Authorized Push Payment FraudHow to Spot & Limit Exposure to Push Payment Scams for Merchants, Banks, & Consumers

March 23, 2023 | 15 min read

This image was created by artificial intelligence using the following prompts:

A bad guy stares over the top of his cell phone looking ominous. He is planning on stealing from someone using his phone. Mainly colored red and teal, all other colors muted, bright, candid, wide angle, plain background, professional photography, hyper-realistic, masterpiece, cinematic lighting, insanely detailed, unreal engine lighting

Authorized Push Payment Fraud

In a Nutshell

APP fraud is a modern take on one of the oldest scams in the book. It’s wreaking havoc in international commerce, but are US consumers and merchants at risk? This article will take a deep dive into authorized push payment fraud to explain what it is, how it works, who it targets, and how you can keep it from impacting your bottom line.

How to Identify Authorized Push Payment Fraud Before It’s Too Late

New technologies present new opportunities for businesses to reach customers and conduct transactions. So-called "push" payments, or buyer-initiated purchases, are one example.

Of course, whenever new technologies and payment options hit the market, fraudsters are always quick to find new ways to take advantage of the situation. Push payments are no exception.

In this post, we'll explain a bit about push payments and how fraudsters are abusing them. We'll also provide some tactics that merchants, banks, and cardholders can use to protect themselves from this emerging threat.

What is Push Payment Fraud?

Push Payment Fraud

[noun]/po͝oSH • pā • m(ə)nt • frôd/

Authorized push payment fraud, or APP fraud, happens when a cybercriminal tricks a consumer into authorizing a payment under false pretenses. During the APP scam, the fraudster will pretend to be someone the individual trusts, like a bank or utility provider, then attempt to convince the individual to authorize the payment without much consideration.

With push payments, merchants receive funds from a transaction faster, while customers never have to transfer any personal information to conduct a purchase. It’s a win-win setup…right?

Unfortunately, resourceful fraudsters are already identifying ways to game the system. Authorized push payment fraud is deceptively low-tech, but surprisingly effective at separating cardholders — and merchants — from their money.

Pull Pay

  • Merchant requests payment from buyer.
  • Buyer authorizes payment, and merchant submits payment for clearing.
  • Issuer releases funds to cover authorized amount.
  • Merchant acquirer receives funds.

Push Pay

  • The merchant provides a request for payment to buyer.
  • Buyer initiates payment to merchant.
  • Buyer authorizes payment, submitting directly for clearing.
  • Merchant acquirer receives funds.
 

Unfortunately, resourceful fraudsters are already identifying ways to game the system. Authorized push payment fraud is deceptively low-tech, but surprisingly effective at separating cardholders — and merchants — from their money.

The term “APP fraud” is most widely used in the UK. In the US, we generally refer to the tactics employed here according to the methodology; for instance, social engineering tactics, etc.

At their core, APP scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.

Common Question What is a Push Payment?

In essence, a push payment is a merchant-initiated payment. They let merchants provide invoices to buyers. Sellers can also submit payment requests through P2P apps like Venmo or Cash App. Buyers can then fulfill payments themselves; they don’t need to wait for merchants to batch and submit transactions for settlement.

How Does Authorized Push Payment Fraud Work?

Do you remember that old “Nigerian Prince” scam from the early days of the internet?

You’d get an email from somebody claiming to be foreign royalty. The sender would say they need you to give them a small, temporary loan. In exchange, you’d be entitled to a big reward later, once the prince reclaims the family fortune. Authorized push payment fraud actually has a lot in common with that trick, just in a more modern format.

Protect your revenue against third-party fraud chargebacks, regardless of the source.REQUEST A DEMO

APP fraudsters will begin by researching their victims. They will then carefully engineer a scenario through which they will attempt to manipulate an individual into approving a payment or releasing sensitive account information. 

A few common methods that fraudsters use include:

Social Engineering

This occurs when a fraudster impersonates a trusted individual, such as a representative from a billing department, and contacts the cardholder directly. The fraudster uses targeted, personal details to convince the cardholder to change personal account details. The next time the cardholder tries to make a push payment, the money gets routed to the fraudster’s account, rather than the merchant’s.

Phishing

A fraudster impersonates a merchant and sends a fake invoice to a cardholder. The cardholder, assuming that the invoice is legitimate, makes the requested payment. The funds, however, go to the fraudster. This is phishing in the sense that the fraudster will often send fake invoices to multiple cardholders in hopes that at least a few will take the bait.

Learn more about phishing

Account Takeover

A fraudster gains access to partial or complete cardholder information. This can be done by stealing the information or buying it on the dark web. The fraudster then uses that information to try and conduct push payments to themselves.

Learn more about account takeover

So, we now have a better understanding of how fraudsters target individuals for APP scams. Next, let’s illustrate a few examples of how these scams might take shape in the real world.  

Understanding APP Fraud: Common Examples

The point of authorized push payment fraud, from a criminal’s perspective, is to convince a victim to move money by impersonating someone that the victim recognizes and trusts. This can be a merchant, an employer, a governmental agency, or even a personal friend. 

It can help to have a concrete example. So, here are a few examples of how APP scams might play out in the real world:

Person-to-Person Scams

These are APP scams that target individuals on a personal level. The fraudster will attempt to convince a person that they are a trusted friend or relative, and have the victim deposit money into a non-related account. The fraudster will usually claim to be in some kind of bind; for instance, needing money to pay a past-due bill, or having forgotten login details to an important account.

A target might also receive:

  • Invoices that appear identical to ones issued by a child’s school, or fake bills from utility companies or service providers.
  • Emails from a hairdresser, designer, or some other nonessential servicer looking to set up payment options.
  • Personal ads, dating app scams, or other confidence scams in which scammers pose as people the individual has a relationship of some kind with.

Home Renovation Scam

In a neighborhood or apartment complex, it can be pretty difficult to hide ongoing renovations. It’s no different online, where homeowners might accidentally click fake links in search of contracting services or materials.

Fraudsters are always looking for the means to connect with potential victims. Home renovations are generally big investments, and thus present an opportunity for a big score.

Using fake invoicing with a contractor’s letterhead and details, the fraudster will send the homeowner fake payment information. Once the homeowner pays the fake invoice, the fraudster will disappear. 

New Account & Supplier Scams

Fraudsters that have access to a consumer’s email address might be notified when their target opens a new account with an application or service provider online.

The fraudster will send a fake payment request, then use spoofing techniques to convince the consumer the invoice comes directly from that company’s billing department. This can be particularly tricky if auto-billing is enabled. 

Merchants, too, can be targeted for this scam. All the fraudster needs to do is convince someone in the company’s billing department that they are a legitimate account provider. When this happens, the scam can roll on for as long as it takes the company to identify the scam. 

Property Purchase Scams

If a fraudster is able to work out that a consumer is in the market for a new home or property, fraudsters may take advantage. 

A scammer can pose as a mortgage broker or bank loan officer involved in the exchange. Or, they may operate silently, without any other party’s knowledge. In either case, the scammer intercepts communications between parties, then changes relevant payment details to hijack any payment and reroute the funds exchanged to their own account.

As you might imagine, this type of APP fraud can be devastating for consumers if enough money is on the line. 

How Big of a Problem is APP Fraud?

The answer varies depending on the market in question. Remember that push payment fraud is mainly an issue in countries in which immediate money transfers are made possible by banks under the law, such as in the UK.

While US consumer law does accommodate some bank transfer activity, these transfers are generally only approved pending authentication. Say, for example, that a consumer wants to send immediate person-to-person payments to a friend or family member. They are technically loaned the funds by their bank or third-party payment aggregator until the transfer clears authentication. This gives banks in the US more time to identify and act against fraud. 

In the UK, however, the Faster Payments Service allows instant transfer of funds ranging between £1 and £1 million sterling. Such payments can be transferred fairly immediately and are, therefore, irreversible. As a result of these easy transfers, UK financial losses linked to APP fraud increased by 71% in 2021. Push payment scams ran rampant during the pandemic, pushing it to the forefront of fraud schemes throughout the UK. Additionally, UK Finance reported £583.2 million in losses in 2021, which indicates a 74% increase from the previous year. 

Obviously, these statistics hint that APP fraud is not only a very real threat to consumers, but that merchants and banks are also at risk. 

APP Fraud: Impacts for Consumers, Merchants, & Banks

It’s not only cardholders that should worry about being victimized by push payment fraud. APP fraud negatively impacts everyone involved. Below, we break down the ramifications for each party involved:

Consumers

Consumers are on the ground floor of most APP scams. Most consumers have just a basic understanding of fraud prevention techniques. They generally invest less time and energy on fraud prevention than merchants and banks as a group. As a result, fraudsters specifically target consumers because there is less expectation of pushback.

Obviously, push payment fraud impacts on consumers can be quite severe, from general money loss to extreme data breaches and account takeovers. Consumer accounts can be emptied, their privacy compromised, and their lives utterly upended. However, it is the consumer who is afforded the most fraud protections under EU and US law. In the US, for example, consumers are usually only held liable for acts of fraud of $50 or less.

Merchants

Merchants can be targets for social engineering and phishing attacks. As mentioned above, fraudsters might target employees in an accounts payable department by spoofing an executive or manager’s email address. The object would be to convince the employee to divulge sensitive information that allows the scammer to drain accounts or expose entire databases.

This can cost merchants untold revenue. It can also do irreparable damage to their reputation. That’s why it’s important to be extra vigilant with push payments, regarding both customers and internal operations.

Banks

Aside from more apparent financial repercussions, push payment fraud can also deeply damages a bank's reputation with consumers and merchants.

Ask yourself: Would you feel comfortable sharing your money with a bank that is regularly associated with fraudulent attacks and data breaches? Probably not, which is precisely the issue with which banks are faced.

REAL-LIFE EXAMPLE

Petty Son and Prestwich, a UK-based real estate firm, published a post on their blog outlining how they were targeted by an authorized push payment fraud scheme. “The fraudsters targeted our accounts department by replicating our director’s email address, so any correspondence they chose to send would appear as if the email had come from him,” they explain. The fraudster sent multiple emails to an employee in the department with questions aimed at “warming up” the individual.

“It was only when the accounts department phoned our director informing them we had reached our payment limit for the day, so they therefore wouldn't be able to make the payment, that the scam was discovered. On another day the payment would have been made. It was for £19,000! We now have a code word in place to thwart any further attacks.”

Regulatory Responses to Push Payment Fraud

As push payment scams become more commonplace, we should also expect them to increase in scope and sophistication.

There have been attempts to try and rein in authorized push payment fraud at the governmental level. In the UK, for instance, consumers and businesses were faster to adopt push payments. In response, the British government adopted the Contingent Reimbursement Model, or CRM.

The CRM is essentially a reserve of cash that signatories to the Code agree to fund. The reserve can then be used to reimburse victims of APP fraud attacks.

As we’ve noted before, though, government efforts often have limited utility. The CRM ensures that consumers are insulated from fraud losses and can reduce consumer anxieties about push payment fraud. Unfortunately, it doesn’t actually prevent any fraud from taking place, though.

Banking Industry Response to Push Payment Fraud

In the absence of any broader public education campaign, banks may need to take point on this issue. They will need to increase their efforts to inform and educate the public about APP scams as soon as possible. They should also continue to search for and provide resources and solutions to detect and fight back against fraud. 

That raises the question: What tools and strategies do banks have at their disposal to manage this problem?

For banks, screening tools that deploy a combination of machine learning and human oversight may be the answer. These tools can help drill down and segment suspicious push payments from legitimate ones. The bank can then ask for additional verification to complete the payment.

Financial institutions are on the front lines in the fight against push payment fraud. That’s why they must take action to protect their customers — and themselves — against these attacks.

Fighting Push Payment Fraud: The Merchant’s Perspective

The good news is that there aren’t many new practices or technologies one should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.

We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.

Sellers should clearly outline:

  • The circumstances under which they’ll request payment.
  • How they’ll request payment.
  • Signs to watch for to identify suspicious activity.
  • What a customer should do if they suspect they’ve been a victim.

While it’s obviously important to protect customers, merchants also need to protect themselves against potential abuse. This means educating staff on this issue. Fraud managers should ensure that all staff members know:

  • Who within the company has the authority to authorize push payments.
  • Situations in which push payments are allowed.
  • Red flags that suggest malicious activity, like business email compromise.

It’s also a good idea to monitor communications within the organization. Specifically, merchants should monitor any exchanges that begin from a source outside the company. They can use indicators like IP address and geolocation to spot these potential threats.

Have other questions about merchant fraud prevention? Want to learn how you can save time and recover more revenue? Contact Chargebacks911® and get started today.

FAQs

What are examples of push payment fraud?

In the US, we generally refer to the tactics employed here according to the methodology, for instance, social engineering tactics, etc. At their core, push payment scams are confidence-based in nature. Any scam that includes that particular “human element” could be considered a form of APP fraud. According to a recent report by ACI Worldwide, it is also one of the most common forms of fraud globally.

To illustrate, consider that these scams can take the shape of invoice scams, home improvement scams, and new account scams.

How do I stop push payment fraud?

The good news is that there aren’t many new practices or technologies merchants should need to implement. Generally, the best defenses are the same best practices that protect against other fraud schemes.

We suggest merchants take time to educate their customers about the risk posed by authorized push payment fraud. This does more than enlighten customers. It also demonstrates that the merchant values their security and wellbeing, which will build positive customer relationships.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form