
How to fight APP fraud without affecting your online banking experience


Authorised Push Payment (APP) fraud has grown in recent years as more real-time payment services have become available in online banking. According to TechTarget, it is expected to increase even more in the near future.

To ensure the maximum level of security for their customers, banks run for cover by tightening the anti-fraud controls on their digital services. Too often, however, this causes trouble for customers when they need to complete genuine actions on their accounts.

Are we sure there’s no effective way to overcome this challenge?

In this article, we explain what Authorised Push Payments are, how APP fraud works, and what you can do, as a bank, to protect your customers while keeping your online banking experience top level.

What is an Authorised Push Payment

An Authorised Push Payment (APP, in short) is a payment that customers make to another banking account through the online banking website or mobile app. 

Examples of APPs are direct deposits, wire transfers, bank transfers, or digital wallet payments. 

The main advantage of this type of payment is that it speeds up the process of paying and receiving money without decreasing security. No personal information is shared among customers other than the account number that needs to receive money.

In the past few years, banks and digital payment providers have also introduced instant push payments, which are incredibly appealing to online fraudsters.  

APP fraud: what it is and how it works

Authorised Push Payment fraud is a social engineering attack to lure customers into making payments to fraudsters’ banking accounts. 

This happens because the victims believe the payment, the bank account, and the receiver are legitimate.

For example, they could receive a fake call from their bank, asking them to urgently move money from their account to another because they have been targeted by fraudsters, or from their landlord asking for money for house renovations, and so on.

As with all social engineering attacks, to be successful, fraudsters research their victims beforehand to sound as realistic as possible. This usually means stealing their personal information via hacked email accounts, with techniques like phishing, smishing, or vishing, and waiting for the right moment to attack.

It might seem difficult to fall into fraudsters’ traps, but fraudsters constantly evolve and sharpen their techniques to hit their targets.

How APP fraud works

APP fraud has become a popular and very dangerous scam because it is hard to trace the fraudsters. Most of the time, transfers are made via instant payment, so it is impossible for the victim to block them and get the money back. Moreover, the transfers are performed “voluntarily” by the victim from their account, so most of the time, it is not even possible for them to receive a refund for the financial loss.

Audio deep fake scams and APP fraud

Knowing how to prevent APP fraud is extremely important for banks and digital payment providers that want to ensure their customers’ safety and satisfaction.

Right now, fraudsters are probably tricking thousands of customers by pretending to be friends, colleagues, or providers that need to be paid urgently, and AI audio deep fake scams are accelerating at an unprecedented pace from Europe to the US.

Audio deep fake scams are a specific type of fraud that exploits Artificial Intelligence to perfectly recreate the sound of people’s voices.

Imagine receiving a call from a family member or from your boss asking you for an urgent money transfer, wouldn’t you do it?

Although this technology is still in its early stages, there is a real concern that, with the continuous development of AI technologies, it will become a huge problem on different fronts, first of all online banking fraud.

Protect customers from APP fraud: the challenges for online banks

Trying to detect and stop APP fraud is very challenging. Even with several anti-fraud solutions, detection has a downside: it causes a lot of false positives, leading to high operational costs and a worse online customer experience.

This happens because the fraud takes place outside the bank's perimeter. With APP fraud, there is no Account Takeover (ATO) or Automatic Transfer System (ATS) that anti-fraud systems can detect.

Account Takeover and Automatic Transfer System frauds involve installing malware on the victims’ devices, which, in a way, makes it easier for advanced fraud management solutions to detect anomalies and block them before the attack is completed.

APP fraud is attractive to cyber-criminals because systems can’t detect any anomalies in the users’ devices or locations. The only signal comes from the transactional analysis, where a “new payee” is detected. From here, security experts can analyze the user’s behavioral pattern in more detail, such as the spending profile or the transaction’s timing.

This level of information is not enough, though, to make accurate decisions. 

In this situation, the choices are either to allow most of the transactions, with a high risk of getting money stolen, or to block most of them, with a high risk of causing inconvenience to your customers.

Too many false positives: what does it actually mean?

False positives are all genuine sessions considered too risky and, thus, blocked, causing a high level of friction (and frustration) for the user. 

In both cases, they require further investigation, resulting in more open cases piling up on the fraud analysts’ plates until a final decision can be taken.

This causes three main disadvantages:

  • More workload for the security team, which will have to handle a high number of open cases;
  • Higher operational costs for the business, which will have to dedicate more resources to customer service supporting customers’ complaints;
  • Worse online customer experience, as users get blocked with extra security steps while completing an activity on their accounts. 

Needless to say, to compete with innovative and aggressive online payment services today, banks must keep the quality of their digital services at a high level.

How do you measure the impact of anti-fraud measures on your business? Read our previous article “Why are anti-fraud measures slowing down your online banking business?: A talk with CISOs”.

Protect your customers from APP fraud while minimising the impact on their online experience

The solution to this problem goes beyond having more visibility into the current session: visibility has to be taken to the next level.

Visibility into the micro-details of what is happening right now is not enough. It is also essential to correlate different events, which may have occurred over different sessions and at different times, and then identify what we call the logical blocks.

The holy grail against APP fraud and other advanced patterns is knowing how to exploit this type of visibility in an automated way.

[Figure: example of a logical block (Cleafy)]

We call it Dynamic Risk Assessment. 

Dynamic Risk Assessment builds the logical bricks dynamically as the session unfolds, allowing early and adaptive decision-making.

Both risk and friction are minimized.

In the previous example, as soon as that logical block is detected, it is possible to automatically send a warning to the user, or to contact them to say that what they are doing could be a fraud attempt.

Think about it: a simple question can prevent many frauds without inconveniencing customers who are making legitimate payments.

For example: "Are you sure the person you’re paying is who they say they are? In these hours, fraudsters are impersonating relatives, colleagues, and bosses of our customers to convince them to pay."
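The correlation described above can be sketched as follows. This is an added example, not Cleafy's code: the event names, the 48-hour window, the spending multiplier and the rule that defines the logical block are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Event:
    customer: str
    session: str
    ts: int                # seconds since an arbitrary start
    kind: str              # "payee_added" or "payment" (hypothetical names)
    payee: str
    amount: float = 0.0
    instant: bool = False

WINDOW = 48 * 3600         # assumed look-back for correlating sessions
SPEND_FACTOR = 3.0         # assumed multiple of the customer's median payment

def assess(history, pay):
    """Return (action, signals) for payment `pay` given earlier events."""
    mine = [e for e in history if e.customer == pay.customer and e.ts < pay.ts]
    past = [e for e in mine if e.kind == "payment"]
    signals = []
    # Transactional signal: no earlier payment to this payee.
    if not any(e.payee == pay.payee for e in past):
        signals.append("new_payee")
    # Cross-session correlation: payee added recently, in any session.
    if any(e.kind == "payee_added" and e.payee == pay.payee
           and pay.ts - e.ts <= WINDOW for e in mine):
        signals.append("recently_added_payee")
    # Spending profile: amount far above the customer's usual payments.
    if past and pay.amount > SPEND_FACTOR * median(e.amount for e in past):
        signals.append("above_spending_profile")
    if pay.instant:
        signals.append("instant_payment")
    # Assumed logical block: new payee plus two corroborating signals.
    if "new_payee" in signals and len(signals) >= 3:
        return "warn", signals   # warn the customer instead of blocking
    return "allow", signals

# Constructed sample history for one customer (not real data).
HISTORY = [
    Event("c1", "s1", 0, "payment", "landlord", 800.0),
    Event("c1", "s2", 86_400, "payment", "utility", 60.0),
    Event("c1", "s3", 172_800, "payment", "landlord", 800.0),
    Event("c1", "s4", 600_000, "payee_added", "acct-X"),
]
RISKY = Event("c1", "s5", 610_000, "payment", "acct-X", 5000.0, True)
ROUTINE = Event("c1", "s6", 620_000, "payment", "landlord", 800.0)
SMALL_NEW = Event("c1", "s7", 630_000, "payment", "friend", 50.0)
```

With the sample data, only the large instant payment to the recently added payee triggers a warning; a small first payment to a new payee is allowed, so the "new payee" signal alone does not add friction.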

Cleafy’s technology allows you to apply dynamic risk assessment throughout all the online banking digital channels to minimize the exposure to APP fraud risk and maximize the security for your customers. 
