Authorised push payment fraud has been made more attractive to criminals since the advent of real-time payment schemes, such as Faster Payments in the UK — crooks can quickly take the money and run. This type of fraud is on the rise – but what is it? And who are the victims?
Authorised push payment fraud, also known as APP fraud, happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.
Despite the Which? Super Complaint happening over five years ago, authorised push payment fraud continues to regularly hit the UK headlines.
The approach taken by the fraudsters is not new. They use social engineering techniques and may hack into email and other systems in order to set up their victims. These methods are used to perpetrate a wide range of attacks; however, with authorised push payment fraud, scammers can trick victims into using real-time payment schemes to transfer the money to them. As more consumers and businesses adopt simple ways to send money in real time, the pool of potential victims increases, a trend accelerated by the COVID crisis pushing more people to use online banking. Real-time payments also lower the risk for fraudsters: because money is transferred instantly, they can move payments through multiple accounts in a process of layering, laundering the proceeds of the fraud and making them more difficult to trace.
These criminals are devious and clever, and victims cannot simply be written off as gullible fools. As real-time payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.
Authorised push payment fraud schemes are many and varied. Some common attack types include:
Attacks on Individuals
- Paying an invoice that looks exactly like one from their child’s school, only for it to turn out to be from a fraudster, with the money going to the fraudster’s bank account.
- Sending payment for work done by a tradesperson such as a carpenter or a builder who’s been working on your house, only to find that you have acted based on an email that came from a fraudster pretending to be your legitimate contractor.
- Confidence tricks such as romance scams, or the infamous ‘Hey Mum’ scam, where people are tricked into sending money to criminals they believe they have a personal relationship with.
Targeting property transactions
This kind of fraud can affect any property purchase, whether by an individual or a business. In fact, the conveyancing solicitors may also end up as victims of payment fraud. Property purchase fraud occurs when criminals intercept the email chain between sellers, buyers, estate agents and solicitors. Once the communications are intercepted, the fraudsters change the payment information related to the transfer of funds so that payments are diverted to the fraudsters’ account. With property transactions, the sums involved are likely to be large and falling victim can be life-changing.
Intercepting supplier payments
Also known as fake invoice fraud, this scheme is similar to the APP attacks made on individuals, but the victims are businesses. Using a combination of interception and social engineering techniques to obtain information, fraudsters are able to convince businesses to change bank account details, getting their victims to replace the account number of the legitimate supplier with their own. When the business later goes to pay an invoice from its supplier, it instead sends the payment to a fraudster.
Authorised push payment fraud is notoriously difficult for banks to prevent. Because the victim is sending the money themselves, the steps that banks take to authenticate customers are ineffective, as the customer will of course pass any identity check. There are, however, concrete steps that banks can take to stop APP fraud, which I’ve covered in my blog How Can Banks Stop Authorised Push Payment Fraud? These include deploying the FICO scam detection model, which differentiates between normal customer behaviour and the behaviour of customers under the influence of a fraudster.
How FICO Can Help You Detect Authorised Push Payment Fraud
- Learn about our fraud and scam detection models in our FICO® Falcon® Platform
This is an update of a post originally published in December 2017.