We all know that there are risks in payments. When the controls we put in place to manage risk fail, fraud is the result. Fraud, or fraud prevention, is now an industry using many of the same tools to defeat our controls that we use to defend our payments systems.
A reality is that fraudsters aren’t discouraged when we erect a strong new defense around one weakness. They just move on to the next, more easily exploited vulnerability. We put EMV chips on cards, and fraudsters moved to card-not-present transaction fraud. We have card data breaches so we tokenize payment credentials to make stolen data less valuable. So, fraudsters work to gain control of our accounts through account takeover fraud (ATO).
ATO fraud has become made easier through data breaches, social networks, and all of the other ways our data is shared online. Fraudsters can capture our user IDs and passwords and even to intercept multi-factor authentication messages. (Note to self: SMS text as an authentication factor isn’t strong enough).
ATO is a problem but it can be defeated by biometrics, behavioral analytics, and other techniques like truly strong passwords. Use them.
The Latest Scourge: Authorized Push Payment Fraud and the Scams That Drive It
A fraud vector now favored by a good part of the Fraudster Industrial Complex is authorized push payment fraud, or APP fraud.
Enabled by social engineering, a fraudster uses what they know about an individual to convince the victim to send the fraudster money, often by masquerading as a representative of a trusted entity like a bank, a telco, or a government agency. Other times the scammer poses as a distant relative or potential love interest. Preying on vulnerable, often older, individuals, these frauds can be elaborate, taking years of grooming if the payoff in victim monies is big enough.
For the victim, the impact can be devastating and the pain enduring. Our work in developing markets has taught us that these frauds can take food off of the family table or derail plans for the family business. In developed markets, we hear of victims losing their life savings.
These are not rare cases. UK Finance has just reported that, for the first time, APP fraud exceeded card fraud during 1H 2021. Total losses due to APP scams rose to £355.3 million in H1 2021 , up 71 percent over the same period in 2020. The number of cases rose 60 percent to 106,164. Note that banks there are trying to restore lost funds to victims but the percentage of losses recovered has been, at best, 45 percent.
This is better than nothing–but imagine the pain. (The report also contains an excellent description of the many types of scams employed by fraudsters.)
That is breathtaking. And a warning of what’s to come in the far larger US market.
To help raise awareness and protect individuals and businesses, UK Finance has produced an excellent informative site, along with resources, called Take Five to Stop Fraud. It’s worth a long visit.
No Simple Solutions to Payment Fraud
Payment is tough to prevent because it is hard to detect. The victims properly authenticate themselves to their bank. From an authentication perspective at the bank, everything looks fine. It’s just that the accountholder sends the money to the fraudster or to a money mule hired by the fraudster for provision of an intermediate, less suspicious, bank account to receive the funds.
The good news as this Payments on Fire® episode discusses, there are payment technologies and actions that can make a difference. As of now, however, we are vulnerable to these frauds.
For more on fraud types and how to sort them out, visit the Federal Reserve’s FraudClassifier℠ Model.
This is Going to Get Worse
Fraudsters are good at APP scams because they are rewarding. They are difficult to detect although there are techniques available. And it’s low risk because getting caught and then successfully prosecuted is rare. Therefore, we can expect a lot more APP fraud as instant push payments grow in popularity.
What we don’t know, in the US, is the extent of APP fraud in today’s environment. While individual firms—whether closed loop systems like Venmo or open loop ones like Zelle—no doubt track APP fraud internally, there is no legal or industry requirement to report those numbers. In admirable fashion, UK Finance has required fraud reporting for years in the knowledge that situational awareness leads to risk reduction.
We Need the Numbers to Improve
The great business management thinker of the last century, Peter Drucker, is often quoted to say: “If you can’t measure it, you can’t improve it.” Applied to US fraud reporting statistics, a more accurate rendition would be: “If you won’t measure it, you won’t improve it.”
There has to be a way for the industry to develop and share solid metrics that inform everyone without embarrassing or exposing individual entities to undue litigation, never mind ridicule.
Painful Human Impact
While comprehensive fraud reporting in the US is unavailable, there are certainly plenty of stories to illustrate the pain involved and how many, out of shame or embarrassment, choose to hide what happened rather than report it to authorities. Ouch.
Scammers Love Push Payments
To shed light on APP fraud, its impact, and some approaches to detecting fraudster coercion and the misdirected payments it causes, join Glenbrook’s George Peabody and PJ Rohall, Fraud Subject Matter Expert at Featurespace, a fraud management software company. PJ is also the co-founder of About Fraud.Com, a community site for the fraud management industry.
In this episode George and PJ discuss the growth of APP fraud and techniques to detect and deter it. You’ll hear him describe examples of the impact APP fraud has caused on individuals, many least able to weather this kind of financial damage. Psychological damage is real.
PJ outlines how scammers prey on people’s vulnerabilities – our fears, desires, greed, and worries. Scam types include romance scams, business email compromise (phishing), investment scams, purchase scams, and more.
What Can We Do?
Fighting back against payments scammers is an ecosystem-wide task. As PJ makes clear, every stakeholder has a role. Yes, regulators, financial institutions, the social media giants and the rest of Big Tech, mobile network operators, payment networks all have a role to play in educating us so we can raise higher barriers to the fraudsters.
But it’s not just up to those big entities. As individuals, we can contribute to the solution, to the work of prevention.
If you’re reading this, you’re broadly in the payments industry. You know how serious this is and will become over time. Here’s some actions you can take:
- Read through the UK Finance’s Take Five to Stop Fraud site. Its toolkits are a great resource that can help guide your discussion with friends and family. Nothing could be more British than its Take Five Over Tea with Loved Ones PDF.
- Tell your family, especially your elders and the innocent. Children need guidance and guardrails online. Here’s another reason for them.
- Tell your friends what you know. Ask them what their experience has been. Tell them what to do.
- Take a few minutes when you’re with your wider community, in the real world and online. Tell them how scammers operate. Let them know how sophisticated and patient the fraudster can be.
- Tell everyone that if they ever feel pressured to send money, that’s a sure sign of a scam.
- Offer to help. That can help buy time and calm emotions.