Authorized Push Payment (APP) fraud is possibly one of the hardest fraud vectors to tackle. An advanced form of social engineering, APP fraud has been on the rise globally, causing significant financial losses to consumers. In its 2020 report on financial fraud, UK Finance reported close to 150,000 incidents of APP fraud in the UK, an unprecedented 22% increase over the previous year, draining consumers almost half a billion pounds. Impersonation scams accounted for most of these incidents. In 2023, the UK’s Payment Systems Regulator (PSR) has mandated severe penalties for banks that allow APP fraud.
APP Fraud – Modus Operandi
Fraudsters impersonate authorized service representatives of trusted firms such as banks and trick unsuspecting consumers into transferring money into accounts under their control. The exponential rise in real-time digital payments has been a critical driver in the rise of APP fraud globally. Since real-time payments cannot be revoked and the settlement is instantaneous, it has been the most attractive vehicle for criminals to execute APP fraud.
How to Spot Ongoing APP Fraud
Understanding the consumer's digital behavior during the course of a transaction is key to preventing APP fraud. Several risk indicators point to a consumer being manipulated into performing a fraudulent activity. Here are some:
- Lengthy calls: Widespread in APP fraud; long calls while making an online financial transaction is a common indicator of the consumer being socially engineered. Various industry estimates by carriers in the UK indicate that a high percentage of APP fraud events have an active call that overlaps the event.
- Network usage and call patterns that seem to match typical patterns associated with fraudulent activities.
- Device usage patterns such as typing and handling the phone that appear different from the typical usage patterns followed by the user.
The Contingent Reimbursement Model (CRM) code in the UK sets out the standards to protect consumers from APP fraud and reimburse them for financial losses. However, while the code is essential from a consumer protection perspective, it can do little to prevent the occurrence and repeat of the same fraud for a consumer. Therefore, the industry and participating organizations need to collaborate and implement innovative technologies to tackle APP fraud.
Steps to Tackle APP Fraud
Using behavioral biometrics in identity verification and authentication is an effective way to counteract APP fraud. Behavioral biometrics can score the authenticity of a user based on insight gathered by analyzing hundreds of device usage and behavioral parameters. Apart from thwarting the most advanced types of impersonation fraud, behavioral biometrics provides a frictionless way of authentication, ensuring no deprecation in user experience.
Considering the fact that a high number of APP fraud incidents are associated with long overlapping voice calls, industry participants are now collaborating to track phone usage in real time at the time of a transaction or digital engagement to determine if the consumer has been socially engineered into performing a sensitive transaction.
Companies must invest in strong possession checks that are an upgrade on legacy 2FA practices such as SMS-based OTPs. For example, instant links provide higher immunity to 2FA interception than OTPs and ensure the flexibility to check if the transaction is being completed where it began—a case often violated when the customer is socially engineered to share credentials with a criminal.
Conclusion
In the UK, there’s been a strong push to include financial fraud within the scope of the Online Safety Bill to ensure consumer protection, fight terror financing, and stop the exploitation of the vulnerable sections of the society. Technology companies need to take the onus upon them to ensure that fraudsters do not have it easy. However, effective tackling of a complex fraud like APP can only happen with the government, technology providers, and the online consumer entities coming together to collaborate.
To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.
Keep reading
Ascertaining a user’s age used to involve simple self-declaration or rudimentary checks, but technologies like facial recognition and rigorous identity verification offer a more accurate form of determination.
Even though we’re all acclimated to using them, passwords simply do not provide an adequate level of security.
Industry leaders gathered at Prove's Improve Connect summit to discuss balancing frictionless digital experiences with the threat of AI-powered fraud. Experts from companies like Coinbase, Bluevine, and Google shared insights on navigating the challenges and opportunities of emerging technologies.