Push the button: Fraud by APPF
By Mark Kenkre
Mark Kenkre looks at new models of online banking fraud
An Authorised Push Payment Fraud (APPF) occurs when an individual is tricked into making a payment from their bank account into an account controlled by a fraudster, who often purports to be a representative of a legitimate organisation such as the bank, a contractor or even the police.
Fraudsters target victims in many ways, and the introduction of online banking has made APPF more appealing to criminals as the transfer of money can happen in real time. This means fraudsters can instantly move funds across multiple accounts which makes tracing and recovering the payment increasingly difficult.
It couldn’t happen to me…
The following are the most common types of APPF incurred in the UK:
- Invoice fraud
This occurs when a fraudster hacks into an individual’s email account, then pretends to be a contractor or company hired to carry out work. The fraudster will often issue a fake invoice for these works, of which the victim pays, in the belief they were paying the company who actually completed the work in question.
- CEO fraud
This occurs when a fraudster impersonates a high-ranking employee from the victim’s organisation and requests the victim transfers funds.
- Impersonation fraud
This occurs when fraudsters pose as a legitimate organisation such as a bank or a police officer. The fraudster will often inform the victim they need them to move large sums of money to a ‘safe' account which they later uncover as belonging to the fraudster.
Looking to the future, we envisage there will be an increase in fraudsters targeting individuals purchasing a property due to the large transactions involved with the sales process, and posing as representatives from energy suppliers due to the recent increase in the energy price cap. Property purchase will likely be of particular interest to fraudsters as they can intercept correspondence between parties and alter payment information which results in large payments being made directly into the fraudster’s account.
Representatives from the financial industry, consumer groups and the financial regulator have been working collaboratively over the past few years to increase consumer protection in the hope of reducing the number of APPF occuring within the UK. The pinnacle of this work has to be the implementation of the Contingent Reimbursement Model Code (CRM Code), a voluntary code that requires signatory banks to take active steps to protect their customers and to reimburse those who have fallen victim to APPF. As part of the CRM Code, banks are expected to educate their customers regarding APPF, to consider the vulnerabilities of the customer, and to provide adequate warning to the customer if they consider a transaction to be at risk of APPF.
Stop! Are you sure you want to make this payment?
Many customers will be unaware banks have technology which allows them to check the recipient’s name matches that which is registered to the account number and sort code provided by the customer. In turn for this protection, banks expect consumers to pay close attention to any warnings which they issue regarding potential fraudulent transactions, and consumers must have a reasonable basis for believing the payment was for genuine goods or services and the recipient was legitimate.
There is no doubt the CRM Code is a step in the right direction. However, there is considerably more that needs to be done in order to reduce the level of APPF in the UK. This is reflected in statistics prepared by UK Finance which found a total of £479m was lost as a result of APPF across the 149,946 cases reported in 2020. This is a considerable increase to the losses incurred in 2019 – the year in which the CRM Code was implemented – which has led to increasing calls for the CRM Code to be mandatory, as opposed to voluntary. This would not only ensure customers are afforded requisite protection from APPF, but will incentivise the banks to adopt stringent measures to prevent instances of APPF in the future.
Mark Kenkre is partner with Keller Lenkner UK: kellerlenkner.co.uk