One of the most prevalent fraud typologies in the UK is the Authorised Push Payment (APP) scam. Through authorised push payments, fraudsters take advantage of Faster Payments, the UK's real-time payment scheme.
Approximately £479 million was lost to authorised push payment scams in 2020, of which £91.3 million was lost by businesses, according to a recent UK Finance report.
APP scams are not new, but if you’re wondering what you can do to protect your business, this article is for you.
What is APP Fraud?
APP fraud is extremely effective because its delivery method is a relatively unsophisticated deception. Fraudsters trick consumers or business employees into sending payments, under false pretences, to a bank account the fraudsters control. Since real-time payments are irrevocable, victims cannot reverse a payment once they realise they have been scammed.
In most cases, fraudsters gain access to an individual’s information through hacked email accounts and then pretend to be a company with which the account owner already does business.
They monitor email threads between consumers and businesses to identify payment dates and details, so that they can request a transaction at the moment the victim expects one. The fraudster then requests payment to a bank account that supposedly belongs to the legitimate firm being impersonated.
What is the banking industry doing about it?
Currently, banks are not required to refund money lost to scams. As a result, the victim of APP fraud is not reimbursed, which is increasingly viewed as unjust.
However, following a complaint filed in 2016 by the consumer group Which? with the Payment Systems Regulator (PSR) about this growing problem, a steering committee has been established to develop an industry code for reimbursing APP fraud victims.
Other prevention initiatives have been implemented across the payment networks, but they have only marginally reduced APP fraud:
Creating the Banking Protocol. This groundbreaking rapid-response scheme allows branch staff to alert police to suspected frauds. Since its launch in 2016, the scheme has prevented £142 million in fraud and led to 843 arrests. During the Covid-19 pandemic, it was expanded to cover telephone and online banking.
Confirmation of Payee (CoP). This initiative, implemented by Pay.UK, the UK's retail payments authority, checks the name on the destination account against the name the payer entered, in order to identify rogue payment destinations. As the check is quite rudimentary, fraudsters could easily circumvent it.
Enabling customers to delay faster payments. Transfers to a first-time payee could be delayed for a predetermined period. However, most APP scams take days or weeks to surface, so this did not have the desired effect.
Delivering the Take Five to Stop Fraud and Don't Be Fooled campaigns. These campaigns give customers and businesses guidance on staying safe and avoiding APP scams.
How to protect your business from APP fraud
Protecting your business from this kind of fraud can be difficult, as fraudsters can strike at any time. To put yourself in the best position, here are some things you should consider:
Diligent account monitoring. Always contact the beneficiary to confirm any payment over a set amount, even if you have a good relationship with the supplier. It can also save you a lot of money to agree a ‘safe protocol’ with your accounts department and insist that they contact you before making any payment over a certain figure. Be especially wary of paying a regular supplier or beneficiary into a bank account that differs from the one you have on record.
Implement 3DS2 authentication. Work with a payments provider that ensures the 3DS2 protocol is actively applied to all your payments. This helps reduce the risk from unauthenticated transactions and improves the cardholder authentication experience by reducing friction on lower-risk transactions.
Raising awareness among employees and customers. Protect your employees and customers by periodically raising awareness of fraudsters’ social engineering tricks through emails and training documents. Teach employees to telephone the company requesting payment to verify that the request is legitimate, using contact details they look up independently (for example through a web search) rather than those given in the email, which are likely to be the fraudster’s.
Simplify the transaction reconciliation process. Your statement descriptors should be easy to understand. Customers are more likely to contact you directly, rather than raising a dispute immediately, if they can easily identify where a transaction was made. Your employees will also become used to a consistent naming convention and will be more likely to notice red flags.
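As an added illustration of the account-monitoring checks described above (callback over a set amount, first-time payees, and a regular supplier's bank details changing) together with the kind of name check Confirmation of Payee performs, the following Python is example code written for this article; it is not code from the article's author or from any payment scheme. The threshold, supplier records, account directory and payment requests are constructed placeholders, and the account directory simply stands in for the lookup a CoP-enabled bank would do.

```python
"""Screen outbound payment requests for APP-fraud red flags.

Added example: all supplier records, account details and requests below
are constructed for illustration and do not refer to real accounts.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re

# Assumed policy values, not figures taken from the article.
CALLBACK_THRESHOLD_GBP = 10_000   # payments at or above this need a phone confirmation
CLOSE_MATCH_RATIO = 0.8           # similarity at which a name counts as a "close match"


@dataclass(frozen=True)
class Supplier:
    """An approved supplier as held in the accounts department's master list."""
    name: str
    sort_code: str
    account_number: str
    verified_phone: str   # number agreed out of band at onboarding, never taken from an email


@dataclass(frozen=True)
class PaymentRequest:
    """A payment someone has asked the accounts department to make."""
    payee_name: str
    sort_code: str
    account_number: str
    amount_gbp: float


def normalise(name: str) -> str:
    """Lower-case and strip punctuation/whitespace so 'Acme Ltd.' equals 'ACME LTD'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def name_match(requested: str, registered: str) -> str:
    """CoP-style outcome for a payee name: 'match', 'close_match' or 'no_match'."""
    a, b = normalise(requested), normalise(registered)
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_RATIO:
        return "close_match"
    return "no_match"


def screen_payment(req: PaymentRequest, suppliers: dict, account_directory: dict):
    """Return ('RELEASE' or 'HOLD', [reasons]) for one payment request.

    suppliers: normalised name -> Supplier, i.e. the approved-supplier list.
    account_directory: (sort_code, account_number) -> registered holder name;
        a stand-in for the name check a CoP-enabled bank performs.
    """
    reasons = []

    supplier = suppliers.get(normalise(req.payee_name))
    if supplier is None:
        reasons.append("first-time payee: verify through a known channel before paying")
    elif (req.sort_code, req.account_number) != (supplier.sort_code, supplier.account_number):
        # The classic APP pattern: a known supplier "changes" its bank details.
        reasons.append(f"bank details differ from supplier record: call {supplier.verified_phone}")

    holder = account_directory.get((req.sort_code, req.account_number))
    if holder is not None and name_match(req.payee_name, holder) != "match":
        reasons.append(f"payee name does not exactly match account holder ({holder!r})")

    if req.amount_gbp >= CALLBACK_THRESHOLD_GBP:
        reasons.append(f"amount >= {CALLBACK_THRESHOLD_GBP:,} GBP: callback to beneficiary required")

    return ("HOLD" if reasons else "RELEASE"), reasons


# Constructed sample data.
SUPPLIERS = {normalise(s.name): s for s in [
    Supplier("Acme Widgets Ltd", "20-00-00", "12345678", "+44 20 0000 0000"),
]}
ACCOUNT_DIRECTORY = {
    ("20-00-00", "12345678"): "Acme Widgets Ltd",
    ("40-11-11", "87654321"): "J Smith",   # the account the "new details" point at
}


def run_demo() -> dict:
    """Screen four constructed requests and return each decision by label."""
    requests = {
        "routine": PaymentRequest("Acme Widgets Ltd", "20-00-00", "12345678", 2_500),
        "changed_details": PaymentRequest("Acme Widgets Ltd", "40-11-11", "87654321", 2_500),
        "large": PaymentRequest("Acme Widgets Ltd", "20-00-00", "12345678", 25_000),
        "new_payee": PaymentRequest("Acme Wdgets Limited", "40-11-11", "87654321", 900),
    }
    return {label: screen_payment(r, SUPPLIERS, ACCOUNT_DIRECTORY) for label, r in requests.items()}


if __name__ == "__main__":
    for label, (decision, reasons) in run_demo().items():
        print(f"{label:16} {decision:8} {'; '.join(reasons)}")
```

Only the routine payment to the recorded account is released; the request that moves a known supplier to different bank details is held on two grounds (details differ from the record, and the account holder's name does not match), which is exactly the case the article warns about. The callback reason deliberately quotes the phone number held on file rather than anything from the request, since the request itself may have come from a compromised mailbox.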
Improve security and reduce chargebacks with our award-winning risk management, AML and fraud detection tool powered by Artificial Intelligence. Learn more here.