Fraud victims lose £28K to bank transfer scams every hour

APP fraud is identity fraud and banks should implement Secure Provider Authentication (SPA).

To protect their customers from the indignity, the anxiety and the shame of being scammed, Banks need to focus energies on SHUTTING THE STABLE DOOR to prevent more of this from happening in the first place.

Some people will always get scammed but right now that door is way too ajar.

Big banks are just too easily impersonated and their comms channels to customers vulnerable and too easily compromised by their own behaviours.

Last month our son at Uni fell victim to an APP scam and they emptied his account. Sufficiently sophisticated to fool a young adult with just a few yrs of banking familiarity.

First a bogus txt from ‘Royal Mail’ about parcel redelivery: enough to elicit an address and bank name. Next an 0800 inbound call from ‘Santander’s fraud team’ alerting to suspicious activity. And so, driven by a fear of losing all his money … he lost all his money.

Banks say “we will never contact you by…“ and “we will never ask you to ….” but the uncomfortable truth is they do and they have (less now than in the past) - and it’s those behaviours the scammers are exploiting.

In the follow up with Santander’s real fraud team they’d called him on three different 0800 numbers, none of which he had any means to validate as real. At the start of each call he was “taken through security checks” but they gave him NO means to authenticate THEIR identity.

Why? They could have sent an OTC to their App on his phone and recite it once he’d opened the App to view it using SCA. They’re leaving account holders vulnerable because it’s secure comms ONE WAY but NOT the other.

Hardly a surprise that APP fraud on FPS now outstrips fraud on the card networks (which for so long held top billing). Significant for the customer tho as fraud on the former is far harder to recoup than the latter are your article points out.

PSD2 gave banks no choice but to spend on SCA to ensure the account holder is verified by two factors when opening their App.

Implementing 2FA to provide equivalence in the other direction ~ for the account holder ~ is non mandatory. So whilst it's technically trivial to enable, it’s a chunky £upgrade which needs to be signed off internally.

Cost being commensurate with size / age: the CMA9 are the natural laggards and loom large on this heat-map.

When the CRM payouts (mandated or otherwise) exceed the internal cost to upgrade I guess the decision becomes easier.

Giles, I'm sorry to hear that your son was scammed of his entire bank account contents.  It's an interesting angle you talk about here - securing the inbound call to a consumer from 'the Bank' with legitimate and well advertised authentication through the banking app.  This would go a really long way to eliminate the bank impersonation scams that are so rife right now.  If this is a capability that could be applied, then the banks need to take a good hard look at what appears to be double standards here.  Thank you for your comment.

This is the £1billion problem in our payments industry. More work needs to be done on prevention rather than reimbursement. Educate and mandate. The Confirmation of Payee (CoP) is available TODAY for payment players to plug in and slow or remove APP fraud. Just like EMV chips on our bank cards, CoP has to become ubiquitous in the ecosystem - let's not wait for the £2 billion threshold next year, before we act to protect consumers and businesses.

Thanks Jackie. When your bank’s app is in your phone, you are carrying their software (SaaS). Essentially you’re carrying a miniaturised branch around in your pocket and we need to be maximising the advantage of this … Applying modern use of in-app messaging or message-based-chat would make the phone line - where you have to be “taken through security” and are more often than not subjected to ‘hello 1989’ IVR before you are permitted to even talk to a human - largely redundant. It would be trivial instead to ping an app (push) notification and then serve up the ‘last three transactions’ …. “did you spend £15.22 at Aldi in Jesmond yesterday?” or whatever, in the App with a Y/N? field. No phone call required, utlising SCA (instead of the first two characters of your mother’s maiden name etc) and strong assurance for the account holder that they’re communicating directly with their actual provider.

Agree Ed. In our son’s case his cash ended up in a non-CoP UK bank, so a UK mandating would at least help to close the door. In terms of consumer education (for account holders) …. it would help that effort if these scams could be referred to with something the general public can actually understand and that better describes the problem. Such as Identity Fraud Scams, for instance …. and not ‘APP fraud’ which appears in every media headline but is so tenuous even bankers struggle with it (despite it being essentially derived from bankers’ speak).

The UK Finance Fraud report due out in the next few weeks report on 8 x specific types (eg CEO fraud, Romance scams, Advance Fee scams etc) which we can do better to socialise.

The migration of fraud to non-CoP banks you mention Giles, sadly is inevitable and predicted long ago, like the bad movie slow-mo playback. It should make an increasingly easy business case for banks/building societies/credit unions etc to make on CoP installs, based on growing losses, reputation risk and poor competitiveness amongst peers.

There are several things that banks could do to help reduce APP fraud:
Bank impersonation fraud via phone calls - legitimate bank can send a code via notification to user's mobile app that they confirm to the operator (Chase do this, it works well & gives mutual authentication)
CoP - extend to non-participating banks, but CoP still relies on the consumer (who has already been tricked) to make the fraud decision, so is not the best approach as scammers will talk them through the warnings
Carry out SCA on the recipient before initiating the FPS - (possible now with digital identity solutions) - this gives mutual authentication and additional data for the sending bank to use in the fraud decision. Scammers will not want to SCA themselves so this will reduce fraud.