What is Authorized Push Payment fraud?
Although Authorized Push Payment (APP) fraud is not a new phenomenon, recent real-time payment initiatives, like the UK's Faster Payments service, have led to its exponential growth. APP is a type of fraud where fraudsters trick business employees or individuals into sending them a payment under false pretenses.
The UK Payment Systems Regulator (PSR) considers APP to be a significant and growing problem as these scams often involve the victim losing life-changing amounts of money. The authority estimates that £583.2 million was lost to APP scammers in 2021, a 39% increase compared to 2020. Surpassing credit card fraud losses, this number may even be underestimated as APP scams are not always reported.
Multiple factors are contributing to the rapid growth of this type of cyber fraud. First, Covid-19 pushed many people who were not necessarily tech-savvy toward online banking, putting them within fraudsters' reach. Second was the development of fast payment systems, which can be used online or on mobile and allow people to wire money immediately to other accounts.
In the UK, the creation of the Clearing House Automated Payment System (CHAPS) between banks, which guarantees recipients receive payments on the same day, was also a major contributing factor to APP's rapid growth. Indeed, instant payments lower the risk for fraudsters, who can quickly launder the money and escape monitoring.
What are the types of APP and how does it work?
Simply put, an authorized push payment is a transaction initiated by the payer, for the benefit of the receiver/payee who provided goods or services. APP fraud happens when the victim willingly transfers money to the scammer. Directed towards individuals or businesses, there are multiple APP fraud schemes, including:
Impersonation scams: A fraudster will impersonate someone within the same company, a contractor or someone the victim knows and has been dealing with, in order to get the victim to transfer money. This scheme can target both companies and individuals. There are numerous types of impersonation scams, such as fake president scams, romance scams or “Hey Mum” scams. See also Impostor Fraud.
Fraudulent payment requests: Scammers will send fake invoices to a company from a supplier or contractor they are currently in business with. Sophisticated fraudsters may even use suppliers or contractors’ email templates to trick the customer into believing it is a real demand. This type of information can be obtained in different ways, including open-source intelligence (OSINT), social engineering targeting vulnerable employees, and phishing.
Direct hacking: Although APP scammers most often exploit human weaknesses through social engineering, they also use other tactics, like hacking a victim's IT infrastructure. Direct hacks are often conducted by organized criminal groups and target businesses. The objective is to change a supplier’s bank details so that the fraudsters receive the payments in the supplier's place. These actions often take place after a successful phishing campaign aimed at establishing remote access to the victim’s IT infrastructure and infiltrating its payment system. An example of direct hacking is property transaction fraud, where a scammer intercepts an email chain between sellers, buyers and real estate agents in order to change the seller’s banking information and divert the payment to their own account.
How to report APP?
Victims of APP fraud must contact their bank or their financial service provider immediately. The sooner the fraud is reported, the more likely it is that the operator can stop the transaction and recover the money. If the transaction went through, the victim could also contact the bank to which the money was wired, as it may also be able to recover the funds. If the bank receiving the money did not act as quickly as it should have, the victim can always contact the national finance authority to file a complaint. Filing a complaint with the police may also be an option.
How to prevent Authorized Push Payment fraud as a financial institution?
Banks often struggle to prevent APP fraud as the victim is willingly sending the money, and therefore complying with the different authentication and approval processes.
Financial institutions may take different actions to prevent APP fraud schemes:
Raise awareness about APP, both among financial institutions’ operators and their customers, which plays a big role in preventing APP fraud. This may help to identify and deter such threats, especially before they happen;
Prevent fraudsters from opening bank accounts in the first place, by enhancing KYC processes and AML programs;
Identify high-risk transactions and warn customers when an APP scam risk is identified.
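As an added illustration of the last point (example code written for this page, not taken from any bank's or regulator's system), the sketch below flags an outgoing payment using signals that match the schemes described above: a known payee whose account details have changed, an unusually large amount, and an instant payment rail. The field names, the threshold and the three outcomes are assumptions, and the payment records are constructed sample data.

```python
from dataclasses import dataclass
from statistics import median

LARGE_FACTOR = 5  # assumed threshold: "large" = 5x the customer's median payment

@dataclass
class Payment:
    payee_name: str
    payee_account: str
    amount: float
    instant: bool  # True when sent over a real-time payment rail

def app_risk_flags(payment, history):
    """Return the warning reasons for one outgoing payment.

    history is the customer's list of earlier, completed payments.
    """
    flags = []
    name = payment.payee_name.strip().lower()
    known = {p.payee_account for p in history
             if p.payee_name.strip().lower() == name}
    if known and payment.payee_account not in known:
        # Same supplier name, different bank details: the pattern behind
        # fake invoices and altered supplier records.
        flags.append("payee_account_changed")
    elif not known:
        flags.append("new_payee")
    amounts = [p.amount for p in history]
    if amounts and payment.amount > LARGE_FACTOR * median(amounts):
        flags.append("unusually_large")
    if flags and payment.instant:
        # Instant settlement leaves little time to stop a risky payment.
        flags.append("instant_rail")
    return flags

def decision(flags):
    """Map flags to an action (the outcomes are illustrative assumptions)."""
    if "payee_account_changed" in flags and "instant_rail" in flags:
        return "hold_for_review"
    return "warn_customer" if flags else "allow"

# Constructed sample history for one customer.
HISTORY = [
    Payment("Acme Supplies Ltd", "GB00-ACME-0001", 1200.0, False),
    Payment("Acme Supplies Ltd", "GB00-ACME-0001", 950.0, False),
    Payment("City Utilities", "GB00-UTIL-0002", 80.0, False),
]
```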
On May 10, 2022, the UK government issued a policy paper to detail its position on reimbursement for authorized push payment scams, following a consultation launched by the PSR in November 2021. Also in 2021, the Lending Standards Board – a group of worldwide financial institutions – published the Contingent Reimbursement Model Code (CRM Code) for Authorized Push Payment Scams. The latter commits signatories to better protect their customers with appropriate procedures to detect, prevent and respond to APP scams, and to monitor more closely the accounts used to launder money from APP scams. Signatories also commit to reimburse customers who followed procedures adequately and are not to blame for the success of the scam. As of July 2022, at least 19 banks signed the CRM Code.