People are naturally trusting. It’s one of our great characteristics and, when wrapped up with empathy with our fellow human beings, helps us work together towards common goals. As with all strengths, of course, it also happens to be one of our most vulnerable areas too.
Fraudsters exploit this natural inclination to trust each other, and one of their favorite tactics when it comes to payments is Authorized Push Payment (APP) Fraud.
A business will be attacked regularly – often daily if it’s a big enough target – with potential APP fraudsters, and it will come in a variety of ways. It should also be said that the smartest people are just as likely to be scammed as anyone else, and the best way to prevent being scammed is knowing the tactics and techniques scammers use.
Only by being aware of the tactics can you prevent them. Otherwise, people’s natural instincts will kick in and before too long they might be saying to themselves ‘how could I be so stupid?’.
What is Authorized Push Payment Fraud?
Authorized Push Payment (APP) fraud is when a fraudster deceives a business into sending them a payment into a bank account controlled by the fraudster. This can be done in a variety of ways but is typically based on either social engineering techniques such as impersonation or hacking into payment systems to change bank account details.
Typical tactics used by fraudsters in Authorized Push Payment (APP) schemes
Often the best protection from any scam is simply the sheer number of potential targets for fraudsters. By being one of a large crowd, you can simply be lucky and never be targeted. This gives us a false sense of security, however, because once we are targeted, we may not be ready for it.
By catching us off-guard at the beginning, the scammer already has the advantage. The trick then, is to see the attack coming.
1. Authorized Push Payment Impersonation Fraud
APP fraud through impersonation is when the scammer pretends to be a person within your organization, or a supplier, and asks you to send them money either for a particular situation or as payment for goods or services.
A common scam is for a fraudster to pretend to be the CEO and contact someone (sometimes directly on the phone or by text message - and sometimes even using deepfake technology) within the company saying a third-party is in trouble; for example, trapped at an airport and needing money to pay for a flight home.
Due to the sense of urgency, and the tendency to follow orders from senior management without questioning them, the person will send the money to the fraudsters bank account. Very quickly, that money is then sent through numerous other channels and is difficult to reclaim once the scam is discovered.
How to prevent APP impersonation fraud
Training plays a big part in preventing this type of APP fraud, particularly when it comes to those impersonation schemes. Giving company-wide training regularly, highlighting these types of tactics used by fraudsters, will greatly improve the chances of your employees stopping them at the source.
Training also gives employees the psychological safety to raise concerns. It can be difficult for an intern or inexperienced employee to question a payment request from their CEO, so training must emphasize that they are right to query anything that seems odd. The best chance of encouraging this reporting is to put a clear and defined process in place. In other words, allow for that employee to report their concern to a dedicated person or department, rather than sending a message directly to the CEO.
2. Fraudulent payment requests
Another common tactic is to impersonate a supplier and send a fake invoice into the company. Depending on the level of knowledge the fraudster has, this can be timed to perfectly align with a typical payment.
This level of knowledge can often be a result of a successful phishing scam, where the fraudster has infiltrated your system through a malicious email. This allows them to look at typical payment times and amounts, the look and feel of the invoices, and the names of the individuals involved in the transaction.
For the person in finance making the payment, it can mean the fake payment request is almost indistinguishable from a real one.
How to prevent fraudulent payment requests
Again, training is important here – particularly when it comes to reporting suspicious emails. Another protection we have against fraudulent payment requests is modern payment systems, which use machine learning and anti-fraud detection algorithms to spot potential concerns and raising them with the human operator.
For example, if the bank account details for a regular supplier has been changed, a modern payment system will flag this and hold payment until the concerns are rectified.
Company policies, such as always putting payments through the accounts department (rather than company credit cards), also add a layer of protection against APP payment frauds.
3. Directly hacking payment systems
Fraudulent payment schemes involve tricking people into sending payments by using requests very similar to real ones, but with emails using a 0 instead of an ‘O’ for example. With direct hacking, fraudsters go into the systems and change the bank account details so, unless the payee studiously cross-checks all the details, will simply press ‘send’ and the payment goes to the wrong place.
These hacks are often a result of a successful phishing scheme, installing malware into an individual’s computer and allowing the fraudster to infiltrate payment systems from outside.
How to prevent direct hacking
Once again, training is important in terms of spotting phishing attacks and unusual activity. More specifically, having layers of security is the best defense.
In today’s era of remote working, having employees regularly log-in to the company’s VPN is vital for updating security systems against the latest threats, as well as asking them to regularly change passwords. Providing them with the latest security software for their home computer is again an important step.
Also, just like with those fraudulent payment requests, modern fintech payment systems will flag when details have been changed in a payment system and flag it to the operator (as long as it’s not the first payment).
Finally, a key piece of advice here is to pick up the phone and talk to the supplier directly. No-one will mind you taking care of their money, and it can be the best way to cut through any misdirection techniques thrown up by the fraudster.
The best defense against APP fraud is a good offense
Authorized push payments fraud is a growing worldwide threat. In the US, the number of digital fraud attempts went up 25% in the first four months of 2021, and in the UK there was a reported 71% increase in APP fraud in the first six months of the same year.
While modern technology provides excellent defenses against APP schemes, the fraudsters can leverage their own tools to keep attacking our systems and our people. It’s an arms race, and one where proactive businesses will be the winners.
By putting these measures in place, it may become the scammers asking themselves ‘how could I be so stupid?’ after targeting your company.
To learn how TransferMate's payment systems can help you prevent Authorized Push Payment fraud, get in touch with the team today.