The banking sector faces a massive threat from fraudsters who impersonate seemingly legitimate employees and/or companies in order to get a fraudulent payment authorized by a relevant individual. This type of scam is called Authorized Push Payment (APP) fraud, and it is extremely difficult to detect and to protect yourself against because of the authorization process itself.
Two typical types of APP fraud:
How is that? A definition of third-party fraud is:
“When a person, or a group of people, takes up a false identity by using someone else’s identity, without the victim knowing that his/her identity is being used to commit the crime.”
This is basically what happens in authorized push payment fraud, but there is one key difference: the authorization process itself. In APP fraud the payment is authorized and approved by a legitimate person/employee, and only the payment request is fraudulent. In the other variations of third-party fraud, the fraudsters also authorize the payment themselves.
Under many laws, it is extremely difficult to do anything about a payment authorized by a legitimate person/employee, because the authorizer is held liable, not the banks. In some countries the customer's/victim's liability is limited to a certain amount by national law.
Many banks are starting to keep consumers safe from APP fraud and are trying as hard as they can to make sure the victims get refunded. Why do banks do this, when they might have the option to lean back and do nothing? First, there are the ethical responsibilities, and the customer service and experience they offer their clients. Second, there is the reputational damage, and the implications it can have, if a client of theirs becomes the victim of APP fraud and goes to the press stating that the bank could and should have done more. In both cases it comes down to reputation and keeping the business intact.
According to research by finextra.com, there were 122,437 registered APP fraud cases in the UK alone in 2019, which resulted in a total loss of £456 million.
As you can see, the sums lost to APP fraud are enormous and have the potential to be life-changing; bankruptcy is a very plausible outcome for APP fraud victims. And APP fraud is not just a UK problem. It is picking up pace in the Nordics as well, where more and more incidents are being reported.
First, you need to take a multilayered approach of defensive tactics if you wish to overcome the struggles and threats of authorized push payment fraud. A part of that multilayered approach must be CoP (Confirmation of Payee), which is one of the preferred solutions to the problem at the moment. However, it only addresses the problem of malicious redirection, relies on too many sources prone to errors, and doesn't cover cross-border transactions.
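A Confirmation of Payee style name check, sketched as an added example that is not from the original article or any bank's implementation. The account identifier format, the sample directory, the `domestic_prefix` parameter and the 0.80 threshold are all assumptions made for illustration; the check catches a redirected payment but returns nothing useful for a cross-border account.

```python
import re
from difflib import SequenceMatcher

# Constructed sample directory: account identifier -> registered holder name.
# In a real scheme the receiving bank answers this lookup.
ACCOUNT_HOLDERS = {
    "GB-200000-55779911": "Nordic Timber Supplies Ltd",
    "GB-400000-12345678": "J. Smith Consulting",
}

LEGAL_SUFFIXES = {"ltd", "limited", "plc", "llp", "inc"}
CLOSE_MATCH_THRESHOLD = 0.80  # assumed value, would be tuned on real data


def normalise(name):
    """Lower-case, drop punctuation and legal suffixes so formatting noise is ignored."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def confirm_payee(entered_name, account_id, domestic_prefix="GB-"):
    """Return MATCH, CLOSE_MATCH, NO_MATCH or UNAVAILABLE for a payment request."""
    # Cross-border accounts fall outside the check, as the article notes.
    if not account_id.startswith(domestic_prefix):
        return "UNAVAILABLE"
    holder = ACCOUNT_HOLDERS.get(account_id)
    if holder is None:
        return "UNAVAILABLE"
    entered, registered = normalise(entered_name), normalise(holder)
    if entered == registered:
        return "MATCH"
    ratio = SequenceMatcher(None, entered, registered).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"


if __name__ == "__main__":
    # Constructed payment requests: (name typed by the payer, destination account).
    requests = [
        ("Nordic Timber Supplies Limited", "GB-200000-55779911"),  # genuine
        ("Nordic Timber Suplies", "GB-200000-55779911"),           # typo
        ("Nordic Timber Supplies Ltd", "GB-400000-12345678"),      # redirected
        ("Nordic Timber Supplies Ltd", "DE-500000-00000001"),      # cross-border
    ]
    for name, account in requests:
        print(f"{name!r} -> {account}: {confirm_payee(name, account)}")
```

An UNAVAILABLE result has to be handled by the other layers, since the payer gets no name confirmation at all in that case.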
Besides the fraudsters themselves, there are three parties involved in this scam: the customer (both inbound and outbound), the receiving bank, and the paying bank. All three must be kept safe and have measures in place to flag potential security risks.
The banks have the biggest obligation here: to educate and inform all consumers, both private individuals and businesses, on how to detect fraudulent behavior of this kind. The banks rely on the rational thinking of the payment authorizers in both sectors. To trigger that rational thinking and the sense that something might be wrong, banks should implement systems that flag even the smallest discrepancies in a payment journey and alert the payment authorizer.
The fraudsters are clever and have studied how real people act and think in payment situations, so the whole mindset needs changing.
Another action for banks to take is to make optimal use of every tool at their disposal: behavioral detection models, behavioral biometrics, malware detection, device profiling, analytics, advanced workflows, and a solid fraud management/monitoring platform. These could be used to sort customers into levels according to their risk of being subject to fraud scams and, perhaps more importantly, to identify the accounts receiving those payments.
Let's have a look at what benefits the banks gain from protecting their customers (and themselves) from fraudsters trying to scam people and businesses using authorized push payment fraud.
Never underestimate the eagerness, cleverness, and creativity of fraudsters; always keep all business ends sealed and secure.