What Is Authorized Push Payment Fraud?
Authorized push payment fraud – APP fraud in short – is a social engineering attack that seeks to trick consumers and businesses into making manual bank transfer payments to fraudsters’ accounts. The victims have been convinced that they are making the payments to a legitimate destination and for a legitimate reason.
These scams are employed across many different sectors. Criminals often pose as banks, solicitors, conveyancers and building firms, in order to target high value transactions when perpetuating the fraud.
Automated push payment fraud is an increasingly popular scam that creates huge financial losses for businesses and consumers. Because it is essentially social engineering and the victims make the transfers themselves, it is particularly difficult to catch those responsible.
APP fraud is particularly prevalent in countries where banks have an infrastructure that facilitates fast or immediate transfers, such as the UK.
In fact, the UK Faster Payments framework allows for single transactions of up to £1/$1.15 million. These payments can happen instantly and are not reversible. In the first half of 2021, financial losses linked to APP fraud increased by 71% in the UK.
What Are Authorized Push Payments?
Authorized push payments are bank transfer payments that individuals make themselves, usually using online banking websites or apps. Performed by entering the recipient’s bank details on the e-banking website or banking app, these payment methods are often used to transfer large sums of money.
For example, legitimate and commonly seen reasons to transfer large sums include deposits for properties and investments, payments for home renovations, and transfers to new savings accounts. These often involve Authorized Push Payments.
Improve your risk management with SEON’s real-time data enrichment tools, behavioral checks, and deep device fingerprinting analysis.
Book a Demo
How Does Authorized Push Payment Fraud Work?
There are many ways for criminals to engage in APP fraud, where they investigate a victim, hook them in, and convince them to send money to the victim’s account of their own volition. The fraudster will then extract the money from the bank drop account in a way that evades detection – such as by breaking it up into smaller sums before transferring it.
Often, the criminals employ techniques that are widely used in other fraud too, such as phishing, spoofing email addresses, and making telephone calls that claim to be from a bank or a business. In essence, APP fraud is a social engineering attack that can either be targeted or cast a wider net.
For example, the person might think they are sending the money to their solicitor but the fraudster has convinced them that the solicitor has a new bank account.
Another fraudster may gather sufficiently convincing personal details and call the victim, pretending to be from their bank. They will invent a compelling reason to urgently move money to another account.
Ironically, that invented reason may be a suggestion that the person is already being targeted by fraudsters. The criminal will convince them that they represent a security company, bank or even law enforcement, calling to explain that their funds are at risk and thus should be moved as soon as possible.
Of course, they will provide bank details for an account they have access to, which the victim might be convinced will be what keeps their funds safe.
The fraudsters will then immediately get to work on moving the money, sometimes using smurfing techniques to evade detection from transaction monitoring.
Authorized Push Payment Fraud Examples
They always involve convincing the victim to move some of their money into the fraudster’s account, but how exactly? Here are a few examples of how APP fraud can work in practice:
Home Renovation Scam
- Criminals identify a house where renovations are taking place.
- Using techniques ranging from phishing to basic observation, they identify the homeowner and the main building firm completing the renovations.
- The criminals submit an invoice for the work, pretending to be from the building firm. This appears to be legitimate but lists the fraudster’s bank drop account instead of that of the building firm.
- The fraudsters and the money are long gone by the time anybody identifies the scam.
New Bank Details Scam
- Targeting a business, fraudsters identify any one of its regular suppliers.
- The criminals submit a letter or email, professing to be from the supplier and notifying the customer of a change in their bank details for future invoice payments. This is incredibly easy to do.
- A member of the company’s finance team changes the details in the accounting system, meaning that future payments are re-routed to the fraudsters – for as long as it takes until someone realizes.
Property Purchase Fraud
- Fraudsters identify a target who is in the process of purchasing a property.
- They intercept emails between the property purchasers and their bank, solicitor or estate agent, lie low and wait.
- At a key moment in the property transaction, they switch the bank details on a key document.
- When a payment is made, such as that for a deposit or balance payment, the funds go to the fraudsters and not the intended recipient.
What Measures Can Combat Push Payment Fraud?
Measures to combat this rising type of fraud include calls made directly to the consumer, improvements to transaction monitoring in banking and other sectors, as well as risk mitigation and management, educating employees, and raising public awareness of these types of scams.
In recent years, financial institutions have introduced various checks and balances to combat APP fraud. In the UK, a Confirmation of Payee (CoP) service was launched in 2020. It cross-references bank details with the account holder’s name when somebody makes an online payment. As a result, the potential victim should be able to tell whether the account holder is who they claim to be – though, unfortunately, this isn’t a fool-proof system.
In addition, banks are increasingly using sophisticated fraud prevention software stacks, with machine learning and contextual data to flag suspicious transactions – blocking or holding them for manual review.
Of course, raising awareness of this type of scam and of social engineering attacks in general goes a long way to preventing APP fraud. And this is both relevant to individuals and to employees of any company – who might be targeted themselves or become unwitting enablers.
How to Avoid Authorized Push Payment Fraud
Similarly to many other types of schemes instigated by bad actors, communication and education are hugely important in combatting authorized push payment fraud.
If you run a business, clear communication with customers is essential. Some higher-risk companies now include notes in their communications, warning customers not to act on messages that ask them to pay into new bank accounts. You may have seen these in email footers, for example, or heard automated reminders when you call your bank.
Financial institutions also have various options open to them to combat APP fraud. These range from offering cool-off periods before payments are sent, to increasing due diligence around where payments are going from and to. For example, banks can check if the recipient account regularly receives high-value payments.
Additionally, financial institutions can also play their part in educating their customers and in promoting awareness around this increasingly common type of fraud.
Combining this approach with robust fraud prevention software, banks and fintech institutions can help the public fight back against this simple but very common type of fraudulent attack.
Contact Us for a Demo
Feel free to reach out to us for a demo!