How to Identify Authorized Push Payment Fraud Before It’s Too Late
New technologies present new opportunities for businesses to reach customers and conduct transactions. So-called "push" payments, or buyer-initiated purchases, are one example.
Of course, whenever new technologies and payment options hit the market, fraudsters are always quick to find new ways to take advantage of the situation. Push payments are no exception.
In this post, we'll explain a bit about push payments and how fraudsters are abusing them. We'll also provide some tactics that merchants, banks, and cardholders can use to protect themselves from this emerging threat.
What is Push Payment Fraud?
Push Payment Fraud
[noun] /po͝oSH • pā • m(ə)nt • frôd/
Authorized push payment fraud, or APP fraud, happens when a cybercriminal tricks a consumer into authorizing a payment under false pretenses. During the APP scam, the fraudster will pretend to be someone the individual trusts, like a bank or utility provider, then attempt to convince the individual to authorize the payment without much consideration.
With push payments, merchants receive funds from a transaction faster, while customers never have to transfer any personal information to conduct a purchase. It’s a win-win setup…right?
Unfortunately, resourceful fraudsters are already identifying ways to game the system. Authorized push payment fraud is deceptively low-tech, but surprisingly effective at separating cardholders — and merchants — from their money.
Pull Pay
- Merchant requests payment from buyer.
- Buyer authorizes payment, and merchant submits payment for clearing.
- Issuer releases funds to cover authorized amount.
- Merchant acquirer receives funds.
Push Pay
- The merchant provides a request for payment to buyer.
- Buyer initiates payment to merchant.
- Buyer authorizes payment, submitting directly for clearing.
- Merchant acquirer receives funds.
The term “APP fraud” is most widely used in the UK. In the US, we generally refer to the tactics employed here by their methodology; for instance, social engineering.
At their core, APP scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.
In essence, a push payment is a merchant-initiated payment. They let merchants provide invoices to buyers. Sellers can also submit payment requests through P2P apps like Venmo or Cash App. Buyers can then fulfill payments themselves; they don’t need to wait for merchants to batch and submit transactions for settlement.
How Does Authorized Push Payment Fraud Work?
Do you remember that old “Nigerian Prince” scam from the early days of the internet?
You’d get an email from somebody claiming to be foreign royalty. The sender would say they need you to give them a small, temporary loan. In exchange, you’d be entitled to a big reward later, once the prince reclaims the family fortune. Authorized push payment fraud actually has a lot in common with that trick, just in a more modern format.
APP fraudsters will begin by researching their victims. They will then carefully engineer a scenario through which they will attempt to manipulate an individual into approving a payment or releasing sensitive account information.
A few common methods that fraudsters use include:
So, we now have a better understanding of how fraudsters target individuals for APP scams. Next, let’s illustrate a few examples of how these scams might take shape in the real world.
Understanding APP Fraud: Common Examples
The point of authorized push payment fraud, from a criminal’s perspective, is to convince a victim to move money by impersonating someone that the victim recognizes and trusts. This can be a merchant, an employer, a governmental agency, or even a personal friend.
It can help to have a concrete example. So, here are a few examples of how APP scams might play out in the real world:
Person-to-Person Scams
These are APP scams that target individuals on a personal level. The fraudster will attempt to convince a person that they are a trusted friend or relative, and have the victim deposit money into a non-related account. The fraudster will usually claim to be in some kind of bind; for instance, needing money to pay a past-due bill, or having forgotten login details to an important account.
A target might also receive:
- Invoices that appear identical to ones issued by a child’s school, or fake bills from utility companies or service providers.
- Emails from a hairdresser, designer, or some other nonessential servicer looking to set up payment options.
- Personal ads, dating app scams, or other confidence scams in which scammers pose as people the individual has a relationship of some kind with.
Home Renovation Scam
In a neighborhood or apartment complex, it can be pretty difficult to hide ongoing renovations. It’s no different online, where homeowners might accidentally click fake links in search of contracting services or materials.
Fraudsters are always looking for the means to connect with potential victims. Home renovations are generally big investments, and thus present an opportunity for a big score.
Using fake invoicing with a contractor’s letterhead and details, the fraudster will send the homeowner fake payment information. Once the homeowner pays the fake invoice, the fraudster will disappear.
New Account & Supplier Scams
Fraudsters that have access to a consumer’s email address might be notified when their target opens a new account with an application or service provider online.
The fraudster will send a fake payment request, then use spoofing techniques to convince the consumer the invoice comes directly from that company’s billing department. This can be particularly tricky if auto-billing is enabled.
Merchants, too, can be targeted for this scam. All the fraudster needs to do is convince someone in the company’s billing department that they are a legitimate account provider. When this happens, the scam can roll on for as long as it takes the company to identify the scam.
Property Purchase Scams
If a fraudster is able to work out that a consumer is in the market for a new home or property, they may take advantage.
A scammer can pose as a mortgage broker or bank loan officer involved in the exchange. Or, they may operate silently, without any other party’s knowledge. In either case, the scammer intercepts communications between parties, then changes relevant payment details to hijack any payment and reroute the funds exchanged to their own account.
As you might imagine, this type of APP fraud can be devastating for consumers if enough money is on the line.
How Big of a Problem is APP Fraud?
The answer varies depending on the market in question. Remember that push payment fraud is mainly an issue in countries in which immediate money transfers are made possible by banks under the law, such as in the UK.
While US consumer law does accommodate some bank transfer activity, these transfers are generally only approved pending authentication. Say, for example, that a consumer wants to send immediate person-to-person payments to a friend or family member. They are technically loaned the funds by their bank or third-party payment aggregator until the transfer clears authentication. This gives banks in the US more time to identify and act against fraud.
In the UK, however, the Faster Payments Service allows instant transfer of funds ranging between £1 and £1 million sterling. Such payments are transferred almost immediately and are, therefore, irreversible. As a result of these easy transfers, UK financial losses linked to APP fraud increased by 71% in 2021. Push payment scams ran rampant during the pandemic, pushing them to the forefront of fraud schemes throughout the UK. Additionally, UK Finance reported £583.2 million in losses in 2021, which indicates a 74% increase from the previous year.
Obviously, these statistics hint that APP fraud is not only a very real threat to consumers, but that merchants and banks are also at risk.
APP Fraud: Impacts for Consumers, Merchants, & Banks
It’s not only cardholders that should worry about being victimized by push payment fraud. APP fraud negatively impacts everyone involved. Below, we break down the ramifications for each party involved:
REAL-LIFE EXAMPLE
Petty Son and Prestwich, a UK-based real estate firm, published a post on their blog outlining how they were targeted by an authorized push payment fraud scheme. “The fraudsters targeted our accounts department by replicating our director’s email address, so any correspondence they chose to send would appear as if the email had come from him,” they explain. The fraudster sent multiple emails to an employee in the department with questions aimed at “warming up” the individual.
“It was only when the accounts department phoned our director informing them we had reached our payment limit for the day, so they therefore wouldn't be able to make the payment, that the scam was discovered. On another day the payment would have been made. It was for £19,000! We now have a code word in place to thwart any further attacks.”
Regulatory Responses to Push Payment Fraud
As push payment scams become more commonplace, we should also expect them to increase in scope and sophistication.
There have been attempts to try and rein in authorized push payment fraud at the governmental level. In the UK, for instance, consumers and businesses were faster to adopt push payments. In response, the British government adopted the Contingent Reimbursement Model, or CRM.
The CRM is essentially a reserve of cash that signatories to the Code agree to fund. The reserve can then be used to reimburse victims of APP fraud attacks.
As we’ve noted before, though, government efforts often have limited utility. The CRM ensures that consumers are insulated from fraud losses and can reduce consumer anxieties about push payment fraud. Unfortunately, it doesn’t actually prevent any fraud from taking place.
Banking Industry Response to Push Payment Fraud
In the absence of any broader public education campaign, banks may need to take point on this issue. They will need to increase their efforts to inform and educate the public about APP scams as soon as possible. They should also continue to search for and provide resources and solutions to detect and fight back against fraud.
That raises the question: What tools and strategies do banks have at their disposal to manage this problem?
For banks, screening tools that deploy a combination of machine learning and human oversight may be the answer. These tools can help drill down and segment suspicious push payments from legitimate ones. The bank can then ask for additional verification to complete the payment.
Financial institutions are on the front lines in the fight against push payment fraud. That’s why they must take action to protect their customers — and themselves — against these attacks.
Fighting Push Payment Fraud: The Merchant’s Perspective
The good news is that there aren’t many new practices or technologies one should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.
We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.
Sellers should clearly outline:
- The circumstances under which they’ll request payment.
- How they’ll request payment.
- Signs to watch for to identify suspicious activity.
- What a customer should do if they suspect they’ve been a victim.
While it’s obviously important to protect customers, merchants also need to protect themselves against potential abuse. This means educating staff on this issue. Fraud managers should ensure that all staff members know:
- Who within the company has the authority to authorize push payments.
- Situations in which push payments are allowed.
- Red flags that suggest malicious activity, like business email compromise.
It’s also a good idea to monitor communications within the organization. Specifically, merchants should monitor any exchanges that begin from a source outside the company. They can use indicators like IP address and geolocation to spot these potential threats.
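One way to apply the monitoring described above, as an added example that is not part of the original article or any Chargebacks911 product: a Python screen for inbound mail that flags a payment approver's name arriving from an outside or lookalike domain, a mismatched Reply-To, and a company address sent from an unrecognized IP. The domain, staff name, networks, and sample messages are constructed for illustration, and the originating IP is assumed to be supplied by the company's own mail gateway.

```python
import difflib
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own directory and networks.
COMPANY_DOMAIN = "example-estates.test"
PAYMENT_APPROVERS = {"jordan avery"}  # display names of staff who approve payments
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # company mail relays

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "Jordan Avery" <jordan.avery@examp1e-estates.test>\n'
    "Reply-To: payments@freemail.test\n"
    "Subject: Urgent supplier payment\n\nAre you at your desk?\n"
)
INTERNAL = (
    "From: Jordan Avery <jordan.avery@example-estates.test>\n"
    "Subject: Q3 invoices\n\nSee attached.\n"
)

def screen_message(raw: str, origin_ip: str) -> list[str]:
    """Return the red flags found in one inbound message (empty list = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != COMPANY_DOMAIN
    flags = []
    # An approver's display name on an outside address is the classic BEC lure.
    if external and name.strip().lower() in PAYMENT_APPROVERS:
        flags.append("approver-name-from-external-domain")
    # Lookalike: nearly, but not exactly, the company domain.
    ratio = difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
    if external and ratio >= 0.9:
        flags.append("lookalike-domain")
    # Replies silently diverted to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-differs-from-sender")
    # A company address should only arrive via the company's own relays.
    ip = ipaddress.ip_address(origin_ip)
    if not external and not any(ip in net for net in TRUSTED_NETS):
        flags.append("internal-sender-from-untrusted-ip")
    return flags

if __name__ == "__main__":
    print(screen_message(SPOOFED, "203.0.113.7"))
    print(screen_message(INTERNAL, "192.0.2.10"))
```

Any flagged message that asks for a payment should be confirmed through a separate channel, such as the phone call or code word from the real-life example above, before funds move.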
FAQs
What are examples of push payment fraud?
In the US, we generally refer to the tactics employed here by their methodology; for instance, social engineering. At their core, push payment scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.
To illustrate, consider that these scams can take the shape of invoice scams, home improvement scams, and new account scams.
How do I stop push payment fraud?
The good news is that there aren’t many new practices or technologies merchants should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.
We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.