What Is Authorized Push Payment Fraud (APP Fraud)?
Essentially, This Is When Scammers Convince A Customer To Transfer Money To Them Via An Instant Payment
It is a form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation. As of 2019 in the United Kingdom, because the victims of these frauds authorized the payments, albeit mistakenly, they are typically not fully reimbursed by their banks.
What Is A Push Payment And How To Avoid Fraud?
Scammers are getting more and more sophisticated, and one of the newer forms of deception is authorized push payment fraud. Banks are currently deliberating on how to handle the aftermath of this, and how much compensation customers can claim.
Due to the fact it’s an instant payment, the money is already gone before the victim is able to reclaim it (as may happen with older forms of payments).
The requests for the money may come over the phone (in a call or via text) or by email or social media, and they are often sophisticated and socially engineered.
They may find you (via social media) and find out you’re having work done on your house (because you posted it) and send an invoice that matches that of your construction company. Or, they may call saying they’re your bank’s fraud team, ironically scamming you using the information you give them. The variations are endless.
For victims of this kind of fraud is that, since you technically gave the information willingly, it’s difficult to get compensation from the financial institutions. This is true in most scams – however, more and more police understand that it was based upon deception and thus is a crime.
Currently only about a fraction of the money lost to push payment fraud is refunded to customers, but work is underway to change this.
In the U.K. as part of a draft voluntary code of conduct for banks, it would become the standard that customers were refunded as long as they’d taken reasonable steps to check they were paying the correct person. Under the standard there will be eight reasons banks can decide not to reimburse customers:
- If they refuse to listen to warnings from their bank
- If they recklessly share (in their opinion) their security credentials
- If they don’t take steps to make sure the person they paid was correct
- If they lie to the bank
- If they are negligent (in their opinion)
- If they fail to heed a confirmation of the payee result (which is a future scheme whereby customers will be notified of the name of the payee rather than just the account number and sort code)
Unfortunately, there are no equivalent standards in the United States or elsewhere that we are aware of.
Remember, your bank is not an insurance company. They have limited protections, but this will not always help you – the rules are serious and unforgiving.
In The Meantime, Pay Attention!
- Never give your details to anyone who calls or emails or messages you without complete verification
- If it looks like it’s from somewhere or someone you might know, hang up and call them to confirm
- If from a financial institution – regardless of the reason for the request – do not respond, hang up and look up the authorized bank phone number on your card or statements or find their official website or email online and contact them
- Never believe your own caller ID or email addresses – often scammers can fake or clone these details easily