
Fraudsters have several factors working in their favor these days. Instant payment networks allow money to move rapidly, while digital banking technology and the proliferation of information on social media help make scams more convincing. What’s more, victims are often reluctant to speak out about the fraud. No wonder authorized push payment fraud is so popular with bad actors.

Authorized push payment (APP) fraud resulted in £479 million in fraud losses in the United Kingdom last year, according to recent data from UK Finance. Financial institutions (FIs) and banks will also face a higher burden to keep their customers safe and will even assume responsibility for money lost to APP fraud.

The effectiveness of APP fraud led the UK’s financial industry to launch the Contingent Reimbursement Model (CRM) Code in 2019. FIs that join the CRM voluntarily agree to reimburse APP fraud victims the money they lost (provided they meet certain criteria). With CRM in place, FIs face increased pressure to validate their customers’ activities across their journey. Here’s how banks can protect their customers and reputations from the APP fraud threat.

APP Fraud’s Many Faces

APP fraud uses a combination of social engineering and phishing tactics to deceive victims. Some of the most common and costly push payment scams include:

Purchase Scams

In a purchase scam, fraudsters sell victims products – such as cars, phones, laptops, exotic animals, or concert tickets – they ultimately never deliver. Payments are made online through an auction website or social media. Purchase scams were the most common type of APP scam in the U.K. last year, costing consumers £57.1 million.

Impersonation Scams

In an impersonation scam, fraudsters will pretend to be trustworthy figures such as bank employees or police officers. They will claim the victim’s bank account is compromised and tell them to transfer funds to a different bank controlled by the fraudster.

Malicious Misdirection

A malicious misdirection (or malicious redirection) scam involves tricking a victim into redirecting a payment to a recipient they believe is legitimate. Fraudsters pretend to be a vendor or supplier known to an employee and claim their bank account details have changed. Another approach involves hijacking real estate transactions by telling homebuyers to send deposits to a different bank account from the one they were originally provided. 

Investment Scams

Investment scams involve fraudsters convincing victims to quickly invest their money in items like cryptocurrency, stocks, gold, or property, among other things. Fraudsters use high-pressure tactics to claim the deal won’t last and that the victim will get a high return on their investment. 

Romance Scams

Romance scams are among the cruelest types of fraud. Fraudsters will lure their victims into intimate relationships, building their trust over a period of time. Eventually, they will ask the victim to send money because of a financial problem or to buy a plane ticket to visit the victim. Victims sometimes pay fraudsters smaller amounts over the course of the fake relationship.

Why Fraudsters Turn to APP Fraud

What makes APP fraud so appealing to criminals? Here are a few reasons:

Money Moves Faster

The rise of real-time payment systems such as the U.K.’s Faster Payment Systems and Australia’s NPP enables money to move in seconds, leaving little time for banks to catch fraud in the act. Once money leaves a victim’s bank account, it’s very difficult to recover.

Digital Technology’s Dark Side

Digital technology touches just about every aspect of people’s lives, from banking to work to social media. In the digital landscape, it’s much easier for fraudsters to deceive victims by pretending to be other people. By reviewing a victim’s social media profile, for example, they can learn enough personal details to win their target’s trust.

ATO Attacks Aren’t Easy Anymore

Most banks have spent the past decade investing heavily in their technology stack and implementing controls to thwart account takeover (ATO) attacks, long a favorite fraudster tactic. These controls include real-time transaction scoring, device and behavioral intelligence, and stronger authentication. As ATO attacks became more challenging, fraudsters switched tactics and looked to coerce customers into making payments they believe are legitimate.

The Shame Factor

The stigma of fraud also works in criminals’ favor because some victims are reluctant to admit they were deceived. Being swindled out of life savings or the down payment on a home is bad enough. Imagine admitting to getting fooled by a romance scam to authorities. Fraudsters are counting on this stigma around fraud to keep their efforts under wraps.

But it’s not just victims who are sometimes reluctant to talk about their own fraud experiences. Even banks have in the past struggled to talk openly about the threat of APP fraud. However, this position has improved hugely in recent years, and there is now a large amount of advice and guidance available to customers, as well as industry initiatives such as “Take 5.”

How Banks Can Combat APP Fraud

Fraudsters have many factors working in their favor to commit APP fraud. What’s more, banks are increasingly facing pressure to compensate victims for their losses. Measures like CRM put pressure on banks to maintain a strong control environment and protect customers from swindlers. Here’s how banks can prevent fraud and protect their customers.

Use All Available Data & Consider the Beneficiary of Funds

Understanding how customers normally engage with their FI is the first step. This involves looking at customers’ typical interactions across all available channels to establish a baseline of “normal” to detect anomalous transactions. Banks can also look at where customers want to transfer money and take note if the recipients or receiving bank raises suspicions. Verifying the name of a beneficiary is one such example. The more data you collect, the more accurately you’ll be able to assess the fraud risk. Application of machine learning can then allow banks to leverage these large data sets in order to build complex profiles and spot anomalies in real time.

Inbound Monitoring Can Really Disrupt Fraudsters

Monitoring the funds landing in accounts is not only a valuable tool for AML and compliance teams but could also be a powerful tool to fight APP fraud. Identifying accounts that exhibit behaviors akin to those of mule accounts (e.g., multiple payments in followed by large payments out in short succession) will help to disrupt the ability of fraudsters to rapidly move and take advantage of their ill-gotten gains.
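The mule-account pattern described above (several payments in, then a large payment out shortly afterwards) can be expressed as a simple rule over an account ledger. This is an added example, not code from the original article; the ledger layout, the function name and every threshold (two-hour window, three credits, two senders, 80% pass-through) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, account, direction, amount, counterparty)
SAMPLE_TXNS = [
    ("2024-03-01T09:00", "ACC-1", "in", 900.0, "P-1"),
    ("2024-03-01T09:20", "ACC-1", "in", 1200.0, "P-2"),
    ("2024-03-01T09:45", "ACC-1", "in", 800.0, "P-3"),
    ("2024-03-01T10:10", "ACC-1", "out", 2800.0, "X-9"),
    ("2024-03-01T08:00", "ACC-2", "in", 2500.0, "EMPLOYER"),
    ("2024-03-03T12:00", "ACC-2", "out", 700.0, "LANDLORD"),
    ("2024-03-01T11:00", "ACC-3", "in", 500.0, "P-4"),
    ("2024-03-01T11:05", "ACC-3", "in", 450.0, "P-4"),
    ("2024-03-01T11:30", "ACC-3", "out", 100.0, "SHOP"),
]

def find_mule_like_accounts(txns, window=timedelta(hours=2), min_inbound=3,
                            min_senders=2, min_out_ratio=0.8):
    """Flag outbound payments that forward most of a recent burst of credits.

    All thresholds are illustrative assumptions, not industry values.
    """
    by_account = defaultdict(list)
    for ts, account, direction, amount, party in txns:
        by_account[account].append(
            (datetime.fromisoformat(ts), direction, amount, party))

    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        for out_ts, direction, out_amount, _dest in rows:
            if direction != "out":
                continue
            # Credits that landed inside the look-back window before this debit.
            credits = [r for r in rows
                       if r[1] == "in" and out_ts - window <= r[0] < out_ts]
            senders = {r[3] for r in credits}
            inbound_total = sum(r[2] for r in credits)
            if (len(credits) >= min_inbound and len(senders) >= min_senders
                    and out_amount >= min_out_ratio * inbound_total):
                alerts.append({"account": account,
                               "outbound_at": out_ts.isoformat(),
                               "outbound_amount": out_amount,
                               "inbound_count": len(credits),
                               "senders": len(senders),
                               "inbound_total": inbound_total})
    return alerts

if __name__ == "__main__":
    for alert in find_mule_like_accounts(SAMPLE_TXNS):
        print(alert)
```

Requiring several distinct senders keeps salary-then-rent activity (ACC-2) and repeat transfers from one known payer (ACC-3) out of the alert queue.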

Study Your Customer’s Journey

Sudden changes to the customer’s behavior are another warning sign. Deviations can include digital banking sessions that last considerably longer than normal or in which a customer uses a web portal instead of the mobile app they normally use. These are signs that a fraudster is manipulating a customer.
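The two deviations named above, an unusually long session and an unfamiliar channel, can be checked against a per-customer baseline. This is an added example, not code from the original article; the session history is constructed, and the function names, the median/MAD baseline and the thresholds (`k=5.0`, `rare_share=0.2`) are assumptions.

```python
from collections import Counter
from statistics import median

# Constructed session history for one customer: (channel, duration in seconds)
HISTORY = [
    ("mobile_app", 95), ("mobile_app", 110), ("mobile_app", 80),
    ("mobile_app", 130), ("mobile_app", 105), ("web", 120),
    ("mobile_app", 90),
]

def build_baseline(history):
    """Summarise a customer's normal sessions.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so one earlier outlier session does not stretch the
    definition of "normal".
    """
    durations = [duration for _, duration in history]
    med = median(durations)
    mad = median(abs(d - med) for d in durations)
    counts = Counter(channel for channel, _ in history)
    share = {channel: n / len(history) for channel, n in counts.items()}
    return {"median": med, "mad": mad, "channel_share": share}

def journey_deviations(baseline, channel, duration, k=5.0, rare_share=0.2):
    """Return the reasons a session deviates from the customer's baseline.

    k and rare_share are illustrative assumptions to be tuned on real data.
    """
    reasons = []
    # Floor the spread so a perfectly regular customer does not alert on noise.
    spread = max(baseline["mad"], 1.0)
    if duration > baseline["median"] + k * spread:
        reasons.append("long_session")
    # A channel the customer rarely or never uses counts as a deviation.
    if baseline["channel_share"].get(channel, 0.0) < rare_share:
        reasons.append("unusual_channel")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(journey_deviations(baseline, "mobile_app", 100))
    print(journey_deviations(baseline, "web", 900))
```

The returned reasons are inputs to a wider risk decision, for example choosing when to show a payment warning, rather than a verdict on their own.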

Speed vs. Pausing for Thought

Customer experience is often seen through a single lens of removing all friction. However, we know that suffering fraud is a traumatic experience for any customer. There may be times when offering customers some breathing space changes their minds for the better. Banks should consider whether some payments justify the need for pop-up messages. These messages can ask customers why they are initiating a transfer or warn them that they might be getting scammed. Small triggers can be enough to break a customer out of the fraudster journey.

End the Fraud Stigma

Talking openly with your customers about the threat of APP fraud is a highly effective way to keep them safe from fraudsters. It’s also one of the most responsible. Banks should continue to educate customers about different fraud tactics and remind them that they are the first line of defense against scammers. It is also vitally important that messaging is tailored to the audience. Vulnerable customers, for example, may need simpler messaging that is displayed more frequently. Being open about fraud demonstrates that your bank understands the threat and that customers can trust you to address it. It also arms customers with the information they need to protect themselves.

APP fraud is not a nuisance threat from a one-man shop. Instead, organized crime syndicates are using wide-reaching and increasingly sophisticated APP fraud tactics. In other words, fraudsters are only going to get more aggressive with their efforts. With the onus shifting to banks to protect customers, combining data and customer education is the most effective defense.

Consumers expect convenience, agility, and security while interacting with their banks. The challenge for FIs is how to balance convenience for their customers with security and agility. Watch this on-demand webinar, Staying Ahead of Fraudsters: Cloud vs. On-Prem Ecosystems, to learn more about the role of behavioral analytics in protecting digital identity and providing a frictionless customer experience.