There is plenty in the news in the UK and around the world about scams at the moment, with popular news trends including investment, holiday and other purchase scams. Most of these involve paying for goods and services that either don’t exist or that you will never receive and, in a twist, it is now very common to be targeted by scammers when selling items. Purchase scams have remained the most common scam and they continue to grow, with a 17% rise in volume in 2022, following the 18% rise in 2021 that is reported in the latest UK Finance report.

Many scams are also being linked to tech companies, and particularly Meta. Calls for something to be done, from banks such as Lloyds Banking Group and TSB, are getting louder and more frequent. Action Fraud released figures of more than 1,000 cases and £18.6m of reported investment fraud related to Facebook (a Meta company) in the first 5 months of 2023, and TSB stated that 87% of the investment fraud its customers suffered last year was linked to Meta Platforms.

In the UK, the outcomes for consumers should improve next year when the PSR’s new reimbursement policy comes into force and banks have to start refunding, and/or increase their refunding rates, when their customers suffer an Authorised Push Payment fraud and become a victim of one of these scams. The reimbursement doesn’t solve the problem: the victim will still likely suffer stress and anxiety from the scam experience, and criminals are getting away with huge values (£485m in 2022).

APP fraud and scams are continually evolving and there aren’t always clear definitions, so many people are only now catching up. They’re asking:

  • Exactly what is a push payment?
  • Are all scams and APP the same thing?
  • How do people get scammed into making push payments online?
  • Is my money safe?
  • What can I do if I am the victim of a scam?

This article will outline the scope of push payment fraud today, and what financial institutions can do to protect themselves and their customers from it.

What is a push payment?

A push payment is a transaction that gets initiated by the payer (consumer/customer). This is different from a pull payment, such as a credit card payment, that gets initiated by the payee, or the person/business who receives the money.

In pull payments, there’s usually a merchant or service provider asking to be paid. In push payments, the payer takes the first step. The difference seems subtle, but it’s the “I would like to send you money” aspect of push payments that makes them so flexible and useful for fraudsters.

What is authorized push payment (APP) fraud?

Authorized push payment fraud (APP fraud) is when a payer is tricked into transferring money to someone. Authorized push payments are rarely reversible after the payment has been made, which is one reason this approach is appealing to fraudsters.

APP fraud is also sometimes referred to as bank transfer fraud or even just scams, but this can cause confusion as scams can be used to refer to a much wider set of fraud scenarios. For example, machines being used to clone cards at ATMs is often called a card skimming scam, but this is very different to APP scams as the victim is unaware of the resultant pull transactions taking place from their card account.

In APP fraud, the victim could be an individual or a business, but in both cases, the victim has authorized the payment believing it was for a legitimate reason. Regardless of the type of fraud or scam concern, it is better to be safe than sorry and, in the UK, customers can call 159 to talk to their bank about their fraud-related concerns.

There are various types of push payment fraud schemes, including:

  • Invoice scams. This is when a fraudster creates a fake invoice for work that seems legitimate, or the invoice has new fraudulent payment details for a legitimate company or person. When the victim pays the seemingly legitimate invoice, the money goes to an account under the fraudster’s control.
  • Impersonation scams. This is when a fraudster pretends to be a legitimate payee. They often pretend to be a person or organization the victim trusts. For example, a fraudster pretends to be from a bank or the police. They contact potential victims in various ways (phone, email, text, social media) to request payment for something that appears legitimate. These types of scams often use fear to manipulate the victim, such as threats of losing money to fraud or being suspected of a crime. Sometimes they use the victim’s good character against them with pleas to help catch fraudsters. To the victim, the phone numbers, email addresses or even websites used by the fraudster look sufficiently legitimate for the victim to initiate a payment.
  • Confidence scams. These scams can be similar to impersonation scams as the fraudster usually poses as someone they are not. This can range from family or friends needing help through to romance scams, where the “friend” that needs help may be someone the victim has actually never met, but has developed a relationship with after “meeting” online.
  • Investment scams. This is when a fraudster poses as an investment expert of some kind, usually online, and targets people who are looking for ways to invest money. The scammer will promise better returns on investments than standard or well-known approaches, often hundreds of times better and thus too good to be true. The fraudster may use stories of crypto millionaires or celebrity endorsement and have very legitimate-looking websites and trading platforms, but once the money is transferred to them it is not invested and is never returned.

Social engineering plays a big role in APP fraud. Fraudsters deploy all kinds of sophisticated measures to convince victims they really are who they pretend to be, but scams often follow a familiar pattern:

  • The fraudster initiates contact — usually by phone, email, social media, or direct message — by pretending to be someone the victim can trust.
  • The fraudster tells a story designed to neutralize any red flags the victim might otherwise spot. There’s always evidence to support the story, whether it’s a fake website or photos or the seemingly legitimate email address.
  • The fraudster’s story aims to put the victim into a heightened state of fear or greed: the payment needs to be made, and soon, otherwise there will be a bad impact or a missed opportunity. The authorized push payment is usually instant, so there is no time to reflect and think through the consequences until it is too late to recover the funds.

Hundreds of millions are lost every year to APP scams

In the UK, the latest data available shows that APP fraud value exceeded £485 million in 2022. That takes the total for the last three years to £1.49 billion in APP reported value. Only some of this amount was returned to victims of the fraud: ten banks participate in a voluntary code (CRM) that resulted in 66% returns to victims, and outside the code the figure will often be lower. This will change in 2024 when the PSR introduces new requirements for increased reimbursement, with the expectation of nearly 100% of victims being reimbursed. Not all of this financial burden falls on the victim’s bank though, with 50% of the refund to come from the receiving bank.

The PSR expects the introduction of its policy to increase the efforts of sending and receiving banks to prevent scams. These efforts could come in many forms. Until recently, many banks have relied on customers to protect themselves, but this is getting harder and less effective as the volume of scams grows and the fraudsters’ stories and promises become more realistic and believable. Banks will continue to increase their education and awareness campaigns and will also continue putting pressure on social media companies such as Meta to take action. These approaches need to be backed up by real-time scam detection that can intervene before a victim or mule can send a payment.

How Featurespace can help detect authorized push payment fraud

Featurespace built the ARIC™ Risk Hub to serve as a real-time layer of protection for financial institutions and their customers.

ARIC Risk Hub uses patented Adaptive Behavioral Analytics technology to learn about customer behaviors: the transactions they make, when, to whom and why. The machine learning that powers this technology continuously learns which transactions are legitimate and which might be suspicious, and it can make these assessments in real time. This is already industry-proven in our work with our customers, including NatWest, who saw a 135% improvement in the value of scams detected along with a 75% reduction in false positives. You can read the full story here.

If replacing the payments detection solution isn’t the right option currently, then Featurespace’s Scam Detect can help augment your detection with a Scam Detect score that can be easily integrated into your current platform to monitor your payments. This option has simple integration requirements and a rapid deployment model.