APP fraud continues to rise as criminals target bank customers online

The amount of money lost to victims of authorised push payments fraud in the UK rose to £479 million in 2020, as criminals used the Covid-19 pandemic to target people online.

The APP fraud losses documented by UK Finance are up 5% on the previous year, while the number of cases rose faster, increasing by 22% to almost 150,000 in 2020.

Banks were able to return £206.9 million of APP fraud losses to victims, more than three-quarters higher than the sum returned in 2019.

Impersonation scam cases, in which criminals impersonate trusted organisations to trick victims into handing over their money, almost doubled to 39,364 cases in 2020, the largest increase of all scam types.

During the pandemic, criminals sent phishing emails claiming to offer government support to those affected by Covid-19, scam text messages demanding payment to book a Covid-19 vaccine, and messages impersonating delivery companies to exploit the rise in online shopping.

To capitalise on the increase in online activity during the pandemic, UK Finance has also seen the emergence of criminals openly advertising fraud and scam services for sale online, including template phishing websites and custom-built scam apps which replicate real banking apps.

UK Finance is calling for fraud to be included in the scope of the government’s Online Safety Bill. This would ensure that online platforms such as social media firms, search engines and dating websites take action to address vulnerabilities in their systems that are being exploited by criminals to commit fraud.

Katy Worobec, managing director of economic crime at UK Finance, says: "We are seeing a worrying rise in online and technology-enabled scams that evade banks' advanced security systems and use digital platforms to target victims directly, tricking them into giving away their money or information.

"We urge the government to use the upcoming Online Safety Bill to ensure online platforms take action to protect customers by taking down scam adverts on search engines, removing fake profiles on online dating websites and tackling fraudulent content on social media."

On the upside, contactless card fraud losses fell by 22% to £16 million, the first annual fall since this data started being collected in 2013. This is likely to be related to lockdown restrictions limiting opportunities for criminals to commit contactless fraud using lost and stolen cards.

Comments (4)

Jeremy Light - Independent - London, 26 March 2021, 17:29

APP fraud is fast becoming a UK banking scandal.

UK Finance figures show APP fraud was £208m in H1 2020, so although the total for the year is up 5% on 2019, H2 fraud was £271m, a massive 30% increase on H1, and 10% up on H2 2019.

According to the PSR, 79% of APP scams occur on Faster Payments, so assuming this held for the whole year, £378m was through FPS, or 0.02% of FPS processed value for the year. This is still low compared to cards (0.075%), but cards are inherently far riskier than authorised push payments, and in absolute terms APP is catching up - UK card fraud was £620m in 2019 (UK Finance).

This matters because real-time payments are core to the future of UK payments, core to the adoption of Open Banking payments and core to the UK economy. They continue to grow at over 20% per year, such is the demand for them. But unless APP fraud is brought under control, real-time payments in the UK will be under threat - already there have been calls to "delay the payments", which would wreck the real-time proposition and business models that depend on it; and bank fraud systems are being used more frequently to hold outbound payments in some instances for further authorisation, compromising the customer experience.

There are initiatives to deal with APP fraud, such as confirmation-of-payee, the Contingent Reimbursement Model Code, and the Stop Scams initiative, but no-one seems to be taking overall responsibility for stopping APP fraud. For example, APP fraud is a priority for the PSR, but CHAPS is outside its scope (Bank of England), as are FIs only indirectly connected to the payment systems it regulates, as is, it would seem, APP fraud on on-us book transfers, while only a sub-set of banks use confirmation-of-payee or adhere to the CRM code.

The real issue is that APP fraud is a failing of account management rather than payment systems. Banks have a regulatory obligation for customer due diligence and KYC. Since all APP fraud payments must go from the victim's UK bank account to the fraudster's UK bank account (set up fraudulently, taken over, or herded), it shows that bank KYC and CDD are failing.

With almost 10 billion payments flowing annually through UK payment systems, it is fiendishly difficult to detect the 150,000 or so that slip through as APP fraud each year, but banks must do more to prevent it. Better technology should be used to monitor accounts for unusual activity and be used to detect unusual inbound payments, as well as outbound payments. I would hope that an account can be used only once to receive APP fraud, so the arrival in one of an unusual payment must be detectable, especially if followed shortly after by an attempt to make an unusual outbound payment.

Very little seems to be discussed on bank KYC in the context of APP fraud. Much of the emphasis is on the victim's bank, the sending bank, whereas it is the receiving bank, the fraudster's bank that is at fault.

It is time for the UK banking industry to step up and do more, be seen to be doing more and be accountable for fixing CDD and KYC failings in APP fraud.

While the regulatory initiatives focused on APP victims are laudable, and necessary, regulators can play their part to greater effect by also setting ceilings for APP fraud on each bank as a receiving bank, with severe enforcement penalties if the ceilings are breached.
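The receiving-bank detection pattern raised in the comment above (an inbound credit that is unusual for the account, followed shortly by an attempt to send most of it straight back out) can be written down as a concrete rule. The Python below is an added illustration for this page; it is not code from UK Finance, any bank, or the commenter. The account names, payment records, and the thresholds (a credit over 5x the account's median prior credit, or over £1,000 on an account with fewer than five prior credits, followed within two hours by an outbound payment of at least 80% of that credit) are constructed assumptions for the example, not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Payment:
    """One movement on a customer account, as the receiving bank would see it."""
    account: str        # the bank's own customer account (constructed identifier)
    ts: datetime
    direction: str      # "in" = credit to the account, "out" = debit from it
    amount: int         # pence, to avoid floating-point money
    counterparty: str   # other side of the payment (constructed label)


@dataclass(frozen=True)
class Alert:
    account: str
    inbound_ts: datetime
    inbound_amount: int
    outbound_ts: datetime
    outbound_amount: int
    reason: str


# Hypothetical tuning parameters; a real deployment would calibrate these
# against the bank's own base rates of credits and false positives.
MIN_HISTORY = 5                   # prior credits needed before trusting a per-account baseline
BASELINE_MULTIPLIER = 5           # credit above 5x the median prior credit is "unusual"
NEW_ACCOUNT_THRESHOLD = 100_000   # £1,000: floor for accounts with thin history
OUTBOUND_FRACTION = 0.8           # outbound of >= 80% of the credit counts as "drained"
WINDOW = timedelta(hours=2)       # how soon after the credit the drain must happen


def unusual_inbound(amount: int, prior_inbound: List[int]) -> Optional[str]:
    """Return a reason if this credit is unusual for the account, else None.

    Accounts with little history (newly opened, as a mule account would be)
    get an absolute floor; established accounts are compared to their own median.
    """
    if len(prior_inbound) < MIN_HISTORY:
        if amount >= NEW_ACCOUNT_THRESHOLD:
            return (f"thin history ({len(prior_inbound)} prior credits) and credit "
                    f">= £{NEW_ACCOUNT_THRESHOLD / 100:,.0f}")
        return None
    base = median(prior_inbound)
    if amount > BASELINE_MULTIPLIER * base:
        return f"credit is {amount / base:.1f}x median prior credit (£{base / 100:,.2f})"
    return None


def detect_pass_through(payments: List[Payment]) -> List[Alert]:
    """Flag accounts that receive an unusual credit and are drained within WINDOW."""
    alerts: List[Alert] = []
    by_account: Dict[str, List[Payment]] = {}
    for p in sorted(payments, key=lambda x: x.ts):
        by_account.setdefault(p.account, []).append(p)

    for account, history in by_account.items():
        prior_inbound: List[int] = []
        for i, p in enumerate(history):
            if p.direction != "in":
                continue
            reason = unusual_inbound(p.amount, prior_inbound)
            prior_inbound.append(p.amount)  # the credit becomes part of the baseline
            if reason is None:
                continue
            # An unusual credit alone is not actionable (a first salary looks the
            # same); only a rapid drain of most of it completes the pattern.
            for q in history[i + 1:]:
                if q.ts - p.ts > WINDOW:
                    break
                if q.direction == "out" and q.amount >= OUTBOUND_FRACTION * p.amount:
                    minutes = int((q.ts - p.ts).total_seconds() // 60)
                    alerts.append(Alert(account, p.ts, p.amount, q.ts, q.amount,
                                        f"{reason}; £{q.amount / 100:,.2f} sent out {minutes} min later"))
                    break
    return alerts


# Constructed sample ledger: one established customer, one new mule account,
# and one established account that suddenly receives and forwards a large sum.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE: List[Payment] = [
    *[Payment("ACC-LEGIT", T0 + timedelta(days=30 * k), "in", 210_000, "EMPLOYER LTD") for k in range(6)],
    Payment("ACC-LEGIT", T0 + timedelta(days=150, minutes=30), "out", 150_000, "LANDLORD"),
    Payment("ACC-MULE", T0 + timedelta(days=151), "in", 2_350_000, "VICTIM"),
    Payment("ACC-MULE", T0 + timedelta(days=151, minutes=40), "out", 2_300_000, "CRYPTO EXCHANGE"),
    *[Payment("ACC-TAKEOVER", T0 + timedelta(days=7 * k), "in", 30_000, "FRIEND") for k in range(8)],
    Payment("ACC-TAKEOVER", T0 + timedelta(days=60), "in", 900_000, "VICTIM2"),
    Payment("ACC-TAKEOVER", T0 + timedelta(days=60, minutes=15), "out", 880_000, "MULE-B"),
]


if __name__ == "__main__":
    for a in detect_pass_through(SAMPLE):
        print(f"{a.account}: {a.reason}")
```

Run as a script, the sample produces alerts for ACC-MULE and ACC-TAKEOVER only: the legitimate account's salary credits trip the thin-history floor early on, but nothing drains them within the window, so no alert is raised. The two-step rule is what keeps the false-positive rate tolerable against the volume of ordinary credits; a customer who receives a large one-off payment and immediately pays it on would still be flagged, which is the trade-off a receiving bank has to tune with its own data.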

Bob Lyddon - Lyddon Consulting Services - Thames Ditton, 29 March 2021, 11:59

Hi Jeremy, I think it requires all sides of the problem to be addressed simultaneously: (i) the CDD failures that lead to the scammers obtaining accounts; (ii) the exculpation of the payee's bank from checking the name in the payment with the name on the addressed account for every payment; (iii) a legal change to back that up, so that the payee name is part of the payment contract in addition to the sort code and account number.

With all those changes made, the liability would sit completely with the payee bank, and the payer would enjoy cover under the PSRs for incorrect execution i.e. if the banks contrived to pay a different payee from the one named in the payment contract.

This new situation should be a Day 1 deliverable of NPA: it is a nonsense that NPA has so far been scoped so as to allow this problem to continue.

Andrew Smith - RTGS & ClearBank - London, 29 March 2021, 13:26

Initiatives such as confirmation of payee are nothing more than a plaster over the issue.

KYC needs to be discussed, but that is easy to get around - something card schemes have known for a very long time - and they used to address directly.

The real issue comes from identity and identification of payment flows. Almost always push fraud is complete because the scammer looks genuine enough. However, if payments moved to a verifiable identity paying another verifiable identity basis, then this fraud would be stopped almost completely as the scammer wouldn't have the cryptographic control of who they claim to be.

Initiatives like confirmation of payee have taken a lot of money, time and effort to get into the marketplace, however their effectiveness will be short lived (if at all based on these figures). We need to stop thinking of short term fixes and tackle such systemic issues directly.

Ed Adshead-Grant - Bottomline Technologies Europe - Reading, 30 March 2021, 14:07

CoP can still transform these APP fraud figures if we collectively drive the UK adoption faster. There is still too much misinformation circulating and 'do nothing' strategies, with many waiting I fear in vain for the PSR to mandate everyone for action.

I see no logic in waiting for an ambiguous 'CoP Phase 2' at some point in the future, or another regulator intervention when in fact the majority of banks can join now in the 'Phase 1' inside 12 weeks.

The analogy that comes to mind is waiting to be the last bank to put a chip on their debit card. Fraud will be displaced to the weakest link where there is no CoP.

Safety in numbers - ubiquity of adoption this year - if you are a bank with your own sort code, check in with Pay.UK or Bottomline or the Open Banking team - you can join Phase 1 NOW to close this noise down, keep reputations and reduce these disappointing APP fraud numbers.