The insidious threat of Authorised Push Payment Fraud.

In an era where digital transactions have become the norm, a form of financial crime is on the rise: a scam type called Authorised Push Payment fraud (APP). This sophisticated scam has left thousands of individuals and businesses out of pocket, with losses of £460 million in the UK alone (2023), and likely to reach $6.8 billion world-wide by 2027. Our modern way of life relies heavily on online banking, and as dependency on digital payments grows, so does the urgency to understand and combat this insidious threat. 

Scale of the Authorised Push Payment Fraud Problem 

As mentioned in the introduction, the scale of the problem is expected to rise markedly.

“Authorised Push Payment fraud losses are on the rise and expected to climb to $6.8 billion by 2027, driven by the increasing adoption of faster payment systems and the sophistication of social engineering techniques.” – ACI Worldwide.

Source and credit: https://www.aciworldwide.com/scamscope-report-app-scam-trends 

What is Authorised Push Payment Fraud? 

Simply put, Authorised Push Payment fraud occurs when a scammer tricks a person or business into voluntarily sending money to an account controlled by the fraudster. Unlike forms of payment fraud where transactions are made without the account holder’s knowledge, Authorised Push Payment fraud involves the victim authorising the payment themselves, under false pretences. 

The victim has been deceived into making a payment they should not have made to an account they should not have paid into. 

From the financial institution’s perspective, Authorised Push Payment fraud differs from other financial scams because the transaction appears legitimate. The genuine customer logs in from their usual device, passes authentication and authorises the payment themselves, so the controls that look for account takeover (stolen credentials, unrecognised devices, failed logins) see nothing wrong. That makes it challenging for financial institutions to detect and prevent in real time: the only signals left are behavioural ones, such as a brand-new payee, an unusually large amount, or a payment that empties the account. 

The Anatomy of an APP Fraud Attack 

Authorised Push Payment fraudsters employ a variety of tactics to deceive their victims. Most rely on well-known psychological triggers that drive people to act. These include: 

  1. Impersonation: Scammers pose as trusted entities such as banks, government agencies, or legitimate businesses. 
  2. Urgency: The fraudsters create a sense of urgency, pressuring victims to act quickly without thorough consideration. The push for urgency cuts short the due diligence that might otherwise expose the scam. 
  3. Fear tactics: Fear is a powerful driver of action. Some fraudsters use threats or intimidation to coerce victims into making payments. 
  4. Social engineering: Combining the above with personal details (often gathered from social media or data breaches) so that the approach appears to come from someone who already knows the victim and their affairs. 

Real-world example:

“Anna contacted her bank after realizing she’d fallen victim to an Authorised Push Payment scam. A fraudster, pretending to be her bank, had tricked Anna into sending £14,500 to what she thought was a safe account but was actually an account controlled by the fraudster. Anna transferred the whole of her current account balance to the fraudster – in essence the payment cleared her account.” Source: https://www.financial-ombudsman.org.uk/decisions-case-studies/case-studies/consumer-complains-after-a-fraudster-tricks-her-into-transferring-funds-from-her-bank-account 

Why Authorised Push Payment Fraud is on the Rise 

Several factors contribute to the increasing prevalence of APP fraud: 

  1. Faster payment systems: Banking is competitive, and customers expect to transact whenever they need to and have the payment settle almost instantly. While convenient, near-instant settlement means that by the time a victim realises what has happened, the fraudster has usually already moved the funds on through further accounts, leaving the sending bank little or nothing to recall. 
  2. Sophisticated social engineering: Scammers are becoming more adept at manipulating victims psychologically. They learn from experience, keep what works and correct previous errors, which makes it hard to stay alert to their techniques.
  3. Data breaches: Increased access to personal information allows fraudsters to make their scams more convincing. Large amounts of personal data are freely shared on social media; combine that with breached data and A.I. to fill in the gaps, and the result is personal data that is extremely valuable and is sold for malicious purposes. 
  4. Gaps in security measures: Traditional fraud detection systems are built to spot account takeover, not a genuine customer authorising a payment, so they are not always equipped to identify Authorised Push Payment fraud. Add the tension between security and ease of use, and sometimes the dial moves too far away from good security. That seems to be the recent view of the Banking Ombudsman in New Zealand. The case below is a remarkable, real-life one, and while technically not an APP fraud, it demonstrates that banks face an uphill battle to strike a balance between customer ease-of-use and security:

Source: https://www.stuff.co.nz/money/350429908/son-cracks-fathers-phone-and-takes-56k-using-banking-app-bank-liable

Who is at Risk? 

Authorised Push Payment fraud can target anyone, and you are at risk regardless of your intelligence, job, gender or other demographic. Every person is an individual, not a midpoint on a population curve; however, the statistics do tell us that certain groups are particularly vulnerable: 

  • Individuals: Elderly people, first-time home-buyers, and those unfamiliar with digital banking are common targets, for different reasons. The elderly can struggle to keep up with the fast pace of modern tech. Home-buyers can be carried away by the emotion and confused by the complexities of buying a home, and so on. Whatever the reason, the less due diligence you do, the higher the chance that you will eventually be caught out. 
  • Businesses: Small and medium-sized enterprises are often targeted, especially during busy periods or when they are expecting large transactions. Small business owners wear many hats at once and tend to spend less effort and money on institutional-grade security measures. Officers of medium-sized enterprises in particular need to invest in safeguards, because the cure is far more expensive than prevention.
  • Financial institutions: While not normally the direct victims, banks face substantial reputational damage and potential market and financial losses from reimbursing customers. This risk is rising all the time, with recent UK rules (from the Payment Systems Regulator) requiring banks to reimburse victims of Authorised Push Payment fraud up to £85,000 (more on this shortly). (See also the New Zealand example referenced above.)

The Financial and Emotional Impact of APP Fraud 

The consequences of Authorised Push Payment fraud extend far beyond monetary losses: 

  • Financial impact: First, there is the direct financial loss. As we saw earlier, ACI Worldwide forecasts that APP fraud losses will top $6.8 billion by 2027, growing at an 11% compound annual growth rate. Few medium-sized businesses can afford to write off a six-figure Authorised Push Payment fraud, and for the elderly, young families, single parents and many others the loss can be devastating. 
  • Emotional toll: Victims often experience shame, anxiety, and depression after discovering they have been defrauded. The emotional toll of becoming a victim can leave permanent consequences far worse than the financial loss itself. Sadly, Rexxfield takes calls from victims who are very much on the edge emotionally, and considering actions that they should never take in order to ease the pain. For many victims, financial loss pours woe upon woe, anxiety upon an already high level of anxiety. According to CNN, referenced by Duke, 71% of Americans identify money as a significant source of stress and 76% live paycheck to paycheck. With that existing financial stress, falling victim to an Authorised Push Payment fraud rubs a lot of proverbial salt into an existing wound. 
  • Broader economic effects: The prevalence of APP fraud can erode trust in digital payment systems, potentially slowing economic growth. And as banks and their insurers increasingly have to foot the bill, hire more staff and contractors and buy more security systems, all these costs are eventually passed on to consumers. 

Current Measures to Combat Authorised Push Payment Fraud 

How do we fight back? 

First, we need to understand that Authorised Push Payment fraudsters are always evolving their tactics, social engineering and digital infrastructure. Efforts to fight APP fraud therefore have to evolve too: 

  • Regulatory initiatives: The UK’s Contingent Reimbursement Model (CRM) Code encourages banks to reimburse blameless victims of APP fraud. We referenced earlier the newer rules requiring banks to refund victims up to £85,000 within FIVE business days, which is very little time to assess the incident and allocate blame. We also saw the New Zealand example where the bank had to repay a fraud committed by a son who accessed his father’s phone. Rightly or wrongly, the bank is increasingly being held accountable, and this creates a huge problem for banks in managing the risks and consequences. (Fortunately, Rexxfield can help. If you are reading this and you work for a financial institution, talk to us about 1/ preventative measures and 2/ our first-response services that can help you recover lost funds. See our BEC Recovery page, which covers many of the same services we provide for Authorised Push Payment fraud.)
  • Banking industry measures: Many banks are implementing real-time transaction screening and customer education programs. This will be expensive, and it will not be fool-proof.
  • Technological solutions: A.I.-powered fraud detection systems are being developed to identify suspicious patterns as transactions occur. But with real-time payments forecast to reach 575 billion transactions a year world-wide by 2028, screening every one of them in the moment is a daunting task. Time will tell – A.I. will definitely play a role – but as A.I. will be used on both sides, an A.I. arms race will likely (in my opinion) favour the fraudsters. 
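To make the “real-time transaction screening” point concrete, here is an added example of the kind of behavioural rule set a sending bank can apply at the moment a customer authorises a payment. It is illustrative code written for this article, not code from the original post or from any bank’s fraud system. It assumes only data the sending bank already holds: whether the payee is new, how recently the payee was added, and the amount relative to the customer’s balance and usual payments. The thresholds and scores are assumptions to be tuned; the sample payments are constructed, and the first one mirrors the “safe account” pattern in the Anna case above.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Payment:
    """Outbound payment as seen by the sending bank at authorisation time (assumed fields)."""
    customer: str
    amount: float
    balance_before: float
    new_payee: bool                 # payee never paid before from this account
    payee_added_minutes_ago: int    # minutes since the payee was set up (large if long-standing)
    typical_payment: float          # customer's median outbound payment over the last 90 days
    memo: str = ""


@dataclass
class Verdict:
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # Assumed thresholds: tune to the institution's own false-positive tolerance.
        if self.score >= 60:
            return "hold_and_call"   # pause the payment; speak to the customer on a known number
        if self.score >= 30:
            return "warn"            # show a targeted scam warning before final confirmation
        return "allow"


def screen(p: Payment) -> Verdict:
    """Score an authorised payment for APP-fraud indicators. Authentication has already passed,
    so every signal here is behavioural rather than credential-based."""
    v = Verdict(score=0)
    if p.new_payee:
        v.score += 20
        v.reasons.append("first payment to this payee")
    if p.new_payee and p.payee_added_minutes_ago <= 30:
        v.score += 20
        v.reasons.append("payee added minutes before payment (typical of coached transfers)")
    if p.balance_before > 0 and p.amount / p.balance_before >= 0.9:
        v.score += 30
        v.reasons.append("payment empties the account")
    if p.typical_payment > 0 and p.amount >= 10 * p.typical_payment:
        v.score += 20
        v.reasons.append("amount is 10x or more the customer's usual payment")
    memo = p.memo.lower()
    if any(k in memo for k in ("safe account", "secure account", "fraud team")):
        v.score += 30
        v.reasons.append("memo uses 'safe account' scam wording")
    return v


# Constructed sample payments (not real customer data).
SAMPLES = [
    # Mirrors the Anna case: whole current-account balance to a brand-new payee.
    Payment("anna", 14500.0, 14500.0, True, 12, 180.0, "move to safe account"),
    # Routine monthly bill to a long-standing payee.
    Payment("bob", 95.0, 2300.0, False, 400000, 110.0, "electricity"),
    # Genuine new payee but far larger than usual: a warning is enough.
    Payment("cara", 1600.0, 5200.0, True, 90, 150.0, "plumber invoice"),
]


def run(samples=SAMPLES):
    """Return (customer, action) pairs for a batch of payments."""
    return [(p.customer, screen(p).action) for p in samples]


if __name__ == "__main__":
    for p in SAMPLES:
        verdict = screen(p)
        print(p.customer, verdict.action, verdict.reasons)
```

The point of the rules is that none of them asks whether the login was genuine; they ask whether this customer, with this history, would normally make this payment. The “hold and call” outcome is the expensive one, which is why the scores are additive: a single weak signal (a new payee) only earns a warning, while the combination that characterises a coached “safe account” transfer is stopped outright.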

How to Protect Yourself from APP Fraud 

PREVENTION.

Prevention is far cheaper than the cure in the fight against Authorised Push Payment fraud. Here are some basic guidelines:

  1. Verify payment details: Always double-check account numbers and sort codes before making large transfers. Confirm new or changed payee details by calling the payee on a number you already hold or obtained independently, never one supplied in the same email or message as the new details. Where practical, send a small test payment first and have the recipient confirm receipt through that verified channel before sending the balance. Treat any change to previously supplied bank details as suspect until it has been verified this way. 
  2. Be wary of urgency: Legitimate organisations won’t pressure you to act immediately. Take your time and do your due diligence. Don’t be embarrassed or pressured into acting rashly.
  3. Use official contact methods: Before they are needed, set up and agree pre-approved communication channels and methods of authentication with the people you pay. If in any doubt, contact your bank or the supposed requester using official, verified contact information (not from an SMS or email link, and not contact details sourced from a forum). 
  4. Enable additional security features: Use two-factor authentication as a minimum for online financial portals. Use a unique password for every financial account and make it long (a passphrase of 12 or more characters beats a short one padded with symbols); a password manager makes this practical. Authenticator apps are safer than SMS codes, which can be intercepted through SIM-swap attacks, and approval inside the bank’s official app is better still. Also set up transaction notifications, where available, so you know where funds are going the instant they move. 
  5. Have a plan if the worst does happen: It is too late to start scrambling to google for help once you have been scammed; you need to have a plan beforehand. I can illustrate this point with an anecdote from rural Australia. Living in a bush-fire-prone country like Australia, we had to have a bush fire plan prepared. We knew fires do not give you much time to think and act, so we all knew beforehand what our jobs were and where we would turn should the worst happen. Similarly, you need to have a preparedness plan for APP, BEC and other types of financial fraud. Talk to REXXFIELD NOW about your AUTHORISED PUSH PAYMENT fraud preparedness plan. 

What to Do if You’re a Victim of APP Fraud 

FIRST RESPONSE IS CRITICAL. If you are a victim, do not delay getting help. 

If you suspect you’ve fallen victim to Authorised Push Payment fraud: 

  1. Contact your bank immediately to try and stop or recall the payment. 
  2. Call REXXFIELD next (before the police). 
  3. Report the incident to the police and get a crime reference number. 
  4. Document all communications and evidence related to the fraud: emails with full headers, messages, call times and numbers, payment confirmations and the account details you paid. 
  5. Depending on your country, contact the banking ombudsman, regulatory authority or similar to understand your rights in the country where you bank (ideally, you should already know this as part of your fraud ‘bush-fire’ plan). 

I want to emphasise the importance of documentation: the documents you hold will determine how quickly we can work out what happened, who did it and where your money has gone. Keep a good audit trail of everything financial; it will reduce your costs later. If needed, our GOLD-level Deep Dive Due Diligence investigations can obtain financial information about onshore and offshore accounts, financial status, financial history, controlled entities and much more to help unravel the who, what and where. This is a premium service, so the more documentation you have, the less you will have to spend on paying others to dig through online and offline records. 

APP Fraud Case Study 

Here is a case that came to our attention this week. This APP fraud took the form of a BEC (business email compromise) scam. This is how it happened, as described by the victim in their submission to us: 

“We were engaged in a real estate deal. Someone impersonating our realtor and attorney sent us information that was accurate to wire money for the closing of the building. We wired the money and then learned it was fraud. We have engaged law enforcement, the FBI and the banks and they could not recover the funds. It was $356,870. Recently, the real estate assistant sent a new agreement to us. Within 60 minutes of her sending a document through docusign, we were contacted by the person impersonating our realtor to ask about the status of the “wire recovery” but it was the same email ending in proton.me. These were the fake emails used ########@proton.me, and #########@proton.me” 

Outcome … it’s a new case, so we will update this post later with the outcome. 
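The impersonation in this case rested on a familiar name arriving from an unfamiliar free-mail domain, with accurate deal details lending it credibility. Below is an added example, written for this article and not part of the victim’s submission or any Rexxfield tooling, of the check a buyer’s mailbox or a small firm’s mail filter can run on every message that touches a payment: does the display name belong to a known contact, does the sending domain match the one that contact has always used, is the Reply-To quietly pointing somewhere else, and does the message try to steer a wire? The address book, the domains and the three sample messages are all constructed; they are not the actual addresses from the case (which the submission redacts).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the domain that contact has always used.
# Hypothetical names and domains; not the parties in the case above.
KNOWN_CONTACTS = {
    "jane smith": "example-realty.com",   # realtor
    "tom brown": "example-lawfirm.com",   # closing attorney
}

# Free-mail providers a professional contact would not normally switch to mid-deal.
FREE_MAIL = {"proton.me", "protonmail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Wording that signals the message is trying to steer a payment.
PAYMENT_WORDS = ("wire", "account number", "routing", "updated bank", "new bank details")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return warnings for a raw RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    warnings = []

    name, addr = parseaddr(msg.get("From", ""))
    key = name.strip().lower()
    domain = _domain(addr)

    # A familiar display name on an unfamiliar domain is the classic impersonation pattern.
    if key in KNOWN_CONTACTS and domain != KNOWN_CONTACTS[key]:
        warnings.append(f"'{name}' normally writes from {KNOWN_CONTACTS[key]}, not {domain}")
    if key in KNOWN_CONTACTS and domain in FREE_MAIL:
        warnings.append(f"professional contact writing from free-mail domain {domain}")

    # Replies silently diverted to another mailbox are another common tell.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != domain:
        warnings.append(f"Reply-To {reply_addr} goes to a different domain than From")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if warnings and any(w in text for w in PAYMENT_WORDS):
        warnings.append("payment instructions from an unverified sender: "
                        "confirm by phone on a number you already hold")
    return warnings


# Constructed sample messages (not the actual emails from the case).
FAKE = """From: Jane Smith <jane.smith.realty@proton.me>
To: buyer@example.com
Subject: Updated wiring instructions for closing

Please use the updated bank details below to wire the closing funds today.
"""

GENUINE = """From: Jane Smith <jane@example-realty.com>
To: buyer@example.com
Subject: Closing documents

The DocuSign package is on its way.
"""

DIVERTED = """From: Tom Brown <tom@example-lawfirm.com>
Reply-To: tom.brown.legal@proton.me
To: buyer@example.com
Subject: Wire for closing

Send the wire to the account number below.
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE), ("genuine", GENUINE), ("diverted", DIVERTED)):
        print(label, check_message(raw))
```

None of these checks proves a message is fraudulent; a realtor really might write from a personal address once. What they do is convert “the email looked right” into a concrete reason to pick up the phone before money moves, which is the step that was missing in the case above.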

The Future of APP Fraud Prevention 

The fight against Authorised Push Payment fraud continues to evolve: 

Artificial intelligence (A.I.) and machine learning:

  • Advanced algorithms may help detect fraudulent patterns more accurately, but A.I. will also likely lower the bar for criminals, making scams easier to run at scale. I wrote about the unholy marriage between A.I. and scammers recently.

Blockchain technology:

  • Blockchain is a divisive topic around scams. One side says blockchain should be banned from financial transactions because the speed and ease of transfers (and the pseudonymous design) make it attractive to scammers. On the other hand, blockchain has technological traits that can be an Achilles heel for scammers. For example, the immutability and public visibility of blockchain transactions add transparency: once one wallet is identified, the whole network of scammer wallets it transacts with can be exposed. Another controversial aspect is that some tokens are programmable. With USDT, for example, the issuer can freeze the balance of a blacklisted address, which means stolen or fraudulently obtained USDT can be made unusable without ever being recovered: the frozen tokens are effectively destroyed, and the victim can simply be issued new USDT to replace them, leaving the scammer holding ‘money’ they can no longer spend. This is where money laundering comes in, since laundering is the perpetrator’s means of converting tracked stolen funds into clean, spendable money. 

Fighting Laundering

Enhanced regulations

  • Governments worldwide are considering stricter measures to combat financial fraud, and we see this happening in the banking sector. Time will tell how much this helps – I have my doubts that it will be enough. Many understandably believe that the regulatory changes desperately need to be extended to technology companies, like Meta. Rather than a voluntary code, they need to be forced through the hip-pocket to take stronger action against scams being run unimpeded on their platforms. It is inexcusable that WhatsApp and other platforms are used to facilitate scams with very little consequence. If the banks are going to be made liable, so should the tech companies whose platforms allow these scams to be facilitated. 

Public awareness

  • Ongoing educational efforts aiming to make the public more fraud-savvy will help, but they will always lag behind the growth and adaptation of scammers’ methods. When one type is exposed, another pops up. But we still have to try. US 501(c)(3) charity PICDO (Public International Cybercrime Disruption Organisation) is one such organisation disrupting cyber crime through education and law enforcement training. Rexxfield donates some of our recoveries to PICDO to help law enforcement fight more crime more effectively.

Private-Public partnerships

  • By far (in my opinion) the biggest impact will come from private enterprise and law enforcement joining forces to respond rapidly to APP crime. Each side does certain things very well, and by combining forces they can work around the cumbersome MLAT request process (which can take 6+ months) and other procedures designed for the era before international finance, which is paramount. That is the thinking behind STINGFORCE (coming soon), and it will revolutionise the response to Authorised Push Payment fraud and other scams. 

Authorised Push Payment Fraud: Where to from here? 

As APP fraud continues to pose a significant threat to individuals and businesses alike, awareness and vigilance, turned into pre- and post-incident action plans, are our best defence, but the thinking behind online financial crime fighting needs to evolve as well. It cannot be left to consumers and small and medium-sized businesses alone to reduce the BEC and Authorised Push Payment frauds that are such a large cost to society. However, as an individual or a business owner, you can only control what is in your wheelhouse, so I encourage you to put in place: 

  • A security plan for how you are to minimize your chances of being hit by APP fraud, then 
  • Have a ‘bush fire’ plan on how to respond should the worst happen, and 
  • Make sure you have Rexxfield on speed-dial. 

By understanding the tactics used by fraudsters, having good plans, implementing robust security measures, and staying informed about the latest prevention strategies, we can work together to combat this growing menace. Remember: if a payment request seems at all unusual, suspect or too good to be true, it probably is. Stay alert, stay informed, and protect yourself from becoming the next victim of Authorised Push Payment fraud. 

To speak to a Rexxfield senior investigator about BEC or Authorised Push Payment fraud, contact us now https://rexxfield.com/contact/ 


NOTE: In case it isn’t obvious, none of this constitutes personal financial advice. It is general in nature, the opinion of the author and is written for educational purposes.


 

Authorised payment fraud sources and resources: