Authorized push payment fraud - what banks need to know

By : Laurie Gentz

July 10, 2018 12:00 PM

As banks continue to improve their efforts to crack down on fraud and make it harder for criminals to operate, fraudsters themselves are also constantly coming up with new tactics to evade detection and bypass defenses, focusing on the weakest channel.


With efforts to improve customer authentication making traditional fraud methods harder than ever, one increasingly popular way for criminals to perpetrate fraud is through authorized push payment (APP). This involves a customer being tricked into initiating what they believe to be a legitimate payment to a business - but they are in fact sending money to fraudsters.


For example, one common tactic is for criminals to use a hacked email account to send a message that appears to be from someone they have a business relationship with - such as a lawyer or building contractor - requesting payment of an invoice for work that has been done. But instead of sending the money to the correct individual, the payment details on the invoice will instead divert the payment to the fraudster's account.


This type of fraud can be very difficult to spot, as it involves a genuine customer initiating payments in good faith. Frequently, they only become aware they have fallen victim to fraud when the real intended recipient complains the invoice has not been paid - by which time it is too late.


APP scams on the rise


UK Finance, a trade association for the UK banking and financial services sector, revealed recent data showing that Authorised Push Payment (APP) fraud is rapidly-growing problem. As part of its annual report for 2017, UK Finance looked at APP fraud rates for the first time, and found there had been almost 44,000 reported cases last year, amounting to total losses of £236 million ($333.9 million). Some 88 percent of these involved individual consumers, who lost an average of £2,784 each. Of this, financial providers only returned £60.8 million (26 percent) of losses.


Jennifer Craven of law firm Pinsent Masons commented on the figures, saying: "The report makes reference to the importance of funds recovery and acknowledges that the finance industry is responding to the ongoing threat of all frauds by working with government and law enforcement to better trace, freeze and return stolen funds."


Changes to consumer protection planned


Until now, some financial services providers have been reluctant to refund losses, arguing that as the consumer has made the payment themselves, they are responsible for ensuring it is going to the right person. But with so few victims of APP scams being reimbursed, there have been calls for changes in regulation that would improve consumer protection in this area.


Authorities seem to be listening to these calls. The UK's Payment Systems Regulator (PSR), for example, recently announced it will publish a new industry code later this year that will strengthen consumer rights and set out guidelines for the sector.


Head of policy at the PSR Paul Smith said: "This is about making a positive difference for people to protect them from APP scams. The banks have already made some changes but, from September 2018, this industry code will see better protections available to everyone." 


Banks will therefore have to take steps to minimize the risk of customers falling victim to APP scams in the first place if they wish to avoid losses. At the heart of this may well be better customer education about the issue in order to raise awareness.


Some banks in the UK have already started adding additional questions to their online banking tools when customers try to make a payment to a new payee, and these could well become a standard part of a bank's fraud prevention steps in the near future as regulatory demands shift.

Laurie Gentz

Marketing Manager, Fraud & Security Solutions

Other articles by this author

Laurie is Financial Services Solution Marketing Manager at NCR. She is responsible for marketing NCR’s fraud solutions, with a specific focus on enterprise, cross-channel fraud.