Tackling authorised push payment fraud as a small business
In 2018, criminals using Authorised Push Payment (APP) fraud stole more than half a billion pounds from UK bank customers. These are mostly small businesses that are unaware of what push payment is, let alone how to deal with it. The Guardian describes APP as "a cruel scam so slick even the vigilant can be duped".
The rise of real-time payment schemes, e.g. Faster Payments, has made push payments more attractive to fraudsters because they can quickly take the money and run. APP is on the rise – but what is it?
What is APP fraud?
It's not actually new, but with the rise of social media it's becoming more common. It happens when con artists trick consumers or individuals at a business into making a payment to a bank account the fraudsters control. Since payments made through real-time schemes are irreversible, the victims can't withdraw the payment when they realise what's happened.
The process usually goes something like this:
- The scammer calls or emails a target posing as a genuine supplier or bank asking them to change the bank details they use to pay them. They work on the look and feel of the email to make their approach more convincing.
- The target is someone who's used that business legitimately.
- The scammer makes a demand for payment using a real-time scheme.
- The target makes the 'payment' - and boom, the scammer has the money in their account.
- Because the payment has technically been authorised by the target, there's no redress.
"They use social engineering techniques and may hack into email and other systems in order to set up their victims," says California-based data analytics firm FICO. "The defining factor in authorised push payment fraud is the use of real-time payment schemes to transfer the money to the fraudsters."
What can businesses do to prevent it?
Here are four tips to avoid APP fraud:
- Always confirm any bank account details directly with the company either on the telephone or in person before you make a payment or transfer any money.
- Criminals can access or alter emails to make them look genuine. Do not use the contact details in an email; instead, check the company’s official website or documentation.
- If you are making a payment to an account for the first time, transfer a small sum first, then use known contact details to confirm with the company that the payment has been received and that the account details are correct.
- Contact your bank straight away if you think you may have fallen victim to an invoice or mandate scam.
You can also:
- Have an agreed method of payment from the beginning of a business relationship. Whether people are ordering from you, or you from them, the payments need to be set up using an agreed method.
- Make sure you have a good relationship with your customers. The better you communicate with them, the more likely you both are to spot a scam.
- Make sure your customers know the risk exists. If they're aware, they can help, especially in relation to the protection of their own data and communications.
- Make sure staff are properly trained to recognise and react appropriately to the risks and indicators of APP fraud.
- Create a culture which includes good cyber security and data protection governance.
- Protect bank account details. They should be confirmed in person or on the phone and this should include asking security questions.
It's the old saying - prevention's better than a cure. The more effort you put into preventative measures that protect your business and your customers from APP fraud, the greater your chances of not becoming a victim. So be proactive in data protection and security practices, and make sure you have expert legal assistance on hand just in case anything does go wrong.