Authorised push payment fraud has soared during the pandemic and banks are battling to find solutions.
Bank transfer scams have soared during the Covid-19 pandemic in many countries around the world.
In the UK, the number of authorised push payment (APP) fraud cases — when people are tricked into transferring money from their account to one belonging to a scammer — rose to more than 100,000 cases in the first half of 2021, an increase of 60% over the same period in 2020, with the total value of losses up 71% to £355.3m, according to a recent report by trade association UK Finance.
“There’s been a steep rise in scam attempts over the past year,” says Matt Hammerstein, chief executive of Barclays Bank UK. “Criminals are taking advantage of the rise in digital payments and the pandemic to exploit vulnerabilities.”
The UK situation is mirrored in other parts of the world. For example, in China the number of APP cases increased 88.9% year-on-year in 2020, according to government data.
There’s been a steep rise in scam attempts over the past year
Banks’ response
Banks have invested heavily in online security over the past decade, making account-to-account fraud between payment companies and merchants harder to achieve. As a result, fraudsters have shifted their focus of attack, says Nick Barratt, a senior manager in PwC’s financial crime division.
“During the pandemic, fraudsters have transitioned the modes of operation of their attacks, because their previous outlets have been closed off,” he says. “The banks have implemented technology to detect account takeover, for example, so fraudsters are now targeting the weak point in the chain: the bank customers themselves.”
Customers are targeted in a range of ways, from fake text messages prompting people to share account information, to fraudsters pretending to be bank employees, to copycat e-commerce platforms. “Some people have lost very substantial amounts of money,” says Christopher Phillips, lead security analyst at Accenture, adding that some banks have struggled to respond effectively to the surge in cases.
Cross-industry solutions
David Callington, head of fraud at HSBC UK, says the bank employs “a wide range of methods” to identify and address the ever-changing techniques used by fraudsters, while Barclays’ Mr Hammerstein says the bank is “constantly improving the systems” it has in place to tackle fraud.
As APP scams typically rely on actors outside the finance sector, such as e-commerce groups, social media networks and technology firms, both banks argue that a cross-industry approach may be necessary to address the issue.
“All those who bring risk into the system, including online retailers, mobile network operators, social media companies and the wider payments industry, have an important part to play,” Mr Callington says.
Katy Worobec, managing director of economic crime at UK Finance, argues that a regulated code, backed by legislation, may be necessary to ensure consumer protections are applied consistently.
“Vulnerabilities in other sectors, such as telecoms and online platforms, are facilitating these crimes and government, and regulators need to consider an overall strategy to protect consumers from fraud,” she says.
Technological fixes
Banks may need to step up investment in technologies that can better identify accounts with the attributes of APP fraud, such as those receiving large amounts of money from various sources, when the business reason is unclear, or accounts where funds arrive and are then immediately transferred in aggregate to another offshore account, Mr Phillips says.
“The alignment of technological solutions needs to be encouraged, which promotes the confidential sharing of real-time fraud cases to ensure cross-bank responses and investigation,” he adds. “That would help the speedy identification and closure of accounts being established by the fraudsters.”
Meng Liu, a Beijing-based analyst at Forrester focused on fraud management research, says recent innovations in artificial intelligence (AI) and machine learning can help track increasingly sophisticated fraud patterns.
“The benefit of AI-based fraud management models is that they can analyse bigger data sets and identify abnormal behaviour more efficiently than rules-based models or human analysts,” Mr Liu says.
“In China, AI and machine learning models such as knowledge graphs, supervised learning, unsupervised learning and federated learning have been used quite intensively at banks.”
Mr Barratt says banks in Europe are evaluating the use of AI and machine learning in fraud detection with a focus is on behaviour analysis to try and build a “behavioural profile” around a customer to understand their typical pattern of behaviour.
James Thoburn, senior vice-president in Kroll’s cyber risk practice, says research is underway to establish ‘digital tokens’ that allow the creation of an identity and provide a process of validation for that identity during any one-off transaction.
“In theory that identity cannot be duplicated. It works in the same way as the Google Authenticator app on a smartphone; the tokens are generated by background [algorithms] and can only be used once. It can then get checked by both systems,” he says.
“[The solution to the problem] lies with robust and defined processes; something centralised that all banks can agree on,” says Mr Thoburn. “But that’s easier said than done because at the present different banks have different processes to go through to confirm the identity of a customer. But agreeing some common steps, that both the paying bank and the receiving bank adhere to, will go some way to addressing the issue.”
