Confirmation of Payee Might Not Stop Push Payment Fraud

Confirmation of payee has some benefits in fighting authorised push payment fraud, but it also has drawbacks. Here are six.

Authorised push payment fraud occurs when a person or organization is tricked into making a payment to a fraudster, often one that is posing as a legitimate supplier. I discussed this in more detail in the post ‘What is Authorised Push Payment Fraud?’. Given the impact this type of fraud has on both victims and banks, Pay.UK (previously known as the New Payment System Operator) now provides a confirmation of payee service. The service helps provide assurance that payments are sent to the intended recipient, and has been widely adopted.

Checking the name on an account will undoubtedly stop some push payment fraud, but it won’t stop it all. There may also be unintended consequences of taking this approach.
 

How Does Confirmation of Payee Work?

The service works within online banking, when a payer goes to make a payment via their online banking portal. Here’s an illustration of the process.

[Diagram: the confirmation of payee process. Source: FICO Blog]

 

What Are the Drawbacks?

Confirmation of payee has some benefits in fighting fraud, but it also has drawbacks. Here are six:

  1. It doesn't always work for business-to-business payments. Businesses generally make payments in batch, mostly via Bacs but also by UK Faster Payments. The confirmation of payee service relies on the payer using online banking to enter payee details, and this doesn’t generally happen in business-to-business payments. 

    While push payment scams perpetrated against consumers often grab the headlines, it is businesses that have lost the most to this kind of scam. Even if this scheme is extended to batch payments, it will likely still be problematic for businesses, as the confirmation process happens after payment initiation. Should a business decide not to proceed with any payments, it then faces a remediation process.
     
  2. Names are not unique. A criminal can set up an account in the same (or very similar) name as a legitimate business or person. Criminals are sophisticated enough to determine how to circumvent this process. For example, they will identify and target a group all at once and take the time to make the fraud more convincing. 

    Imagine a scenario where criminals have managed to get hold of a list of all parents at a school. For minimal investment, they can set up a business and a bank account that sounds very similar to the legitimate school’s name and send fake invoices to all parents. Where the name on the bank account is very similar to that of the legitimate supplier, people are unlikely to be suspicious even when the payee’s name is returned to them.
     
  3. Confirmation doesn’t mean there’s no fraud. Pay.UK say that the final decision to proceed or not with a payment is with the payer. People who receive a confirmation of name may believe that this is a positive endorsement that there is no fraud risk — and this is simply not the case. As mentioned above, fraudsters may have opened an account using a very similar name. If fraud happens after a positive confirmation of payee, the victims are likely to be both confused and angry. 
     
  4. Lack of confirmation doesn’t mean there is fraud. Just as a positive confirmation doesn’t mean no fraud risk, a ‘contact recipient’ result doesn’t automatically indicate fraud. As an example, I may be doing business with a subsidiary of a larger corporation, which will produce a ‘contact recipient’ result because the name of the corporation is being used for the account. This may create challenges for businesses that are legitimately trying to collect payments.
     
  5. It may put consumers in touch with criminals. If a confirmation of payee returns the result ‘contact the person you’re trying to pay’, the person trying to make the payment may well use the contact details on the invoice or other paperwork related to the payment they are trying to make. If this is a fraud, the contact information is likely to put them in touch with a fraudster. Criminals who are well-grounded in social engineering will have many plausible reasons why the payment should go ahead: ‘I’m using my gran’s account for payments’ or ‘That’s the name of our parent company’, etc. When this happens, and a fraud is successful, victims may well be upset that they were instructed via their bank to talk to a criminal.
     
  6. It could lead to an increase in direct debit fraud. Direct debit fraud happens when a fraudster uses someone else’s bank account details to pay a direct debit. The confirmation of payee service will let criminals ‘test’ bank account information so that they can build a fuller set of data to use in setting up fraudulent direct debits.

    Most direct debit fraud has been perpetrated against businesses because their bank account details are easier to obtain. The ability to ‘test’ bank account details of individuals as well as businesses could see an increase in direct debit fraud against people. Fraudsters may well target individuals who are more vulnerable, as they are less likely to check their bank accounts and direct debits on a regular basis.
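One way a bank could watch for the account ‘testing’ described in point 6, shown as an added example that is not from the original post or from Pay.UK: flag customers who run confirmation of payee checks against many distinct accounts in a short window without paying any of them. The event names, identifiers, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, customer, event type, payee account)
EVENTS = [
    ("2024-03-01T09:00:00", "C1", "cop_check", "000001/00000001"),
    ("2024-03-01T09:01:00", "C1", "payment",   "000001/00000001"),
    ("2024-03-01T10:00:00", "C2", "cop_check", "000002/00000011"),
    ("2024-03-01T10:01:00", "C2", "cop_check", "000002/00000012"),
    ("2024-03-01T10:02:00", "C2", "cop_check", "000002/00000013"),
    ("2024-03-01T10:03:00", "C2", "cop_check", "000002/00000014"),
    ("2024-03-01T10:04:00", "C2", "cop_check", "000002/00000015"),
    ("2024-03-01T09:00:00", "C3", "cop_check", "000003/00000021"),
    ("2024-03-01T09:40:00", "C3", "cop_check", "000003/00000022"),
    ("2024-03-01T10:20:00", "C3", "cop_check", "000003/00000023"),
    ("2024-03-01T11:00:00", "C3", "cop_check", "000003/00000024"),
]

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_UNPAID_LOOKUPS = 3           # assumed threshold, tune per channel


def flag_account_testing(events, window=WINDOW, limit=MAX_UNPAID_LOOKUPS):
    """Return customers who checked more than `limit` distinct payee
    accounts inside `window` and never paid any of those accounts."""
    lookups = defaultdict(list)  # customer -> [(time, account)]
    paid = defaultdict(set)      # customer -> accounts actually paid
    for ts, customer, kind, account in events:
        if kind == "cop_check":
            lookups[customer].append((datetime.fromisoformat(ts), account))
        elif kind == "payment":
            paid[customer].add(account)

    flagged = set()
    for customer, checks in lookups.items():
        # A check followed by a payment to that account is normal use.
        unpaid = sorted(c for c in checks if c[1] not in paid[customer])
        start = 0
        for end in range(len(unpaid)):
            # Slide the window so it spans at most `window` of time.
            while unpaid[end][0] - unpaid[start][0] > window:
                start += 1
            if len({acct for _, acct in unpaid[start:end + 1]}) > limit:
                flagged.add(customer)
                break
    return sorted(flagged)
```
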

The complications and unintended consequences of confirmation of payee mean that no one in the industry should accept it as a cure for authorised push payment fraud. Customers are likely to blame their bank when things go wrong, so banks should look at what they can do to deliver protection that mitigates both the dangers of authorised push payment fraud and the unintended consequences of confirmation of payee. Some of the steps they can take are outlined in ‘3 Things Banks Can Do to Tackle Push Payment Fraud’.
