What is APP Fraud and How Can UK Companies Combat It?

Fitzwilliam Anderson
September 30, 2022

In 2022, an estimated 93% of the UK adult population will use some form of online banking. Today, online banking and the rise of P2P payment platforms have made it easier than ever for UK residents to pay bills, deposit cheques, and check the balance of their various accounts online. Unfortunately, all of this added convenience comes at a major cost in the form of APP (Authorized Push Payments) fraud.

Today, there’s no question that APP fraud is a national crisis in the United Kingdom. Last year, losses from APP fraud totaled a staggering £583 million. With fraud increasing 39% from the previous year, APP scams are “now the biggest fraud threat to British businesses and consumers, having made up over half of all scams that took place through 2021.”

In a recent webinar, Chris Parker, Fraud Analytics Product & Threat Lead at NatWest Group, joined Prove to discuss APP fraud in detail. Watch the on-demand webinar here or keep reading for an overview of APP fraud.

What is APP fraud?

APP is an abbreviation for an Authorized Push Payment. To understand how this specific scheme works, it’s best to break down the concept word-by-word. 

Authorized versus unauthorized: 

When you imagine the classic fraud scenario, you’re probably picturing fraud via unauthorized payments. Unauthorized payments or charges occur when a bad actor steals a victim’s credit card credentials, for instance, to make purchases without the victim’s knowledge or consent. If a fraudster stole your credit card information via a skimmer and then used the information to purchase luxury goods, for example, that would be an unauthorized payment. 

Fraudulent authorized transactions, on the other hand, are a bit more complicated because they involve the knowledge of the victims. In these scenarios, a fraudster will “socially engineer” or fool a victim into transferring funds to the fraudster’s account under false pretenses. As its name suggests, APP fraud involves authorized payments.

Push versus pull:

Here’s the distinction between push and pull payments, according to gocardless.com:

“Push payments describe any method where the customer must take the action to initiate payment. In other words, the payer is in control, pushing the funds to a destination account. Pull payments describe any method where the business can take money from the customer without approval for every single transaction. In this case, the payee is in control, pulling funds into their own account.” 

Examples of push payments include cash, checks, and bank transfers while pull payments include ACH debit or direct debit payments, automated card payments, and automated digital wallet payments. Because APP fraud is a push payment, the funds are nearly impossible to track once the victim approves the transaction. 

What types of social engineering methods are used to facilitate APP fraud?

To commit APP fraud, bad actors must convince victims to push funds. Unlike fraud that involves unauthorized payments, there’s a distinctly psychological component to APP fraud. Fraudsters cajole, confuse, and manipulate victims, sometimes for months on end, to defraud them. There are several common ways in which a fraudster will socially engineer or trick a victim into initiating an authorized push payment under false pretenses. In Prove’s on-demand webinar Fighting APP Fraud and Scams in 2022, Chris Parker, Fraud Analytics Product & Threat Lead at NatWest Group, describes a few of the most common forms of social engineering in the UK:

  • Romance scams: According to the FBI, “romance scams occur when a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim. The criminals who carry out romance scams are experts at what they do and will seem genuine, caring, and believable.” Because victims sometimes feel ashamed to have fallen for a romance scam, these scams often go unreported to authorities. From a fraudster’s point of view, romance scams are low volume, because it takes a significant amount of time and effort to manipulate a victim, but high value: fraudsters can steal a lot of funds from just a handful of victims. One convicted fraudster collected a staggering $1.26 million in romance scam proceeds throughout her career.
  • Purchase scams: These types of scams can be as simple as selling a product on a social media marketplace that never materializes or setting up a sophisticated but fake retailer website using stolen logos and high-res photographs. Purchase scams are typically higher volume but lower value.
  • Impersonation scams: With impersonation scams, a bad actor claims to be a law enforcement official or a bank agent to establish trust quickly. By “spoofing” their phone, they can make their phone calls and SMS messages appear legitimate. The fake agent will then ask the victim to transfer funds to a “safe account” before disappearing with the proceeds. This specific vector is increasing rapidly. 
  • Investment scams: Fraudsters will often pressure victims into “investing” in bonds, stocks, or real estate opportunities that don’t actually exist. By downplaying the risk and pressuring victims with time-limited offers, they can fool folks into handing over tens of thousands of pounds. Sadly, these investment opportunities aren’t real.

Preventing APP Fraud

Because of the complex nature of this fraud vector, no one solution will stop all APP fraud. There are, however, a handful of strategies that financial institutions can and should implement: 

1. Education

First, there’s education. In the Fighting APP Fraud and Scams in 2022 webinar, Chris Parker highlights the important work of the United Kingdom’s Take 5 campaign. It encourages residents to take a moment before parting with their money to consider fraud risks. Because fraudsters are experts at rushing victims with fictitious deadlines and unmerited urgency, it’s important to slow down before approving any money transfers. Unfortunately, fraudsters are so skilled at manipulation that education is not enough. Even individuals who believe they are scam-savvy can still be socially engineered into falling for APP fraud. That’s why more technical fixes are also critical. 

2. Technical Fixes

There’s a whole host of fixes that can be implemented by financial institutions both in the UK and abroad to stop APP scams.

In the Fighting APP Fraud and Scams in 2022 webinar, Chris Parker emphasizes that it’s important not to simply add a warning message to every single transaction because users will stop noticing the messages altogether. A better way to fight APP scams is to deliver warning messages only before high-risk transactions to really grab the user’s attention when it matters most.

Another great tip is to begin phasing out OTPs (one-time passcodes) and replacing them with more secure Instant Links. Instant Link is a second-factor authentication (aka “proof of possession check”) service that allows a client to issue a clickable link embedded in an SMS. Unlike an OTP, it verifies the possession and trustworthiness of a user’s phone. This prevents a host of sophisticated and common forms of fraud, including account takeover (ATO) fraud. Instant Links help prevent APP fraud because, unlike passcodes, they can’t be easily shared by the victim with the fraudster under false pretenses.

Conclusion

Rates of APP fraud are at a crisis level in the United Kingdom. Every day, new victims part with their hard-earned money. News stories about victims losing their life savings to fraudsters damage the public’s trust in digital banking and increase calls for tighter regulations. To protect both their customers and their bottom line, banks and other financial institutions can leverage both educational campaigns and new technology to prevent APP fraud.

To learn how to tackle APP fraud without compromising user experience, watch the Fighting APP Fraud and Scams in 2022 on-demand webinar or schedule a free demo today.
