In mid-2023, the UK’s Payment Systems Regulator (PSR) announced a compulsory directive requiring banks and payment firms to promptly reimburse victims of online bank fraud within a five-day timeframe. This new mandate was established specifically to address situations where individuals conducting transactions on behalf of a business inadvertently send money to a bank account manipulated by fraudsters. The reason for this new regulation is that, in recent years, a substantial number of individuals across the globe have experienced the loss of their bank and investment funds due to an unprecedented surge in deceptive online bank transactions targeting British consumers. This type of fraud is commonly referred to as authorized push payment (APP) fraud.
The PSR’s new guidelines were based on findings from investigations into consumer behavior and the subsequent responsiveness of payment service providers (PSPs) in addressing payment fraud issues. These were published in an October 2023 report, Authorised Push Payment (APP) Fraud Performance Report, which summarizes three key takeaways for organizations that enable APP:
The rapid adoption of online banking and the proliferation of peer-to-peer payment platforms have significantly simplified tasks such as bill payments, check deposits, and online account balance checks for UK residents. Consider that in 2022, approximately 93% of the adult population in the UK engaged in some form of online banking. The enhanced convenience is helping to drive increased online transactional volume, but it comes with a substantial drawback in the form of APP fraud.
The prevailing reality of life in 2023 revolves around online transactions, a fact underscored by the latest fraud data released by UK Finance. According to the data, a significant 77% of fraudulent APPs originated in the online realm, while an additional 17% were traced back to telecommunications, specifically SMS or phone calls.
Undoubtedly, APP fraud has emerged as a pressing national issue in the UK. In 2022 alone, losses attributable to APP fraud reached a staggering £583 million. Experiencing a 39% surge from the prior year, APP scams now stand out as a predominant fraud threat to British businesses and consumers.
The significant rise in APP fraud is a clear signal that regulators are going to put increasing pressure on banks and other financial institutions to implement better fraud protection measures.
APP fraud occurs when fraudsters deceive individuals into initiating a substantial bank transfer. Unlike unauthorized payments, APP fraud makes the victim a participant by actively authorizing and executing the payment, often under false pretenses created by the fraudster.
Like other types of fraud, APP fraud is not manifested through a single scenario. Rather, it involves the interplay of a variety of factors to create a complex web of activity that is challenging to identify and isolate. Characteristics and components of APP fraud include the following:
Fraudsters employ a range of deceptive techniques to trick individuals. This may include instances where they pose as seemingly legitimate entities, including banks, financial institutions, or even trusted service providers. They create convincing narratives or scenarios to gain the victim's trust and convince them to initiate a payment.
As in so many types of fraud, social engineering plays a crucial role in how APP fraud is perpetrated. Fraudsters exploit psychological and emotional triggers to manipulate individuals. This may involve creating a sense of urgency, fear, or trust to prompt the victim to act quickly without questioning the legitimacy of the transaction.
A common APP tactic is impersonating trusted entities such as banks, credit unions, and other types of financial services enterprises. Fraudsters often use sophisticated methods to mimic official communication channels, including emails, phone calls, or even text messages. This impersonation aims to deceive the victim into believing they are interacting with a legitimate institution.
Unlike some other forms of fraud where transactions occur without the victim's consent, APP fraud involves the victim actively authorizing the payment. This authorization is obtained through manipulation, misinformation, or the creation of a false sense of trust.
The actual act of APP fraud typically happens by convincing victims to make substantial transfers of funds. Once the payment is authorized, it is often processed through real-time payment systems, making it difficult or impossible to reverse. This adds to the urgency and impact of the fraud.
APP fraud can manifest in various scenarios, including romance scams, purchase scams, impersonation scams, and investment scams. Each scenario is tailored to exploit specific vulnerabilities or desires of the victim. We go into these different types of scenarios in the section below.
Fraudsters are cagey and attuned to how their tactics are tracked. As a result, those who engage in APP fraud are continually adapting their tactics, staying ahead of prevention measures. As technology advances, so do the methods employed in APP fraud. This necessitates a dynamic and multifaceted approach to counteract the evolving nature of these schemes.
Fraud teams need to understand that APP fraud is multidimensional. They must recognize patterns and behaviors that indicate APP-related criminal schemes so that they can implement effective preventive measures and protect against financial losses. This is precisely why the UK’s PSR is now demanding more rigorous measures to help banks prioritize identification verification as a critical component for combatting APP fraud.
Clearly, there is a lot of work that goes into creating the right set of actions to make APP fraud a profitable endeavor. But what does it actually look like to the end user? Well, as we now understand, committing APP fraud involves persuading victims to initiate fund transfers, and unlike fraud that involves unauthorized payments, it incorporates a distinct psychological element. APP fraud is ultimately about some semblance of cajoling, confusing, and manipulating victims over extended periods to deceive them.
In a Prove webinar, Fighting APP Fraud and Scams, Chris Parker (Fraud Analytics Product & Threat Lead at NatWest Group) outlined some common forms of social engineering that are the foundation for APP fraud in the UK. These include:
The allure of APP fraud has increased for criminals in recent years, particularly with the introduction of real-time payment systems. In the UK, the inception of Faster Payments in 2008 marked the beginning of the initial wave of these types of scams.
Faster Payments was a pivotal electronic money transfer method in the UK, specifically designed for fast transactions. As a real-time payment system, it emphasized speed and convenience by ensuring that any transferred funds were received in near real-time. Before the advent of Faster Payments, moving funds between bank accounts typically took three days for transfer, clearance, and deposit.
Since the introduction of Faster Payments, real-time payment systems have become almost ubiquitous, with tools like PIX in Brazil, the New Payments Platform in Australia, and the recent launch of FedNow in the U.S., which is managed by the U.S. Federal Reserve Banks.
As a result of all this innovation, real-time payments are now integrated into the lives of almost every consumer, but, regrettably, real-time payments fraud has also become a pervasive issue. It’s easy to see how this is a ready-made environment for fraud. Once an individual is deceived into performing a seemingly normal, regular act, there is a whole underpinning of activities that compel them to make a payment under false pretenses to a bank account controlled by the fraudster. The incorporation of real-time payment schemes intensifies the gravity of the situation, as payments processed through these systems become irrevocable. This irreversibility leaves victims helpless once they become aware that they have fallen victim to deception.
Banks and other financial institutions can take a variety of measures to address this issue. The initial emphasis is on verifying the legitimacy of companies and promptly responding to reports of impersonation. This proactive approach is intended to prevent individuals from unwittingly sharing personal information online.
An illustrative example involves platforms like X (formerly Twitter), where an account impersonates a legitimate company in response to customer service complaints, attempting to extract personal information. This information could be exploited for fraud or become part of the burgeoning trove of data traded online about individuals. Another prevalent scenario is observed on platforms like Facebook Marketplace, where individuals are induced to prepay for goods that the seller has no intention of delivering. These situations underscore the imperative for online companies to enhance their efforts. This includes not only an increased reliance on AI for cost-effective monitoring but also a commitment to maintaining human oversight. This dual approach is crucial because fraudsters adeptly adapt to the challenges posed by automated systems.
Given the intricate nature of this fraud vector, there isn't a one-size-fits-all solution to completely thwart all APP fraud. Nevertheless, there are several strategies that financial institutions can and should integrate:
First and foremost is education. In the "Fighting APP Fraud and Scams in 2022" webinar, Chris Parker underscores the significance of initiatives like the UK’s Take 5 campaign. This campaign encourages individuals to pause before parting with their money and to consider the risks of fraud. Because fraudsters excel at creating a sense of urgency, education emphasizes the importance of slowing down before approving any money transfers. However, education alone has its limitations, so additional technical solutions become imperative.
Financial institutions, both in the UK and globally, can implement a range of technical fixes to combat APP scams. Experts emphasize the need to avoid a generic warning message for every transaction, as users may become desensitized to them. Instead, it is recommended that companies deliver warnings to their users specifically before high-risk transactions occur, ensuring that users pay attention when it matters most.
At Prove, we address the issue through a lens that goes beyond just account access, which we know can be manipulated with relative ease by fraudsters. As a result, we see the problem being about how we bind an identity to the device that a person uses. That presents an actual human-in-the-mix element that cannot be cheated. By establishing a robust identity link, the Prove Auth® passwordless authentication solution facilitates passwordless and OTP-less authentication across mobile apps, web-based platforms, and multi-channel experiences.
The incidence of APP fraud in the UK has reached a crisis point. Daily, individuals fall prey to fraudsters, losing their well-earned money. Reports of victims surrendering their life savings to these deceptive practices not only erode public trust in digital banking but also amplify demands for more stringent regulations. To safeguard both their clientele and financial stability, banks and other financial institutions can employ a combination of educational campaigns and cutting-edge technology to proactively prevent APP fraud.