Fraud is getting smarter – but some simple steps can help you avoid it

Sep 27, 2024 | Compliance

Fraudsters relentlessly pursue other people’s money, and there are no depths they won’t sink to in order to get it. The online scams and schemes that fraudsters devise are frighteningly sophisticated and getting smarter all the time.

Banks and other financial service businesses have done a great job reminding us to watch out for fraud. We know that we need to shield our PINs when taking cash out of the ATM, that leaving our payment cards unattended in public is unsafe, and that leaving our phones unlocked is risky. We’re used to using passwords for practically any form of financial activity online.

You may have seen news headlines about people being tricked into sending large amounts of money to fraudsters online. Examples include fake investment schemes, online romance scams, or shopping offers that deceive people into thinking they’re getting a bargain or an exclusive item or service.

To give them their proper name, these methods are all known as Authorised Push Payment (APP) fraud, where fraudsters deceive you into making or authorising a bank transfer or card payment, or into handing over your sensitive personal and payment data. The scale of APP fraud is alarming – losses totalled around £500 million in 2022, with individuals and businesses falling prey to scams and authorising transfers to accounts controlled by fraudsters.

What is APP fraud, and how does it affect customers, banks and payment providers?

APP scams work by fraudsters manipulating victims into making payments or sharing personal details under false pretences. Often, fraudsters impersonate legitimate businesses or innocent individuals to win a victim’s trust. APP fraud depends on victims voluntarily making payments, hence the ‘authorised’.

Unsurprisingly, it’s easier to impersonate someone online or over the phone than face-to-face. According to data from UK Finance, while 16% originate via telephone.

Here are some of the most common types of APP fraud to watch out for:

  • Impersonation scams: fraudsters pose as a legitimate company, government agency (such as HMRC), or individual.
  • Purchase scams: fraudsters offer goods or services that never materialise.
  • Romance scams: fraudsters manipulate victims into an online relationship and request money.
  • Investment scams: fraudsters entice victims to invest in schemes promising high returns, such as businesses, multi-level marketing, crypto, or commodities.
  • Loan fee scams: fraudsters convince victims to pay administration fees for loans they never receive.
  • Recruitment scams: fraudsters run fake job adverts and convince applicants to pay for application processing fees or home working equipment delivery fees.

From 7 October 2024, banks and payment providers that are direct or indirect participants in the UK’s Faster Payments scheme will be required to reimburse customers who are victims of APP fraud up to a maximum amount of £85,000. However, this doesn’t apply to international payments, payments made for unlawful purposes, payments made through other payment systems, or civil disputes.

Banks or payment providers which send the payment must reimburse the victim within five business days. Still, under certain circumstances, they can hold off on investigating or gathering additional information from the victim, the receiving bank, the payment provider, or law enforcement agencies. Receiving banks or payment providers are obligated to respond to a sending bank or provider’s requests for further information in connection with an APP fraud claim and must pay the sending payment service provider (PSP) 50% of the reimbursement that the sending PSP has paid the customer.

However, there is a time limit for reporting APP fraud. Sending banks or providers can deny a customer’s APP fraud claim if it’s submitted more than 13 months after the payment was made to the fraudster.

There are also two exceptions where customers may be denied reimbursement:

  • where the customer has acted fraudulently (“first-party fraud exception”); or
  • where the customer has acted with gross negligence, unless the customer is vulnerable (this could mean where circumstances like the customer’s health or impairments affect their decision-making and engagement with financial services).

The burden of proof is on the sending bank or provider to prove gross negligence, where the customer is proven to have shown a significant degree of carelessness. This could include ignoring direct warnings or interventions from their bank or payment provider that a potential payment is likely to be a fraudulent payment; not notifying or reporting APP fraud to their bank or payment provider within the 13-month time limit; and not responding to requests for information or consenting to the fraud being reported to the police or other national authority.

How APP fraud can cause confusion between customers, banks and their service providers

No matter how it occurs, falling victim to fraud can be devastating, and people often feel humiliated, ashamed or angry that they have been tricked. It’s natural and understandable to feel like this. Sadly, many innocent individuals and businesses have been caught up in these scams, impersonated by fraudsters who have used their names to perpetrate theft. Many victims have left scathing reviews of these businesses, accusing them of stealing money or ignoring their pleas for help to get their funds back when the fact is that these businesses had nothing whatsoever to do with the fraudster.

Clear Junction only deals directly with regulated financial institutions and businesses, not their end customers. Sometimes, this has caused confusion when fraud occurs, as these end customers mistakenly think that their accounts or payments – and any fraud incidents – are the responsibility of Clear Junction when, in fact, it’s their banking or payment provider that is responsible for the security of their transactions. We only provide the technical infrastructure that these businesses use to provide services to their customers.

The simple fact is that it’s easy for fraudsters to pretend to be someone else online, and many people ignore their cautious instincts when presented with a request or deal that seems authentic. Even the most tech-savvy and financially aware can be caught off-guard by new scam methods, which are incredibly convincing.

At Clear Junction, we depend on the trust and security of our clients and their customers, and we want to ensure that fraudsters are thwarted at every opportunity. So, we’ve put together some tips to keep you safe online. 

  • Change your passwords – and make sure they’re strong.
    You’d be surprised how easy it is for criminals to guess or crack passwords with automatic password generator widgets. So, get into the habit of changing your passwords regularly. Don’t use simple passwords or words personal to you, like the names of family members, friends, pets or sports teams. You can create an ultra-strong password by throwing in uppercase letters, numbers and symbols. And remember – the best way to protect your passwords is never to share them with anyone!
  • Don’t over-share on social media – lock it down.
    Likewise, be careful about what you share on your social media apps and ensure your privacy settings are set to a high level. It’s alarmingly easy for criminals to steal enough personal information from unprotected social media profiles to commit identity fraud or hack into your accounts. Never share private information (like your address or school) or personal details, like your birthday, on social media.
  • Use and update your anti-virus protection and system software.
    Fast-mutating viruses and malicious software (malware) can infect your computer, tablet or phone. Once infected, your device can lock you out, steal your data, and expose your payment info online. Anti-virus software will scan your device for online bugs and block them. Keep your device’s operating system up to date, too. System software and applications can quickly become outdated and vulnerable to cyberattacks. Always install updates or patches from your OS or software developer when you’re alerted.
  • Turn on two-factor authentication (2FA) for your accounts.
    Two-factor authentication protects you when online. Even if your password is compromised somehow, 2FA helps to protect your accounts with an extra verification step. Accounts protected with 2FA will ask you to enter one-time passwords (OTPs) sent to you by text or through your device app. Turn on 2FA on any accounts containing sensitive personal or financial data.
  • Check links or attachments before you click on them.
    If you get emails or texts containing attachments or links from your financial provider, don’t click on them until you can verify the source. Check the spelling or website address to confirm that it matches the genuine address of your financial provider. Clicking on unverified links or attachments may take you to imitation websites that ask you to enter your account data and give fraudsters access to your devices. If in doubt, don’t click on it.
  • Be wary when using free public WiFi.
    Public free WiFi networks can expose your data to someone monitoring your internet traffic, enabling them to steal passwords, emails or payment details. Don’t use public WiFi when accessing your banking or payment accounts or looking at material you wouldn’t want a stranger looking over your shoulder to see.
  • Always verify requests for personal information.
    Fraudsters can easily impersonate someone from your bank, credit card provider, utility provider, or even law enforcement and ask you to give them your account details. Your bank will never ask for these details over the phone or via text message. If someone contacts you claiming to be from your financial provider, always take the time to verify them by checking the phone number or email address they’re messaging from.
  • Take precautions when making a new payment – always check the Confirmation of Payee details.
    If you’re making a new payment to an individual or company through your online banking, you may be asked to check the account details you’ve entered. This is known as Confirmation of Payee (CoP) and is a way for financial institutions to cross-check and confirm that the accounts sending and receiving funds are correct. This makes it virtually impossible for APP scams to work. If you’re asked to check the account details you’ve entered, take a step back if the information does not match – don’t be in a rush to make the payment. If the account details don’t match, you should contact the person or business you are trying to pay to confirm the account name, sort code and account number.
  • What to do if you think you’ve been a victim of APP fraud
    If you think you’ve fallen victim to APP fraud, you should immediately contact your bank or payment provider to report it. It may be possible to block the transaction or trace the money. Also, report the fraud to Action Fraud online or by telephone on 0300 123 2040 (Monday to Friday, 8 am to 8 pm). The Action Fraud service is run by the City of London Police and the National Fraud Intelligence Bureau, who will investigate the incident and offer you help and support.
  • Don’t be scared or embarrassed to report fraud.
    If you’ve fallen victim to a romance, investment, or product fraud, don’t hesitate to report it to your bank or payment provider, the Police and Action Fraud. You aren’t the first person to be deceived, and won’t be the last. But by reporting it to the relevant authorities, you’re helping them to identify and track down fraudsters who prey on innocent people – and you can prevent it happening to someone else. Every piece of information you provide goes a long way to completing the puzzle of who is committing fraud, how they do it, and how it can be stopped. Do talk to your family and friends, too – they will want to reassure and support you, just as you would do the same for them.

Conclusion – we can all play a part in the fight against fraud

Following the steps above will give you the information you need to stay safe when making payments. But fraud will inevitably keep moving and mutating, so it’s on all of us to take precautions when making new payments, protect our sensitive information, stay alert, and act fast if we suspect fraud is taking place.

At Clear Junction, we work to ensure that every possible action has been taken to strengthen cybersecurity within our business amid the pervasive threat of fraud. That’s why we implemented Confirmation of Payee for clients receiving GBP payments in the UK, boosting the security of these transactions.

We continuously monitor fraud trends and devote significant resources to our risk management, AML and KYC processes. In fact, one-third of our team is focused solely on building the technology to manage these security protections. Moreover, our recent ISO 27001 certification assures clients and their customers that their transaction data is safe with us and protected by the highest global standard that corporates can achieve for information security.

However, while APP fraud is rife, it is vital to us that our clients feel safe against fraud. If you think you have been affected by fraud or have questions regarding your transaction security, don’t hesitate to get in touch with us at complaints@clearjunction.com.