Cyber-fraud: Authorised Push Payment Fraud (APP)
We have lived through many changes in the past 18 months. Lockdowns and fears about the rise of a novel virus led to a much heavier reliance on the digital sector. Many businesses stopped using cheques to pay for services, shops were closed, resulting in a swing towards using e-commerce platforms out of necessity, and the use of Zoom, Webex and Teams for digital meetings became the norm.
Unfortunately, however, criminals have identified these changes in business practice as an opportunity to target victims online and these types of fraud are now prevalent. Society therefore needs to find ways to protect victims of these crimes, and to provide simple ways to compensate them for their losses.
APP fraud is a type of cyber-crime whereby the fraudster tricks a paying party into authorising a payment into an account which is controlled by the fraudster. Because the payer themselves instructs the bank to make the payment, the protections that apply to unauthorised transactions (for example, a cloned card) do not automatically apply, which is why reimbursement is so often contested.
There are two main types of APP:
- ‘Malicious misdirection’ APP scams: victims believe they are paying a known and legitimate payee but are instead tricked into making a push payment into a scammer’s account.
- ‘Malicious payee’ APP scams: victims make a push payment, typically in return for promised goods or services, to people they believe are legitimate but who subsequently turn out to be scammers.
The main difficulty with APP fraud is tracing the money. There are real problems in trying to establish whether the bank account the fraudster has access to belongs to them, or whether it is the compromised account of an innocent person. A typical fraud of this type results in the funds being sent to a first account and then redistributed through a series of accounts all around the world, often within hours.
This can cause problems in a commercial business relationship, especially where there is an international element. Trust and confidence are crucial to these relationships and are often hard won over years. The victim of the fraud has lost the money and still owes the supplier for the invoice, and the supplier may well regard the loss as the result of the victim's inadequate cyber protection.
The reality is that cyber criminals are becoming more and more sophisticated and have used the COVID-19 pandemic as an opportunity to prey on the vulnerable and businesses alike.
In 2016, Which? submitted a ‘super-complaint’ to the Payment Systems Regulator (“PSR”) to try and obtain protection for consumers, highlighting its concerns that banks were not doing enough either in responding to scams or in protecting their customers. This prompted the PSR's work on APP scams and, in turn, the industry measures described below.
The PSR has issued a direction requiring the largest UK banks to implement Confirmation of Payee (a check that the name on the destination account matches the payee the customer intends to pay), and firms are expected to reimburse customers in cases where Confirmation of Payee would likely have prevented the scam. However, the banks have not been overwhelmingly cooperative, and evidence has shown that they have been making certain exceptions with their reimbursements, or indeed making partial reimbursements, typically in relation to those customers whom the banks contend:
- had no reasonable basis for believing the transaction or recipient was genuine and/or
- ought to have displayed a higher degree of caution or knowledge of the scam than might ordinarily be reasonable (for example, accountants and lawyers)
Signatories to the Contingent Reimbursement Model Code for APP scams have a fund for customers to be reimbursed in the ‘no blame’ scenario. Under the Code, customers are expected to:
- Pay attention to the warnings their bank gives when they set up a new payee, change a payee’s details or make a payment, and follow any instructions those warnings contain.
- Have a reasonable basis for believing that:
  - The person they pay was the person they were expecting to pay
  - The payment is for genuine goods or services
  - The person or business they are paying is legitimate
How to stay cyber-safe
There are several ways to protect your business from cyber-crime, but also from losses arising from APP:
- Invest in cyber-security to prevent data breaches and malicious attacks;
- Take out cyber-insurance to cover costs of data losses or breaches;
- Remind your teams to question every single financial transaction – have a system in place to verify and check payments, and verify any new payee or change of bank details by calling the supplier on a number you already hold, never one taken from the invoice or email that requested the change;
- Empower colleagues to challenge anything which is ‘out of the ordinary’ – criminals will try to pressure transactions to happen quickly and to get your teams to skip checks. If something doesn’t seem right, stop, check and verify again.
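The following is an added example, not code from the original article, of what a “system in place to verify and check payments” can look like in practice. It runs each invoice through pre-payment checks that map onto the two APP scam types above: an unknown payee (malicious payee), bank details that differ from the previously verified vendor record (malicious misdirection), urgency language, and a Confirmation-of-Payee style name match. The vendor master, the invoices, the urgency word list, the 0.8 close-match threshold and the `ACCOUNT_REGISTRY` stand-in for the bank’s lookup are all constructed assumptions for illustration; a real Confirmation of Payee check is performed by the bank, not by the payer.

```python
"""Pre-payment verification checks (illustrative example, not a bank API)."""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    sort_code: str
    account_number: str


@dataclass
class Invoice:
    payee_name: str
    sort_code: str
    account_number: str
    amount: float
    notes: str = ""


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and common company suffixes, collapse spaces."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = re.sub(r"\b(ltd|limited|plc|llp)\b", "", name)
    return " ".join(name.split())


# Constructed vendor master: bank details previously confirmed by calling the
# supplier on a number held on file (not one taken from an invoice or email).
VENDOR_MASTER = {
    normalise_name(v.name): v
    for v in [Vendor("Acme Ltd", "12-34-56", "12345678")]
}

# Constructed stand-in for the bank's Confirmation of Payee lookup: the name
# actually held on the destination account. The real check runs at the bank.
ACCOUNT_REGISTRY = {
    ("12-34-56", "12345678"): "Acme Ltd",
    ("65-43-21", "87654321"): "J Smith",   # mule account controlled by a scammer
    ("11-11-11", "22222222"): "Acme Limited",
}

# Assumed phrases that often accompany a pressured, fraudulent payment request.
URGENCY = re.compile(r"\b(urgent|immediately|today|final notice|new bank details)\b", re.I)


def cop_style_match(payee_name: str, sort_code: str, account_number: str) -> str:
    """Mimic the CoP outcomes: match, close_match, no_match or account_not_found."""
    holder = ACCOUNT_REGISTRY.get((sort_code, account_number))
    if holder is None:
        return "account_not_found"
    requested, actual = normalise_name(payee_name), normalise_name(holder)
    if requested == actual:
        return "match"
    if difflib.SequenceMatcher(None, requested, actual).ratio() >= 0.8:  # assumed threshold
        return "close_match"
    return "no_match"


def check_payment(inv: Invoice) -> list[str]:
    """Return the list of reasons this payment must not be released yet."""
    findings: list[str] = []
    vendor = VENDOR_MASTER.get(normalise_name(inv.payee_name))
    if vendor is None:
        findings.append("NEW_PAYEE: no verified record; confirm identity and bank details "
                        "on an independently sourced phone number before paying")
    elif (inv.sort_code, inv.account_number) != (vendor.sort_code, vendor.account_number):
        findings.append("DETAILS_CHANGED: invoice bank details differ from the verified "
                        "record; treat as possible malicious misdirection and re-verify by callback")
    if URGENCY.search(inv.notes):
        findings.append("PRESSURE: urgency language in the request; slow down and verify again")
    cop = cop_style_match(inv.payee_name, inv.sort_code, inv.account_number)
    if cop != "match":
        findings.append(f"COP_{cop.upper()}: account holder name does not match the intended payee")
    return findings


def may_release(inv: Invoice) -> bool:
    """A payment is released only when every check passes."""
    return not check_payment(inv)


if __name__ == "__main__":
    # Constructed invoices: a genuine one, a redirected one and an unknown payee.
    for inv in [
        Invoice("Acme Ltd", "12-34-56", "12345678", 4800.0, "Invoice 1042, due in 30 days"),
        Invoice("Acme Ltd", "65-43-21", "87654321", 4800.0,
                "URGENT: please note our new bank details and pay today"),
        Invoice("Globex Supplies Ltd", "11-11-11", "22222222", 1200.0),
    ]:
        print(inv.payee_name, "->", "release" if may_release(inv) else check_payment(inv))
```

The key design choice is that a change of bank details is never treated as routine data entry: it blocks the payment until someone has re-verified it out of band, which is exactly the step the “please note our new bank details” email is designed to make you skip. The name-matching logic is only a stand-in for the bank’s own Confirmation of Payee result, which your team should read before confirming a payment rather than clicking through it.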
What to do if you’ve been a victim
The more sophisticated frauds are sometimes not uncovered for days or weeks, when the payee continues to chase for payment of an invoice, which the payer believes has been paid.
If you find out you have been the victim of fraud, or your system has been hacked and your suppliers or customers have been scammed, make sure you let them and your bank know and report it immediately to Action Fraud.
It’s important to realise that, while the payer may be able to claim compensation from their bank, the invoice will still need to be paid under contract law: the supplier has not received the money, and the fraud does not discharge the debt.
If you need any help or advice in reclaiming unpaid invoices resulting from authorised push payment fraud, please contact us.