
Authorised Push Payment Fraud (APP Fraud): The perfect storm

The Digital Revolution is changing our lives every day, but human nature does not change, and with every technological advance, new crimes emerge. As digital makes deeper inroads into our financial affairs, we are all increasingly exposed to fraud. Most of us will have had a transaction blocked because our bank suspected that it might be fraudulent. In 9 cases out of 10, banks have been overzealous, and the payment is eventually cleared.

In an Authorised Push Payment Fraud, a criminal tricks his victims into sending money directly from their bank account to an account controlled by the scammer. This is a human hack that bypasses the controls and cyber defences put in place by banks and financial institutions, because it doesn’t look different from the hundreds of other transactions a customer may make each month. With APP Fraud, the robustness of a bank’s rules-based defences is almost irrelevant, as the individual customer is a Trojan horse – according to a Bleckwen white paper.

The UK Experience

In the UK, one of the few countries to track this emergent fraud in detail, £354 million was lost through APP frauds in 2018, a rise of 50% on the previous year. The number of reported cases almost doubled and reached 84,624 in 2018. Some other interesting figures to note: 90% of the UK APP Fraud is committed on digital channels. Additionally, 93% of fraudulently obtained transfers are sent over a Faster Payments network so the banks have little time to intervene and prevent the criminal from moving the funds. (Source: UK Finance – Fraud the facts 2019).


Rest of World?

PSD2 (Payment Services Directive 2) encourages the use of digital channels and fast transfers, as a means of replacing cheques, cash and bank cards. As Faster Payments becomes globally established through international networks such as SWIFT gpi, APP Fraud is expected to soar and take on epidemic proportions.

Australia has recently introduced a new national Faster Payments network and as you would expect, APP Fraud is on the rise. During the first half of 2017, Australian companies were the world’s second most popular target for business email compromise (BEC) scams such as CEO fraud. Australia received over 27% of global BEC attacks, trailing only the US. If the UK is a leading indicator, this will get a whole lot worse. The real tsunami will occur when the US finally implements Real-Time Payments (RTP) – and all the evidence points to the complicated and heterogeneous US banking system not being prepared for that.

What can be done? 

Financial institutions are right to err on the side of caution, but it comes at a cost as every (false) alert has to be actioned. For the customer, the experience of having a bona fide transaction blocked for no apparent good reason is nothing but frustrating. It is reassuring to know that in the case of actual card fraud, the customer is protected. Usually, the amounts of money involved are relatively small — an average of just over £250 in the UK — and any loss incurred is reimbursed by the banks.

Card fraud is growing, but not as fast as another type of fraud where the average loss is considerably higher — more than £4,000 – and which is not generally reimbursed. Authorised Push Payment (APP) Fraud, as it is called, is attractive to criminals for two reasons: the sums stolen are much larger, and banks have on the whole been helpless in detecting and preventing this type of fraud attack.

Banks have, until now, not been able to keep an eye on individual behaviours in real-time – the arena for almost all APP Fraud. But rapid advances in Artificial Intelligence (AI) are perfecting a technique known as behavioural analytics to detect payment anomalies which the fraudster may have tricked their victims into making.

Unlike rules-based systems, AI can track hundreds of variables in real-time at the individual account level to spot specific anomalies for each account and each client, and flag these to a fraud expert – in real-time 24*7*365, regardless of the channel being used. So, as more clients turn to digital and ever more digital channels to make payments, all these channels can be simultaneously monitored for APP and other types of fraud, such as account takeover and internal fraud.
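The contrast between a bank-wide rule and an account-level baseline can be shown in a few lines. This is an added example, not code from the article or from Bleckwen: it uses a simple robust-statistics score as a stand-in for an AI model, and the account names, payment histories, `STATIC_LIMIT` and the scoring weights are all constructed assumptions.

```python
from statistics import median

# Constructed payment history per account: (payee, amount in GBP).
HISTORY = {
    "acct-A": [("landlord", 950), ("energy", 80), ("landlord", 950),
               ("gym", 35), ("energy", 85), ("landlord", 950)],
    "acct-B": [("supplier-1", 12000), ("supplier-2", 8000),
               ("payroll", 15000), ("supplier-1", 11000)],
}

STATIC_LIMIT = 10_000  # hypothetical bank-wide rule: alert above this amount


def rule_based_alert(amount):
    """One threshold for every customer, blind to who is paying whom."""
    return amount > STATIC_LIMIT


def behavioural_score(account, payee, amount):
    """Score 0..1 from how unusual the payment is for this account only."""
    history = HISTORY[account]
    amounts = [a for _, a in history]
    centre = median(amounts)
    # Median absolute deviation: a spread estimate that outliers barely move.
    spread = median([abs(a - centre) for a in amounts]) or 1.0
    deviation = abs(amount - centre) / spread
    amount_part = min(deviation / 10, 1.0) * 0.6      # assumed weight
    known_payees = {p for p, _ in history}
    payee_part = 0.0 if payee in known_payees else 0.4  # assumed weight
    return amount_part + payee_part


def behavioural_alert(account, payee, amount, threshold=0.7):
    return behavioural_score(account, payee, amount) >= threshold


if __name__ == "__main__":
    cases = [
        ("acct-A", "new-payee", 4000),   # APP-style payment to an unseen payee
        ("acct-A", "landlord", 950),     # routine rent
        ("acct-B", "supplier-1", 12000), # routine business payment
    ]
    for account, payee, amount in cases:
        print(account, payee, amount,
              "rule:", rule_based_alert(amount),
              "behavioural:", behavioural_alert(account, payee, amount))
```

The £4,000 payment to a new payee passes the static rule but is flagged against acct-A's own history, while the routine £12,000 supplier payment trips the static rule and is not flagged by the per-account score.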

The post Authorised Push Payment Fraud (APP Fraud): The perfect storm appeared first on Payments Cards & Mobile.