According to
Nick Green, director, Purple Patch Broking, “APP fraud is now the number one payments threat and is expected to reach $5.25 billion by 2026.” Last year alone, UK bank fraud losses topped
£1 billion.
Authorised push payments
(APP) fraud is the increasingly
sophisticated financial crime that tricks victims into sending funds directly to fraudsters’ accounts. This is done by convincing the victim – through various technological and practical methods – that the criminal is a genuine payee. Since these transactions
are payer-approved, the challenge for banks is educating their customers on how to spot potential APP fraud before it happens.
In this article, Finextra explores the circumstances in which these financial crimes take place, the various kinds of APP fraud out there, as well as some tell-tale signs that a proposed transaction is not legitimate.
Where to look
According to UK Finance’s 2024 Annual Fraud Report,
76% of APP fraud cases originate online. Interestingly, while only 16% comes through the telecommunications route, this segment represents almost half of the overall cash stolen from victims. This may be because criminals can better exploit customers’ pre-disposition
to place trust in a person they have interacted with directly over the phone.
To make matters worse, artificial intelligence (AI) is increasingly being used to mimic the real voice or image of someone the customer may know or be aware of – necessitating hypervigilance from those most vulnerable.
What to look out for
There are several ways fraudsters go about stealing money from their victims. Here is a breakdown of the most common strategies.
Impersonation
Perhaps the most well-known APP fraud method is impersonation, whereby the criminal will pose as the police, family or a real company – be it a utility provider, insurer or bank – and attempt to convince the victim that money must be sent.
Businesses are particularly exposed to this kind of fraud around their self-assessment deadline, when scammers have been known to pose as HM Revenue & Customs (HMRC) and demand cash for rebates or fines.
One of the highest profile examples of impersonation fraud recently saw Mark Read, CEO of advertising group, WPP, fall victim.
According to
The Guardian, fraudsters created a “WhatsApp account with a publicly available image of Read and used it to set up a Microsoft Teams meeting…with him and other senior WPP executives…During the meeting, the impostors deployed a voice clone [and]…impersonated
Read off-camera using the meeting’s chat window.”
The scammers ultimately sought to cajole an agency leader into setting up a new business through which money and personal details would be lifted. The attempt was unsuccessful.
Purchase bargains
Anther common APP fraud method is the purchase scam, where victims are asked to buy a product or service that does not exist. Of course, this strategy places a limit on the amount that can be pulled from victims’ accounts and will often occur online via
sites that mimic well-known brands.
As is the case with most parts of modern life, purchase fraud is untouched by the spectre of Taylor Swift. In April, Lloyds Banking Group issued a
warning over Taylor Swift ticket scams, with thousands already having fallen victim; losing on average £332 each. Facebook was the source of 90% of the sales.
Offers of romance
Perhaps less discussed is the
romance scam, which involves the fraudster striking up a feigned emotional bond with the victim, before asking for cash. The criminal will be a stranger to the perpetrator and will often have a story that seeks to manipulate the victim’s emotions.
Interestingly, Nationwide has noted a
40% jump – between 2022 and 2023 – in the number of male victims of romance fraud: “In one case…a customer met someone via social media who claimed to be serving in the United States military and tried to send expensive gifts to them,” reported The Independent.
Romance scams accounted for
£36.5 million of lost personal money in 2023.
Big investment opportunities
This type of scam has been pushed to the fore of late – particularly in the shadow of the crypto boom, which is being exploited by bad actors to siphon money from the most unsuspecting or uninitiated investors.
In February, a County Down man was scammed out of his
entire life savings, having been convinced to invest a six-figure sum with a fraudulent cryptocurrency firm. Fortunately, in one of the biggest cases ever awarded by the Financial Ombudsman, he was given his money back.
Last year, investment scams comprised around
25% of all APP fraud losses.
Loan fees
Perhaps more sophisticated is the loan fee scam, whereby an administration fee is charged for a loan that victims never receive.
So sever is the risk, the Financial Conduct Authority (FCA) has issued
statement on this: “Every year we receive hundreds of reports of loan fee fraud, with victims reporting an average loss of £255.”
In April, the Financial Times
reported that the UK’s high mortgage rates are a key factor in the rise of lending scams – since they are forcing homeowners to seek short-term credit.
Advance fees
Like the loan fee scam is the advance fee scam, which tells victims that they are in with a chance of receiving a large amount of cash – perhaps from a postal lottery or an otherwise unknown inheritance – if they pay a small fee upfront. This kind of APP
fraud typically starts with a letter or email.
In October 2023, Leicester woman, Bina Ravat, told the i paper that she lost
£80,000 in an inheritance scam on Facebook after a ‘dying’ woman said she wanted to leave her a £35m fortune. Ravat Bina Ravat secured a partial refund from her bank by arguing that the fraudsters bullied and exploited her.
Invoice interception
The invoice scam, unlike the previous methods explored here, begins with a genuine transaction and seeks to intercept it to siphon off the cash.
This is achieved when a fraudster steps in on an invoice that is about to be cleared with a genuine payee and convinces the payer to divert the funds to an illegitimate account. In this scenario, bad actors will often pretend to be tradespeople, solicitors,
or builders, and may target all kinds of businesses.
In September 2023, an undisclosed coach operator was scammed for a six-figure sum in an invoice fraud around a
vehicle purchase. Unbeknown to the operator, its emails were hacked, and the high-value invoice was spotted by cybercriminals, who proceeded to alter the sort code and account number on the document.
Lost pet scams
One of the lesser-known APP frauds are those involving the loss of a pet. Scammers conduct this scam by trawling through lost pet forums and demanding ransoms from owners desperate to see their animals returned.
In January, the BBC reported that one victim, from Greater Manchester, said a man claiming to have found her Yorkshire terrier “demanded
£2,000 and said she would never see her dog again if she went to the police.”
So severe is this problem in Cheshire that its Police Commissioner, John Dwyer, advised people to be
vigilant when a
BBC North West investigation found fraudsters are increasingly “targeting dog and cat lovers with threatening calls.”
Five red flags
So how should we separate genuine transactions from those that are fraudulent?
Here are five questions that consumers may ask themselves before hitting the ‘send’ button:
1. Is it too good to be true?
If a product being sold is too cheap, or a reward being offered is too large, with ‘no catch’, then it probably is.
2. Is the communication a little odd?
Most have a good instinct for when things feel ‘off’. This reaction might come from the entity itself that has reached out, or even their wording. Remember, it is rarely the case that reputable brands will contact customers and ask for money.
3. Do I feel under pressure?
Most cybercriminals are under time pressure – they want to get as much money as they can from their victims in the shortest amount of time possible. Never would your bank, for example, ask for cash so pressingly. If you ever feel forced, then this is likely
a coercion tactic.
4. Is this payment method familiar?
To combat all kinds of fraud, most in-house bank technologies compare a payer’s historical transaction activity – whether it be the kind of payee, payment initiation times, or the transaction value itself – with what is pending. If the discrepancy is too
large, then fraudulent activity is likely taking place.
Consumers are advised to think in the same way: Is this method something I am familiar with? Is the payee someone I know? Would I normally send this much money via bank transfer?
5. Have I been asked for sensitive information?
The fifth, and bottom line, piece of advice to avoid becoming the victim of an APP scam is to never give personal details over text or email. In the UK, rarely a legitimate entity will ask for these. In August 2023, the FCA placed a
total ban on financial cold calling.
Industrial action
But what is the industry doing to catch APP fraudsters?
As well as educating their customers on how to spot scams, banks regularly monitor inbound and outbound transactions using Anti-Money Laundering (AML) and Know Your Customer (KYC) techniques, as well as leverage biometrics and behavioural profiling. With
partner institutions they also share intelligence so that criminal patterns can be monitored.
On top of this are initiatives such as Confirmation of Payee (CoP),
initially intended to come into force in October 2024; Pay.UK’s fraud detection
pilot with Visa, which promises to save the economy over £112 million a year; and Mastercard’s
AI tool for banks which uses historical spending behaviour to scan for signs of fraudulent activity.
If all else fails, consumers can sleep sound knowing that, in accordance with the PSR’s mandatory reimbursement requirement,
100% of APP fraud liability lies with banks. That’s 50% with the sending bank and 50% with the receiving bank.