Published: November 9, 2022
It’s an unfortunate sign of the times that cyber criminals are constantly developing more sophisticated ways of defrauding businesses. With online crime on the rise, the best way to keep your organisation’s money and financial information safe is to be aware of the latest tactics. Here, James Dockerill, Financial Crime Operations Lead at Unity Trust Bank, explains one of the most common methods criminals use – Authorised Push Payment Fraud.
What is Authorised Push Payment Fraud (APP Fraud)?
Authorised Push Payment fraud (also known as APP fraud) is where an employee of an organisation is deceived or coerced into authorising a payment to a criminal. This can manifest itself in several ways.
A common technique used by fraudsters is to pretend to be a supplier and send an invoice containing payment details to a fraudster’s account. This is often as a result of a recent or historic cyber attack at the supplier. As the payer keys in or authorises the payment in the system, they are ‘authorising’ the payment request that has been ‘pushed’ to them and are ‘pushing’ the payment on. This is very different from Unauthorised Payment Fraud. With UPF, there is no knowledge of any funds leaving an account, whether legitimately or not.
APP Fraud has been made more attractive to criminals since the advent of real-time payment schemes, such as Faster Payments in the UK. Using it, criminals can quickly take the money and run.
Payments made using real-time payment schemes are irrevocable. The victims cannot reverse a payment once they realise they have been scammed. However, banks can still endeavour to claim back the funds from the criminal account using an indemnity claim if they are alerted ASAP.
It has become an increasingly popular technique because it leaves very little in terms of an audit trail. There are no phone calls, no face to face interactions. It’s simply a manipulated payment request or invoice. Once the payment is made, criminals can transfer the funds quickly to another account and often abroad. Criminals are also aware that more and more transactions are being carried out online and more people are working remotely. This increases the risk of falling victim to APP Fraud.
Anybody is at risk from APP Fraud, but certain groups are targeted more than others.
Charities are particularly vulnerable as they often operate through goodwill, with unpaid volunteers and only a small finance team. The biggest risk will be where there are no procedures in place for handling payments or just one person manages the finances of the entire operation, especially if they use or log into an account infrequently.
Organisations or groups which use a large number of suppliers may also be more exposed to APP fraud through no fault of their own. An example could be if a supplier has fallen victim to a cyber attack or data breach and a criminal is able to send a fake invoice from a hacked or compromised email account belonging to the supplier.
As mentioned above, fraudsters’ preferred methods are those which can be completed online and leave little in the way of an audit trail. Some common techniques include:
Fake Invoice Fraud: Using a combination of interception and social engineering techniques to obtain information, fraudsters are able to convince businesses to change bank account details. They get their victims to replace the account number of the legitimate suppliers with their own. When the business later or simultaneously goes to pay an invoice from their supplier, they are sending it to a fraudster instead. This may happen where the supplier or contractor has been victim of a cyber attack or data breach.
Sending Payment Fraud: This type of fraud is slightly more calculated than Fake Invoice Fraud. The fraudster may notice visible work being carried out or close to completion. For example, a parish council paying for restoration work on a church. The fraudster will then purport to be the contractor and request a payment. Another technique may be to impersonate the CEO or senior official in the organisation. The hacker will instruct an ‘urgent’ payment to be made, posing as the official.
Account Takeover: if an organisation divulges bank details via email or publicly posts account details on websites, it may open itself up to hackers. This is quite rare, but one to be aware of.
Internal Fraud: This is less common, but an organisation may fall victim to APP Fraud from within. A dishonest employee, or ‘bad actor’, may be an individual who always raises payments. Even if all external payments require dual or triple authorisation, they may, depending on circumstances or levels of desperation, take a chance and submit a rogue payment request – especially if there are low levels of checks carried out internally on raised payments.
Some suggestions to help mitigate APP fraud risk:
If you think there has been fraudulent activity on your Unity account, or if you are ever in doubt, call our Customer Service team right away on our dedicated fraud number, freephone 0808 196 8420. We also have a dedicated email address – fraud@unity.co.uk
We also encourage our customers to report fraud to the appropriate law enforcement agency. The police will have criminal prosecution powers.
Victims of fraud in England and Wales should file a case with Action Fraud and obtain a Crime Reference Number (CRN): https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime
Scotland customers should report it to police by dialling 101.