment fraud schemes include:
Attacks on Individuals
- Paying an invoice that looks exactly like one from their child’s school – but turns out to be from a fraudster and sends the money to the fraudster’s bank account.
- Sending payment for work done by a tradesperson such as a carpenter or a builder who’s been working on your house, only to find that you have acted based on an email that came from a fraudster pretending to be your legitimate contractor.
- Account takeover where fraudsters initiate push payments to new payees – often across different channels with the goal of outsmarting existing fraud controls
Targeting property transactions
This kind of fraud can affect any property purchase, whether by an individual or a business. In fact, the conveyancing solicitors may also end up as victims of payment fraud. Property purchase fraud occurs when criminals intercept the email chain between sellers, buyers, estate agents and solicitors. Once the communications are intercepted, the fraudsters change the payment information related to transfer of funds so that payments are diverted to the fraudsters’’ account. With property transactions, the sums involved are likely to be large and falling victim can be life-changing.
Intercepting supplier payments
Also known as fake invoice fraud, this scheme is similar to the attacks made on individuals, but the victims are businesses. Using a combination of interception and social engineering techniques to obtain information, fraudsters are able to convince businesses to change bank account details, getting their victims to replace the account number of the legitimate suppliers with their own.
While some countries, such as the UK, have had mass adoption of real-time payment schemes for some time, many countries are still in the process of rolling them out. The USA and the EU have launched real-time payment schemes this year, with Australia following next year. In my next post, I’ll look at what makes push payment fraud high on the agenda right now, as well as the effects that this fraud has on banks.