What is authorised push payment (APP) fraud?
Every year, the UK economy loses over £1 billion to various types of payment fraud, from card-not-present fraud to chargeback fraud. But authorised push payment (APP) fraud is the biggest single source of payment fraud, responsible for 44% of all payment fraud. In this article, we explore why it’s such a big problem for UK consumers, and what banks and financial institutions can do to help prevent it.
What is an authorised push payment?
An authorised push payment is simply a bank transfer made by an individual or business directly to the recipient. Authorised push payments are usually carried out on an online banking portal or mobile banking app, where the payer will input the recipient’s details and knowingly transfer money.
As the name suggests, authorised push payments are:
Authorised: the payer fully intends to send their money to a recipient
‘Push’ payments: the payer initiates the payment, as opposed to a ‘pull’ payment, where funds are taken from the payer’s account by the recipient.
A legitimate authorised push payment could be down to several use cases. The payer may want to transfer money to make an investment, pay a tradesman or even send money to family and friends.
APP fraud is so effective because it tricks the target into willingly parting with their money. This is different to unauthorised fraud, where the fraudster is able to take money from the victim’s bank account without their permission.
What is APP fraud?
APP fraud is a kind of social engineering fraud. Social engineering involves manipulating targets and exploiting human error to gain access to private information — or better yet — convincing targets to act on the fraudster’s behalf. By exploiting a person’s lack of knowledge, or making them act on a false idea of urgency or trust, scammers are able to trick people into giving up information or money that they believe — in the moment — is for a legitimate purpose.
Specifically, APP fraud uses social engineering techniques like phishing or spoofing to convince the target that they are sending money to someone for a legitimate reason. For example, they may believe they are sending money to a family member’s bank account, but a fraudster has targeted them with fake texts or emails, convincing the victim to pay money to an account that is actually owned by the fraudster.
Examples of APP fraud
There are eight categories of APP fraud that UK Finance has detected and actively tracks. There are scams like ‘romance scams’, where the victim is persuaded to send money to someone online, who they wrongly believe they are in a relationship with. This type of scam involves personal relationships, but the other types of APP fraud all convince the target they are from legitimate businesses or people in positions of authority. Some of the most prevalent include:
Purchase scams: This is where the target pays for a product or service in advance, but never actually receives what they paid for. Common purchase scams include fake holiday let listings and goods listed on second-hand marketplaces. The fraudster will convince the victim to use a manual bank transfer, rather than the platform’s secure payment portal. Purchase scams accounted for over half of all cases of APP fraud in the UK in 2022.
Investment scams: Investment scams often use cold calling to target a potential victim with what they say is a time-limited offer to make investments in the likes of gold, cryptocurrency and property.
Advance fee scams: An advance fee scam involves convincing the victim to pay a fee to secure a much larger payment or prize. A well-known example is the claim that the victim has won an overseas lottery and needs to make a manual bank transfer to release the winnings.
Invoice and mandate scams: Invoice and mandate scams commonly affect business accounts, as fraudsters pose as legitimate suppliers, convincing the targeted business that payment details have changed and they need to set up a new payment.
Impersonation scams: Impersonation scams often trick the target into believing that they are already a victim of fraud, with the fraudster pretending to be bank staff or even the police. Fraudsters convince victims to move money to a supposedly safe account. A similar scam that targets employees attempts to convince the target that their CEO or another senior management figure needs them to urgently make a payment to a specific account.
How much does APP fraud cost the UK economy?
According to UK Finance, the UK economy lost £583 million to APP fraud in 2021, a 39% increase compared to 2020. In total, there were over 195,000 reported cases of APP fraud. The majority involved personal accounts, but over 7,000 involved business accounts.
Over £270 million of the money defrauded was returned to victims, leaving over £313 million in the hands of fraudsters. Once the cases of APP fraud that were never reported are added, the scale of the problem, in the UK alone, is readily apparent. 1,378 of the reported cases were for over £10,000, further reinforcing how devastating this kind of fraud can be.
The three top APP fraud scams, in order of total value lost, are:
Investment scams: £171.7m
Impersonation scams (police/bank staff): £137.3m
Impersonation scams (other): £77.5m
How can banks, financial institutions and businesses help reduce and prevent APP fraud?
Education and awareness
APP fraud scams are so successful because they take advantage of consumers’ lack of knowledge of how payments can be used against them. Banks and financial institutions have a responsibility to educate their customers, and in-app warnings from the likes of Monzo both alert users to the possibility of a scam and highlight reasons why a request for payment might be fraudulent.
Confirmation of payee
Confirmation of Payee (CoP) is a safeguard intended to reduce accidentally misdirected payments — which could be down to APP fraud. CoP checks the account name, account number and account type when someone sets up a new payment, including via Faster Payments, standing orders and CHAPS. The check will confirm whether the name the payer provided matches the payee’s name, and if it doesn’t match, it will prompt the payer to contact the person or business they are trying to pay. Many UK banks are signed up to this service and several will also provide APP fraud-related warnings at this stage of a payment.
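The check described above can be sketched as follows. This is an added example, not code from the original article or from any bank's CoP service: the outcome names, the 0.85 similarity threshold, the prompt wording and the sample accounts are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample records standing in for the payee bank's data:
# (sort code, account number) -> (registered name, account type)
ACCOUNTS = {
    ("000000", "12345678"): ("Acme Roofing Ltd", "business"),
    ("000000", "87654321"): ("Jane A Smith", "personal"),
}
EQUIVALENTS = {"ltd": "limited", "co": "company", "&": "and"}
CLOSE_THRESHOLD = 0.85  # assumed cut-off for a "close" name

PROMPTS = {  # assumed wording of the warning shown to the payer
    "MATCH": "Name and account type match.",
    "CLOSE_MATCH": "Name is similar but not identical. Check it with the payee.",
    "NO_MATCH": "Name does not match. Contact the person or business you "
                "are trying to pay before sending money.",
    "ACCOUNT_TYPE_MISMATCH": "The account is not the type you selected. "
                             "Check with the payee.",
    "ACCOUNT_NOT_FOUND": "Account could not be checked.",
}

def normalise(name):
    """Lower-case, strip punctuation, and unify common business suffixes."""
    tokens = re.sub(r"[^a-z0-9& ]", " ", name.lower()).split()
    return " ".join(EQUIVALENTS.get(t, t) for t in tokens)

def cop_check(sort_code, account_number, entered_name, entered_type):
    """Return (outcome, payer_prompt); the registered name is never returned."""
    record = ACCOUNTS.get((sort_code, account_number))
    if record is None:
        outcome = "ACCOUNT_NOT_FOUND"
    else:
        registered_name, registered_type = record
        a, b = normalise(entered_name), normalise(registered_name)
        if a != b and SequenceMatcher(None, a, b).ratio() < CLOSE_THRESHOLD:
            outcome = "NO_MATCH"
        elif entered_type != registered_type:
            outcome = "ACCOUNT_TYPE_MISMATCH"
        else:
            outcome = "MATCH" if a == b else "CLOSE_MATCH"
    return outcome, PROMPTS[outcome]

if __name__ == "__main__":
    # Invoice scam shape: a supplier's name entered against someone else's account.
    print(cop_check("000000", "87654321", "Acme Roofing Ltd", "business"))
```

The last call models an invoice or mandate scam, where the payer types a trusted supplier's name against account details supplied by the fraudster; the name check is what surfaces the discrepancy before money moves.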
Reimbursement of funds
As outlined in the UK Finance Annual Fraud Report, 42% of money lost to APP fraud in 2021 was returned to the victim. This reimbursement process was made possible by a voluntary code of conduct that ten payment service providers (PSPs) signed up to. In September 2022, the Payment Systems Regulator (PSR) signalled its intention to require reimbursement in all but exceptional cases. This would apply to all payments over £100, with an excess no greater than £35.
Can open banking help combat APP fraud?
While the PSR’s announcement on mandatory reimbursement is reassuring news for consumers, it could have unintended consequences for open banking payments. If banks are liable in more circumstances for APP fraud, they might further decrease transaction limits and block more payments, as part of preventative measures.
Open banking payments are ‘safer by design’, meaning features — including embedded strong customer authentication (SCA), no card detail sharing, merchant due diligence and pre-population of payment fields — were built into open banking from the very beginning.
When customers choose to pay a business using open banking:
The customer doesn't need to enter payee details. This removes human error and the risk of customers being tricked into sending money to a fraudster. The open banking payments provider controls where the money goes.
The regulated open banking provider onboards the business receiving the payments, enters into a commercial contract with it and carries out due diligence, reducing the likelihood that bad actors will use open banking to commit fraud.