What you need to know about APP Fraud

Published: November 9, 2022

It’s an unfortunate sign of the times that cyber criminals are constantly developing more sophisticated ways of defrauding businesses. With online crime on the rise, the best way to keep your organisation’s money and financial information safe is to be aware of the latest tactics. Here, James Dockerill, Financial Crime Operations Lead at Unity Trust Bank, explains one of the most common methods criminals use – Authorised Push Payment Fraud.

What is Authorised Push Payment Fraud (APP Fraud)?

Authorised Push Payment fraud (also known as APP fraud) is where an employee of an organisation is deceived or coerced into authorising a payment to a criminal. This can manifest itself in several ways.

A common technique used by fraudsters is to pretend to be a supplier and send an invoice containing payment details for a fraudster’s account. This is often the result of a recent or historic cyber attack at the supplier. As the payer keys in or authorises the payment in the system, they are ‘authorising’ the payment request that has been ‘pushed’ to them and are ‘pushing’ the payment on. This is very different from Unauthorised Payment Fraud (UPF). With UPF, the account holder has no knowledge that any funds are leaving the account, whether the transaction is legitimate or not.

Why is APP Fraud increasing?

APP Fraud has been made more attractive to criminals since the advent of real-time payment schemes, such as Faster Payments in the UK. Using it, criminals can quickly take the money and run.

Payments made using real-time payment schemes are irrevocable. The victims cannot reverse a payment once they realise they have been scammed. However, banks can still endeavour to claim back the funds from the criminal account using an indemnity claim if they are alerted ASAP.

It has become an increasingly popular technique because it leaves very little in terms of an audit trail. There are no phone calls, no face to face interactions. It’s simply a manipulated payment request or invoice. Once the payment is made, criminals can transfer the funds quickly to another account and often abroad. Criminals are also aware that more and more transactions are being carried out online and more people are working remotely. This increases the risk of falling victim to APP Fraud.

Who is at risk of APP Fraud?

Anybody is at risk from APP Fraud, but certain groups are targeted more than others.

Charities are particularly vulnerable as they often operate through goodwill, with unpaid volunteers and only a small finance team. The biggest risk will be where there are no procedures in place for handling payments or just one person manages the finances of the entire operation, especially if they use or log into an account infrequently.

Organisations or groups which use a large number of suppliers may also be more exposed to APP fraud through no fault of their own. An example could be if a supplier has fallen victim to a cyber attack or data breach and a criminal is able to send a fake invoice from a hacked or compromised email account belonging to the supplier.

What tactics do fraudsters typically use?

As mentioned above, fraudsters’ preferred methods are those which can be completed online and leave little in the way of an audit trail. Some common techniques include:

Fake Invoice Fraud: Using a combination of interception and social engineering techniques to obtain information, fraudsters are able to convince businesses to change bank account details. They get their victims to replace the account number of the legitimate suppliers with their own. When the business later or simultaneously goes to pay an invoice from their supplier, they are sending it to a fraudster instead. This may happen where the supplier or contractor has been victim of a cyber attack or data breach.

Sending Payment Fraud: This type of fraud is slightly more calculated than Fake Invoice Fraud. The fraudster may notice visible work being carried out or close to completion. For example, a parish council paying for restoration work on a church. The fraudster will then purport to be the contractor and request a payment. Another technique may be to impersonate the CEO or senior official in the organisation. The hacker will instruct an ‘urgent’ payment to be made, posing as the official.

Account Takeover: if an organisation divulges bank details via email or publicly posts account details on websites, it may open itself up to hackers. This is quite rare, but one to be aware of.

Internal Fraud: This is less common, but an organisation may fall victim to APP Fraud from within. A dishonest employee, or ‘bad actor’, may be an individual who always raises payments. Even if all external payments require dual or triple authorisation, they may, depending on circumstances or levels of desperation, take a chance and submit a rogue payment request – especially if there are low levels of checks carried out internally on raised payments.

What action can be taken to avoid falling victim to this type of fraud?

Some suggestions to help mitigate APP fraud risk:

  1. Have a strong, National Cyber Security Centre (NCSC) supported cyber security framework (e.g. firewalls, password protection and spam filters). Avoid, where possible, public disclosure of information that fraudsters may then utilise.
  2. Have a documented procedure and process in place for handling payments. For example, carrying out checks or having a 4-eye protocol for large payments.
  3. Do you have a current account that allows single authority for external payments? Then consider increasing the authorisation levels on that account to dual or triple authority.
  4. Know your supplier. If a supplier suddenly changes bank account details, check it with them. If the request with altered bank details is via email, do not just respond to the email. You could use a trusted phone number or look up the contact details online and validate the change first.
  5. Inspect the source of the payment request – some things may appear odd about the request. For example, if it is sent from an email account that appears to have no connection to the supplier. Or, perhaps the invoice itself appears to have been doctored; especially where the bank details are usually present.
  6. Check for job numbers or invoice numbers. If the supplier’s references are normally sequential and the new number does not follow on from previous reference numbers, this may be a concern.
  7. Follow the guidance on Unity Trust Bank’s website: https://staging.unity.co.uk/protect-your-organisation-from-fraud/
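Several of the steps above (dual authority above a threshold, comparing a request’s bank details with what is on record, inspecting the sender’s address and checking that invoice numbers follow on) can be applied consistently if the finance team screens every payment request against its supplier records before anyone keys it in. The following Python is an added illustration of such a screening step; it is not code from Unity Trust Bank or from the article. The record layouts, the supplier data, the two sample requests, the 5,000 dual-authorisation threshold and the tolerated invoice-number gap are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data and hypothetical record layouts, not from the article.

@dataclass(frozen=True)
class Supplier:
    """What the organisation already knows about an approved supplier."""
    name: str
    email_domain: str         # domain the supplier normally invoices from
    sort_code: str
    account_number: str
    last_invoice_number: int  # highest invoice number already paid


@dataclass(frozen=True)
class PaymentRequest:
    """An incoming invoice or payment instruction, as received by the finance team."""
    supplier_name: str
    sender_email: str
    sort_code: str
    account_number: str
    invoice_number: int
    amount: float


@dataclass
class ScreeningResult:
    flags: List[str]
    approvers_required: int

    @property
    def hold(self) -> bool:
        # Any flag means: do not pay until the request is verified via a trusted channel
        return bool(self.flags)


# Assumed policy values; a real organisation sets its own
DUAL_AUTH_THRESHOLD = 5000.0   # amount at which a second approver is mandatory
MAX_INVOICE_GAP = 20           # tolerated jump in invoice numbers between our payments


def sender_domain(email: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return email.rsplit("@", 1)[-1].strip().lower()


def screen_request(req: PaymentRequest, suppliers: Dict[str, Supplier]) -> ScreeningResult:
    """Apply the supplier, sender, bank-detail and invoice-number checks.

    An empty flag list only means none of these checks fired; it is not proof
    that the request is genuine.
    """
    approvers = 2 if req.amount >= DUAL_AUTH_THRESHOLD else 1
    supplier = suppliers.get(req.supplier_name)
    if supplier is None:
        return ScreeningResult(["supplier not on the approved supplier list"], approvers)

    flags: List[str] = []

    domain = sender_domain(req.sender_email)
    if domain != supplier.email_domain.lower():
        flags.append(f"sender domain '{domain}' is not the supplier's known domain '{supplier.email_domain}'")

    if (req.sort_code, req.account_number) != (supplier.sort_code, supplier.account_number):
        flags.append("bank details differ from those on record; confirm by a trusted phone number, not by replying to the email")

    last = supplier.last_invoice_number
    if not (last < req.invoice_number <= last + MAX_INVOICE_GAP):
        flags.append(f"invoice number {req.invoice_number} does not follow on from the last paid number {last}")

    return ScreeningResult(flags, approvers)


# Constructed supplier master data
SUPPLIERS = {
    "Acme Roofing Ltd": Supplier("Acme Roofing Ltd", "acmeroofing.example", "12-34-56", "12345678", 1041),
}

# Constructed requests: a genuine follow-on invoice and a 'changed bank details' fake
GENUINE = PaymentRequest("Acme Roofing Ltd", "accounts@acmeroofing.example",
                         "12-34-56", "12345678", 1042, 1800.00)
FAKE = PaymentRequest("Acme Roofing Ltd", "accounts@acmeroofing-payments.example",
                      "65-43-21", "87654321", 2300, 7200.00)

if __name__ == "__main__":
    for label, req in (("genuine", GENUINE), ("fake", FAKE)):
        result = screen_request(req, SUPPLIERS)
        print(label, "HOLD" if result.hold else "ok", f"approvers={result.approvers_required}", result.flags)
```

The genuine request passes all checks and needs one approver; the fake one is held with three flags (lookalike sender domain, changed bank details, invoice number out of sequence) and, being above the assumed threshold, would need two approvers even if it had been clean. The point of returning flags rather than a yes/no is that the person verifying the request knows exactly what to confirm with the supplier by phone.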

What should you do if you do fall victim?

If you think there has been fraudulent activity on your Unity account, or if you are ever in doubt, call our Customer Service team right away on our dedicated fraud number, freephone 0808 196 8420. We also have a dedicated email address – fraud@unity.co.uk

We also encourage our customers to report fraud to the appropriate law enforcement agency. The police will have criminal prosecution powers.

Victims of fraud in England and Wales should file a case with Action Fraud and obtain a Crime Reference Number (CRN): https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime

Scotland customers should report it to police by dialling 101.