What Is Authorised Push Payment Fraud?

Dec 05, 2017

Authorised push payment fraud has been in the news recently, in the UK because of the Which? super-complaint. The advent of real-time payment schemes, such as Faster Payments in the UK, has made push payments more attractive to criminals because they can quickly take the money and run. This type of fraud is on the rise – but what is it? And who are the victims?

Authorised push payment fraud happens when fraudsters deceive consumers, or individuals at a business, into sending a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.

The approach taken by the fraudsters is not new. They use social engineering techniques and may hack into email and other systems in order to set up their victims. These methods are used to perpetrate a wide range of attacks; the defining factor in authorised push payment fraud is the use of real-time payment schemes to transfer the money to the fraudsters. This has given the fraudsters a wider potential pool of victims, as more consumers and businesses adopt simple ways to send money in real time. Real-time payments have also lowered the risk for fraudsters: since the money is received instantly, they can quickly extract their ill-gotten gains.

These criminals are devious and clever, and victims cannot simply be written off as gullible fools. As real-time payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.

Authorised push payment fraud schemes include:

Attacks on Individuals

  • Paying an invoice that looks exactly like one from their child’s school – but turns out to be from a fraudster and sends the money to the fraudster’s bank account.
  • Sending payment for work done by a tradesperson such as a carpenter or a builder who’s been working on your house, only to find that you have acted based on an email that came from a fraudster pretending to be your legitimate contractor.
  • Account takeover, where fraudsters initiate push payments to new payees – often across different channels, with the goal of outsmarting existing fraud controls.

Targeting property transactions

This kind of fraud can affect any property purchase, whether by an individual or a business. In fact, the conveyancing solicitors may also end up as victims of payment fraud. Property purchase fraud occurs when criminals intercept the email chain between sellers, buyers, estate agents and solicitors. Once the communications are intercepted, the fraudsters change the payment information related to the transfer of funds so that payments are diverted to the fraudsters’ account. With property transactions, the sums involved are likely to be large and falling victim can be life-changing.

Intercepting supplier payments

Also known as fake invoice fraud, this scheme is similar to the attacks made on individuals, but the victims are businesses. Using a combination of interception and social engineering techniques to obtain information, fraudsters are able to convince businesses to change bank account details, getting their victims to replace the account number of the legitimate suppliers with their own.
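One control against this scheme is to check every outgoing payment against the supplier master file before it is released. The sketch below is an added example, not FICO's code or part of the original post; the record layout, the 14-day cooling-off window and the sample suppliers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

COOLING_OFF = timedelta(days=14)  # assumed policy window, not from the article

@dataclass(frozen=True)
class Supplier:
    name: str
    sort_code: str
    account: str
    details_changed: date  # last edit to the bank details held on file

@dataclass(frozen=True)
class Payment:
    supplier_id: str
    sort_code: str
    account: str
    amount: float

def digits(value: str) -> str:
    """Strip separators so '12-34-56' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def hold_reasons(pay: Payment, master: dict, today: date) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    supplier = master.get(pay.supplier_id)
    if supplier is None:
        return ["payee is not in the supplier master file"]
    reasons = []
    on_file = (digits(supplier.sort_code), digits(supplier.account))
    if (digits(pay.sort_code), digits(pay.account)) != on_file:
        reasons.append("bank details differ from the supplier master file")
    if today - supplier.details_changed < COOLING_OFF:
        reasons.append("bank details on file changed recently")
    return reasons

# Constructed sample data (no real suppliers or accounts).
MASTER = {
    "SUP-001": Supplier("Example Joinery Ltd", "00-00-01", "00000001", date(2016, 3, 1)),
    "SUP-002": Supplier("Example School", "00-00-02", "00000002", date(2017, 11, 28)),
}
TODAY = date(2017, 12, 5)

if __name__ == "__main__":
    run = [
        Payment("SUP-001", "000001", "00000001", 1200.00),    # matches the file
        Payment("SUP-001", "00-00-09", "00000009", 1200.00),  # details swapped on invoice
        Payment("SUP-002", "00-00-02", "00000002", 950.00),   # file edited 7 days ago
    ]
    for pay in run:
        print(pay.supplier_id, pay.amount, hold_reasons(pay, MASTER, TODAY) or "release")
```

A held payment is released only after the change is confirmed with the supplier through a contact already on file, not one taken from the invoice or email that requested it.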

While some countries, such as the UK, have had mass adoption of real-time payment schemes for some time, many countries are still in the process of rolling them out. The USA and the EU have launched real-time payment schemes this year, with Australia following next year. In my next post, I’ll look at what makes push payment fraud high on the agenda right now, as well as the effects that this fraud has on banks.

FICO helps banks protect themselves and their customers from fraud related to real-time payments. We provide solutions focussed on identifying suspicious payments and money mule activity and preventing criminals from opening or taking over accounts. For more information visit our real-time payments web pages.

7 Comments

  • Chris Watts

    It would be easy for the bank to stop if they used the name of the account too. As they already do with Cardholder not present card transactions.

    I suppose they do it with cards because it is their money at risk, not just that of another bank customer.

    • Sarah Rutherford

      Hi Chris, a good point – I think it doesn’t happen this way as it was established under (I think) PSD1 that bank accounts should be identified with a unique identifier and a name isn’t unique. Account number and sort code/IBAN have been established as such. In order to cross-check to account name the banks would have to share that data and that hasn’t happened. There are bank account detail checking solutions provided by vendors, that businesses can use (if they buy them) to check that they are paying the correct beneficiary but they are not available to individuals to use and are limited to the data that the banks want/are able to share with the provider. In some cases the banks would say that they don’t have permission to share peoples’ bank account details even to stop fraud such as this.

      • Chris Watts

        Surely the banks or clearing service could provide (or be forced to do so by government) a free internet based service that would allow anyone to cross-check the account name they intend to credit with the IBAN or sort code and account number they have been given.
        The bank would not have to reveal any more details to the enquirer other than those they would already have. Just a match / mismatch answer would be sufficient to raise suspicions if the account name was not correct, and would stop most of this type of fraud overnight.
        It would save the government financing a lot of police time in dealing with the many investigations and reports they have to provide to victims too.

        • Sarah Rutherford

          This has merit but I’d advise caution in a number of aspects and I think it would only tackle part of the issue. The scenario that you describe is used in the current commercially available solutions (Bank Wizard Absolute is an example). It is limited in a number of ways, and isn’t available to consumers. Firstly there’s the issue of data sharing, even if the banks only provide back a level of assurance that details match, they would have to share data with each other (or a nominated central body such as the clearing house) it is arguable that they have account holders’ permission to do this, even if it is for their protection, there are definitely accounts where they don’t have permission. Secondly is misuse, as a consumer who is also a fraudster I could use such a service to test account details I have access to, it could also be used for other un-intended uses e.g. imagine someone has access to an IBAN and they want to confirm it belongs to a particular person or entity (e.g. maybe a business partner or spouse you think has money hidden away) you could use the service to check the likelihood of any given account belonging to the person or entity you expect it to belong to. Then there’s the issue of the agility of fraudsters and what they would do to get around this for example if I was a fraudster who wanted to rip off parents at a private school, I’d simply set up a business with a name very similar to that of the school and then open an account in that name, fake invoices and send – it’s very easy and relatively inexpensive to register a business in the UK. I think it would stop a proportion of the fraud but there is a potential for many unintended consequences, that have contributed to why this hasn’t happened (I also take your point that while liability sits with the bank account holder there is little incentive to make it happen)

          • Chris Watts

            How about the bank simply holds in escrow any funds transferred to an account where the name in the transfer details do not match the recipient. They could even charge a modest amount for this service.

            Legislation is the other alternative to force them to do so. The status quo is just not acceptable.

            Additionally when I and my intended recipient advised Barclays that a fraud had occurred they made it extremely difficult to let them know and refused to even acknowledge our call as we were not the account holder.

        • Bill Trueman

          “Surely” is a very dangerous word.

          Would you be happy to have your name and your bank details on a database accessible to the 1000s of payments organisations that there are to check? I ***might*** be happy with this if it was a closed-group of a few trustworthy organisations; but don’t forget in the ‘new world’ payments organisations stretch far and wide.

  • Mark Whitehouse

    I’ve just been scammed 5.3k from a fake ebay account on purchase of a car. Was told money was in account until I’d accepted car that was being delivered fake tracking service. Was told ebay held money for 5 days until I was happy with vehicle that was being shipped from Thurso, Scotland. Daniel Luka Modric check this person out on Google. Contacted my bank BARCLAYS who contacted HSBC, money was gone. HSBC can’t do anything. Contacted Action Fraud they can’t or won’t do anything. Lost this plus this person has been doing this for some time. What is my next step? Lol I’ve no Car as it was a taxi, now have to pay £200 a month for 3 years with no car for income. Gutted.