As real-time payments continue to take off across the globe, we’re unfortunately seeing a steep rise in an associated real-time risk: Authorized Push Payment (APP) fraud, used to steal from unsuspecting victims. As a result, regulators are having to rethink how they protect consumers, and a key change is to shift the burden of responsibility from consumers onto banks and credit unions.
Financial institutions (FIs) need to get ahead of this shift to protect their customers and preserve their customers’ hard-won trust.
The rise of Authorized Push Payment fraud
APP fraud, also known as payer manipulation fraud, is a social engineering attack where fraudsters attempt to manipulate consumers and businesses into making manual payments via bank transfer to a fraudster’s account. This attack vector effectively causes customers to steal from themselves. While there are various forms of APP fraud, from romance scams through to bank security staff impersonation, the outcome is always the same: The consumer or business loses money — and often has no recourse in recovering it.
Last year, US Senator Elizabeth Warren released data she had received from four big banks whose accounts use Zelle, a digital payments platform. The industry data showed that scam and fraud claims, such as APP fraud, were on track to exceed $255 million in 2022, up from $90 million in 2020.
With this added threat to the security of customers’ transactions, banks and credit unions may need a new approach to continue delivering secure online services. Two-factor authentication (2FA) offers a basic level of protection against typical phishing attacks in which the fraudster has stolen a customer’s username and password. With APP fraud, however, the fraudster has the legitimate customer perform the transaction, so every factor is satisfied by the genuine account holder and multi-factor authentication (MFA) is effectively bypassed: MFA verifies who is authorizing a payment, not whether that person has been manipulated into authorizing it.
The downside of real-time payments
Real-time payments (RTPs) enable consumers and businesses to send and receive payments instantly. However, with the added benefits real-time electronic payments offer, the technology also introduces real-time risks.
First, immediate payments are irreversible, which means that victims of APP fraud can’t reverse the payments when they realize they’ve been tricked. Second, since they approved the transactions themselves, victims receive little sympathy or support from their banks.
With the imminent rollout of FedNow, the Federal Reserve’s instant payment offering, this issue is top of mind for US banks and regulators. What’s more, it’s a global challenge that still needs to be effectively resolved. As a result, the fraud and security industry is working hard to find ways to protect vulnerable customers from becoming victims of these attacks.
Will regulatory mandates solve APP fraud?
On the whole, the financial services industry continues to grapple with the right approach to handling these incidents and preventing future attacks. There is an ongoing debate around liability: should banks refund customers who have lost money to APP fraud, or does the onus rest on the customer, the victim of the scam? And where does the boundary lie between the protection offered by banks and the customer’s responsibility for their own funds?
While the US is debating the issue, the UK is taking a more hands-on approach. Driven by a lack of consistency and action from banks, the UK Payment Systems Regulator has chosen to implement a raft of measures to combat the growth of these scams.
These measures include:
- Mandating banks and other payment providers to reimburse victims.
- Placing the responsibility on the banks to refund the loss.
The proposed measures also include a mandatory name-checking service, Confirmation of Payee (CoP), consumer reimbursement obligations for all banks, and active monitoring.
Payment authentication: The added risk of siloed data
While we expect many banks to resist the reimbursement option, they could benefit by thinking bigger, beyond this immediate pain. Customers caught out by APP scams will logically turn to their banks for a solution. Those who simply deflect culpability — without clearly showing how they’re actively protecting their customers — could suffer a loss of trust, reputation, and eventually customers.
But the crux of the matter is that APP fraud is an attack rooted in human manipulation: unsuspecting victims consciously approve the payments themselves. This type of attack remains difficult to intercept or stop, especially when FIs rely on siloed authentication mechanisms.
In essence, the industry needs a holistic approach to payment authentication to solve this problem. Against this type of attack, additional authentication factors alone do not offer sufficient protection. For example, signals from the customer’s mobile phone might only indicate that the customer is on a call, which is a hint that they may be being coached, not proof of fraud. We also need more context on the destination account, such as how long ago it was opened and what type of account it is. That is where Context Aware™ Authentication can help.
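To make the point concrete, here is an added example (not code from this article or from any vendor’s product) of what combining payee context with device context can look like. It implements a simplified Confirmation of Payee name check like the one the UK measures above describe, then scores a payment request using the signals this section mentions: the CoP outcome, the age and type of the destination account, whether the payee is new, whether the amount is unusual for the customer, and whether the customer is on a phone call. The weights, thresholds, field names and sample payments are all constructed for illustration; the `customer_on_call` signal and the payee-name lookup are assumed to be available from the mobile app and the receiving bank respectively.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

# Constructed, illustrative weights and thresholds. A real deployment tunes these
# on its own fraud data; none of this is a regulator's or vendor's scoring rule.
RISK_HOLD = 60      # hold the payment for manual review
RISK_STEP_UP = 30   # pause, show a targeted scam warning, re-confirm intent


@dataclass
class PaymentContext:
    amount: float
    payer_typical_max: float      # largest amount this customer normally sends
    payee_name_entered: str       # name the customer typed for the payee
    payee_name_on_record: str     # account-holder name from the receiving bank (assumed CoP lookup)
    payee_account_opened: date    # when the destination account was opened
    payee_account_type: str       # "personal" or "business"
    new_payee: bool               # first payment to this destination account
    customer_on_call: bool        # telephony signal from the mobile app (assumed available)
    today: date


def _tokens(name: str) -> list[str]:
    """Lower-case the name, strip punctuation, and split it into tokens."""
    return re.sub(r"[^a-z ]", "", name.lower()).split()


def cop_match(entered: str, on_record: str) -> str:
    """Simplified Confirmation of Payee outcome: 'match', 'close' or 'no_match'."""
    a, b = _tokens(entered), _tokens(on_record)
    if a == b:
        return "match"
    # Same surname and same first initial, e.g. "J. Smith" vs "John Smith"
    if a and b and a[-1] == b[-1] and a[0][0] == b[0][0]:
        return "close"
    return "no_match"


def score_payment(ctx: PaymentContext) -> tuple[int, list[str]]:
    """Combine payee context and device context into one risk score plus reasons."""
    score = 0
    reasons: list[str] = []

    outcome = cop_match(ctx.payee_name_entered, ctx.payee_name_on_record)
    if outcome == "no_match":
        score += 40
        reasons.append("payee name does not match the account holder")
    elif outcome == "close":
        score += 15
        reasons.append("payee name only partially matches the account holder")

    age_days = (ctx.today - ctx.payee_account_opened).days
    if age_days < 30:
        score += 25
        reasons.append(f"destination account opened {age_days} days ago")

    if ctx.payee_account_type == "personal" and ctx.amount > ctx.payer_typical_max:
        score += 20
        reasons.append("unusually large payment to a personal account")
    if ctx.amount > 2 * ctx.payer_typical_max:
        score += 10
        reasons.append("amount is more than double the customer's usual maximum")
    if ctx.new_payee:
        score += 10
        reasons.append("first payment to this payee")
    if ctx.customer_on_call:
        score += 15
        reasons.append("customer is on a phone call while authorizing")
    return score, reasons


def decide(ctx: PaymentContext) -> str:
    """Map the score to an action taken before the customer can authorize the payment."""
    score, _ = score_payment(ctx)
    if score >= RISK_HOLD:
        return "hold_for_review"
    if score >= RISK_STEP_UP:
        return "step_up_with_scam_warning"
    return "allow"


# Constructed sample payments (all names, dates and amounts are invented).
TODAY = date(2023, 6, 1)
ROUTINE = PaymentContext(120.0, 1000.0, "Jane Doe", "Jane Doe",
                         date(2015, 1, 1), "business", False, False, TODAY)
# Impersonation scam: "move your money to a safe account" while the caller is on the line.
SCAM = PaymentContext(4500.0, 1000.0, "Bank Fraud Team", "Alexei Volkov",
                      date(2023, 5, 25), "personal", True, True, TODAY)
# Legitimate but unusual: first payment to a tradesman, larger than usual, name abbreviated.
TRADESMAN = PaymentContext(2500.0, 1000.0, "T Brown", "Tom Brown",
                           date(2019, 3, 10), "business", True, False, TODAY)

if __name__ == "__main__":
    for label, ctx in [("routine", ROUTINE), ("scam", SCAM), ("tradesman", TRADESMAN)]:
        score, reasons = score_payment(ctx)
        print(f"{label}: {decide(ctx)} (score {score}) {reasons}")
```

The design point is that no single signal decides anything: the name mismatch, the week-old personal account and the in-progress call are each explainable on their own, but together they describe the classic impersonation pattern, so the scam payment is held while the genuine tradesman payment only gets a warning and a re-confirmation. The reasons list is kept so that the warning shown to the customer, and the analyst’s review, can name the specific context that triggered the step-up.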
Overcoming industry-wide digital payment fraud
Ultimately, the solution to APP fraud requires a collaborative, data-driven industry approach, one that involves stakeholders across the banking and payments ecosystem working together to develop new ways to combat this type of fraud.
Industry-leading FIs already leverage more holistic authentication technologies to get ahead of this type of fraud — before the customer is even presented with the opportunity to authorize a suspicious payment request. Shouldn’t you?
If you want to learn how your FI can offer secure payment authentication experiences that cover all your digital channels, get in touch with one of our experts.