Authorised push payment fraud, which can be difficult even to identify, needs to be tackled head on by banks and the wider finance industry. Heather McKenzie reports.

“Devious” social engineering-based frauds are becoming a serious threat to peer-to-peer (P2P) payments, according to Ken Palla, a retired director of MUFG Union Bank. “A few years ago the biggest driver of payments fraud was malware,” he says. “That has now given way to social engineering scams, where the customer becomes directly involved with the fraudster.”

The scams have “exploded” as real-time payments have proliferated, he adds. Designated as authorised push payment (APP) frauds, they involve the account holder sending a payment under false pretences to a bank account controlled by the fraudster. Here the victim has initiated the transaction, unlike an unauthorised transaction where a fraudster may have gained access to a user’s identification and password.

A growing area of fraud

In the UK, losses due to APP fraud totalled £583.2m in 2021, up 39% on the year before, according to figures in a report by banking and finance industry body UK Finance. “Criminals’ use of social engineering tactics through deception and impersonation scams is a key driver of authorised push payment scams and […] the use of social engineering tactics to defraud people has only increased during the pandemic,” says the report.

Once a victim has authorised a payment and the money has reached the criminal’s account, the latter will quickly transfer the money out to numerous other accounts, often abroad, where it is then cashed out, says the report. This can make it difficult for banks to trace the stolen money.

If a customer authorises the payment themselves, current legislation means that they have no legal protection covering them for losses, which is in contrast to the rules for unauthorised transactions, notes the report.

The situation is the same in the US, observes Mr Palla. Regulation E, which covers electronic fund transfers, enables victims of unauthorised frauds to be reimbursed. “The situation for unauthorised payments is clearer, but for authorised payments, there is much more open to question,” he says.

Mr Palla says changes to Regulation E, which would give the legislation “teeth” to address the issue of APP fraud, are likely in the near term. He points to recent legislative moves in the UK and the Netherlands that address such fraud.

Legislative response

The UK Financial Services and Markets Bill, which had its first reading in the House of Commons in July, includes provisions for the Payment Systems Regulator (PSR) to consult on a reimbursement model for victims of APP fraud. David Postings, chief executive of UK Finance, welcomes the move. “I am concerned that we prioritise tackling and reducing fraud, but a clearer and more complete approach to reimbursement is important too,” he says.

The bill states that the PSR “must prepare and publish a draft of a relevant requirement for reimbursement in such qualifying cases of payment orders as the regulator considers should be eligible for reimbursement”. A qualifying case is defined as one that relates to a payment order executed over the Faster Payments Service and was executed “subsequent to fraud or dishonesty”.

It adds that the PSR must impose a relevant requirement, “in whatever way and to whatever extent it considers appropriate”, for reimbursement to be made in qualifying cases of payment orders.

The role of banks

Jim Ducharme, chief operating officer of payments technology company Outseer, says that while technology controls exist to help banks identify unauthorised payments, APP fraud is much more difficult to identify. “These are cases where your real customer is using their real device to make a transaction. You have to go deep into behavioural analytics to determine whether a transaction is ‘normal’ or might represent unusual behaviour,” he says.

Information sharing between banks, particularly to identify “mule” accounts (those that are commonly used by fraudsters to receive stolen money), is a crucial step in fighting APP fraud, he adds. 

As legislation to reimburse victims of APP fraud begins to roll out, banks will start to pay more attention to risk mitigation techniques such as behavioural analytics, says Mr Ducharme.

Wider industry efforts

In the UK, a voluntary APP scams code was introduced in May 2019. It provides protections for customers of signatory payment service providers, which represent 19 consumer brands and more than 90% of APP fraud cases. In 2021, 182,976 cases were assessed and closed with a total value of £467.5m. Losses of £238.1m, representing 51% of the whole, were returned to victims under the code.

Other steps the UK industry is taking to address APP fraud include collaboration with telecommunications and technology companies to stop fraud at source before victims lose money. Banks are also making use of the Confirmation of Payee name-checking service that helps to prevent APP fraud when a payment is being made.

Additionally, UK Finance is collaborating with Pay.UK to improve data sharing within payments transactions to increase identification of fraudulent payments, and has launched the Mules Insights Tactical Solution (MITS), which helps to track suspicious payments and identify money mule accounts. 
