Do you know what Authorized Push Payment or APP fraud is? Imagine this scenario: you’re getting an extension on your house, and after the building work is complete, you receive an email from an account bearing your builder’s name with an invoice attached showing the amount you agreed to pay for their labor.
You pay the bill for the work done as arranged. Only, you don’t hear back from them and so a few days later you drop them another message to check they received the payment. However, you find out that not only did they not receive the money, the account details you used to pay them are not connected to any account belonging to their company.
This is an example of Authorized Push Payment also known as APP fraud. APP scams occur when a scammer poses as a legitimate individual and convinces someone to send a payment under false pretenses, which ends up in an account controlled by fraudsters.
Examples such as the one outlined above can often include fake invoice fraud, where a fraudster invoices the victim for work that has actually been done, but by someone else, or else manages to intercept the invoice and change the account details to refer to one controlled by them.
UK Finance reported that in the first half of 2019, £208m was lost to APP fraud in the UK. APP scams are becoming more common due to the mass adoption of real-time payments by the financial services industry, and we expect them to make up a big proportion of fraudulent activity in 2020. Read why in a previous blog on the fraud trends we expect to see this year.
Initiatives, such as Faster Payments in the UK, are steadily rolling out real-time payments across the globe as incumbent banks compete with challenger fintechs to provide the best user experience possible.
Real-time payments are the defining element of APP fraud, as they mean that the transactions cannot be reversed, and the fraudsters can immediately take the money and run.
The approach to committing this type of fraud is not new or innovative as characteristically the scams involve some form of social engineering. A fraudster will impersonate a member of staff at a bank, a law enforcement officer, or as belonging to any legitimate company with which a user has an existing relationship. They then make what look like legitimate requests for payments due to the synthetic familiarity that the victim perceives.
Using social engineering allows fraudsters to perpetrate a wide range of attacks. It also means that Strong Customer Authentication, required under PSD2, has no effect on APP fraud because the accountholder will have been manipulated into providing the necessary authentication.
APP scams have become a much more attractive opportunity for scammers to make money since this regulation was announced.
These stories are all too common, and yet there were no set rules on protection for users when real-time payments began to be used en masse. So, whilst users were given the ability to make instant payments, providing protection if something went wrong seemed to be only a second thought.
In 2016, “Which?”, an independent UK watchdog working on behalf of the consumer, submitted a super-complaint to the Payment Systems Regulator (PSR) concerning customer safeguards in the market for push payments. It was worried that there wouldn’t be the same level of protection available to consumers falling victim to APP fraud compared to other types of payment methods.
This led to the APP Scams Steering Group being formed who set up the Contingent Reimbursement Model. This is a voluntary code which banks in the UK can sign up to, where they must reimburse a customer who is a victim of this type of fraud, as long as they have conducted themselves in adherence with the same code.
This code meant that Thomas, from our romance scam example, was refunded the money he lost, as his bank was signed up to this agreement.
The UK was one of the first financial industries to adopt real-time payments, and their subsequent recognition of the necessity to provide protection against APP fraud will likely act as a paradigm for the rest of the world who have followed in their footsteps.
The full data on the reimbursements that have been made in 2019 under this new code are due to be published this year, but it seems probable that the practice of banks reimbursing customers will become the widely accepted practice by PSPs in due course, whether as part of an official code or not.
Claiming culpability for customer losses as a result of APP fraud means banks are placing more emphasis on ways to prevent it from happening.
However, scams involving social engineering seem the hardest to both detect and to protect against as the person seems to be conducting a fully authorized transfer. Indeed, at the time, the customer themselves believe that is what they are doing. In a sense, when caught out as a victim of an APP scam, the victim has unknowingly defrauded themselves.
Security solutions founded in behavioral biometrics can help counteract this, by analyzing thousands of parameters regarding the user’s behavior in real time to see if their behavior suggests they are following instruction whilst carrying out the transfer.
This information can then be compared to known fraudulent behavior from confirmed fraudulent banking sessions and to the way legitimate transactions are usually handled.
A solution employing behavioral biometrics can generate a risk score based on this information whilst working invisibly and without impacting the user experience, and the banks can then take the appropriate action against APP fraud.