Inside the World of APP Fraud: Key Insights into An Evolving Threat

Authorized push payment (APP) fraud is an increasingly prevalent scheme posing a significant threat to consumers and businesses. APP fraud involves tricking victims into willingly transferring funds to accounts controlled by fraudsters. By using sophisticated social engineering tactics, fraudsters exploit trust and urgency, often successfully.

APP fraud occurs when bad actors deceive consumers or businesses into sending money under false pretenses. The hallmark of these scams is a reliance on impersonation, pressure, or fear, prompting hasty financial decisions.

The ploy is highly effective. In the UK alone, APP fraud losses were £459.7million in 2023. This comprised £ 376.4 million in personal losses and £ 83.3 million in business losses. As Finextra recently reported, UK bank fraud losses topped £1 billion last year.

How APP Fraud Targets Businesses:

Business Email Compromise (BEC) is a key tactic in APP fraud, where fraudsters use impersonation and deception to exploit businesses. Fraudsters may pose as representatives of legitimate entities, such as banks, business partners, or vendors. For instance, a fraudster might impersonate a trusted business partner within a multinational consultancy. They craft an email that mirrors the partner's usual communication style, directing the finance department to expedite payment to a new account for a time-sensitive project. The email emphasizes urgency, stressing the need to keep a competitive edge. Without stringent verification procedures, the finance department often complies, transferring a substantial sum to the fraudulent account. That scenario played out earlier this year when a finance worker in Hong Kong was invited to an online deepfake meeting so convincing that when instructed to transfer the equivalent of $25 million USD to an account controlled by fraudsters, he did.

How APP Fraud Targets Individuals:

When defrauding individuals, fraudsters may impersonate family members, friends, or professional connections.  A common scam involves fraudsters pretending to be a relative in an emergency, using a new phone number to request money from the victim. They often claim their phone has been lost or damaged and that they are locked out of their bank account. The cross-border nature of these transactions makes them difficult to track. By the time the victim realizes they have been swindled, it is often too late to recover the funds, as they are usually irretrievable. Purchase scams where people are tricked into paying for goods that never materialize account for 67 percent of the total number of APP cases, according to Finextra. While different in nature, both types of scams involve deceiving victims into making payments that lead to financial loss.

Real-Time Payments Add a New Wrinkle:

With rising usage of instant payment rails including the RTP® network and FedNow, irrevocable transfers are catnip to criminals. For example, Faster Payments were used for 98% of APP fraud payments, according to the UK Payment Systems Regulator (PSR) 2023 APP scams performance report. Also, citing another UK study from late last year, The Fintech Times said “…challenger banks were facilitating the most [APP] fraud. Monzo sent the most APP fraud payments per million transactions (141) with Starling and Metro Bank tying for second place, sending 127. Santander was the next-highest ranking with 117. However, traditional banks...were the ones sending the least fraud per million transactions.”

Pushing Back Against APP Fraud:

As with other forms of payment fraud, APP fraud prevention involves education and awareness, with an emphasis on verification before performing a transaction. The advent of voice and video deepfakes means that people must always maintain a healthy level of skepticism when requests for information, access, and money are concerned.

Businesses should implement strong internal controls on financial transactions, including dual authorization for payments, regular audits, and clear protocols for transferring money. Comprehensive real-time transaction monitoring and analytics solutions provide an important layer of security and protection by detecting unusual account and transaction activities and flagging anomalous requests.

Other layers of defense include verification measures such as Confirmation of Payee (CoP). As of 31st October 2023, all UK banks now use Confirmation of Payee. Other payment service providers (PSPs) will offer this service by the new confirmation of payee deadline: 31st October 2024. Dutch banks have been using Confirmation of Payee (CoP), also known in the EU as IBAN Name Check (INC) since 2017.  According to SurePay, using this verification layer has shown reductions in fraudulent domestic transfers by up to 81% in 2020.

However, there has been a reported increase in fraudulent transfers to European IBAN accounts, with fraudsters always seeking the weakest link. This highlights the need for IBAN-name check services at a pan-European level. Moreover, the EU Commission’s June 2023 proposal for PSD3/PSR mandates the implementation of the IBAN Name Check to all types of credit transfers.

As APP fraud losses have never been so high, the UK has introduced unique new draft legislation giving FIs an added 72 hours (about 3 days) to investigate payments when there are reasonable grounds to suspect APP fraud. During this time, they can contact the customer and, if necessary, law enforcement agencies.

The UK is also taking the lead on new reimbursement requirements for victims of APP fraud, which come into force on 7 October 2024. At that point, most victims of APP fraud will be eligible for reimbursement from their bank or payment service provider. As fraudsters continually evolve their tactics, it is crucial to advance real-time detection and prevention strategies. Staying informed and vigilant can significantly reduce the risk of falling victim to APP fraud and ensure the security of financial transactions.