The banking sector faces a massive threat from fraudsters impersonating as what seems legitimate employees and/or companies trying to get a fraudulent payment authorized by a relevant individual. This type of fraud scam is called Authorized Push Payment Fraud and is extremely difficult to detect and protect yourself against, because of the authorization process itself.
Two typical types of APP fraud:
- Malicious payee: This is where an individual is scammed into sending money to a person with whom they thought they were in a relationship, but is really a fraudster (romance fraud), or when an individual is tricked into making an investment, which is nowhere legit.
- Malicious redirection: This involves an interaction typically done via a call, SMS, WhatsApp message, or Facebook Messenger message. The interaction comes from a trusted institution or a fake friend or family member, where the victim is being misled into believing they must transfer their money, using empathy, scarcity and fear.
Bonus info: Right now, we are seeing a growingincident-amount for this kind of APP Fraud in Europe, where the victim is receiving a message from a fake family member, stating they write from a new number, because the old phone have been stolen, lost etc., and sending a payment request using empathy.
APP Fraud is a variation of third-party fraud, but is different from the rest
How is that? A definition of third-party fraud is:
“When a person, or a group of people, takes up a false identity by using someone else’s identity, without the victim knowing that his/her identity is being used to commit the crime.”
This is basically what happens in authorized push payment fraud, but there is one key difference, and that is the authorization process itself. In APP Fraud the payment is being authorized and approved by a legitimate person/employee, and it is only the payment request that is fraudulent. As opposed to the other variations of third-party fraud, where fraudsters also authorize the payment themselves.
By many laws, a payment authorized by a legitimate person/employee, is extremely difficult to do anything about, because the authorizer is held liable, and not the banks. In some countries the customer’s/victim’s liability is limited to a certain amount by national law.
Many banks are starting to keep the consumers safe from APP fraud and trying as hard as they can to making sure the victims get refunded. Why do banks do this, when they might have the option to lean back, and do nothing? First there is the ethical responsibilities, and the customer service and experience, they offer their clients. Second there is reputational damage and implications it can have, if a client of theirs becomes the victim of APP Fraud, and they go to the press stating the bank could and should have done more. In both cases it comes down to reputation, and keeping the business intact.
According to a research done by finextra.com (view here), there were 122,437 registered APP fraud cases in the UK alone in 2019, which resulted in a total loss of £456 million.
As you can see the sums of APP fraud are enormously large and have to potential to be life-changing and the possibility of bankruptcy is very plausible for APP fraud victims. And APP fraud is not just a UK problem, it is picking up pace in the Nordics as well, where more and more incidents are being reported.
How do banks protect themselves and their customers from APP Fraud?
First, you need to take a multilayered approach of defensive tactics, if you wish to overcome the struggles and threats of authorized push payment fraud. A part of that multilayered approach must be CoP (Confirmation of Payee), which is one of the preferred solutions to the problem at the moment – but only the problem regarding malicious redirection, relies on too many sources prone to errors, and don’t cover cross-border transactions.
Beside the fraudsters themselves there are three involved parties in this scam; the customer (both inbound and outbound), the receiving bank, and the paying bank. All three must be kept safe and have instances in place to flag out potential security risks.
In order to do so, the banks have the biggest obligation. To educate and inform all consumers, both private and businesses, in how to detect fraudulent behavior of this kind. The banks rely on the rational thinking of the payment authorizers in both sectors. To trigger rational thinking and the sense of something might be wrong, banks should implement systems to flag out even the smallest discrepancies in a payment journey to alert the payment authorizer into thinking something might be wrong.
The fraudsters are clever and have studied how real people act and think in payment situations, so the whole mindset needs changing.
Another action for banks to take, is to make optimal use of every tool at their disposal – behavioral detection models, behavior biometrics, malware detection, device profiling, analytics, advanced workflows, and a solid fraud management/monitoring platform. This could be used to create levels of potential customers, who are at risk of being subject to fraud scams, and perhaps more importantly identifying the accounts receiving those payments.
What benefits come from implementing security against APP Fraud?
Let’s have a look at what benefits the banks have from protecting their customer (and themselves) from fraudsters trying the scam people and businesses using authorized push payment fraud.
- Reputation: Your reputation is on the line at both ends. Optimize your customers’ protection against fraudsters, including APP Fraud, and gain a respected reputation as a bank you can rely on, and that keeps the customers and their funds safe. At the other end, if your fail to protect your customers from fraud scams, it could have devastating consequences, as shitstorms in the press and media can quickly appear and roll with uncontrollable speed.
- Number of incidents go down: By implementing an anti APP Fraud system and taking the necessary measures, you reduce the number of fraud incidents.
- Reduced management time: Reduced number of fraud incidents frees up time for your employees to take care of urgent matters, which results in optimized use of manpower and improves the quality of each case handling process.
- Hostile environment for fraudsters: Leaning up against “reputation”, if you implement security measures towards keeping your customers safe from fraudsters, you simultaneously create a hostile environment for the fraudsters, and they might go after lesser protected banks and their customers instead. Our mission though, is to keep everyone safe from fraudsters, no matter which bank they belong to.
- Bottom line: All this obviously result in a better bottom line, and the ROI of investing in a platform that can keep make life very difficult for fraudsters, will prove to be sound.
Never underestimate the eagerness, cleverness, and creativity of fraudsters, and you should therefore always keep all business ends sealed and secure.