Authorised push payment fraud occurs when a person or organization is tricked into making a payment to a fraudster, often one that is posing as a legitimate supplier. I discussed this in more detail in the post ‘What is Authorised Push Payment Fraud?’. Given the impact this type of fraud has on both victims and banks, Pay.UK (previously known as the New Payment System Operator) has announced that from next year there will be a confirmation of payee service. This will allow those sending payments to check that the name on the account matches that of their intended recipient.
Checking the name on an account will undoubtedly stop some push payment fraud, but it won’t stop it all. There may also be unintended consequences of taking this approach.
How Does Confirmation of Payee Work?

The service works within online banking, when a payer goes to make a payment via their online banking portal. Here’s an illustration of the process.
What Are the Drawbacks?

As I said, confirmation of payee has some benefits in fighting fraud, but it also has drawbacks. Here are six:
It won’t work for business to business payments. Businesses generally make payments in batch, mostly via Bacs but also by UK Faster Payments. The confirmation of payee service relies on the payer using online banking to enter payee details, and this doesn’t happen in business to business payments.
While push payment scams perpetrated against consumers often grab the headlines, it is businesses that have lost the most to this kind of scam. Even if this scheme is extended to batch payments, it will likely still be problematic for businesses, as the confirmation process happens after payment initiation. Should a business decide not to proceed with any payments, it is then into a remediation process.
Names are not unique. A criminal can set up an account in the same (or very similar) name as a legitimate business or person. I predict that criminals will simply become more organized in how they perpetrate this kind of crime. For example, they will identify and target a group all at once and take the time to make the fraud more convincing.
Imagine a scenario where criminals have managed to get hold of a list of all parents at a school. For minimal investment, they can set up a business and a bank account that sounds very similar to the legitimate school’s name and send fake invoices to all parents. Where the name on the bank account is very similar to that of the legitimate supplier, people are unlikely to be suspicious even when the payee’s name is returned to them.
Confirmation doesn’t mean there’s no fraud. Pay.UK say that the final decision to proceed or not with a payment is with the payer. People who receive a confirmation of name may believe that this is a positive endorsement that there is no fraud risk — and this is simply not the case. As mentioned above, fraudsters may have opened an account using a very similar name. If fraud happens after a positive confirmation of payee, the victims are likely to be both confused and angry. I predict more negative press when this happens.
Lack of confirmation doesn’t mean there is fraud. Just as a positive confirmation doesn’t mean no fraud risk, a ‘contact recipient’ doesn’t automatically indicate fraud. As an example, my local public house, The Old Bull, is part of a wider business, Smiths Catering Inc, and I want to make a deposit payment for my Christmas party. With confirmation of payee I’m likely to get a ‘contact recipient’ result. This could cause issues for businesses that are legitimately trying to collect payments.
It may put consumers in touch with criminals. If a confirmation of payee returns the result ‘contact the person you’re trying to pay’, the person trying to make the payment may well use the contact details on the invoice or other paperwork related to the payment they are trying to make. If this is a fraud, the contact information is likely to put them in touch with a fraudster. Criminals who are well-grounded in social engineering will have many plausible reasons why the payment should go ahead: ‘I’m using my gran’s account for payments’ or ‘That’s the name of our parent company’, etc. When this happens, and a fraud is successful, victims may well be upset that they were instructed via their bank to talk to a criminal.
It could lead to an increase in direct debit fraud. Direct debit fraud happens when a fraudster uses someone else’s bank account details to pay a direct debit. This was famously illustrated with a hoax against Jeremy Clarkson. The confirmation of payee service will let criminals ‘test’ bank account information so that they can build a fuller set of data to use in setting up fraudulent direct debits.
Most direct debit fraud has been perpetrated against businesses because their bank account details are easier to obtain. The ability to ‘test’ bank account details of individuals as well as businesses could see an increase in direct debit fraud against people. Fraudsters may well target individuals who are more vulnerable, as they are less likely to check their bank accounts and direct debits on a regular basis.
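The name-matching drawbacks above (names are not unique, and neither a confirmation nor a ‘contact recipient’ result is a fraud verdict) can be seen in a small added example, which is not from Pay.UK or from the original post. The matching rule, the 0.85 threshold, the ignored words and the ‘Oakfield’ names are all assumptions constructed for illustration; only The Old Bull and Smiths Catering Inc come from the text.

```python
import re
from difflib import SequenceMatcher

# Assumption: legal-form words and "the" are ignored when comparing names.
IGNORED = {"the", "ltd", "limited", "inc", "plc", "llp"}
THRESHOLD = 0.85  # assumed similarity cut-off, not a Pay.UK value


def normalise(name):
    """Lower-case the name, drop punctuation and ignored words."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", name.lower())
    return " ".join(t for t in cleaned.split() if t not in IGNORED)


def confirm_payee(entered, registered):
    """Return (outcome, score) for the payer-entered vs account-holder name."""
    score = SequenceMatcher(None, normalise(entered), normalise(registered)).ratio()
    outcome = "confirmed" if score >= THRESHOLD else "contact recipient"
    return outcome, round(score, 2)


# Constructed cases: (name the payer types, name on the account, is it fraud?)
CASES = [
    ("Oakfield Primary School", "Oakfield Primary School", False),
    ("Oakfield Primary School", "Oakfield Primary Schools Ltd", True),
    ("The Old Bull", "Smiths Catering Inc", False),
]


def misleading_results(cases=CASES):
    """Return the cases where the outcome points the payer the wrong way."""
    wrong = []
    for entered, registered, is_fraud in cases:
        outcome, score = confirm_payee(entered, registered)
        # "confirmed" on a fraud, or "contact recipient" on a genuine payee
        if (outcome == "confirmed") == is_fraud:
            wrong.append((entered, registered, outcome, score))
    return wrong


if __name__ == "__main__":
    for row in misleading_results():
        print(row)
```

Two of the three constructed cases mislead the payer: the look-alike account is confirmed, and the genuine trading name is not.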
The complications and unintended consequences of confirmation of payee mean that no one in the industry should accept it as a cure to authorised push payment fraud or a wholly positive step. Customers are likely to blame their bank when things go wrong, so banks should look to what they can do to deliver protection that will mitigate against both the dangers of authorised push payment fraud and the consequences of confirmation of payee. Some of the steps they can take are outlined in my post ‘3 Things Banks Can Do to Tackle Push Payment Fraud’.