By Matt Cox, Vice President and General Manager, EMEA, FICO says banks must act quickly to protect their customers from this wave of devastating scams
Authorised push payment (APP) scams are causing havoc for consumers and banks across the UK. In the first half of 2021, criminals used this approach to steal a total of £355.3m[i], of which only 42% was returned to victims. The losses for H1 2021 represent an increase of 71% compared to losses seen in the same period of 2020.
APP scams are when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudsters.
Which? filed a super complaint to the Payment Systems Regulator in 2016[ii]. The consumer advice platform was, at the time, concerned that there was not an appropriate level of protection against APP fraud, especially when compared with other types of payment. Six years later, UK Finance figures show APP fraud accounts for hundreds of millions of pounds in losses.
Part of the success criminals have with APP fraud is down to the increased availability and use of real-time payments which means that they can quickly gain access to and control of funds. For the victim, once initiated, these payments are irrevocable, which means the victim cannot reverse the decision after they realise they have been conned. Instead, they must report the incident to the bank and begin a laborious process of getting their money back – if they can, which is by no means a given.
The instantaneous nature of real-time payments benefits criminals in another way and lowers the risk they face. As money is transferred instantly, they can move the funds through multiple accounts in a process that launders the proceeds of the crime. This, of course, makes tracking them more challenging.
There is an abundance of different techniques implemented by criminals through APP fraud, many of them based in social engineering. Criminals hack into emails and other systems to set up the victim. By compiling consumer information, fraudsters learn which attacks are likely to be most successful.
Some common attacks include
- Disguising an invoice to look like one that is expected or regularly paid.
- Sending fake emails that mimic those from tradespeople carrying out work to properties.
- Confidence tricks such as romance or ‘Hey mum’ scams. These are based on real relationships individuals have.
- Details of property transactions are intercepted, copied, and re-sent with the fraudster’s bank account.
- Supplier payments for businesses.
Dangers in consumer confidence
Our recent survey of 12,000 consumers in 12 countries[iii] shows that banks need to improve security measures, particularly around APP fraud, or risk losing their customer’s money and eventually, their business altogether.
One of the worrying results we found was an overconfidence in consumers’ ability to spot certain scams. Only 6% of UK respondents said being tricked into sending money to fraudsters was their top concern. The staggering amount lost to APP fraud combined with this unwarranted confidence shows that banks need to not only improve how they handle this type of scam but also make efforts to better educate their customers.
While there have been educational initiatives like the “Take Five” campaign launched by UK Finance, there remains an opportunity to continue educating consumers about the ways scams are perpetrated. There are also technology elements banks can layer into their defenses, including AI and machine learning models tuned specifically for scams detection, that can help banks detect and alert customers to APP scams.
Another approach involves proactive and direct outreach to customers, in the channel of their choice (text, email, bank app etc) to verify that the payment in question is legitimate. By asking consumers if they want to continue their payment, and identifying why it may be part of a scam, banks can help their customers think critically about their choice to send money – before it’s gone for good.
There is no silver bullet to stop APP fraud but there should be a recognised list of signals and rules banks will share with customers. These will make it clear what they need to keep their eyes focused on. But it must go further than that. Deploying AI and machine learning can detect when a payment does not match a consumer’s usual behaviour, and is one of the greatest weapons in fighting APP fraud.