Decoding APP Fraud: The Evolution and Eradication Strategies for Authorized Push Payment (APP) Fraud
In mid-2023, the UK’s Payment Systems Regulator (PSR) announced a compulsory directive requiring banks and payment firms to promptly reimburse victims of online bank fraud within a five-day timeframe. This new mandate was established specifically to address situations where individuals conducting transactions on behalf of a business inadvertently send money to a bank account manipulated by fraudsters. The reason for this new regulation is that, in recent years, a substantial number of individuals across the globe have experienced the loss of their bank and investment funds due to an unprecedented surge in deceptive online bank transactions targeting British consumers. This type of fraud is commonly referred to as authorized push payment (APP) fraud.
The PSR’s new guidelines were based on findings from investigations into consumer behavior and the subsequent responsiveness of payment service providers (PSPs) in addressing payment fraud issues. These were published in an October 2023 report, Authorised Push Payment (APP) Fraud Performance Report, which summarizes three key takeaways for organizations that enable APP:
- Consumers currently encounter inconsistent results when reporting APP fraud to their PSP.
- The reception of fraud data reveals significant variability, exposing vulnerabilities in controls that fraudsters have taken advantage of.
- Companies have initiated efforts to rectify deficiencies in controls, yet there is a need for further action.
The Rapid Rise of APP Fraud in the UK
The rapid adoption of online banking and the proliferation of peer-to-peer payment platforms have significantly simplified tasks such as bill payments, check deposits, and online account balance checks for UK residents. Consider that in 2022, approximately 93% of the adult population in the UK engaged in some form of online banking. The enhanced convenience is helping to drive increased online transactional volume, but it comes with a substantial drawback in the form of APP fraud.
The prevailing reality of life in 2023 revolves around online transactions, a fact underscored by the latest fraud data released by UK Finance. According to the data, a significant 77% of fraudulent APPs originated in the online realm, while an additional 17% were traced back to telecommunications, specifically SMS or phone calls.
Undoubtedly, APP fraud has emerged as a pressing national issue in the UK. In 2022 alone, losses attributable to APP fraud reached a staggering £583 million. Experiencing a 39% surge from the prior year, APP scams now stand out as a predominant fraud threat to British businesses and consumers.
The significant rise in APP fraud is a clear signal that regulators will put increasing pressure on banks and other financial institutions to implement better fraud protection measures.
Understanding How APP Fraud is Perpetrated
APP fraud occurs when fraudsters deceive individuals into initiating a substantial bank transfer. Unlike unauthorized payments, APP fraud makes the victim a participant by actively authorizing and executing the payment, often under false pretenses created by the fraudster.
Like other types of fraud, APP fraud is not manifested through a single scenario. Rather, it involves the interplay of a variety of factors to create a complex web of activity that is challenging to identify and isolate. Characteristics and components of APP fraud include the following:
Deception and False Trust
Fraudsters employ a range of deceptive techniques to trick individuals. This may include instances where they pose as seemingly legitimate entities, including banks, financial institutions, or even trusted service providers. They create convincing narratives or scenarios to gain the victim's trust and convince them to initiate a payment.
Social and Behavioral Engineering Tactics
As in so many types of fraud, social engineering plays a crucial role in how APP fraud is perpetrated. Fraudsters exploit psychological and emotional triggers to manipulate individuals. This may involve creating a sense of urgency, fear, or trust to prompt the victim to act quickly without questioning the legitimacy of the transaction.
Impersonation of Trusted Entities
A common APP tactic is impersonating trusted entities such as banks, credit unions, and other types of financial services enterprises. Fraudsters often use sophisticated methods to mimic official communication channels, including emails, phone calls, or even text messages. This impersonation aims to deceive the victim into believing they are interacting with a legitimate institution.
Inadvertent Authorization by the Victim
Unlike some other forms of fraud where transactions occur without the victim's consent, APP fraud involves the victim actively authorizing the payment. This authorization is obtained through manipulation, misinformation, or the creation of a false sense of trust.
Large and Irrevocable Financial Transactions
The actual act of APP fraud typically happens by convincing victims to make substantial transfers of funds. Once the payment is authorized, it is often processed through real-time payment systems, making it difficult or impossible to reverse. This adds to the urgency and impact of the fraud.
Diverse Engagement Scenarios
APP fraud can manifest in various scenarios, including romance scams, purchase scams, impersonation scams, and investment scams. Each scenario is tailored to exploit specific vulnerabilities or desires of the victim. We go into these different types of scenarios in the section below.
Continuous Evolution
Fraudsters are cagey and attuned to how their tactics are tracked. As a result, those who engage in APP fraud are continually adapting their tactics, staying ahead of prevention measures. As technology advances, so do the methods employed in APP fraud. This necessitates a dynamic and multifaceted approach to counteract the evolving nature of these schemes.
It is important for fraud teams to understand that APP fraud is multidimensional. They must recognize patterns and behaviors that indicate APP-related criminal schemes so that they can implement effective preventive measures and protect against financial losses. This is precisely why the UK’s PSR is now demanding more rigorous measures to help banks prioritize identity verification as a critical component for combatting APP fraud.
Clearly, a lot of work goes into creating the right set of actions to make APP fraud a profitable endeavor. But what does it actually look like to the end user? As we now understand, committing APP fraud involves persuading victims to initiate fund transfers, and unlike fraud that involves unauthorized payments, it incorporates a distinct psychological element. APP fraud ultimately relies on cajoling, confusing, and manipulating victims over extended periods to deceive them.
In a Prove webinar, Fighting APP Fraud and Scams, Chris Parker (Fraud Analytics Product & Threat Lead at NatWest Group) outlined some common forms of social engineering that are the foundation for APP fraud in the UK. These include:
- Romance Scams: The quite common romance scam occurs when criminals adopt fake online identities to gain a victim's affection and trust. The scammer then exploits the illusion of a romantic relationship to manipulate and steal from the victim. The U.K.’s major investigative unit, the National Crime Agency (NCA), says that the key to understanding these fraud attempts is that scammers appear genuine, caring, and believable. Victims often feel ashamed, leading to underreporting. While romance scams are low in volume, they are high in value, with fraudsters investing significant time to manipulate victims.
- Purchase Scams: Purchase scams range from simple schemes like selling nonexistent products on social media marketplaces to sophisticated fake retailer websites using stolen logos and high-resolution photographs. These scams tend to be higher in volume but lower in overall value.
- Impersonation Scams: In impersonation scams, bad actors claim to be law enforcement officials or bank agents to quickly establish trust. By "spoofing" their phone, they make calls and SMS messages appear legitimate. The fake agent then convinces the victim to transfer funds to a supposed "safe account" before disappearing with the proceeds. This vector is rapidly increasing.
- Investment Scams: Want to buy a bridge? We’ve all heard some variation of that joke before, but investment scams work incredibly well. Fraudsters pressure victims into "investing" in nonexistent bonds, stocks, or real estate opportunities. By downplaying risks and applying pressure with time-limited offers, they deceive individuals into handing over substantial sums. Unfortunately, these investment opportunities are entirely fabricated.
The Evolution of APP Fraud
The allure of APP fraud has increased for criminals in recent years, particularly with the introduction of real-time payment systems. In the UK, the inception of Faster Payments in 2008 marked the beginning of the initial wave of these types of scams.
Faster Payments was a pivotal electronic money transfer method in the UK, specifically designed for fast transactions. As a real-time payment system, it emphasized speed and convenience by ensuring that any transferred funds were received in near real-time. Before the advent of Faster Payments, the process of moving funds between bank accounts typically took three days for the process of transfer, clearance, and deposit.
Since the introduction of Faster Payments, real-time payment systems have become almost ubiquitous, with tools like PIX in Brazil, the New Payments Platform in Australia, and the recent launch of FedNow in the U.S., which is managed by the U.S. Federal Reserve Banks.
As a result of all this innovation, real-time payments are now integrated into the lives of almost every consumer, but, regrettably, real-time payments fraud has also become a pervasive issue. It’s easy to see how this is a ready-made environment for fraud. Once an individual is deceived into performing a seemingly normal, regular act, there is a whole underpinning of activities that compel them to make a payment under false pretenses to a bank account controlled by the fraudster. The incorporation of real-time payment schemes intensifies the gravity of the situation, as payments processed through these systems become irrevocable. This irreversibility leaves victims helpless once they become aware that they have fallen victim to deception.
How to Identify and Eliminate APP Fraud
Banks and other financial institutions can take a variety of measures to address this issue. The initial emphasis is on verifying the legitimacy of companies and promptly responding to reports of impersonation. This proactive approach is intended to prevent individuals from unwittingly sharing personal information online.
An illustrative example involves instances on platforms like X (formerly Twitter) where an account impersonates a legitimate company in response to customer service complaints, attempting to extract personal information. This information could be exploited for fraud or become part of the burgeoning trove of data traded online about individuals. Another prevalent scenario is observed on platforms like Facebook Marketplace, where individuals are induced to prepay for goods that the seller has no intention of delivering. These situations underscore the imperative for online companies to enhance their efforts. This includes not only an increased reliance on AI for cost-effective monitoring but also a commitment to maintaining human oversight. This dual approach is crucial because fraudsters adeptly adapt to the challenges posed by automated systems.
A Common Sense Approach to APP Fraud Eradication
Given the intricate nature of this fraud vector, there isn't a one-size-fits-all solution to completely thwart all APP fraud. Nevertheless, there are several strategies that financial institutions can and should integrate:
Initiate Ongoing Education for Consumers
First and foremost is education. In the "Fighting APP Fraud and Scams in 2022" webinar, Chris Parker underscores the significance of initiatives like the UK’s Take 5 campaign. This campaign encourages individuals to pause before parting with their money and to consider the risks of fraud. Because fraudsters excel at creating a sense of urgency, education emphasizes the importance of slowing down before approving any money transfers. However, education alone has its limitations, so additional technical solutions become imperative.
Develop Technology-Driven Solutions
Financial institutions, both in the UK and globally, can implement a range of technical fixes to combat APP scams. Experts emphasize the need to avoid a generic warning message for every transaction, as users may become desensitized to them. Instead, it is recommended that companies deliver warnings to their users specifically before high-risk transactions occur, ensuring that users pay attention when it matters most.
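The selective-warning approach described above can be sketched as follows. This is an added example, not Prove's or any bank's code; the signals, weights, threshold, purpose labels and warning wording are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Warning text per scam category named in the article (wording is illustrative).
SCAM_WARNINGS = {
    "romance": "Have you met this person in real life? Scammers build trust before asking for money.",
    "purchase": "Paying a seller you have not dealt with? Check the goods exist before you pay.",
    "impersonation": "Your bank or the police will never ask you to move money to a 'safe account'.",
    "investment": "Time-limited offers and low-risk promises are common signs of a fake investment.",
}
GENERIC_WARNING = "Stop and check: once sent, this payment cannot be recalled."

# Assumed mapping from the purpose the customer selects to a scam category.
PURPOSE_TO_SCAM = {
    "friend_or_partner": "romance",
    "goods_or_services": "purchase",
    "safe_account": "impersonation",
    "investment": "investment",
}
WARN_THRESHOLD = 4  # assumed cut-off; tune against confirmed fraud cases


@dataclass
class Payment:
    amount: float
    typical_amount: float  # customer's usual outgoing payment; 0 if no history
    new_payee: bool        # first payment to this account
    real_time: bool        # sent over an irrevocable real-time rail
    purpose: str           # purpose selected by the customer in the payment flow


def risk_score(p: Payment) -> int:
    """Additive score over the signals assumed for this example."""
    # No history means no baseline, so the amount is treated as unusual.
    ratio = p.amount / p.typical_amount if p.typical_amount > 0 else float("inf")
    score = 2 if p.new_payee else 0
    score += 2 if ratio >= 5 else 1 if ratio >= 2 else 0
    score += 1 if p.real_time else 0
    return score


def warning_for(p: Payment) -> Optional[str]:
    """Return a targeted warning for high-risk payments, None for routine ones."""
    if risk_score(p) < WARN_THRESHOLD:
        return None  # stay silent so customers do not learn to ignore warnings
    scam = PURPOSE_TO_SCAM.get(p.purpose)
    return SCAM_WARNINGS.get(scam, GENERIC_WARNING)
```

Routine payments to known payees return `None`, so the warning appears only when several risk signals coincide and its text matches the scam type the stated purpose suggests.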
At Prove, we address the issue through a lens that goes beyond just account access, which we know can be manipulated with relative ease by fraudsters. As a result, we see the problem as one of binding an identity to the device that a person uses. That presents an actual human-in-the-mix element that cannot be cheated. By establishing a robust identity link, the Prove Auth® solution facilitates passwordless and OTP-less authentication across mobile apps, web-based platforms, and multi-channel experiences.
Vigilance is a Priority
The incidence of APP fraud in the UK has reached a crisis point. Daily, individuals fall prey to fraudsters, losing their well-earned money. Reports of victims surrendering their life savings to these deceptive practices not only erode public trust in digital banking but also amplify demands for more stringent regulations. To safeguard both their clientele and financial stability, banks and other financial institutions can employ a combination of educational campaigns and cutting-edge technology to proactively prevent APP fraud.