Watch out for push payment fraud

Cybercrime has been on the rise since the pandemic. More of us have had to make online purchases, which means scammers have more opportunity to defraud us.

If you regularly make online payments, whether for goods or services, you’ll need to watch out for the latest technique fraudsters are using to get their hands on your money – push payment fraud.

Figures from UK Finance, the banking trade body, have revealed that £236 million was lost to push payment fraud, with banks unable to return nearly three-quarters (74%) of the lost money.

In the vast majority of cases (88%) it was individual consumers who were conned out of their money, with an average loss of £2,784. The remaining cases were made up of businesses, who lost an average of £24,335 each.

What is push payment fraud?

Push payment fraud happens individuals or businesses are tricked into sending a payment to a bank account controlled by fraudsters. Most commonly used to take money during housing transactions, or when paying professional service invoices, fraudsters will con victims intercepting mail or hacking emails, before sending a payment demand posing as the legitimate business.

And because payments made using real-time payment schemes are often irreversible, there’s a good chance you won’t even be able to claim back the payment once you realise you’ve been conned.

Automated Push Payment (APP) fraud scams, where victims are manipulated into making real-time payments to fraudsters, have a terrible and lasting impact on their victims, who are more often than not consumers. According to UK Finance, in the first half of 2022, APP fraud amounted to around £250 million, nearly half of total losses from fraud in that period.

What are the most common types of push payment fraud?

There are several ways that fraudsters use push payment fraud, including:

Property transactions – This kind of fraud can affect any party in a property purchase, including the buyers, sellers, estate agents and even the conveyancing solicitors. Fraudsters intercept the email chain between sellers, buyers, estate agents and solicitors, and change the payment information related to transfer of funds so that payments are diverted to the criminal’s account. Sums involved can be huge, and victims can be ruined.

Invoice fraud – Fraudsters either intercept emails, or make telephone calls purporting to be from an official body, to whom payment is owed, and get businesses or individuals to replace the genuine bank account details with those of the fraudulent account. This sort of crime also often occurs when individuals pay tradesmen for services and a fraudster sends an invoice pretending to be from your legitimate comtractor.

Account takeover –  Fraudsters initiate push payments to new payees – often across different channels with the goal of outsmarting existing fraud controls.

How to protect yourself against push payment  fraud

When you transfer money from your bank account, you usually have to give three bits on information, but only two of them are cross-checked by the bank. So, when you give the name of the payee, along with their account number and sort code, only the numbers are checked, so you could theoretically give in any name and it wouldn’t make any difference – giving the correct payee name is no guarantee the real payee will get the money.

In order to protect yourself or your business against push payment fraud, you should:

  • Never give anyone your security details, such as your PIN or full banking password – at most, banks will ask for random characters from them.
  • Never assume an email, text or phone call is authentic, these things are really easy to replicate.
  • Never let yourself be rushed, a genuine organisation will never press you for information and will always be patient.
  • Always follow your instincts – if something doesn’t feel right, there’s a good chance something is amiss.
  • Always stay in control – don’t panic and make a decision you’ll regret, especially if you feel you’re being pressured into it.

Why your business needs to be vigilant

Without doubt, there’s an urgent need to adopt a cross-sectoral approach to protect consumers and reduce harm from APP scams in the future. But any new measures implemented must be well-thought-out and targeted in the right areas.

In its consultation, the PSR has proposed requiring reimbursement for scam victims and splitting the funding of that reimbursement 50/50 between the sending bank and the recipient bank. The PSR’s thinking is that it would place more incentives on both the sending and receiving banks to stop APP scams. The PSR has stated that payments initiated via Open Banking would be included in these proposals.

However, alongside its work on APP scams, the PSR also has a policy programme aimed at driving Open Banking-enabled A2A payments to compete with cards for retail payment use cases. We’re concerned there is a fundamental tension between the PSR’s ambitions for A2A retail payments and its latest proposals to address APP scams.

Beware the unintended consequences

For Open Banking-enabled A2A retail payments to compete effectively with cards, it’s key they are fast, low friction, and low cost. Unfortunately, the PSR’s APP scam proposals have the potential to adversely impact all of these characteristics. And this is unlikely to be for any material benefit, given that most Open Banking-enabled A2A payments to merchants are already at significantly lower risk of APP scams.

Our first issue is with friction. The PSR’s proposals will likely result in banks introducing more warning screens and steps to A2A payment consent and authentication journeys, adding more friction to the use of A2A for retail payments.

More broadly, there’s a risk of banks slowing down payments as a result of these proposals. For example, by introducing a lower threshold for payments that are escalated for enhanced fraud checks.

While more friction and slower speed may be an appropriate response for A2A payments at genuine higher risk of APP scams, it’s not appropriate for Open Banking-enabled A2A retail payments to merchants. For these payments, merchants partner with a payment provider to immutably pre-populate the merchant’s payment account details for the consumer. This means the consumer is unable to be convinced to change these details by an APP scammer.

Furthermore, a merchant using Open Banking A2A payments in this way is also at much lower risk of themselves being a scammer, given the merchant is subject to additional due diligence by their Open Banking payments partner. This is on top of the detailed vetting already done by the merchant’s own bank when providing them with a business bank account.

This explains why a report by the Open Banking Implementation Entity (OBIE) called out that the risk of APP fraud in merchant initiation via PISP as “exceptionally low”, and that the inclusion of Confirmation of Payee and other warnings in these payments would introduce more friction and costs disproportionate to any benefits.

Finally, we also believe broader liability for reimbursement could negatively impact the economics of instant payments. At present, instant payments are typically free to consumers on the send side, and businesses pay to receive them. To claw back some of what they would spend on victim reimbursements, banks may pass higher costs on to businesses — which could sway a business’ decision on whether to accept retail transactions using Open Banking.

Taking the next steps

The PSR has stated Open Banking has the “clear potential” to facilitate A2A payments for retail transactions and compete with cards. To avoid diminishing this potential, before implementing its APP scam proposals we think the PSR should consider in more detail their potential impact on the ability of Open Banking-enabled A2A payments to effectively compete as a retail payment method.

Further, the PSR should support the burgeoning Open Banking ecosystem to enable richer sharing of data between Open Banking providers and banks. This will help support banks in making more targeted and informed decisions around the vulnerability of a specific A2A scenario to APP scams.

Industry-level data around fraud and Open Banking payments is currently extremely limited. We think this is something that industry and regulators can help to collate to inform collaborative, targeted measures across the industry.

If provided with the right environment in which to flourish, Open Banking-enabled A2A retail payments can compete with cards but also help address the issue of APP scams. Let’s work together on tackling APP fraud for the benefit of consumers and merchants. Let’s get the balance right.

Have you been a victim of push payment fraud? Share your experience with our business community.