Authorized Push Payments Fraud:
The New Armor in Fraudsters Kit

1. APP FRAUD AND ITS CURRENT TRENDS

The surge in APP fraud has been alarming. As reported by UK Finance in the first half of this year, forty-five million people received a suspicious text, recorded message or phone call over the last 3 to 4 months. An unknown communication is the start of the fraud cycle, and the sheer size of the fraudsters' activities suggests at least a doubling of UK Finance's record figure of £355 million for the first half of 2021, which has overtaken card fraud losses.

APP (authorized push payment) fraud happens when fraudsters deceive consumers, or individuals at a business, into sending a payment under false pretences to a bank account controlled by the fraudster. Real-time payments lower the risk for fraudsters: because money is transferred instantly, they can move payments through multiple accounts in a process of layering to launder the proceeds of the fraud and make tracing them more difficult.

Annual fraud losses in the UK within the next 18 months from 2020 are likely to be £2.4 billion. Victims will lose £1.7 billion, with the banks losing £0.7 billion in reimbursements. Since 2019, and given the increased fraudulent activities through 2023, over 1,000,000 people could be scammed. Being scammed causes intense financial and emotional stress to families.

What all these scams have in common is that criminals are using online platforms, including fraudulent advertising through search engines and social media, and fake websites. UK Finance analysis conducted earlier this year found that 70 per cent of authorized push payment scams originated on an online platform.

2. REASONS FOR SUDDEN SURGE IN APP FRAUD

The Covid-19 pandemic has increased the use of digital payments. Digital payments take place at the touch of a mobile screen, and their convenience has made them popular worldwide. Banks secure these payments using multi-factor authentication methods for card transactions and do extensive security checks on suspicious activities. Hence it has become difficult for fraudsters to break the security measures of banks and dupe customers. Account takeovers are not easy anymore. Because of this, fraudsters are finding newer ways to commit fraud, and the new trend is APP fraud. In authorized push payment fraud, victims are manipulated into making real-time payments to fraudsters, typically through social engineering attacks. Victims authorize the transfers themselves. Fraudsters don't need to hack the customer's bank account, and hence these frauds have been on a rising trend over the last couple of years.

3. REIMBURSEMENT LOSS TO BANKS

The Payment Systems Regulator proposed that banks must reimburse payments over 100 pounds ($107.39) in "authorized push payment" (APP) scams. The bank from which the money was sent, and the bank of the fraudster would split the reimbursement bill, the PSR said. Processing costs and fees charged to customers cannot exceed 35 pounds.

Such regulations on APP fraud are putting a lot of pressure on banks, and the reimbursement amount for APP fraud will be huge. Though customers are advised to be cautious while making transactions, it is assumed that for larger payments banks have a strong fraud management system in place that should detect and alert on APP fraud. Currently 46% of customers get reimbursed for APP scams, largely footed by the sending bank, and the PSR expects this to rise to over 95% under its new rule.

4. IMPACT ON CUSTOMERS

According to the annual fraud report published by UK Finance in 2022, 44% of the total fraud losses in the UK in 2021 were due to APP fraud. There were 195,996 cases of authorized push payment (APP) scams in 2021 with gross losses of £583.2 million, compared with £420.7 million in 2020. This was split between personal (£505.8 million) and non-personal or business (£77.4 million). A few victims of APP fraud have lost their lifetime savings to these scams.

(Source: Annual fraud report 2022, UK Finance)

5. TYPES/METHODS OF APP FRAUD

There are many ways a customer can be tricked into APP fraud.

· Impersonation scam: The fraudster poses as a bank official, government employee or police officer and convinces the victim to transfer money to his account.
· Honey trap, romance or dating app scam: The fraudster connects with the victim through social media or dating websites and pressures the victim to transfer money to his account for a medical emergency, a flight ticket purchase or some other personal reason.
· Purchase scam: The victim pays for products via online transfer but never receives the product.
· Investment scam: The fraudster convinces a victim to transfer money to a fictitious fund for big payouts or to pay for a fake investment.
· Fake invoice scams: These scams target both individuals and businesses. The invoice looks like, for example, a child's school fee invoice, but the victim ends up sending money to the fraudster's account.

6. USE OF SOCIAL ENGINEERING

Social engineering scams rely on tricking individuals with fraudulent interactions that appear legitimate, thereby ensnaring them into becoming active participants themselves. Social engineering scams went up by 57% in 2021 and one out of every three impersonation scams involved a payment over $1,000 USD.

Social Engineering Frauds are difficult to differentiate because the victim’s involvement makes it hard for financial institutions (FIs) to tell if the behavior is suspicious. In effect, the criminal is using the victim to circumvent security measures designed to thwart criminal actors.

Social engineering scams are also hard to stop because they come in a variety of forms, and criminals are getting even more creative. They can leverage the abundance of personal information floating around the internet along with spoofing capabilities or emerging technologies such as deepfakes to make compelling and personalized fraud schemes.

Steps that can be taken to prevent APP Fraud through Social Engineering

  1. Companies can invest in machine learning (ML) and artificial intelligence (AI) tools to better authenticate users, identify fake accounts and detect suspicious behavior.
  2. Companies should also educate consumers about potential scams and commonsense protections.
  3. Companies should also encourage customers to secure their social media accounts with multifactor authentication.

7. PREVENTION OF APP FRAUD THROUGH BEHAVIOR BIOMETRICS

Traditional fraud checks related to transaction monitoring alone are not enough to detect APP fraud. We need to understand whether the transaction carried out by the user is being manipulated by a fraudster, and this can be done through behavior biometrics analysis. Behavioral biometrics is adept at stopping fraudsters by detecting when they are using stolen information or manipulating users into entering their own information to access an online account. Behavioral biometrics detects when fraudsters try to use information obtained from social engineering attacks by monitoring how information is entered, not what information is entered.

8. TOOLS FOR APP FRAUD DETECTION

There are various tools in the market for fraud detection, but some specifically address APP fraud detection in detail. These tools combine behavior-based detection with niche analytics features and bring it all together in a hybrid model. Some niche tools also implement real-time fraud detection by recording digital behavior based on clicks, swipes and typing patterns and marrying that to human psychology to develop models that produce highly accurate profiling to detect advanced social engineering. Some advanced tools are building next-generation fraud defenses that can separate brute force fraud and impersonation attacks from highly sophisticated authorized push payment (APP) fraud. Beneficiary account monitoring is also one of the aspects that is critical in the detection of APP fraud.

Some tools learn from and adapt to the slightest deviations in behavior, comparing each event to the profile across a range of different entities simultaneously, in milliseconds, to determine any anomalies. It is this understanding of what genuine behavior looks like that enables the accurate recognition of genuine customers without blocking their activity while stopping fraud and scams. Tools use data such as login data, device data, 2FA data, behavior biometric data, session data, beneficiary data and payment data to create a risk score used to alert on high-risk behavior.

9. SOLUTION TO IDENTIFY PROSPECTIVE VICTIMS OF APP FRAUD

APP fraud detection is a factor of rich internal data supplemented by external data sources and enriched by social media network data. Carefully analyzing the physical and behavior biometrics data might also help us raise alerts. The modus operandi of APP fraud is interesting in that the fraudster convinces the victim to transfer funds from his account and use all the authorization information. All traditional methods, such as rule identification using historical data, watch list screening, transaction scoring and network analysis to detect collusion, are as always useful.

It is seen that people who have lost jobs recently, who are divorced and are on dating sites, old people with large bank balances, students looking for jobs, and people buying products online are all more prone to fall for APP fraud. We propose using customer-level data and profiling this data to identify customers who have a high propensity to become victims of APP fraud.

The solution that we suggest is calculating the "Propensity/Probability of an Individual Being a Victim of APP Fraud". This score will combine the user's historical data, transaction data and his proximity on social media to fraudsters or to others who have been defrauded, and generate one score. The system can use this score and, if it is high, do further checks before approving transactions of these individuals.

Some of the key attributes that can be accounted for here are: more transactions into the negative country list, has filed a police complaint, has filed a fraud complaint, has earlier been targeted in a fraud attempt, age profile, earlier transfer into a negative list/mule account, network relations/proximity to others who have been defrauded, multiple password resets, multiple phone number changes, sudden change in transaction pattern, multiple device changes, and observed behavior biometrics changes. AI-ML models can be built to create a score at customer level.
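The customer-level propensity score proposed above can be sketched as follows. This is an added example, not the authors' model: the feature names, weights, bias, cap and threshold are hypothetical stand-ins for the attributes listed, and a real system would learn the weights from labelled fraud cases.

```python
import math
from statistics import median

# Hypothetical log-odds weights for attributes listed above; a real model
# would learn them from labelled fraud cases.
WEIGHTS = {
    "negative_country_txns": 0.6,  # count of transfers to negative-list countries
    "prior_fraud_complaint": 0.9,  # 0/1
    "prior_mule_transfer": 1.4,    # 0/1, earlier transfer to a mule account
    "defrauded_contacts": 0.5,     # network proximity: contacts already defrauded
    "password_resets_30d": 0.4,
    "phone_changes_90d": 0.7,
    "device_changes_30d": 0.5,
    "biometric_drift": 1.2,        # 0..1 deviation from the behavioral profile
    "amount_deviation": 0.3,       # sudden change in pattern, computed below
}
BIAS, CAP = -4.0, 3.0              # assumed base rate and per-feature cap

def amount_deviation(history, amount):
    """Robust z-score (median/MAD) of a payment against the customer's own history."""
    if len(history) < 3:
        return 0.0                 # too little history to call anything unusual
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return max(0.0, (amount - med) / (1.4826 * mad))

def propensity(profile, history, amount):
    """Return (probability-like score, top three contributing attributes)."""
    feats = dict(profile, amount_deviation=amount_deviation(history, amount))
    contrib = {k: w * min(float(feats.get(k, 0)), CAP) for k, w in WEIGHTS.items()}
    score = 1 / (1 + math.exp(-(BIAS + sum(contrib.values()))))
    reasons = sorted((k for k in contrib if contrib[k] > 0), key=lambda k: -contrib[k])
    return score, reasons[:3]

def decide(profile, history, amount, threshold=0.5):
    """High score -> further checks before approval, as the text proposes."""
    score, reasons = propensity(profile, history, amount)
    return ("step_up" if score >= threshold else "approve"), round(score, 3), reasons

# Constructed sample data, not real customer records.
HISTORY = [40, 55, 60, 45, 50]
AT_RISK = {"password_resets_30d": 2, "phone_changes_90d": 1, "device_changes_30d": 2,
           "biometric_drift": 0.8, "defrauded_contacts": 1}

if __name__ == "__main__":
    print(decide({}, HISTORY, 52))         # routine payment, clean profile
    print(decide(AT_RISK, HISTORY, 4000))  # unusual payment, many risk signals
```

Returning the top contributing attributes alongside the score gives the analyst handling the step-up check a reason for the alert, not only a number.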

The paper is an attempt to find a solution to one of the most challenging fraud types in recent times and to generate ideas for building a fraud solution for it.

Authors:

Kavita Dwivedi – Kavita is a domain consultant and a data scientist with over 16+ years of experience in BFSI, Telecom and Insurance. Her key expertise is in Credit Risk, Fraud and AML space, Risk Modeling, Regulatory Risk and Marketing Analytics. She is currently working as a Fraud and AML Consultant at TCS.

Kalyani Gajmal - Kalyani is a data scientist with over 15+ years of experience in data analytics. She has worked on advanced analytics projects in multiple domains such as BFSI, Consumer Packaged Goods, Healthcare and Lifesciences, and Pharma. She is currently working as a Financial Crime Consultant within BFSI at TCS.
