If you think there’s nothing more insidious than phishing attacks, think again. There’s another form of social engineering that’s even more difficult to prevent. Authorized push payment (APP) fraud accounted for a staggering 75% of all digital banking fraud in 2022. Financial losses from APP fraud are projected to double across the UK, India and the US in the next four years, hitting $5.25B by 2026.
The reason APP fraud is on the rise: companies don’t have a way to stop it. After all, customers willingly approve the payment. How does this happen? APP fraud occurs when a fraudster pretends to be someone from a company or service the victim trusts, like their bank or their water or power utility, and tells the individual they owe money (or some other lie). By creating a sense of urgency, scammers convince the victim to transfer money out of their bank account to one controlled by the scammer, often a mule account used to move illicit funds on behalf of criminals.
Some victims — turned into puppets — have seen their entire savings swept away in a flash. Once the money is transferred, it is nearly impossible to recover because, as the term, ‘authorized push payment’ suggests, the transaction is authorized by the victim. Who is accountable for the loss? That’s a question under debate. In the UK, regulators of the Faster Payments system will require banks to reimburse business victims starting in October 2024.
In this blog post, we’ll cover how APP fraud slips past today’s defenses and the tactics that fraudsters use to trick victims. Most importantly, you’ll learn about new methods and strategies for preventing APP fraud — before the money is transferred.
Traditional customer identity and access management (CIAM) solutions are designed to catch account takeover (ATO) fraud that starts at login in the form of credential stuffing, phishing, brute force or other means. But APP fraud doesn’t need to employ the same tactics because the legitimate user authenticates the money transfer. As a result, typical ATO detection techniques don’t work.
Sure, you might try to warn customers about APP fraud, but we’ve all been shouting from the rooftops about phishing and social engineering for years — with disappointing results. Scammers often succeed by targeting the elderly and other individuals who are less savvy and skeptical.
Masters of deception, they’ll create a sense of urgency by telling victims, “Your bill is past due…” or, “Your account has been hacked.” Key to the art of persuasion, they use leaked information about the victim to sound credible and then press that sense of urgency. Fearing ramifications, victims transfer money immediately. This can happen through various channels, including email, phone calls or text messages.
Examples of how fraudsters deceive victims through impersonation:
In all these contrived scenarios, the key element is deception: making the victim believe they are transferring money for a legitimate and urgent reason. Even when an alert pops up, fraudsters will convince the customer to ignore it by saying, “That’s a standard warning that always appears. Just close that window.” So smooth.
In an ideal world, the consumer (a would-be victim) knows to verify the recipient before making any money transfers, especially when prompted by unsolicited communications. But as we’ve learned from phishing attacks, banks and other companies cannot rely on customers to protect themselves.
There is clearly a gap in security and a dire need for APP fraud detection. With this in mind, Transmit Security has developed a new approach for detecting this highly deceptive form of social engineering, built as a three-step process:
Step 1: Detecting suspicious behavior and transactions
It’s essential to detect suspicious behavior based on intelligence collected throughout the user journey. Is the user pausing more than usual? If so, this may indicate the customer is being coached. Or perhaps they’re “too fluent,” moving along more quickly than usual. Maybe they are carrying out an activity outside of their normal patterns. Any behavior that strays from that individual’s norm could indicate a fraudster is in control. With Transmit Security’s advanced behavioral biometrics, you can detect all of this.
Transaction intelligence is continually analyzed to detect anomalies. For example, is the money transfer going to a new or atypical recipient and are similar transactions happening at a high frequency? If so, these are clear risk signals. Transaction size can also indicate APP fraud; for instance, if the amount is slightly below the bank’s threshold for additional controls, this could be a fraudster trying to fly under the radar.
Context-aware, orchestrated security also checks device and network reputation, mule accounts and lists of targeted banks (typically ones with easier account opening processes). It even looks at call center intelligence and weighs the customer’s age as a factor since the elderly are commonly targeted by APP fraud.
Machine learning (ML) and AI analyze these risk signals in the full context of everything that’s happening in real time — to detect suspicious transactions and stop APP fraud before the money is gone.
Step 2: Increasing interaction with the customer
Transmit Security has devised a way to increase the friction with customers and fraudsters, significantly reducing the success rate of APP fraud. If there are enough signs of a risky transaction, our solution allows you to probe for answers that will help you understand:
With all of the information above, Transmit Security is able to rapidly re-assess the level of risk for the transaction.
Step 3: Validating and verifying the money recipient (individual & business)
Whether it’s an individual or business, use data validation to check the money recipient’s phone number (a prepaid number would indicate risk), email address (who registered and when) or company website (who registered and when). At the same time, verify if there is a match between the recipient’s email address and the company website.
If the data appears to be legitimate, the final step is to validate the business and/or individual. When validating a business, leverage our leading Know Your Business (KYB) verification methods. For an individual, contact the money recipient and use identity verification in order to analyze their photo ID and selfie. At the same time, you can check the money recipient’s device fingerprint.
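To make the three steps concrete, here is an added example (not Transmit Security’s code) of a rule-based risk scorer: step 1 collects the signals the post lists (new recipient, amount just under the control limit, a burst of transfers, pace that deviates from the user’s baseline, an elderly customer), step 2 turns them into an allow/review/step-up decision, and step 3 checks that a payee’s e-mail domain matches the company website. All thresholds, field names and the sample transfers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Tuning values are constructed for this example, not figures from the post.
CONTROL_LIMIT = 5000.00          # amount at which the bank applies extra controls
NEAR_LIMIT_BAND = 0.10           # within 10% under that limit counts as "just below"
BURST_WINDOW = timedelta(minutes=30)
BURST_COUNT = 3                  # transfers inside the window that count as a burst

@dataclass
class Transfer:
    recipient: str
    amount: float
    at: datetime
    pace: float   # time per form step relative to the user's baseline (1.0 = normal)

def risk_signals(t: Transfer, known: set, recent: list, age: int) -> list:
    # Step 1: the transaction and behaviour anomalies listed in the post.
    checks = [
        ("new_recipient", t.recipient not in known),
        ("amount_just_below_limit",
         CONTROL_LIMIT * (1 - NEAR_LIMIT_BAND) <= t.amount < CONTROL_LIMIT),
        ("high_frequency",
         sum(1 for x in recent if t.at - x.at <= BURST_WINDOW) + 1 >= BURST_COUNT),
        ("pace_deviation", t.pace > 1.8 or t.pace < 0.5),  # coached, or too fluent
        ("targeted_age_group", age >= 65),
    ]
    return [name for name, hit in checks if hit]

def decision(signals: list) -> str:
    # Step 2: decide whether to add friction before the money moves.
    if "new_recipient" in signals and len(signals) >= 3:
        return "step_up"      # hold the transfer and question the customer
    if len(signals) >= 2:
        return "review"
    return "allow"

def recipient_data_consistent(email: str, website: str) -> bool:
    # Step 3: does the payee's e-mail domain match the company website?
    host = (urlparse(website).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return email.rsplit("@", 1)[-1].lower() == host

# Constructed sample: elderly customer, third transfer in 30 minutes, unknown payee, amount just under the limit.
NOW = datetime(2024, 1, 15, 10, 0)
KNOWN = {"landlord", "electric-co"}
RECENT = [Transfer("landlord", 900.00, NOW - timedelta(minutes=25), 1.0),
          Transfer("electric-co", 120.00, NOW - timedelta(minutes=10), 1.1)]
SUSPECT = Transfer("new-payee-7781", 4800.00, NOW, 2.2)
```

Calling `decision(risk_signals(SUSPECT, KNOWN, RECENT, 72))` returns "step_up", the point at which step 2’s extra questioning and step 3’s recipient checks would begin.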
It’s time to move beyond traditional reactive approaches where rules and models are based solely on past observations. Prepare for what lies ahead.
Our product redefines fraud management, offering an all-encompassing solution that combines cutting-edge technology and user-centric design, ensuring you stay ahead of evolving APP tactics. Discover Detection and Response or request a meeting so we can help you solve your toughest identity and fraud challenges.