Authorized Push Payment Fraud (APP fraud): 3 Reasons Why It Is Challenging to Detect It
- Lukas Jakubicek
- January 5th, 2024
Authorized Push Payment fraud (APP fraud for short) is a social engineering attack where victims are tricked into authorizing a payment to a fraudster, usually via phone call or software allowing remote access (such as TeamViewer, AnyDesk, SupRemo, and the like).
Countries with banking infrastructures that enable fast or immediate transfers, such as the UK, are particularly susceptible to APP fraud.
In 2022, over £1.2 billion was stolen, which is equivalent to over £2,300 every minute.
This article explains what APP fraud is and why it is so difficult to detect. It then lists insights banks can use to detect and mitigate the associated risks.
How Does APP Fraud Work Step by Step
APP fraud occurs when a victim is persuaded to make a bank transfer under false pretenses, believing they are sending money to a legitimate recipient or service provider.
Setting up the Scene
APP fraud typically occurs when a fraudster pretends to be a reputable entity like a bank, police department, utility company, or government agency. The fraudster employs different tactics, such as making phone calls, sending emails, or text messages, to trick the victim.
Building Trust
To build trust, fraudsters often use caller ID spoofing services that let them call from any number they want (the bank's customer support line, for instance). These days, you don’t need any special knowledge to use such a service. All you need to do is pay approximately 10 dollars and select the phone number you would like to spoof.
Fear Factor
The fraudster typically provides convincing explanations or urgent scenarios, manipulating the victim into believing their money (or an extra profitable investment) is at risk if they don’t comply.
Hard to Find Tracks
Unfortunately, once the victim makes the payment, the funds are quickly transferred to multiple money mule accounts, often making it difficult to trace or recover the money.
Consequences & Liability Shift
One of the key challenges with APP fraud is the fact that the victim authorizes the payment, hence the name. Unlike unauthorized transactions, where banks are typically liable for the losses (for instance, card-not-present fraud), in APP fraud cases, the responsibility often falls on the victim.
In the case of Barclays vs. Fiona Philipp, Barclays Bank overturned an appeals court ruling (https://www.finextra.com/newsarticle/42635/supreme-court-rules-in-favour-of-barclays-over-app-reimbursement-claim) that had rendered it potentially liable for a £700,000 authorized push payment scam against one of its customers.
Where the customer has authorised and instructed the bank to make a payment, the bank must carry out the instruction promptly. It is not for the bank to concern itself with the wisdom or risks of its customer’s payment decisions.
Judge George Leggatt
However, prevention remains a collective effort that requires vigilance from both individuals and financial institutions to identify and mitigate the risks associated with this type of fraud.
The recent announcement by the UK Payment Systems Regulator (PSR) (https://www.psr.org.uk/publications/policy-statements/ps23-3-fighting-authorised-push-payment-fraud-a-new-reimbursement-requirement/) places greater liability on financial institutions (FIs) that receive fraudulent payments.
It is likely that UK banks will adopt new measures to effectively fight APP fraud. Otherwise, they risk (apart from the reputation damage) fines from regulators.
Why is it so challenging to detect it?
Given the nature of APP fraud (and of all social engineering-based attacks), there are really not many clues for a financial institution (and its anti-fraud systems) to follow up on.
1. Trusted Environment
The victim is using a trusted device to access the bank’s services. This indicates that the bank has recognized and recorded the device’s unique characteristics, such as its fingerprint, during previous legitimate interactions. As a result, the device is deemed legitimate, and there is no cause for suspicion.
2. Performed by Victim
Secondly, all activities (or at least login) are performed by the legitimate owner of the account. That means that all solutions based on behavioral biometrics (the exact way users behave – typing, mouse movements, swiping and others) will be useless.
3. Known & Trusted Beneficiary Account Number
Thirdly, the payment usually goes to a crypto exchange account that the bank trusts, because legitimate payments have been sent to that account before from other bank accounts.
Combine that with the fact that the payment is usually set up as an instant transfer, and the bank has literally only a couple of seconds to react.
How to detect Authorized Push Payment fraud?
At first glance, the situation may appear bleak: there seem to be no pertinent clues that could be acted on without increasing false positives and confusing the bank’s fraud investigators.
On second glance, there are some clues that, if analyzed holistically, can yield precious insights.
For instance, one of the telltale signs could be session duration. If a session is unusually long compared with the average duration of other sessions seen for that particular user, it could be the first indication that something is off.
Of course, the ultimate signal is where transaction monitoring detects abnormal payments going to (for instance) crypto exchange bank accounts. But that usually means that it is too late.
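As an added illustration of analyzing these clues holistically (example code, not part of the original article), the sketch below compares a session's duration against the user's own baseline with a median/MAD robust z-score and flags a payment to a beneficiary the user has never paid before, weighting the result when the transfer is instant. User names, account identifiers, session lengths and the threshold of 3 are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class Session:
    user: str
    duration_s: int                 # online-banking session length in seconds
    beneficiary: Optional[str]      # account paid during the session, if any
    instant: bool = False           # instant / faster-payment transfer

# Constructed sample data: durations (seconds) of the user's past sessions.
HISTORY = {"alice": [180, 240, 200, 210, 190, 260, 230]}
# Constructed: beneficiaries this user has paid before.
KNOWN_BENEFICIARIES = {"alice": {"GB00-ENERGY-01", "GB00-LANDLORD-02"}}

def robust_z(value, history):
    """Median/MAD z-score: a few outliers in history do not skew the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0   # avoid division by zero
    return (value - med) / (1.4826 * mad)                 # 1.4826 scales MAD to sigma

def score_session(s, history=HISTORY, known=KNOWN_BENEFICIARIES, z_threshold=3.0):
    """Return (number_of_red_flags, reasons) for a single session."""
    reasons = []
    # Clue 1: session far longer than this user's usual sessions.
    z = robust_z(s.duration_s, history.get(s.user, [s.duration_s]))
    if z > z_threshold:
        reasons.append(f"session {z:.1f} robust-sd longer than user's baseline")
    # Clue 2: first payment from this user to this beneficiary account.
    if s.beneficiary and s.beneficiary not in known.get(s.user, set()):
        reasons.append("first payment from this user to this beneficiary")
    # Instant transfers leave no time for manual review, so they raise the level
    # only when another clue is already present.
    if s.instant and reasons:
        reasons.append("instant transfer leaves no time for manual review")
    return len(reasons), reasons

if __name__ == "__main__":
    suspicious = Session("alice", 2700, "GB00-CRYPTO-99", instant=True)
    normal = Session("alice", 220, "GB00-ENERGY-01", instant=True)
    print(score_session(suspicious))   # 3 flags
    print(score_session(normal))       # 0 flags
```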