What is authorised push payment fraud?

Andy Tweddle, Payments writer
19 Jun 2024

Every year, the UK economy loses over £1 billion to various types of payment fraud, from card-not-present fraud to chargeback fraud. But the biggest single source of these losses is authorised push payment (APP) scams, accounting for over 40% of the total. In the first half of 2023 alone, victims lost £239.3 million to APP fraud. In this article, we explore why it’s such a big problem for UK consumers and what merchants can do to help prevent it.

What is an authorised push payment?

An authorised push payment is simply a bank transfer an individual or business makes directly to the recipient. Authorised push payments are usually carried out on an online banking platform or app, where the payer will input the recipient’s account details and knowingly transfer money.

As the name suggests, authorised push payments are:

  1. Authorised: the payer fully intends to send their money to a recipient

  2. ‘Push’ payments: the payer initiates the payment, as opposed to a ‘pull’ payment, where funds are taken from the payer’s account by the recipient

A legitimate authorised push payment could be made for several reasons. The payer may want to transfer money to invest, pay a tradesman, or even send money to family and friends.

APP fraud is so effective because it tricks the target into willingly parting with their money. This differs from unauthorised fraud, where the fraudster takes funds from your account without permission.

What is APP fraud?

APP scams are a kind of social engineering fraud. They involve manipulating targets and exploiting human error to gain access to private information or to get the target to act on the fraudster’s behalf. Scammers capitalise on a person’s lack of knowledge or make them act on a false sense of urgency or trust. As a result, they trick people into giving up information or money for what they believe, in the moment, is a legitimate purpose.

APP fraudsters use techniques like phishing or spoofing to convince the target that they are sending money to someone for a legitimate reason. For example, they may believe they are sending money to a family member’s bank account. In reality, a fraudster has targeted them with fake texts or emails, convincing the victim to pay money to an account that is actually owned by the fraudster.

Examples of APP fraud

UK Finance has detected and actively tracks eight categories of APP fraud. There are scams like ‘romance scams,’ where the victim is persuaded to send money to someone who they wrongly believe they are in a relationship with. This type of scam involves personal relationships, but the other types of APP fraud all convince the target they are from legitimate businesses or people in positions of authority. Some of the most prevalent include:

Purchase scams: This is where the target pays for a product or service in advance but never actually receives what they paid for. Common purchase scams include fake holiday let listings and goods listed on second-hand marketplaces. The fraudster will convince the victim to use a manual bank transfer, rather than the platform’s secure payment portal. Purchase scams accounted for 66% of the confirmed cases of APP fraud in the first half of 2023.

Investment scams: Investment scams often use cold calling to target a potential victim with what they say is a time-limited offer to make investments in the likes of gold, cryptocurrency, and property.

Advance fee scams: An advance fee scam involves convincing the victim to pay a fee to secure a much larger payment or prize. A well-known example is the claim that the victim has won an overseas lottery and needs to make a manual bank transfer to release the winnings.

Invoice and mandate scams: Invoice and mandate scams commonly affect business accounts, as fraudsters pose as legitimate suppliers, convincing the targeted business that payment details have changed and they need to set up a new payment.

Impersonation scams: Impersonation scams often convince the target to believe they are already a victim of fraud by pretending to be bank staff or even the police. Fraudsters convince victims to move money to a supposedly safe account. A similar scam that targets employees attempts to convince the target that their CEO or other senior management figure needs them to urgently make a payment.

How much does APP fraud cost the UK economy?

The UK economy lost £485.2 million to APP fraud in 2022 and £239.3 million in the first half of 2023. There were over 116,000 confirmed cases of APP fraud in January to June 2023. The majority were personal accounts, but approximately 4,000 were business accounts.

Over £152.8 million of the money defrauded in the first half of 2023 was returned to victims, leaving millions of pounds in the hands of fraudsters. When you add the cases of APP fraud that were never reported, the scale of the problem, in the UK alone, is readily apparent. 23,597 of the reported cases in 2022 were for fraud losses of over £10,000, further reinforcing how devastating this kind of fraud can be.

In 2022, 78% of APP fraud cases originated online. These tend to be lower-value frauds, so they accounted for 36% of losses (approximately £175 million). Impersonation APP fraud, which tends to be higher value, accounted for 44% of losses, or around £213 million.

How can banks, financial institutions, and businesses help reduce and prevent APP fraud?

Given the scale of the problem, preventing APP fraud is an uphill struggle. However, there are several steps different organisations can take to reduce the problem.

Education and awareness

APP scams are so successful because they use a consumer’s lack of knowledge about payments against them. Financial institutions have a responsibility to educate their customers. In-app warnings from banking apps like Monzo alert users to the possibility of a scam and highlight reasons why a request for payment might be fraudulent.

Confirmation of payee

Confirmation of Payee (CoP) is a safeguard intended to reduce accidentally misdirected payments — which could be due to APP fraud. CoP checks the account name, account number, and account type when someone sets up a new payment, including via Faster Payments, standing orders, and CHAPS. The check will confirm whether the name the payer provided matches the payee’s name, and if it doesn’t match, it will prompt the payer to contact the person or business they are trying to pay. Many UK banks are signed up for this service, and several will also provide APP fraud-related warnings at this stage of payment.
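The name-and-type check described above can be sketched as follows. This is an added example, not the CoP service's or any bank's own code; the account directory, the result labels, and the close-match threshold are assumptions made for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed directory standing in for the payee bank's records (hypothetical data).
ACCOUNTS = {
    ("040004", "12345678"): {"name": "Harbour Lane Joinery Ltd", "type": "business"},
    ("040004", "87654321"): {"name": "Priya Nair", "type": "personal"},
}
# Titles and company suffixes that should not cause a mismatch on their own.
NOISE = {"ltd", "limited", "plc", "mr", "mrs", "ms", "dr"}


def normalise(name):
    """Strip accents, case, punctuation and titles/suffixes before comparing."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(w for w in words if w not in NOISE)


def cop_check(sort_code, account_number, payer_name, account_type, close=0.8):
    """Return (result, warn_payer) for a new payee.

    Result labels and the 0.8 threshold are assumptions of this example.
    """
    record = ACCOUNTS.get((sort_code, account_number))
    if record is None:
        return ("account_not_found", True)
    given, held = normalise(payer_name), normalise(record["name"])
    if given == held:
        if account_type == record["type"]:
            return ("match", False)
        # Right name, but personal/business does not agree with the account.
        return ("wrong_account_type", True)
    if SequenceMatcher(None, given, held).ratio() >= close:
        # Likely a typo or spelling variant: warn rather than silently accept.
        return ("close_match", True)
    # The invoice-scam case: "new" details that belong to someone else entirely.
    return ("no_match", True)
```

Any result with `warn_payer` set is where the payer would be prompted to contact the person or business before sending money.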

Reimbursement of funds

As outlined in the UK Finance half-year fraud update, over 60% of money lost to APP fraud in the first half of 2023 was returned to the victim. This reimbursement process was made possible by a voluntary code of conduct that ten payment service providers (PSPs) are signed up to. In December 2023, the Payment Systems Regulator (PSR) announced new requirements for reimbursement in all but exceptional cases.

New APP fraud requirements for UK payment service providers (from October 2024)

In December 2023, the UK PSR announced new measures that will come into effect from October 2024. The new requirement mandates all UK payment service providers (PSPs) to reimburse customers when they’re victims of APP fraud. This measure will replace the current Contingent Reimbursement Model (CRM) Code, which is voluntary.

The CRM was introduced in May 2019 as a framework for UK banks and payment service providers. It sets standards for reimbursements for victims of APP fraud, provided they adhere to certain security practices. The code encourages banks to take steps to reduce APP fraud, like using fraud detection tech and educating customers. Not all PSPs are signed up to the code, but it covers 90% of transactions.

Can open banking help combat APP fraud?

While the PSR’s announcement on mandatory reimbursement is reassuring news for consumers, it could have unintended consequences on open banking payments. If banks are liable for APP fraud in more circumstances, they might further decrease transaction limits and block more payments as part of preventative measures.

Open banking payments are ‘safer by design,’ meaning features — including embedded strong customer authentication (SCA), no card detail sharing, merchant due diligence, and pre-population of payment fields — were built into open banking from the very beginning.

When customers choose to pay a business using open banking:

  • The customer doesn’t need to enter payee details. This removes human error and the risk of customers being tricked into sending money to a fraudster when they believe they're sending the money elsewhere. The open banking payments provider controls where the money goes.

  • The regulated open banking provider onboards and carries out due diligence with the business receiving the payments. The provider enters into a commercial contract with that business and undertakes due diligence, reducing the likelihood that bad actors will use open banking to commit fraud.

Find out more about how open banking is helping to fight the UK’s £1 billion fraud problem.
