Authorised Push Payment (APP) Fraud has escalated in recent years, with the number of cases increasing year on year. What can companies do?
What is APP Fraud?
Authorised Push Payments (APP) are normal payments that companies make using online banking services. They have been correctly authorised and are “pushed” from their account to the beneficiary. APP fraud involves manipulating victims into authorising payments to accounts controlled by fraudsters.
Faster payments enable companies to make and accept payments more rapidly and, as a result, drive competitive advantage. However, faster payments also make APP fraud more attractive to criminals, as the transactions cannot be revoked and are settled rapidly into fraudsters’ accounts enabling them to extract the funds without delay.
“As the use of faster payments becomes increasingly available to businesses, it is likely this type of fraud will continue to grow.” says Andrew Marshall-Hardy, Head of Fraud Risk for Corporate, Commercial and Institutional Banking (CCIB) at Standard Chartered Bank.
As of 2020, about 41 per cent of businesses had reportedly encountered APP fraud — a percentage that is set to rise in today’s digital world.1
As of 2020, about 41 per cent of businesses had reportedly encountered APP fraud
How is APP fraud carried out?
To perpetrate APP fraud, criminals often use social engineering tactics to trick individuals within a business into authorising payments to accounts that are controlled by fraudsters.
Typically, before reaching out to the targets, criminals conduct research to gather details about the company and its employees. This enables them to tailor their attack and make their requests appear genuine. Such information could be obtained through phishing and vishing, or by conducting research on the internet, social media or the dark web.
Once they have the information they need, fraudsters will then launch their attack, frequently using a Business Email Compromise (BEC) tactic, a form of APP Fraud.
Here, fraudsters send email to company employees that appear to come from a known source making a legitimate request. To achieve this, they may hack into a business partner’s email account or create a similar-looking email address under a fake domain (spoofing). Then, masquerading as that business partner (which could be a vendor, lawyer, government or financial institution), they will send fake invoices, or requests to add or amend beneficiary banking details.
Fraudsters can also impersonate the company’s CEO or senior staff members to trick employees into authorising payments — this type of BEC is called CEO fraud.
If employees in the targeted company are not vigilant or aware of such scams, they may be tricked into transferring money to accounts controlled by fraudsters.
With the global supply chain disrupted due to the pandemic, some companies have also found themselves falling victim to non-delivery scams — another form of APP fraud. This happens when criminals pretend to be legitimate companies, promising highly sought-after or heavily discounted products. They can pose as salespeople to manipulate victims into making advance payments for products, only to never receive them.
The cost of APP fraud
In the case of APP Fraud where a company instructs payments to an account controlled by the fraudster, it is that company that bears the burden of the loss, as they consciously authorise the payments.
Once the fraudulent payment is authorised and released, it can be hard to recover the funds. Chances of recovering funds are even lower if a real-time payment method is used.
Trade Association UK Finance reported that GBP479 million (USD658 million) was lost to APP fraud in 2020 in the UK alone. 2
The true cost of APP fraud often extends beyond the immediate financial loss, to additional fees spent to investigate the breach, remediation of internal processes, and staff dealing with the emotional fallout of the event. Falling victim to APP fraud is clearly an expensive experience that no one wants to go through.
Key warning signs
Here are some common red flags of APP fraud :
- Unusual money transfer requests, such as adding or amending beneficiaries or payments in a different currency
- Urgent requests that are marked as highly confidential, with explanations to encourage employees to make changes or process the payments immediately without consulting colleagues
- Changes in the supplier or business partner’s company profile such as email address (which can be difficult to spot without looking closely), contact number or contact person
- Anomalies in documents such as payment orders, contracts and invoices that indicate tampering or contradict information that employees have on hand
Vigilance is key. In Andrew Marshall-Hardy’s words, “It needs to be second nature for staff members to check payments and verify them with the requestor using trusted records, especially when things don’t make sense or payments are above a certain value”.
How to protect yourself
While technologies such as artificial intelligence and blockchain have been touted as the solution to fraud, the reality is there is no single silver bullet.
Instead, APP fraud is best prevented by having multiple controls in place. These should include dual-level payment approvals, segregation of duties, performing call-backs to verify the authenticity of transactions or changes in payee details using trusted records.
“Humans are often the weakest link, which is why employee education and fraud risk awareness are important. Promoting a culture of fraud risk awareness and compliance with processes designed to prevent frauds should form a part of any company’s risk management strategy”, summarises Andrew Marshall-Hardy.
Experts suggest creating a “human firewall” to protect organisations against payment fraud. Find out more from one of our recent webinars .
Three steps to stop APP fraud
SPOT APP fraud red flags by keeping abreast of the latest payment fraud scams and validating unusual payment requests.
STOP payment if you are unable to verify the identity of the requestor or the authenticity of the payment request. Do not bypass internal policy by succumbing to peer and time pressure when processing payments.
REPORT APP fraud to local law enforcement authorities and to your bank immediately. The faster you act, the higher the chance of recovery.
Find out more about how you can protect your business against fraud.
1 Experian’s 2020 Global Identity & Fraud report
2 UK Finance’s Fraud – the Facts 2021 report