Authorised Push Payment Fraud

Authorised Push Payment (APP) fraud is big business for the criminals, and for good reason. Last year it netted them £355,000,000 in the UK, with two thirds of that coming from personal bank accounts, and the rest from business bank accounts. Only £83,000,000 was recovered from the criminals.

How’s it done?

APP fraud is when you’re tricked into sending money to a criminal. There’s no hacking of banking apps or accounts required.

Common scams include fraudsters phoning up customers claiming to be from their bank, often saying they are from the fraud team, and getting the customer to transfer their money into a ‘safe’ account.

Another common scam used on businesses is intercepting emails (usually by hacking into your email service) and sending fake ‘change of bank account’ emails to your customers, or pretending to be from a supplier with the same type of email.

What to do if you’re a victim

The problem with this type of fraud is that the customer ‘willingly’ sends the money to the fraudulent account; it’s hard to prove that you were duped rather than making a deliberate choice to move the money.

Spotting APP fraud

Spotting APP fraud before you become a victim is the best defence. Check your bank’s website for their tips, which might include the use of two-step authentication via an app or additional passwords. Wherever possible you should enable this kind of authentication; it gives an additional layer of security.

The Get Safe Online website also has tips on avoiding fraud.

Here are some of our tips that might help you avoid becoming a victim of these scams:

  • Never take a caller’s word for it – If a caller claims to be from your bank, never take them at face value. Before you answer any questions, get them to confirm something that only your bank will know, like the value of your last transaction or the company you pay your electricity direct debit to. If they can’t answer those questions, hang up and call the bank back on a number you trust (like the one on the back of your bank card).
  • If you’re called on a mobile, make sure you hang up before trying to call the bank back. If it’s on a landline, hang up and wait at least 5 minutes to make sure the other caller has been disconnected. It’s easy for them to play the sound of a dial tone down the line to make you think they have rung off, then ‘intercept’ your call back to the bank.
  • The fraudsters are well practised at conning people into believing them. If you’re asked a ‘security question’, give a wrong answer to see if they pick it up.
  • Never give your full password or more than 3 letters or numbers.
  • Never give out an OTP (One Time Passcode) that you receive by text.
  • Text is easy to fake too. Never believe a text even if it claims to be from your bank; always double check it.
  • Never disclose any information you don’t think you should.
  • Never think it’s rude to hang up on someone if you don’t think they’re genuine. Your bank’s genuine call staff will not mind.
  • If someone calls you from a bank that you don’t bank with, just hang up. Don’t tell them you’re not a customer at that bank; that will help them get the right bank next time.
  • Never move your money into a ‘safe account’ or any account the bank asks you to. There is no such thing.
  • If you get any ‘change of banking details’ message by email, text or any other way, double check it’s genuine. Contact the sender on a known phone number and confirm it’s from them and that the details are correct.

3 Comments

Deborah M · August 8, 2019 at 4:33 am

Thanks for your help sorting out our recent fake invoice scam.

Matt Effoms · August 2, 2019 at 4:47 pm

We’ve had this happen to us a few times, twice from creditors and once from a debtor. It’s been their emails that have been hacked, but how can we detect these hacked emails?

    tinsleyNET Admin · August 6, 2019 at 3:12 pm

    Hi Matt

    The best way to identify these types of scam is through user education: make sure your accounts team know what to look out for. If you have a perimeter UTM you could include various keywords, phrases and masks to flag suspicious emails for further analysis, such as the words and phrases “change of bank details” and masks of 99999999 and 99-99-99.

    We can help configure your UTM or work with what technology you have to help with this, we can also provide tuition and guides for your staff, and new solutions to meet more complex needs. Give us a call or email us. #WeCanHelp
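As an added example (not code from the original post or from tinsleyNET), the keyword, phrase and mask checks the reply above describes, written as a stand-alone Python screen over constructed sample emails; the phrase list, the review/hold levels and the sample mails are assumptions made for this example:

```python
import re
from dataclasses import dataclass, field

# Phrases worth flagging (constructed list; extend to suit your own mail flow).
SUSPICIOUS_PHRASES = (
    "change of bank details",
    "changed our bank details",
    "new bank account",
    "updated payment details",
)

# Mask 99-99-99: a UK sort code. Mask 99999999: an 8-digit account number.
# Lookarounds stop a longer digit run (e.g. a 10-digit reference) matching.
SORT_CODE_RE = re.compile(r"(?<!\d)\d{2}-\d{2}-\d{2}(?!\d)")
ACCOUNT_NO_RE = re.compile(r"(?<!\d)\d{8}(?!\d)")


@dataclass
class Verdict:
    level: str                       # "clean", "review" or "hold"
    phrases: list = field(default_factory=list)
    sort_codes: list = field(default_factory=list)
    account_numbers: list = field(default_factory=list)


def screen_email(subject: str, body: str) -> Verdict:
    """Classify one mail for the accounts team.

    hold   - talks about changing bank details AND carries something that
             looks like UK bank details: confirm by phone on a known number.
    review - mentions changing details but gives none yet.
    clean  - everything else; 8-digit masks alone match too many invoice
             and order numbers to be useful on their own.
    """
    text = f"{subject}\n{body}".lower()
    phrases = [p for p in SUSPICIOUS_PHRASES if p in text]
    sort_codes = SORT_CODE_RE.findall(text)
    accounts = ACCOUNT_NO_RE.findall(text)
    if phrases and (sort_codes or accounts):
        level = "hold"
    elif phrases:
        level = "review"
    else:
        level = "clean"
    return Verdict(level, phrases, sort_codes, accounts)


if __name__ == "__main__":
    # Constructed sample mails, not real correspondence.
    samples = [
        ("Change of bank details", "Please pay 12-34-56, account 12345678 from now on."),
        ("Invoice 1042", "Thanks for your order, reference 20190806."),
    ]
    for subject, body in samples:
        print(subject, "->", screen_email(subject, body).level)
```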
