What is authorized push payment (APP) fraud?

According to payment systems company ACI Worldwide, 20 percent of global consumers surveyed in 2022 reported losing money to fraudsters within the past four years. Of those surveyed, 27 percent reported being victims of authorized push payment (APP) scams.

In the UK, losses from APP scams reached £811 million in 2022 and, according to data analytics firm GlobalData’s “Trends in Payment Fraud” report, losses are projected to increase at a compound annual growth rate of 20.5 percent from 2021 to 2026.

What is APP fraud?

APP fraud is one of the most common types of fraud, and both companies and individuals can be targeted. Fraudsters use techniques such as impersonation to trick the victim into paying money into their account. Although the account owner may have technically authorized the payment, they were unwittingly manipulated into making it.

APP fraud takes advantage of mobile payment technologies used via smartphones. Peer-to-peer (P2P) app-based money services like Venmo and PayPal use “push” payments, meaning the person paying “pushes” money to the recipient. This contrasts with “pull” payments, where a retailer asks a customer to pay for an item via credit card. P2P app accounts can be set up with just an email address or phone number, and money changes hands almost instantly.

Because of these easy and convenient features, it’s simple for a fraudster to pose as a legitimate payee and disappear with funds that can’t be recalled. This is also known as malicious payee app fraud.

The use of P2P payment apps is climbing, and so are the fraud types associated with them. The Federal Trade Commission (FTC) received 2.4 million consumer fraud reports during 2022, with a total of $8.8 billion reported lost. 

The problem is more pronounced in markets where the banking infrastructure is vulnerable to authorized push payment fraud, such as the UK where transactions can be made in real-time via Faster Payments. 

Methods used in authorized push payment scams

Fraudsters use a few different techniques to carry out push payment fraud, including:

• Social engineering: Social engineers use psychological manipulation tactics, such as impersonation, to get account holders to surrender their personal information, authorize payments to scam accounts, or even provide their login details. Impersonation fraud tends to see some of the highest financial losses.  
• Phishing: With phishing, a scammer impersonates a trusted institution via email or text to get the victim to click a link or download harmful software, allowing access to their personal details or accounts.
• Account takeover: Account takeover fraud is when a criminal takes control of an account belonging to an individual or organization to cause harm or steal money. For example, they might use a hijacked social media account to pose as the victim and ask friends to send payments. 
• Confidence scams: This kind of scam works by gaining someone’s trust to access their account or manipulate them into handing over money. It might involve a romantic connection or a business opportunity.
• Property purchase scams: Property scams involve intercepting communications between customers and their conveyancers, realtors, and/or lawyers. Faced with juggling communications with various new and unfamiliar people during the house-buying process, it becomes easier for a fraudster to intercept, claiming to represent a relevant party to the transaction.

Examples of push payment fraud

Some scams are planned in advance on vulnerable victims, whereas others are opportunistic.

Authorized push payment fraud examples include:

• ‘Hi Mom!’ scams: In this scenario, a person may receive a PayPal request, supposedly from a family member, requesting emergency funds. Eager to assist, the individual promptly sends the money without verifying the recipient’s email address. Later, it becomes apparent that the family member knows nothing about this transaction, and the money ends up in the hands of a fraudster.
• Relationship scams: Another common fraud tactic targets individuals who form connections on social media platforms. For instance, an individual may develop a romantic relationship with someone on Instagram. As the bond strengthens, the newfound “partner” convinces the person to send money using payment services like Venmo. However, once the money is transferred, all attempts to contact the “partner” go unanswered and the Instagram account mysteriously disappears, leaving the victim scammed and heartbroken.
• Banking scams, also known as malicious redirection: This type of fraud involves exploiting mobile notifications from banks. In this scenario, a person receives a notification claiming their credit card bill is overdue and is provided with a link to what appears to be their banking app. Trusting the notification, the person clicks the link, only to be redirected to a fake app created by fraudsters. Consequently, the victim unknowingly shares sensitive information with the scammers, leading to financial losses and distress when the bank confirms the occurrence of fraudulent activities.

Businesses are also vulnerable to APP fraud, especially where the fraudster pretends to be a representative of a tax authority, business supplier, courier, or business banking provider. Notifications or messages might claim that the company account is at risk from fraud and that money needs to be moved into a different account. Scammers control the new account and can be emptied immediately. 

With fake invoice scams, a firm may be tricked into paying an invoice that seems to be sent by a supplier via email. It looks like a legitimate invoice, but the payment link has been doctored, or the bank details altered.

How are companies impacted by APP fraud?

Retail Banker International reports that UK banks paid for 43 percent of customer APP fraud losses in 2020, amounting to £207 million. When firms choose not to compensate, this can impact brand reputation and customer loyalty.

The UK Government found that “reimbursement to victims of APP scams remain inconsistent, with many victims continuing to suffer losses without reimbursement (…) there are disparities in how firms interpret their obligations”. The Payment Systems Regulator has recommended that all customers be reimbursed, except in rare cases. If this recommendation is taken forward, it will have big implications for firms.

How to prevent and detect authorized push payment fraud

The finance industry is rapidly developing its defensive capabilities against APP fraud. In 2019, the UK’s Payment Systems Regulator directed the six largest banking groups to implement Confirmation of Payee (CoP), where banks check the name, sort code, and account number of any new payees. 

Firms looking to enhance their APP fraud detection capabilities may consider the following best practices:

• Implementing real-time transaction monitoring: Firms should adopt systems that continuously analyze transactions as they occur, allowing for swift identification of suspicious patterns or anomalous activities.
• Utilizing machine learning (ML) algorithms: Incorporating ML models can help detect complex fraud patterns and adapt to new fraudulent schemes, improving fraud detection accuracy over time.
• Collaborating with industry peers: Sharing information and insights with other firms in the industry can enhance collective efforts in identifying and combating evolving fraud tactics.
• Implementing multi-factor authentication (MFA): By requiring multiple layers of authentication, such as passwords, biometrics, or one-time passwords, firms can add an extra layer of security to verify the legitimacy of users and transactions.
• Educating customers and employees: Regular awareness training to customers and analysts can help them recognize potential fraud attempts and avoid falling victim to scams.

Technology has a valuable role to play in preventing P2P APP fraud. AI-powered fraud detection solutions that focus on transactional fraud using pattern recognition and machine learning to assess thousands of transactions at speed should be considered by firms looking to enhance their fraud detection software. With ComplyAdvantage, firms can identify and prevent over 50 payment fraud scenarios and can go beyond a rule-based analysis to adapt to “unknown unknowns”. 

To learn more, click here to see how Fraud Detection by ComplyAdvantage compares to other solutions in the market.