Figures from UK Finance – a trade association representing the UK finance and banking industry – revealed more than 19,000 people were targeted by Authorised Push Payment (APP) scams in the first half of 2017.
The fraud has cost customers more than £100 million, with an average loss of £3,000 for consumers and £21,000 for businesses.
An APP scam occurs when criminals trick victims into sending money directly from an account to one owned by fraudsters.
Victims are convinced by:
- Scammers impersonating bank employees or police officers
- Criminals claiming a fraud has been spotted on a customer’s account
- Fake invoices being sent to businesses
- Offers of fraudulent investment opportunities
- Fraudsters posing as a house purchaser’s solicitor
When the victim has authorised a payment, criminals transfer funds to numerous other accounts – often abroad. The funds are cashed out, making it difficult to trace fraudulent activity further.
In the absence of a legal order, there is no mechanism for banks to return money received following an APP scam. The UK Finance Industry is currently working with law enforcement to implement a new system that helps return money to victims within the current legal framework, while identifying where the UK government can change the law to make it easier to protect and help victims.
New best practice guidelines have been developed, including:
- Banks implementing 24-hour, 7-day dedicated staff trained in scam management to deal with and process APP complaints
- Banks collaborating with each other to support investigations and protect victims
- Direct communication between customers and their bank or account provider
While banks will endeavour to help customers recover stolen money, customers often only approach their bank after the payment has been processed. By this time the criminal has withdrawn the stolen funds and the money is gone. As a result, financial providers have been able to return only a quarter of 2017’s losses.
To fight APP fraud, consumers should be aware that banks or trusted organisations will never ask for a PIN or password, or ask them to transfer money to a safe account. Personal and financial details should be kept private until the other party is proven to be secure. It is also important never to click automatically on a link in an unexplained e-mail or text.